department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

AWS and Terraform audit #40557

Open rmtolmach opened 2 years ago

rmtolmach commented 2 years ago

Description

The following topics/questions should be explored:

  1. What is our current process for access management for AWS?
  2. Can we upgrade our Terraform version?
  3. AWS access management might be handled by another team in the future. What do we need to do to hand off a clean, organized process?

Background/context

Pain points:


Tasks

Acceptance Criteria

rmtolmach commented 2 years ago
  1. What is our current process for access management for AWS?

Assign users to an existing user group; or create a user group for this user or team based off an existing policy; or create new policies.

  2. Can we upgrade our Terraform version?

Maybe! We can test this out as part of Issue 4.

  3. AWS access management might be handled by another team in the future. What do we need to do to hand off a clean, organized process?

The issues laid out below will make this easier to handle in the future.

How do we know what permissions a requesting user needs to do their job?

The access request handles this. If it's not production access, they don't need extra approval.

What are the boundaries of the groups?

See issues 2 and 3.

terraform apply sometimes needs to be run multiple times.

Addressed in Issue 1

The following issues will be created:

Issue 1 Enforce correct order of operations. Currently, our policy follows this order: create policies, create users, create user groups, assign users to user groups, attach policies to users and user groups. (The first three can be in any order, but must happen before the last two. This is not currently enforced.) This will require refactoring. This is called here: https://github.com/department-of-veterans-affairs/devops/blob/master/terraform/environments/global/iam_users.tf#L2821 We should either refactor this section or drop it altogether. How to handle dependencies?

Issue 2 General clean-up of user groups. For example, duplicate groups exist (example). Are there unused groups we can delete? Can we combine policies that are unique to user groups?

Issue 3 Standardizing policies. This will likely be messy. Do we need all of these policies? https://github.com/department-of-veterans-affairs/devops/blob/master/terraform/environments/global/iam_policies.tf ideally, we have templates for teams. (For example, this is the tf template for github actions.) Any policy that applies to only one user group, we might want to rename to be team-specific.

Issue 4 Break iam_users.tf and iam_policies.tf out of the global environment. Determine where they should live. Move resources from old state file to new state file without destroying any resources. Experiment with upgrading the tf version on the new location.
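The ordering problem in Issue 1 (policies and users/groups must exist before memberships and attachments, which today is not enforced and is one reason `terraform apply` has to be run more than once) is normally solved by letting Terraform's dependency graph do the enforcing: every membership and attachment references the group, user and policy by attribute instead of a hard-coded name or ARN string, so the graph cannot create them out of order. The block below is an added illustration, not code from the devops repository; the policy, bucket, user, group names and region are placeholders, and it attaches the policy only to the group (a least-privilege choice; the thread's current process also attaches policies directly to users).

```hcl
# Added example (not from the devops repo). Placeholder names throughout.
# The point is the attribute references in section 3: they make the create
# order policies -> users/groups -> memberships/attachments explicit to
# Terraform, so one `terraform apply` converges instead of several.

terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder
}

# 1. Policies. Scoped to a single team bucket (placeholder) rather than "*",
#    so the team-specific policy Issue 3 asks for stays least-privilege.
data "aws_iam_policy_document" "example_team_s3_read" {
  statement {
    sid       = "ListExampleBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-team-bucket"]
  }
  statement {
    sid       = "ReadExampleObjects"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-team-bucket/*"]
  }
}

resource "aws_iam_policy" "example_team_s3_read" {
  name        = "example-team-s3-read"
  description = "Read-only access to the example team bucket"
  policy      = data.aws_iam_policy_document.example_team_s3_read.json
}

# 2. Users and groups. No ordering constraint among themselves.
resource "aws_iam_user" "example_user" {
  name = "example.user" # placeholder
}

resource "aws_iam_group" "example_team" {
  name = "example-team" # placeholder
}

# 3. Memberships and attachments. Each argument is an attribute reference,
#    never a literal string, so Terraform orders creation correctly.
resource "aws_iam_user_group_membership" "example_user" {
  user   = aws_iam_user.example_user.name
  groups = [aws_iam_group.example_team.name]
}

resource "aws_iam_group_policy_attachment" "example_team_s3_read" {
  group      = aws_iam_group.example_team.name
  policy_arn = aws_iam_policy.example_team_s3_read.arn
}
```

If an attachment is written with a hard-coded ARN (for example a `policy_arn = "arn:aws:iam::<account>:policy/..."` string built by hand), Terraform sees no edge to the `aws_iam_policy` resource and may try the attachment before the policy exists; that is the symptom to look for when refactoring the section linked in Issue 1. `terraform graph` on the module prints the resulting dependency graph and is a quick way to confirm that every attachment and membership node has edges to the resources it references.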

jsgarmon commented 2 years ago

Issues #40588 and #40591 created for the first two issues above, and are attached to the epic in Zenhub.

rmtolmach commented 2 years ago

Issues #40616 and #40617 created for issues 3 and 4 above.