Open rmtolmach opened 2 years ago
- What is our current process for access management for AWS?
Assign users to an existing user group; or create a user group for this user or team based on an existing policy; or create new policies.
- Can we upgrade our Terraform version?
Maybe! We can test this out as part of Issue 4.
- AWS access management might be handled by another team in the future. What do we need to do to hand off a clean, organized process?
The issues laid out below will make this easier to handle in the future.
- How do we know what permissions a requesting user needs to do their job?
The access request handles this. If it's not production access, they don't need extra approval.
- What are the boundaries of the groups?
See Issues 2 and 3.
- `terraform apply` sometimes needs to be run multiple times.
Addressed in Issue 1
The following issues will be created:

Issue 1: Enforce correct order of operations. Currently, our policy follows this order: create policies, create users, create user groups, assign users to user groups, attach policies to users and user groups. (The first three can be in any order, but must happen before the last two. This is not currently enforced.) This will require refactoring. This is called here: https://github.com/department-of-veterans-affairs/devops/blob/master/terraform/environments/global/iam_users.tf#L2821 We should either refactor this section or drop it altogether. How do we handle dependencies?
Issue 2: General clean-up of user groups. For example, duplicate groups exist (example). Are there unused groups we can delete? Can we combine policies that are unique to user groups?
Issue 3: Standardizing policies. This will likely be messy. Do we need all of these policies? https://github.com/department-of-veterans-affairs/devops/blob/master/terraform/environments/global/iam_policies.tf Ideally, we have templates for teams. (For example, this is the tf template for GitHub Actions.) Any policy that applies to only one user group, we might want to rename to be team-specific.
Issue 4: Break iam_users.tf and iam_policies.tf out of the global environment. Determine where they should live. Move resources from the old state file to the new state file without destroying any resources. Experiment with upgrading the tf version in the new location.
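Added example for Issues 1 and 3 (this is not code from the devops repo, and the team names, members, actions and bucket ARNs are constructed placeholders): Terraform only orders resource creation from the dependency graph, so the policies → users/groups → memberships/attachments order is enforced when the later resources reference attributes of the earlier ones rather than hard-coded name strings. The same map-driven layout also gives one team-scoped policy per team, which is the "template per team" idea from Issue 3.

```terraform
# Added example, not the devops repo's own code. One team -> members/permissions
# map drives every IAM resource; every later resource references an earlier one,
# so a single `terraform apply` creates them in the right order.

locals {
  # Hypothetical teams; in practice this would be the one place a team's
  # access is defined (Issue 3's per-team template).
  teams = {
    "example-team-a" = {
      members         = ["alice", "bob"]
      allowed_actions = ["s3:GetObject", "s3:ListBucket"]
      resources       = ["arn:aws:s3:::example-team-a-bucket", "arn:aws:s3:::example-team-a-bucket/*"]
    }
    "example-team-b" = {
      members         = ["carol"]
      allowed_actions = ["ec2:DescribeInstances"]
      resources       = ["*"]
    }
  }

  # user -> list of team names, derived so each user's memberships come from
  # the same map (a user can be in several teams).
  user_teams = {
    for u in distinct(flatten([for t in local.teams : t.members])) :
    u => [for name, t in local.teams : name if contains(t.members, u)]
  }
}

# 1. Policies: one team-scoped policy per team, named after the team.
resource "aws_iam_policy" "team" {
  for_each = local.teams
  name     = "${each.key}-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = each.value.allowed_actions
      Resource = each.value.resources
    }]
  })
}

# 2. Groups and users: independent of each other, both must precede memberships.
resource "aws_iam_group" "team" {
  for_each = local.teams
  name     = each.key
}

resource "aws_iam_user" "member" {
  for_each = local.user_teams
  name     = each.key
}

# 3. Attach each team's policy to its group. Referencing .arn and .name is what
# makes the policy and group dependencies; a literal ARN string would not.
resource "aws_iam_group_policy_attachment" "team" {
  for_each   = local.teams
  group      = aws_iam_group.team[each.key].name
  policy_arn = aws_iam_policy.team[each.key].arn
}

# 4. Memberships: referencing aws_iam_user.member and aws_iam_group.team makes
# the user and every group it joins dependencies of this resource.
resource "aws_iam_user_group_membership" "member" {
  for_each = local.user_teams
  user     = aws_iam_user.member[each.key].name
  groups   = [for t in each.value : aws_iam_group.team[t].name]
}
```

`terraform graph` will show the edges these references create; `depends_on` is only needed where no attribute reference exists. Two caveats for the clean-up work: `name` on `aws_iam_policy` forces replacement, so renaming policies to be team-specific (Issue 3) destroys and recreates them, with the attachments updated in the same apply because they reference the new ARN; and moving these resources to a new state file (Issue 4) is a `terraform state mv` operation, not a configuration change, so no resource should be destroyed if the addresses match on both sides.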
Issues #40588 and #40591 were created for the first two issues above and are attached to the epic in Zenhub.
Issues #40616 and #40617 were created for Issues 3 and 4 above.