karmaniverous / metastructure-template

A configuration-driven AWS Organization reference infrastructure. Powered by Metastructure.
https://github.com/karmaniverous/metastructure/wiki

Prevent resource modification without matching Generator tag #1

Open karmaniverous opened 1 month ago

karmaniverous commented 1 month ago

A little hand-wavy but here it is: some resources are marked with a Generator tag indicating how they were created. Obvious values: Terraform, Serverless.

If a resource has this tag, then it shouldn't be modifiable unless the modifying principal has a "matching tag" (which may not make sense within the principal context, but find a way).

This means Terraform-created resources can only be altered by Terraform and so on. Ideally this is an Organization-wide policy that never changes, and you make it work by assigning appropriate tags.
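One way to express the policy described above as an Organization-wide SCP, written here as an added example rather than anything from the template repository: a Deny on mutating actions that fires only when the resource carries a Generator tag and the calling principal's Generator tag does not match it. The action list is an assumed illustrative set, and the second statement covers the case the variable comparison alone misses (a principal with no Generator tag at all).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMutationWhenGeneratorTagMismatch",
      "Effect": "Deny",
      "Action": [
        "ec2:Modify*", "ec2:Delete*", "ec2:Terminate*",
        "lambda:Update*", "lambda:Delete*", "lambda:Put*",
        "s3:Put*", "s3:Delete*",
        "iam:Update*", "iam:Delete*", "iam:Put*", "iam:Attach*", "iam:Detach*"
      ],
      "Resource": "*",
      "Condition": {
        "Null": { "aws:ResourceTag/Generator": "false" },
        "StringNotEquals": {
          "aws:ResourceTag/Generator": "${aws:PrincipalTag/Generator}"
        }
      }
    },
    {
      "Sid": "DenyMutationWhenPrincipalHasNoGeneratorTag",
      "Effect": "Deny",
      "Action": [
        "ec2:Modify*", "ec2:Delete*", "ec2:Terminate*",
        "lambda:Update*", "lambda:Delete*", "lambda:Put*",
        "s3:Put*", "s3:Delete*",
        "iam:Update*", "iam:Delete*", "iam:Put*", "iam:Attach*", "iam:Detach*"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Generator": "false",
          "aws:PrincipalTag/Generator": "true"
        }
      }
    }
  ]
}
```

Two caveats when evaluating this: SCPs never apply to the management account or to service-linked roles, and `aws:ResourceTag` is only populated for actions that target an existing tagged resource, so creation-time enforcement still depends on the tagging step the next comment describes.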

karmaniverous commented 1 month ago

See this GPT chat. This is doable, but will require a lambda function that assigns the appropriate Generator tag to resources created through a given Permission Set. Probably belongs in the Bootstrap batch.