Overly permissive policy in batch_execution_role

[olivermeyer]

The batch_execution_role is allowed to do autoscaling:DeleteLaunchConfiguration on all resources (see here). This is a concern, since it could seriously mess with production systems running in EKS.

Is there a strong reason for allowing this, or is it possible to restrict the resources which are covered by the policy?

[oavdeev]

Good point, it can be narrowed down a bit to launch configurations that are named AWSBatch*.

This wasn't a huge concern since this role is supposed to be used only by AWS Batch itself (the service that is), not by user code running inside a Batch job. I believe these permissions are a simplified version of what AWS tells you to use. But those are indeed a little narrower.

[olivermeyer]

I took a very naive shot at addressing this in https://github.com/outerbounds/terraform-aws-metaflow/pull/12. I could be missing stuff though, and I cannot test the change. @oavdeev could you maybe take a look?