pangeo-data / terraform-deploy

deployment of pangeo jupyterhub infrastructure with terraform
MIT License

Minimum Deployment IAM perms #30

Closed super-cob closed 4 years ago

super-cob commented 4 years ago

I've actually started working on this as it's a requirement for our IT department, but the concept here is that you could assume the role 'EKSAdmin' or similar which would have the absolute minimum perms needed to do terraform apply and/or destroy. Special consideration to the IAM Write type of perms (putting them in a separate policy at least) so that they could be easily removed in the case of needing to really lock down those types of permissions (this is our case).

salvis2 commented 4 years ago

Most of those permissions should be in the large data block in aws-creds/iam.tf. It does depend a little bit on what we attach to the deployment, but it's a good place to start.

super-cob commented 4 years ago

I'm talking about going back one step, the perms needed to even run 'terraform apply' the first time. Creating the ECR, EFS, stuff like that. The way I did it was to have my personal user account have some broad perms and we want to have less of that.

salvis2 commented 4 years ago

Making sure we are on the same page, my thought for the workflow would be to clone the repo, go into aws-creds/, and generate permissions via a new user or role. Once I've established a way to attach those permissions, I'd go into aws/ and run terraform apply -var-file=cluster.tfvars.

So, as far as getting permissions to create the infrastructure, I think that is roughly set up. Ideally, aws-creds/iam.tf has every permission you need to create the EFS / EKS cluster / etc, but creating the permissions in IAM at all requires permissions. If we need a minimum policy set to create permissions, that would be something that we could list, but would need to be manually generated in IAM maybe.
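The layout super-cob proposed above (a dedicated 'EKSAdmin' role carrying only what terraform apply/destroy needs, with the IAM write permissions in their own detachable policy) and the aws-creds/ workflow salvis2 describes, written out as an added Terraform example. This is not code from pangeo-data/terraform-deploy; the account id, the operator user name, the role and policy names, and the action lists are illustrative assumptions, and the real minimum set has to be derived from what the deployment actually creates (for example by reviewing CloudTrail after a run under the role).

```hcl
# Added example, not part of the pangeo terraform-deploy repository.
# Assumptions: var.account_id is set from a tfvars file, the operator's IAM
# user is named "terraform-operator", and the action lists are illustrative.

variable "account_id" {
  description = "AWS account id (placeholder, set via tfvars)"
  type        = string
}

variable "enable_iam_write" {
  description = "Attach the IAM-write policy; set to false to lock it down"
  type        = bool
  default     = true
}

# Trust policy: only the named operator user may assume the role, and only
# from an MFA-authenticated session.
data "aws_iam_policy_document" "eks_admin_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:user/terraform-operator"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "eks_admin" {
  name                 = "EKSAdmin"
  assume_role_policy   = data.aws_iam_policy_document.eks_admin_trust.json
  max_session_duration = 3600
}

# Policy 1: infrastructure the deployment creates (EKS, ECR, EFS, VPC/EC2)
# plus read-only IAM so plan/refresh still works after the write policy is
# detached. Service-level wildcards are a starting point; narrow them.
data "aws_iam_policy_document" "eks_admin_infra" {
  statement {
    sid       = "ClusterInfra"
    actions   = ["eks:*", "ecr:*", "elasticfilesystem:*", "ec2:*", "autoscaling:*"]
    resources = ["*"]
  }
  statement {
    sid       = "IamReadOnly"
    actions   = ["iam:Get*", "iam:List*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "eks_admin_infra" {
  name   = "EKSAdminInfra"
  policy = data.aws_iam_policy_document.eks_admin_infra.json
}

resource "aws_iam_role_policy_attachment" "eks_admin_infra" {
  role       = aws_iam_role.eks_admin.name
  policy_arn = aws_iam_policy.eks_admin_infra.arn
}

# Policy 2: IAM write actions, isolated so this one attachment can be removed
# (enable_iam_write = false) once the cluster's roles and policies exist.
data "aws_iam_policy_document" "eks_admin_iam_write" {
  statement {
    sid = "IamWrite"
    actions = [
      "iam:CreateRole", "iam:DeleteRole", "iam:TagRole",
      "iam:CreatePolicy", "iam:DeletePolicy",
      "iam:AttachRolePolicy", "iam:DetachRolePolicy",
      "iam:PutRolePolicy", "iam:DeleteRolePolicy",
      "iam:CreateOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider",
    ]
    resources = ["*"]
  }
  # PassRole is the dangerous one: restrict it to roles handed to EKS/EC2.
  statement {
    sid       = "PassRoleToClusterServices"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::${var.account_id}:role/*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com", "ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "eks_admin_iam_write" {
  name   = "EKSAdminIamWrite"
  policy = data.aws_iam_policy_document.eks_admin_iam_write.json
}

resource "aws_iam_role_policy_attachment" "eks_admin_iam_write" {
  count      = var.enable_iam_write ? 1 : 0
  role       = aws_iam_role.eks_admin.name
  policy_arn = aws_iam_policy.eks_admin_iam_write.arn
}

# In the aws/ root module, run the deployment under the role instead of a
# broadly permissioned personal user:
#   provider "aws" {
#     assume_role { role_arn = "arn:aws:iam::<ACCOUNT_ID>:role/EKSAdmin" }
#   }
```

This module is the bootstrap step salvis2 points at: creating the role and its policies itself needs IAM permissions, so it is applied once by an identity that already has them, after which terraform apply in aws/ runs as EKSAdmin. Flipping enable_iam_write to false and re-applying detaches only the IAM-write policy, leaving the role able to manage the cluster but not to mint new roles or policies.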

super-cob commented 4 years ago

You're exactly right, I'm sorry, I retract this issue.