runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

AssumeRole with multiple projects #1902

Open g-psantos opened 2 years ago

g-psantos commented 2 years ago

TL;DR Is there a way to stop one project from using AssumeRole to read another project's state or alter its resources?

We're considering adopting Atlantis. Ideally, we'd host a single Atlantis service that could handle deployments for multiple projects.

Our plan was to create an AWS IAM Role for the Atlantis service (role/atlantis). Each project owner would then set up other IAM Roles that Atlantis would assume when executing deployments for that project. For illustration purposes, let's assume that the Atlantis service and Project A are both hosted in AWS Account X, and Project B is hosted in AWS Account Y. Under that scenario, we'd have:

However, this creates a potential security issue, where Project A could update its own repository to use Project B's Role ARN and, with that, modify Project B's environment or otherwise extract information from it. This could potentially be fixed by having a server-side per-project role allow-list, but we haven't found anything like that in the documentation.

Other than having each project authenticate through environment variable credentials (which is its own can of worms), is there anything we're missing? Are there best practices for multi-project scenarios, or should we give up on that and set up one Atlantis service per project?

Thank you.
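One way to implement the server-side per-project allow-list the comment proposes, as an added example that is not Atlantis code and not the issue author's. The script is meant to live on the Atlantis host and be invoked from a server-side workflow step, so a pull request cannot change it; it maps the repository that triggered the run to the single role it may assume and refuses any other ARN the repo proposes. Assumptions: the `BASE_REPO_OWNER` and `BASE_REPO_NAME` environment variables are set by Atlantis for the step, `REQUESTED_ROLE_ARN` is a hypothetical variable carrying whatever the repo asked for, and the account IDs, role names and repo names in the allow-list are constructed for illustration.

```python
"""
Server-side role allow-list for a shared Atlantis instance (example, not Atlantis code).

The repo that triggered the run is mapped to the one IAM role it may assume; a
role ARN proposed by the repo is honoured only if it is exactly that role. The
BASE_REPO_OWNER / BASE_REPO_NAME variables are assumed to be set by Atlantis for
the step that runs this script; REQUESTED_ROLE_ARN is a hypothetical variable.
"""
import json
import os
import re
import sys
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed allow-list. Keys are "owner/repo"; in a deployment this would be
# read from server-side configuration, never from the repo's own atlantis.yaml.
ROLE_ALLOWLIST = {
    "example-org/project-a": "arn:aws:iam::111111111111:role/project-a-deploy",
    "example-org/project-b": "arn:aws:iam::222222222222:role/project-b-deploy",
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


class RoleDenied(Exception):
    """Raised when a repo asks for a role it is not allowed to use."""


@dataclass(frozen=True)
class RoleGrant:
    role_arn: str
    account_id: str
    session_name: str


def repo_from_env(environ: Mapping[str, str]) -> str:
    """Build the "owner/repo" key from the variables Atlantis exports to the step."""
    owner = environ.get("BASE_REPO_OWNER", "")
    name = environ.get("BASE_REPO_NAME", "")
    if not owner or not name:
        raise RoleDenied("repo identity missing from environment")
    return f"{owner}/{name}"


def resolve_role(repo: str, requested_arn: Optional[str] = None) -> RoleGrant:
    """Deny by default: the repo gets exactly its allow-listed role or nothing."""
    allowed = ROLE_ALLOWLIST.get(repo)
    if allowed is None:
        raise RoleDenied(f"no role configured for {repo}")
    # Compare against the server-side entry, so Project A cannot point at
    # Project B's ARN (or at a different role in its own account).
    if requested_arn is not None and requested_arn != allowed:
        raise RoleDenied(f"{repo} may not assume {requested_arn}")
    match = ROLE_ARN_RE.match(allowed)
    if match is None:
        raise RoleDenied(f"malformed role ARN in allow-list: {allowed}")
    # Put the repo in the session name so CloudTrail attributes every API call
    # to the project that made it (RoleSessionName allows [\w+=,.@-], max 64 chars).
    session = re.sub(r"[^\w+=,.@-]", "-", f"atlantis-{repo}")[:64]
    return RoleGrant(allowed, match.group(1), session)


def credentials_env(grant: RoleGrant, sts_client, duration: int = 3600) -> dict:
    """Assume the granted role; return the env vars Terraform's AWS provider reads.

    sts_client is anything with a boto3-style assume_role(); it is injected so
    the logic can be exercised without AWS access.
    """
    resp = sts_client.assume_role(
        RoleArn=grant.role_arn,
        RoleSessionName=grant.session_name,
        DurationSeconds=duration,
    )
    creds = resp["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def main() -> int:
    try:
        grant = resolve_role(repo_from_env(os.environ), os.environ.get("REQUESTED_ROLE_ARN"))
        import boto3  # real STS call only when run on the Atlantis host

        env = credentials_env(grant, boto3.client("sts"))
    except RoleDenied as exc:
        print(f"denied: {exc}", file=sys.stderr)
        return 1
    # Emit as JSON for the calling step to consume; how the step feeds these
    # variables to terraform is deployment-specific and not shown here.
    print(json.dumps(env))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The important property is that the decision is keyed on the repository identity Atlantis itself provides, not on anything in the repo's checkout, and that a mismatch is a hard failure rather than a fallback. The per-repo session name is a cheap addition that makes cross-project role use visible in CloudTrail even if the allow-list is later misconfigured.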

Paulius0112 commented 1 year ago

Have you implemented this approach? Is it working?

gtirloni commented 1 year ago

This would allow us to grant access to other teams so they can manage their infrastructure more independently. Right now, we need to gatekeep everything because Atlantis is a SPOF, from a security perspective.

I don't know how we'd set up and maintain one Atlantis instance per project with a monorepo and hundreds of environments.