salesforce / aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
MIT License

Go/Terraform Integration #74

Closed danquack closed 3 years ago

danquack commented 3 years ago

@kmcquade thanks for making this tool! I have a use case where I'd like to run this through Terraform, which currently I basically execute the pull into JSON and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that it's a completely different implementation strategy, feel free to close if you don't find interest in it!

jdyke commented 3 years ago

Hey @danquack ! In the meantime, you can find all of the compliance SCPs in the repo here: https://github.com/ScaleSec/terraform_aws_scp/tree/main/compliance_scp

Right now I am manually updating the Terraform as this repo is updated but that's not the long-term solution (really not scalable). I actually talked with @kmcquade today about keeping the two repos synced somehow but it may make more sense to add tf to this one.

danquack commented 3 years ago

@jdyke does it make sense to do a web hook trigger from this repo to yours on publish to keep them in sync? Happy to contribute to whatever solution you decide on if need be.

kmcquade commented 3 years ago

Perhaps we can include Terraform module creation inside this repository, as part of this: https://github.com/salesforce/aws-allowlister/blob/main/Makefile#L60-L61

And the ScaleSec repository can leverage this as a remote Terraform module. Thoughts?

jdyke commented 3 years ago

Happy to reference it as a module from terraform_aws_scp -> aws-allowlister, it doesn't make sense to maintain it in two different places. Single source of truth is preferred and this repo is better suited for that.

yi2020 commented 3 years ago

I was just about to suggest the module approach as well. It will make it easy for anyone to include it in their own code (I know we want to!). The versioning on the module is important so that people don't accidentally have new SCP policy versions they didn't mean to use.

I would recommend having the module in a separate repo though, as Terraform/Hashi's structure around modules is quite specific and most modules I've ever seen live at the root of their GH repo. Will require syncing through a GH Action on the module repo probably, but easier from a usability perspective. @antonbabenko is an expert in this stuff.
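The two consumption paths discussed in this thread, written out as an added example (not code from aws-allowlister or terraform_aws_scp): the first part loads the SCP JSON that aws-allowlister generated and creates the policy directly, the second pins the published module to a release tag so a newer SCP version is never picked up by accident. The JSON file path, the `target_ou_id` variable and the `ref` tag are assumptions; the `compliance_scp` subdirectory is the one linked earlier in the thread.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

locals {
  # Path is an assumption: save the SCP that aws-allowlister printed to this file.
  # jsondecode() makes a malformed file fail at plan time instead of at the
  # Organizations API, and jsonencode() re-serialises it in a stable form so
  # whitespace changes in the generated output do not show up as diffs.
  allowlist_scp = jsondecode(file("${path.module}/allowlist-scp.json"))
}

resource "aws_organizations_policy" "allowlist" {
  name        = "aws-allowlister-compliance-scp"
  description = "Only allows AWS services compliant with the selected frameworks"
  type        = "SERVICE_CONTROL_POLICY"
  content     = jsonencode(local.allowlist_scp)
}

# Attach to a non-production OU first; an allowlist that is too narrow is
# painful to unwind once it sits on the organisation root.
variable "target_ou_id" {
  type        = string
  description = "OU to receive the allowlist SCP (placeholder value supplied by the caller)"
}

resource "aws_organizations_policy_attachment" "allowlist" {
  policy_id = aws_organizations_policy.allowlist.id
  target_id = var.target_ou_id
}

# Module route: pin to a release tag (the tag shown is a placeholder) so that
# `terraform init -upgrade` cannot silently pull in a regenerated SCP.
module "compliance_scp" {
  source = "git::https://github.com/ScaleSec/terraform_aws_scp.git//compliance_scp?ref=v0.0.0-placeholder"
}
```

Reviewing `terraform plan` on the regenerated JSON before bumping the pinned tag is what turns the versioning point above into a concrete control: the diff of `content` shows exactly which services were added or removed between allowlist versions.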

kmcquade commented 3 years ago

That could make sense. It would have the benefit of clear GitHub issues dedicated to the Terraform module only.

danquack commented 3 years ago

@jdyke @kmcquade If I'm understanding this right, it makes sense to close this issue and open a new one in terraform_aws_scp?

jdyke commented 3 years ago

That is desirable from my point of view to keep the repos focused. The terraform repo is strictly for AWS SCPs written in HCL and already has some documentation outlining what they do. In the end it's up to @kmcquade !

kmcquade commented 3 years ago

I am cool with having this in the Terraform repo under ScaleSec!