sciencehistory / terraform_scihist_digicoll


Break out IAM resources into more files. #66

Closed eddierubeiz closed 11 months ago

eddierubeiz commented 12 months ago

This arrangement seems reasonable to me, but there are several other ways we could do it. It's fairly consistent with itself and with the existing arrangement of our buckets.

USERS:

iam_user_eddie_dev.tf
    aws_iam_user.eddie_dev

iam_user_jrochkind_dev.tf
    aws_iam_user.jrochkind_dev

GROUP:

iam_group_dev_users.tf
    aws_iam_group.dev_users
    aws_iam_group_membership.dev_users_membership
    aws_iam_group_policy_attachment.dev_users_mediaconvert_dev
    aws_iam_group_policy_attachment.dev_users_read_backups
    aws_iam_group_policy_attachment.dev_users_read_production
    aws_iam_group_policy_attachment.dev_users_write_staging
    aws_iam_group_policy_attachment.dev_users_write_dev

POLICY:

iam_policy_bucket_access_from_app.tf
    aws_iam_policy.bucket_access_from_app_production
    aws_iam_policy.bucket_access_from_app_staging

iam_policy_replicate_originals_video.tf
    aws_iam_policy.replicate_originals_video

iam_policy_replicate_originals.tf
    aws_iam_policy.replicate_originals

iam_policy_replicate_dzi.tf
    aws_iam_policy.replicate_dzi

iam_policy_replicate_derivatives.tf
    aws_iam_policy.replicate_derivatives

iam_policy_mediaconvert_dev.tf
    aws_iam_policy.mediaconvert_dev

iam_policy_read_backups.tf
    aws_iam_policy.read_backups

iam_policy_read_production.tf
    aws_iam_policy.read_production

iam_policy_write_dev.tf
    aws_iam_policy.write_dev

iam_policy_write_staging.tf
    aws_iam_policy.write_staging

ROLES:

iam_role_replication.tf
    aws_iam_role.S3-Backup-Replication

iam_role_mediaconvert_dev.tf
    aws_iam_role.dev_mediaconvert_role

iam_role_mediaconvert_staging.tf
    aws_iam_role.staging_mediaconvert_role

iam_role_mediaconvert_production.tf
    aws_iam_role.production_mediaconvert_role
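
For reference, this is what the proposed iam_group_dev_users.tf could look like when the group, its membership and its policy attachments live in one file and refer to users and policies defined in the sibling iam_user_*.tf and iam_policy_*.tf files. It is an added illustration, not code from the terraform_scihist_digicoll repository; the resource addresses are the ones listed above, while the `name` string values are assumptions.

```hcl
# iam_group_dev_users.tf (illustration; string values are assumptions)
# Terraform loads every *.tf in the directory as a single configuration, so
# this file may reference resources declared in other files by address.

resource "aws_iam_group" "dev_users" {
  name = "dev_users" # assumed value
}

# Membership is kept with the group rather than with each user, so adding or
# removing a developer is a one-line change in one place.
resource "aws_iam_group_membership" "dev_users_membership" {
  name  = "dev_users_membership" # assumed value
  group = aws_iam_group.dev_users.name
  users = [
    aws_iam_user.eddie_dev.name,     # defined in iam_user_eddie_dev.tf
    aws_iam_user.jrochkind_dev.name, # defined in iam_user_jrochkind_dev.tf
  ]
}

# One attachment per policy keeps the group's effective permissions readable
# at a glance: read-only on production and backups, write only on staging
# and dev. Each policy document lives in its own iam_policy_*.tf file.
resource "aws_iam_group_policy_attachment" "dev_users_mediaconvert_dev" {
  group      = aws_iam_group.dev_users.name
  policy_arn = aws_iam_policy.mediaconvert_dev.arn
}

resource "aws_iam_group_policy_attachment" "dev_users_read_backups" {
  group      = aws_iam_group.dev_users.name
  policy_arn = aws_iam_policy.read_backups.arn
}

resource "aws_iam_group_policy_attachment" "dev_users_read_production" {
  group      = aws_iam_group.dev_users.name
  policy_arn = aws_iam_policy.read_production.arn
}

resource "aws_iam_group_policy_attachment" "dev_users_write_staging" {
  group      = aws_iam_group.dev_users.name
  policy_arn = aws_iam_policy.write_staging.arn
}

resource "aws_iam_group_policy_attachment" "dev_users_write_dev" {
  group      = aws_iam_group.dev_users.name
  policy_arn = aws_iam_policy.write_dev.arn
}
```

Because a pure file reorganization leaves every resource address unchanged, `terraform plan` after the move should report no changes; a planned destroy and re-create of any IAM resource means an address did change and needs a `moved` block or `terraform state mv` before applying.
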

eddierubeiz commented 12 months ago

One variation: consider putting the aws_iam_policy.replicate_* information into the same file as the respective production buckets.

jrochkind commented 12 months ago

Works for me if you think it's best; you've been dealing with this stuff the most. It's important to have some regular, intelligible structure, and this qualifies to me.

Your variation also would; not sure which is best, your call!