Open gwright99 opened 3 months ago
@nate-simon -- FYI given your recent client conversation. @schaluva -- for awareness and peer opinion.
Two different ways this could be implemented:
TOWER_ALLOW_INSTANCE_CREDENTIALS to let the IAM Role created by Terraform also be used for Tower to submit jobs to AWS.
A deliberate design decision was made that the Terraform installer would be limited only to creating the IAM resources necessary for the Tower VM to access other installer-related mechanisms (i.e. SSM secrets), and would not create the AWS Credential that Tower uses to submit jobs into AWS (e.g. AWS Batch).
This was done for a few reasons:
The downside of this decision is that implementers must go through a manual process to create the necessary credential - often with some confusion and difficulty - before they can use the Seqerakit features of the installer and/or conduct benchmarking / pipeline launches into AWS Batch.
It would not be difficult to extend the tool's capabilities to generate the necessary key set and permissions. This would speed up the deployment process and remove another pain point for the user, albeit by weakening the segregation of concerns.
This ticket has been cut to discuss whether we could introduce this feature and what concerns we should be mindful of.
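As an added illustration of the segregation of concerns the issue describes (not the installer's own Terraform), the instance role below is limited to reading installer secrets under one SSM parameter path, while the Batch job-submission permissions sit on a separate policy that is created only when the operator opts in. Resource names, the `/tower/*` parameter path, the `create_batch_credential` variable and the minimal action lists are assumptions; a real Tower deployment needs more than these three Batch actions.

```hcl
# Added example, not the installer's own Terraform; names, SSM path and
# action lists are illustrative assumptions.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

variable "create_batch_credential" {
  type    = bool
  default = false
}
# Role assumed by the Tower VM: read installer secrets from SSM, nothing more.
resource "aws_iam_role" "tower_instance" {
  name = "tower-instance-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "tower_instance_ssm" {
  name = "tower-read-installer-secrets"
  role = aws_iam_role.tower_instance.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter", "ssm:GetParameters"]
      Resource = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/tower/*"
    }]
  })
}

# Job-submission permissions on a separate, opt-in policy. Attaching it to
# the instance role (the TOWER_ALLOW_INSTANCE_CREDENTIALS route) merges both
# concerns into one principal; a dedicated IAM user keeps them separate.
resource "aws_iam_policy" "tower_batch_submit" {
  count = var.create_batch_credential ? 1 : 0
  name  = "tower-batch-submit"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["batch:SubmitJob", "batch:DescribeJobs", "batch:TerminateJob"]
      Resource = "*" # illustrative; scope to queue/job-definition ARNs in practice
    }]
  })
}
```

Keeping the SSM resource scoped to one parameter path rather than `*` means a compromised VM cannot read unrelated secrets in the account, regardless of which option is chosen for the Batch credential.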