shinesolutions / aem-aws-stack-builder

Adobe Experience Manager (AEM) infrastructure builder on AWS using CloudFormation stacks
Apache License 2.0

Reimplement more modular Stack build. #242

Open nerdy-dav opened 5 years ago

nerdy-dav commented 5 years ago

At this time we have to manage customer's differing permissions sets by rewriting large chunks of code and managing separate branches.

I propose we refactor some of the different components of a stack build into completely different build steps that can be handed out to different teams, e.g.:

- IAM, Policies -> Security teams
- Network -> Networking teams
- DNS -> Networking teams

Etc.

Stack manager may be split up to allow creation of IAM and data stores (Dynamo) as well.

cliffano commented 5 years ago

I agree with the reasoning, though we need to find the right time for this refactoring.

I think the premise of this change is that we can restructure the stacks in a better way so that we don't have to deal with permission types.

At the moment the stack separation is based on parent, nested prerequisite, and nested main. This separation was introduced in AOC 2.0.0 and was based on resource dependency, cost, and startup time, allowing the AEM main stack to be rebuilt daily without rebuilding the prerequisite.

However, this separation doesn't seem to be future-proof because resourcing dependency can change over time, and the argument about cost and startup time is not always valued the same way for every user, i.e. some users wouldn't care about cost, some users wouldn't care about speed.

I think @dav-shine's suggestion on moving to a better logical separation based on functionalities and ownership is sound. If we refactor the resources, we won't need to maintain permission type a, b, and c anymore. This separation idea is better than the current one because ownership is a real issue for most (if not all) users.

Absolutely agree on the reasoning, we need to identify the opportunity to do this.

As an anecdote, we used to have this modularity in AOC 1.0.0.