On 17/10/2024 15:03, Pavel Raiskup via infrastructure wrote:
> On Thursday, 17 October 2024 14:11:26 CEST, Fabian Arrotin via infrastructure wrote:
>> On 17/10/2024 09:25, Pavel Raiskup via infrastructure wrote:
>>> Hello team,
>>>
>>> I now realized that we have these files:
>>>
>>> files/aws/iam/policies/
>>> files/aws/iam/policies/fcos-builds-releng.json
>>> files/aws/iam/policies/robosignatory-fcos-devel.json
>>> files/aws/iam/policies/fcos-upload-amis.json
>>> files/aws/iam/policies/fedora-infra-ec2.json
>>> files/aws/iam/policies/fedora-centos-ec2.json
>>> files/aws/iam/policies/fcos-poc-artifacts.json
>>> files/aws/iam/policies/fedora-copr-ec2.json
>>>
>>> These seem to be some initial copies of the policy file, and are probably stale. I'm curious whether we are interested in making the policies maintained from batcave - via IAM API. If so, I think I could help with the ansible.git changes (but I think I'd need more EC2 privileges to tweak the policies).
>>>
>>> Pavel
>>
>> Interesting as for CentOS it's not managed by Fedora infra ansible git
>
> And shouldn't it be? How do you maintain it, could we learn from you in how to do this task properly?

Managed by ansible? Sure... I already had a look at https://docs.ansible.com/ansible/latest/collections/amazon/aws/index.html for that (including the iam_policy_module) but never took time to discuss with Kevin about it.

That's part of the "problem": both Fedora and CentOS (while different infrastructures and so different teams managing these - while talking to each other!) are (from AWS PoV) sharing the same account. In an ideal world then, Fedora would use Fedora-infra/ansible git repo to manage the Fedora policies, and same thing for CentOS (using its own ansible setup), so that we don't conflict on changes that would be implemented one way or another. What do you think?

--
Fabian Arrotin
gpg key: 17F3B7A1