Re: Maintaining EC2 policies in Ansible.git?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 17/10/2024 15:03, Pavel Raiskup via infrastructure wrote:

On čtvrtek 17. října 2024 14:11:26, SELČ Fabian Arrotin via infrastructure wrote:

On 17/10/2024 09:25, Pavel Raiskup via infrastructure wrote:

Hello team,

I now realized that we have these files:

      files/aws/iam/policies/
      files/aws/iam/policies/fcos-builds-releng.json
      files/aws/iam/policies/robosignatory-fcos-devel.json
      files/aws/iam/policies/fcos-upload-amis.json
      files/aws/iam/policies/fedora-infra-ec2.json
      files/aws/iam/policies/fedora-centos-ec2.json
      files/aws/iam/policies/fcos-poc-artifacts.json
      files/aws/iam/policies/fedora-copr-ec2.json

These seem to be some initial copies of the policy file, and are
probably staled.  I'm curious whether we are interested in making the
policies maintained from batcave - via IAM API.  If so, I think I could
help with the ansible.git changes (but I think I'd need more EC2
privileges to tweak the policies).

Pavel



Interesting as for CentOS it's not managed by Fedora infra ansible git


And shouldn't it be?  How do you maintain it, could we learn from you in
how to do this task properly?



Managed by ansible ? sure ..
I already had a look at https://docs.ansible.com/ansible/latest/collections/amazon/aws/index.html for that (including the iam_policy_module) but never took time to discuss with Kevin about it.
That's part of the "problem" : both Fedora and CentOS (while different infrastructures and so different teams managing these - while talking to each other !) are (from AWS PoV) sharing the same account. In a ideal world then, Fedora would use Fedora-infra/ansible git repo to manage the Fedora policies, and same thing for CentOS (using its own ansible setup), so that we don't conflict on changes that would be implemented one way or another. What do you think ? 

--
Fabian Arrotin
gpg key: 17F3B7A1

Attachment: OpenPGP_0xA25DBAFB17F3B7A1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

-- 
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux