On Thu, Oct 17, 2024 at 03:18:23PM +0200, Fabian Arrotin via infrastructure wrote: > On 17/10/2024 15:03, Pavel Raiskup via infrastructure wrote: > > On čtvrtek 17. října 2024 14:11:26, SELČ Fabian Arrotin via infrastructure wrote: > > > On 17/10/2024 09:25, Pavel Raiskup via infrastructure wrote: > > > > Hello team, > > > > > > > > I now realized that we have these files: > > > > > > > > files/aws/iam/policies/ > > > > files/aws/iam/policies/fcos-builds-releng.json > > > > files/aws/iam/policies/robosignatory-fcos-devel.json > > > > files/aws/iam/policies/fcos-upload-amis.json > > > > files/aws/iam/policies/fedora-infra-ec2.json > > > > files/aws/iam/policies/fedora-centos-ec2.json > > > > files/aws/iam/policies/fcos-poc-artifacts.json > > > > files/aws/iam/policies/fedora-copr-ec2.json > > > > > > > > These seem to be some initial copies of the policy file, and are > > > > probably staled. I'm curious whether we are interested in making the > > > > policies maintained from batcave - via IAM API. If so, I think I could > > > > help with the ansible.git changes (but I think I'd need more EC2 > > > > privileges to tweak the policies). > > > > > > > > Pavel > > > > > > > > > > Interesting as for CentOS it's not managed by Fedora infra ansible git > > > > And shouldn't it be? How do you maintain it, could we learn from you in > > how to do this task properly? > > > > Managed by ansible ? sure .. > I already had a look at > https://docs.ansible.com/ansible/latest/collections/amazon/aws/index.html > for that (including the iam_policy_module) but never took time to discuss > with Kevin about it. > > That's part of the "problem" : both Fedora and CentOS (while different > infrastructures and so different teams managing these - while talking to > each other !) are (from AWS PoV) sharing the same account. > In a ideal world then, Fedora would use Fedora-infra/ansible git repo to > manage the Fedora policies, and same thing for CentOS (using its own ansible > setup), so that we don't conflict on changes that would be implemented one > way or another. What do you think ? Yeah. I setup those files way back when when we first were setting things up and I thought we could just manage them there, but then a lot of other groups were onboarded and it didn't work out. ;( I agree it might be nice to either: 1. Figure out a place to put central rules (I think we talked about this in the past, but didnt come up with where we wanted to put them). or 2. Set things up so perhaps each group could manage their own policies? But that might be really hard to do right without restricting things too much to be useful. ;( I once again wish we could use sub-accounts, but alas, thats not possible. kevin
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue