Re: Maintaining EC2 policies in Ansible.git?

On Thu, Oct 17, 2024 at 03:18:23PM +0200, Fabian Arrotin via infrastructure wrote:
> On 17/10/2024 15:03, Pavel Raiskup via infrastructure wrote:
> > > On Thursday, October 17, 2024 14:11:26 CEST, Fabian Arrotin via infrastructure wrote:
> > > On 17/10/2024 09:25, Pavel Raiskup via infrastructure wrote:
> > > > Hello team,
> > > > 
> > > > I now realized that we have these files:
> > > > 
> > > >       files/aws/iam/policies/
> > > >       files/aws/iam/policies/fcos-builds-releng.json
> > > >       files/aws/iam/policies/robosignatory-fcos-devel.json
> > > >       files/aws/iam/policies/fcos-upload-amis.json
> > > >       files/aws/iam/policies/fedora-infra-ec2.json
> > > >       files/aws/iam/policies/fedora-centos-ec2.json
> > > >       files/aws/iam/policies/fcos-poc-artifacts.json
> > > >       files/aws/iam/policies/fedora-copr-ec2.json
> > > > 
> > > > These seem to be some initial copies of the policy file, and are
> > > > probably stale.  I'm curious whether we are interested in making the
> > > > policies maintained from batcave - via IAM API.  If so, I think I could
> > > > help with the ansible.git changes (but I think I'd need more EC2
> > > > privileges to tweak the policies).
> > > > 
> > > > Pavel
> > > > 
> > > 
> > > Interesting as for CentOS it's not managed by Fedora infra ansible git
> > 
> > And shouldn't it be?  How do you maintain it, could we learn from you in
> > how to do this task properly?
> > 
> 
> Managed by ansible? Sure..
> I already had a look at
> https://docs.ansible.com/ansible/latest/collections/amazon/aws/index.html
> for that (including the iam_policy_module) but never took time to discuss
> with Kevin about it.
> 
> That's part of the "problem": both Fedora and CentOS (while different
> infrastructures and so different teams managing these - while talking to
> each other!) are (from AWS PoV) sharing the same account.
> In an ideal world then, Fedora would use Fedora-infra/ansible git repo to
> manage the Fedora policies, and same thing for CentOS (using its own ansible
> setup), so that we don't conflict on changes that would be implemented one
> way or another. What do you think?

Yeah. I set up those files way back when we first were setting
things up and I thought we could just manage them there, but then a lot
of other groups were onboarded and it didn't work out. ;(

I agree it might be nice to either: 

1. Figure out a place to put central rules (I think we talked about this
in the past, but didn't come up with where we wanted to put them).

or

2. Set things up so perhaps each group could manage their own policies?
But that might be really hard to do right without restricting things too
much to be useful. ;( 

I once again wish we could use sub-accounts, but alas, that's not
possible.

kevin

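The approach Fabian sketches above (keeping the policy documents in git and pushing them through the amazon.aws collection) could look like the playbook below. This is an added example, not code from ansible.git or from the thread; it assumes the amazon.aws collection is installed, that AWS credentials come from the usual environment or profile, that each JSON file under files/aws/iam/policies/ is a complete managed-policy document, and that the path is adjusted to wherever the playbook lives in the repo. The thread names the iam_policy module (inline policies); this example uses the sibling amazon.aws.iam_managed_policy because the files look like standalone policy documents, which is an assumption. The explicit allow-list of policy names is the part that matters in a shared account: the play only ever touches the policies it lists, so a CentOS-side change to other policies is never overwritten from this side.

```yaml
# Added example (not from ansible.git): apply the IAM policy JSON files kept
# in git as AWS managed policies, one per file, named after the file stem.
- name: Manage Fedora-owned IAM policies from ansible.git
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumption: path relative to this playbook; adjust to the repo layout.
    policy_dir: files/aws/iam/policies
    # Only the policies listed here are ever created or updated. Anything
    # else in the shared AWS account (e.g. CentOS-managed policies) is left
    # untouched, which is what avoids the two repos stepping on each other.
    managed_policies:
      - fcos-builds-releng
      - robosignatory-fcos-devel
      - fcos-upload-amis
      - fedora-infra-ec2
      - fedora-centos-ec2
      - fcos-poc-artifacts
      - fedora-copr-ec2
  tasks:
    - name: Ensure each policy document in git is the live version in IAM
      amazon.aws.iam_managed_policy:
        policy_name: "{{ item }}"
        policy: "{{ lookup('file', policy_dir ~ '/' ~ item ~ '.json') }}"
        state: present
        # Drop older policy versions so the file in git is the single
        # source of truth and nobody can quietly roll back to a stale copy.
        only_version: true
      loop: "{{ managed_policies }}"
```

Running it first with `ansible-playbook --check --diff` shows, per policy, exactly what would change in IAM without applying it, which is the review step you would want before anyone gets broader IAM privileges for this.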