Create a dedicated IAM role for Jazz core services #414

rajeevr2715 · 2018-12-11T13:55:07Z

Jazz needs a dedicated IAM role that has access to AWS services that Jazz components need (ex: SES, ES:POST etc.).

Current IAM role that we create ($stackId_basic_execution) as part of stack creation is being used for user services as well as Jazz core services.

Create $stackId_platform_services that has privileged permissions & remove permissions that $stackId_basic_execution might not need (SES:* for example).
Assign this role to all Jazz core services so that all core services (functions) assume this role.
Tag these two roles that we are creating (assuming terraform supports this, if not, we can skip this).

bleggett · 2018-12-11T19:05:39Z

@rajeevr2715 Looks like tflint is failing on a bad reference to tags

rajeevr2715 · 2018-12-12T07:10:48Z

@bleggett Fixed it.

bleggett · 2018-12-12T17:44:14Z

@rajeevr2715 @suryajak @devsatishm Is this also going into the next release?

rajeevr2715 requested review from bleggett and devsatishm December 11, 2018 13:55

rajeevr2715 force-pushed the iamrolesplit branch 2 times, most recently from 38df2d3 to 102a087 Compare December 11, 2018 18:11

Split IAM role into platform and userservice basic

f400bbe

rajeevr2715 force-pushed the iamrolesplit branch from 102a087 to f400bbe Compare December 11, 2018 18:13

Tags reordering

63f4871

rajeevr2715 force-pushed the iamrolesplit branch from 41799ae to 63f4871 Compare December 12, 2018 07:07

Merge branch 'develop' into iamrolesplit

7726cb8

bleggett approved these changes Dec 12, 2018

View reviewed changes

bleggett merged commit 70fd9f0 into tmobile:develop Dec 12, 2018

rajeevr2715 mentioned this pull request Dec 14, 2018

Followup - Splunk with IAM roles #422

Merged

Provide feedback