From fa85150f3ed2dbeb2e96a2c146f0dcd5c1a4c30d Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Mon, 9 Jan 2023 10:54:24 +0100 Subject: [PATCH] hack: move terraform readmes into cli Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- .github/docs/terraform.md | 26 ++++++++++++++++++ .../terraform/terraform/iam/aws}/README.md | 27 ------------------- .../terraform/terraform/iam/azure}/README.md | 0 .../terraform/terraform/iam/gcp}/README.md | 0 4 files changed, 26 insertions(+), 27 deletions(-) create mode 100644 .github/docs/terraform.md rename {hack/terraform/aws/iam => cli/internal/terraform/terraform/iam/aws}/README.md (50%) rename {hack/terraform/azure/iam => cli/internal/terraform/terraform/iam/azure}/README.md (100%) rename {hack/terraform/gcp/iam => cli/internal/terraform/terraform/iam/gcp}/README.md (100%) diff --git a/.github/docs/terraform.md b/.github/docs/terraform.md new file mode 100644 index 000000000..07fc3ae12 --- /dev/null +++ b/.github/docs/terraform.md 
@@ -0,0 +1,26 @@ +# Terraform development + +## iamlive + +[iamlive](https://github.com/iann0036/iamlive) dynamically determines the minimal +permissions to call a set of AWS API calls. + +It uses a local proxy to intercept API calls and incrementally generate the AWS +policy. + +In one session start `iamlive`: + +```sh +iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json +``` + +In another session execute terraform: + +```sh +PREFIX="record-iam" +terraform init +HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX} +HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX} +``` + +`iamlive` will present the generated policy, and after \ the `iamlive` process it will also write it to the specified file. diff --git a/hack/terraform/aws/iam/README.md b/cli/internal/terraform/terraform/iam/aws/README.md similarity index 50% rename from hack/terraform/aws/iam/README.md rename to cli/internal/terraform/terraform/iam/aws/README.md index f15aebe37..32bfb15e7 100644 --- a/hack/terraform/aws/iam/README.md +++ b/cli/internal/terraform/terraform/iam/aws/README.md 
@@ -22,30 +22,3 @@ yq -i " .provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile) " path/to/constellation-conf.yaml ``` - -## Development - -### iamlive - -[iamlive](https://github.com/iann0036/iamlive) dynamically determines the minimal -permissions to call a set of AWS API calls. - -It uses a local proxy to intercept API calls and incrementally generate the AWS -policy. - -In one session start `iamlive`: - -```sh -iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json -``` - -In another session execute terraform: - -```sh -PREFIX="record-iam" -terraform init -HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX} -HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX} -``` - -`iamlive` will present the generated policy, and after \ the `iamlive` process it will also write it to the specified file. diff --git a/hack/terraform/azure/iam/README.md b/cli/internal/terraform/terraform/iam/azure/README.md similarity index 100% rename from hack/terraform/azure/iam/README.md rename to cli/internal/terraform/terraform/iam/azure/README.md diff --git a/hack/terraform/gcp/iam/README.md b/cli/internal/terraform/terraform/iam/gcp/README.md similarity index 100% rename from hack/terraform/gcp/iam/README.md rename to cli/internal/terraform/terraform/iam/gcp/README.md
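Review bot: in the new `.github/docs/terraform.md` hunk the proxy is started with `-bind-addr 0.0.0.0:10080` while the terraform invocations only ever point at `http://127.0.0.1:10080`; because iamlive terminates TLS with its own CA (`AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem"`) and sees every signed AWS request, listening on all interfaces exposes an intercepting proxy to the host's network for no benefit, so `-bind-addr 127.0.0.1:10080` is the safer default for a doc people copy-paste. Two smaller points in the same hunk: the closing sentence `after \ the `iamlive` process it will also write it` has lost its verb (it presumably meant after stopping the process, which is how iamlive flushes `-output-file`), and since `-force-wildcard-resource` makes the recorded statements use `Resource: "*"`, the intro's "minimal permissions" wording should carry a caveat that only the action list is minimal and the resource scope still has to be tightened by hand before the policy is shipped.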
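Review bot: the `@@ -22,30 +22,3 @@` hunk removes the whole `## Development` section from the AWS README without leaving any pointer to its new home, and the azure/gcp READMEs are moved with no change at all, so a developer opening `cli/internal/terraform/terraform/iam/aws/README.md` no longer learns that the iamlive recording procedure exists. Suggest keeping a one-line `## Development` stub that links to `.github/docs/terraform.md`, or adding that link to all three moved READMEs since the procedure is not AWS-specific in spirit. Style point on the subject line: `hack: move terraform readmes into cli` prefixes the commit with the old `hack/` location even though the files now live under `cli/internal/...`; a `cli:` or `docs:` prefix matches where the change lands.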