Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-27 09:15:22 -04:00
Code Issues Projects Releases Packages Wiki Activity

hack: move terraform readmes into cli

Browse source 
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2023-01-09 10:54:24 +01:00
parent ecdc465a42
commit fa85150f3e
4 changed files with 26 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

26
.github/docs/terraform.md vendored Normal file
View file

@ -0,0 +1,26 @@
# Terraform development
## iamlive
[iamlive](https://github.com/iann0036/iamlive) dynamically determines the minimal
permissions to call a set of AWS API calls.
It uses a local proxy to intercept API calls and incrementally generate the AWS
policy.
In one session start `iamlive`:
```sh
iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json
```
In another session execute terraform:
```sh
PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}
```
`iamlive` will present the generated policy, and after \<CTRL-C\> the `iamlive` process it will also write it to the specified file.

27
hack/terraform/aws/iam/README.md → cli/internal/terraform/terraform/iam/aws/README.md
View file

@ -22,30 +22,3 @@ yq -i "
.provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile) .provider.aws.iamProfileWorkerNodes = $(terraform output worker_nodes_instance_profile)
" path/to/constellation-conf.yaml " path/to/constellation-conf.yaml
``` ```
## Development
### iamlive
[iamlive](https://github.com/iann0036/iamlive) dynamically determines the minimal
permissions to call a set of AWS API calls.
It uses a local proxy to intercept API calls and incrementally generate the AWS
policy.
In one session start `iamlive`:
```sh
iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json
```
In another session execute terraform:
```sh
PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}
```
`iamlive` will present the generated policy, and after \<CTRL-C\> the `iamlive` process it will also write it to the specified file.

0
hack/terraform/azure/iam/README.md → cli/internal/terraform/terraform/iam/azure/README.md
View file

0
hack/terraform/gcp/iam/README.md → cli/internal/terraform/terraform/iam/gcp/README.md
View file