Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
ccdc87ad74
constellation/dev-docs/workflows/terraform.md

1.1 KiB
Raw Blame History

Terraform development

Lock file generation

Lock files are only checked in for modules where the provider is explicitly used. For modules that only consume other modules no lock file is provided to avoid duplication.

iamlive

iamlive dynamically determines the minimal permissions to call a set of AWS API calls.

It uses a local proxy to intercept API calls and incrementally generate the AWS policy.

In one session start iamlive:

iamlive -mode proxy -bind-addr 0.0.0.0:10080 -force-wildcard-resource -output-file iamlive.policy.json

In another session execute terraform:

PREFIX="record-iam"
terraform init
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform apply -auto-approve -var name_prefix=${PREFIX}
HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE="${HOME}/.iamlive/ca.pem" terraform destroy -auto-approve -var name_prefix=${PREFIX}

iamlive will present the generated policy, and after <CTRL-C> the iamlive process it will also write it to the specified file.