zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Document architectural decisions (#1506) 

* add architectural decisions log and first decision

* add header

* typo
This commit is contained in:
Ludovico Magnocavallo 2023-07-13 16:15:32 +02:00 committed by GitHub
parent 69028a801e
commit fbbe668015
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
fast/docs/0-bootstram-user-iam.md Normal file
View File

@ -0,0 +1,36 @@
# Remove initial gcloud commands needed to bootstrap
**authors:** [Ludo](https://github.com/ludoo)\
**date:** July 13, 2023
## Status
Rejected.
## Context
The initial `gcloud` commands that grant IAM roles to the user running `apply` for the first time, are sometimes seen an extra hurdle and an unnecessary complication.
These are the roles in question
- `roles/logging.admin`
- `roles/owner`
- `roles/resourcemanager.organizationAdmin`
- `roles/resourcemanager.projectCreator`
One proposal we investigated was internalizing those IAM bindings in the actual Terraform code, either via bare resources or an additional organization module invocation, and depending subsequent resources on it.
On further investigation, this poses a few challenges
- the roles in question are managed authoritatively, and it would be best they remained so (e.g. to clear the Project Creator role, or ensure Organization Administrators match what is in the code)
- project creation depends on those roles, but this creates a cycle dependency as the service accounts created are also assigned those roles, and they cannot implicitly depend (via the project) on the same roles
Working around this issue would require a substantial amount of hoops and a lot of development effort. It would also result in potentially less safe and more fragile code.
## Decision
What we decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it.
## Consequences
Nothing changes due to this decision.

3
fast/docs/README.md Normal file
View File

@ -0,0 +1,3 @@
# FAST architectural documents
This folder contains assorted bits of documentation used to log current architectural choices, or past decisions. Format is inspired by [Michael Nygard's decision record template](https://github.com/joelparkerhenderson/architecture-decision-record/blob/main/templates/decision-record-template-by-michael-nygard/index.md).