
Switch to Custom IAM Instance Policy configuration

Grant Young requested to merge gy-iam-policy-config into main

What does this MR do?

Follow up from !546 (merged)

MR refactors IAM Instance Policy handling to be more synergistic with GET code.

The previous approach was to allow users to pass in IAM Instance Profiles. This looked fine initially, but after diving further into edge cases this started to show problems that would require complicated code conditionals with notable maintenance costs. The main issue is that, since this is the path to provide permissions to AWS Instances, GET sometimes needs to create its own Roles to achieve this, so having users pass in their own Roles was a clash.

The new approach then is to drop down the IAM Policy level and let GET manage the Roles and Profiles, which are more containers for Policies, as follows:

  • Users can now pass IAM Policy ARNs into GET on either a default (all) or specific component level. In this case Default and Component policies will be merged if both passed.
  • If passed, a Profile and Role will be created for component instances and the policies attached
  • For Sidekiq and Rails, GET will also attach the appropriate policies automatically for S3 Object Storage
    • The previous gitlab_s3_profile will be removed and separate profiles created for each instead. This is not a breaking change and is actually a better security practice.

The benefits of this approach are that users now only need to concern themselves with Policies, we can continue to manage S3 policies correctly, and it's harmonious with the approach we're likely to take with GCP.
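As an added illustration of the pattern described above (example Terraform, not GET's own code), the following builds one Role and Instance Profile for a single component from the merged default and component policy ARN lists. The variable names and resource names are assumptions for the example only.

```hcl
# Added example, not GET's real configuration: variable names are assumed.
variable "default_iam_instance_policy_arns" {
  type    = list(string)
  default = []
}

variable "sidekiq_iam_instance_policy_arns" {
  type    = list(string)
  default = []
}

locals {
  # Default and component policies are merged; toset() drops an ARN
  # that was passed at both levels so it is attached only once.
  sidekiq_policy_arns = toset(concat(
    var.default_iam_instance_policy_arns,
    var.sidekiq_iam_instance_policy_arns
  ))
}

# Trust policy limited to the EC2 service, so the Role can only be
# used via an Instance Profile and not assumed by other principals.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "sidekiq" {
  name               = "gitlab-sidekiq"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# One attachment per ARN. Each component gets its own Role and Profile,
# so a policy granted to Sidekiq is not implicitly granted to other nodes.
resource "aws_iam_role_policy_attachment" "sidekiq" {
  for_each   = local.sidekiq_policy_arns
  role       = aws_iam_role.sidekiq.name
  policy_arn = each.value
}

resource "aws_iam_instance_profile" "sidekiq" {
  name = "gitlab-sidekiq"
  role = aws_iam_role.sidekiq.name
}
```

Running `terraform plan` against an environment built with the old shared profile shows the per-component Profiles being added, which is the place to check that no existing instance loses its profile.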

Related issues

Closes #397 (closed)

Author's checklist

When ready for review, the Author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up to date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected. Consider testing it in different environment sizes (1k, 3k, 10k, etc.).
    • Documentation created/updated in the same MR.
    • If this MR adds an optional configuration - check that all permutations continue to work.
    • For Terraform changes: set up a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided, please add a comment to the current MR.
  • Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young
