salesforce/aws-allowlister

Go/Terraform Integration

Closed this issue · 9 comments

@kmcquade thanks for making this tool! I have a use case where I'd like to run this through Terraform, which currently I basically execute the pull into JSON and then soup it up, but I was wondering if there was any interest in making this part of a custom provider? This is somewhat a feature request, but due to the fact that it's a completely different implementation strategy, feel free to close if you don't find interest in it!

jdyke commented

Hey @danquack ! In the meantime, you can find all of the compliance SCPs in the repo here: https://github.com/ScaleSec/terraform_aws_scp/tree/main/compliance_scp

Right now I am manually updating the Terraform as this repo is updated, but that's not the long-term solution (really not scalable). I actually talked with @kmcquade today about keeping the two repos synced somehow, but it may make more sense to add tf to this one.

@jdyke does it make sense to do a webhook trigger from this repo to yours on publish to keep them in sync? Happy to contribute to whatever solution you decide on if need be.

Perhaps we can include Terraform module creation inside this repository, as part of this: https://github.com/salesforce/aws-allowlister/blob/main/Makefile#L60-L61

And the ScaleSec repository can leverage this as a remote Terraform module. Thoughts?

jdyke commented

Happy to reference it as a module from terraform_aws_scp -> aws-allowlister, it doesn't make sense to maintain it in two different places. Single source of truth is preferred and this repo is better suited for that.

I was just about to suggest the module approach as well. It will make it easy for anyone to include it in their own code (I know we want to!). The versioning on the module is important so that people don't accidentally pick up new SCP policy versions they didn't mean to use.

I would recommend having the module in a separate repo though, as Terraform/Hashi's structure around modules is quite specific and most modules I've ever seen live at the root of their GH repo. Will require syncing through a GH Action on the module repo probably, but easier from a usability perspective. @antonbabenko is an expert in this stuff.
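As an added illustration (not code from either repository or from any commenter) of the version-pinning point raised above: a consumer references the SCP module as a remote Git source and pins it to an explicit tag, so a new release of the policies never changes the deployed SCP until someone deliberately bumps the `ref`. The module path `compliance_scp`, the tag `v1.0.0`, the `target_id` input and the organizational-unit ID are assumptions for the sake of the example; the real module's inputs would be whatever the module repository documents.

```hcl
# Constructed example: consuming the SCP module from Terraform with a pinned version.
# Repository and module path are assumed; the tag is a placeholder, not a real release.
module "compliance_scp" {
  # Pinning with ?ref= means `terraform init -upgrade` will not silently pull
  # a newer policy version; changing the tag becomes a reviewable diff.
  source = "git::https://github.com/ScaleSec/terraform_aws_scp.git//compliance_scp?ref=v1.0.0"

  # Hypothetical input: the OU or account the SCP should be attached to.
  target_id = "ou-EXAMPLE-PLACEHOLDER"
}

# Surfacing the policy document as an output makes the pinned version easy to
# inspect in `terraform plan` and to diff between tags during a bump.
output "compliance_scp_policy" {
  value = module.compliance_scp.policy_json # assumed output name
}
```

With a floating reference such as `ref=main`, every `terraform init -upgrade` would fetch whatever policy the upstream repo currently publishes; with a tag, the change shows up only when the tag in the `source` string is edited and reviewed.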

That could make sense. It would have the benefit of clear GitHub issues dedicated to the Terraform module only.

@jdyke @kmcquade If I'm understanding this right, it makes sense to close this issue and open a new one in terraform_aws_scp?

jdyke commented

That is desirable from my point of view to keep the repos focused. The terraform repo is strictly for AWS SCPs written in HCL and already has some documentation outlining what they do. In the end it's up to @kmcquade !

I am cool with having this in the Terraform repo under ScaleSec!