terraform-google-modules/terraform-google-bastion-host

Pull OS Login into its own submodule like IAP tunneling

onetwopunch opened this issue · 4 comments

This should encapsulate the following logic:

  • Downscoped role including random ID
  • IAM membership
  • local-exec to iterate through a passed-in list of instances, adding the oslogin-enabled metadata if it's not already present and, on destroy, removing it.

  • Downscoped role including random ID
  • IAM membership

These seem like good ideas.

I'm not sure about local-exec being added though. I'd still prefer to keep that label as managed through the instance config. Let's start without that.

Do you think the combo of those two is useful enough to make a separate module for, though, since the metadata is also required to make OS Login work? I kind of like the idea of a module being end-to-end enablement of a feature or service, which isn't really possible for OS Login without having the instance metadata be in scope. I'm fine adding the submodule, just want to make sure it's actually useful on its own.

I think those two alone are a helpful start; we can consider what else to add in a future iteration.

Closing for now since I haven't really seen much of a need for this feature in practice. Most often, when folks use OS Login in Terraform, they don't do it at the instance level but rather at the project level.
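For reference, the three pieces discussed in this thread (a downscoped custom role with a random ID suffix, non-authoritative IAM membership, and the metadata that actually turns OS Login on) fit together as below. This is an added illustration written for this thread, not code from terraform-google-bastion-host or its submodules; the variable names, the role title, the permission list and the choice of project-level metadata (the pattern the closing comment describes) are assumptions made for the example. Note that the GCE metadata key is `enable-oslogin`, and that a value set on an individual instance overrides the project-level value.

```hcl
# Added example (not the project's own code). Assumed inputs: var.project and
# var.members, e.g. ["user:alice@example.com", "group:bastion-users@example.com"].

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    random = { source = "hashicorp/random" }
  }
}

variable "project" { type = string }
variable "members" { type = list(string) }

# Random suffix for the custom role id. Deleted custom roles stay reserved for
# a grace period and can be undeleted, so recreating a role with a fixed id
# right after a destroy fails; a fresh suffix per deployment avoids that.
resource "random_id" "role_suffix" {
  byte_length = 4
}

# Downscoped role: only what an OS Login user needs beyond roles/compute.osLogin
# (the exact permission list is an assumption for this example).
resource "google_project_iam_custom_role" "os_login_project_get" {
  project     = var.project
  role_id     = "osLoginProjectGet_${random_id.role_suffix.hex}"
  title       = "OS Login Project Get"
  description = "Read project metadata for OS Login; narrower than roles/compute.viewer"
  permissions = ["compute.projects.get"]
}

# IAM membership with *_iam_member (non-authoritative), so applying this module
# adds bindings for the listed members without clobbering existing ones.
resource "google_project_iam_member" "os_login" {
  for_each = toset(var.members)
  project  = var.project
  role     = "roles/compute.osLogin"
  member   = each.value
}

resource "google_project_iam_member" "os_login_project_get" {
  for_each = toset(var.members)
  project  = var.project
  role     = google_project_iam_custom_role.os_login_project_get.name
  member   = each.value
}

# Project-level enablement. Every instance in the project without its own
# enable-oslogin key inherits this; an instance that sets enable-oslogin=FALSE
# in its metadata overrides it, which is the gap the local-exec proposal above
# was meant to close.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  project = var.project
  key     = "enable-oslogin"
  value   = "TRUE"
}
```

Because the bindings use `google_project_iam_member` rather than `google_project_iam_binding`, destroying this module removes only the members it added; the metadata item, being a single key, is removed cleanly on destroy as well.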