Cloud security (add new team member)

[davidcheung]

• workflow to add someone to a zero project
• provision new IAM for new team member
  • access to ECR
  • access to EKS
  • access to s3 buckets (mainly terraform ones, the rest should be handled via ci/cd pipeline)
• github integration
• default roles for developers, admins
• Different k8s roles for developers / admins? (Maybe limit devs to read only + exec to pods)

[sshi100]

Workflow(draft):

1. DevOps: create a few default IAM roles 'admin' 'developer' with corresponding policies (via TF)
2. IT: pass a new developer username john.smith to DevOps
3. DevOps: add ('john.smith', 'developer') to a user-role list, and apply

[sshi100]

Extensions per review with @bmonkman :

• support access to Kubernetes via aws-auth
• support user-roles 1:N with list( tuple( string, list(string) ) )
• create terraform_zero_modules/iam_users module

[sshi100]

Enhancement per discussion with @bmonkman : considering of User Experience for Startup, we want users to access AWS simply rather than enforcement of assume-role via aws sts, etc). Decided to use 'group' for AWS access instead of 'role, while use 'role' for k8s access as current.

[sshi100]

PR:
commitdev/terraform-aws-zero#6
commitdev/zero-aws-eks-stack#99

[sshi100]

Enhancement:

• allow new users created to be shared crossing Stage and Production environments
• allow to config K8S rules

[sshi100]

Enhancement:

• allow new user to assume role to do things

[sshi100]

Completed. Will enhance client experience with https://app.zenhub.com/workspaces/commit-zero-5da8decc7046a60001c6db44/issues/commitdev/zero-aws-eks-stack/109