Rationalize compute permissions and security model #145
Comments
We now apply a Role for ECS Tasks using the same policies as our Lambda based compute. We will need to review these default policies per #145, but for now at least all our compute will be consistent on what it can/can't access.
Hitting this in the Learning Machine deployment, where we need to give |
@lukehoban thanks so much for adding |
Unfortunately, there's no fine-grained managed policy that allows |
This change exposes a getLoadBalancer function so that callers can use it when wiring up other AWS infrastructure. For instance, we need this in the customer stack to point the CDN at the web stack. To access it, you can do, for example

    import * as cloud from "@pulumi/cloud";
    import * as awscloud from "@pulumi/cloud-aws";
    let svc = new cloud.Service(...);
    let lb = (svc as awscloud).getLoadBalancer();

I've tried to do this in the most elegant way possible, with the caveat that this of course needs to be revisited as part of #145 alongside the other similar things.
We will likely more broadly re-consider some of the design approaches in this library - but at this point I don't think we need to track this specific issue by itself.
We need to define our security and permissions model both at the general @pulumi/cloud level, and as it needs to be implemented in @pulumi/cloud-aws (and others).

Once we do lock things down more by default, we will also need to define how users who know they are on AWS can open up access explicitly through APIs.