Split CARMv2 functionality into Team Level Role and Service Level Role (#158)

Issue #, if available:

Description of changes:

This PR aims to resolve a concern where a user migrating from CARMv1 to v2 (i.e. to teamIDs and service level isolation support) might end up with their resources re-created into incorrect accounts just by enabling the feature flag, due to lack of v2 configuration.

The PR splits the CARMv2 feature into 2 different features, each behind its own feature flag:

1. team level role - `TeamLevelCARM`, the mappings are being stored in a new configmap `ack-role-team-map`
2. service level role - `ServiceLevelCARM`, the mappings can be stored in both the existing configmap `ack-role-account-map` and the new configmap `ack-role-team-map`

When both feature flags are **ENABLED**, the configmap setup may look like below (this is currently all squeezed into the CARMv2 map, i.e. `ack-carm-map`):

`ack-role-team-map` 👇

```yaml
data:
  team-a: "arn:aws:iam::111111111111:role/team-a-global-role"
  s3.team-a: "arn:aws:iam::111111111111:role/team-a-s3-role"
  dynamodb.team-a: "arn:aws:iam::111111111111:role/team-a-dynamodb-role"
```

`ack-role-account-map` 👇

```yaml
data:
  111111111111: arn:aws:iam::111111111111:role/global-role
  s3.111111111111: arn:aws:iam::111111111111:role/s3-role
  dynamodb.111111111111: arn:aws:iam::111111111111:role/dynamodb-role
```

When both feature flags are **DISABLED**, or neither the teamID annotation nor service level roles are set up, the runtime continues to use the existing CARMv1 setup:

`ack-role-account-map` 👇

```yaml
data:
  111111111111: arn:aws:iam::111111111111:role/global-role
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
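To make the two-flag lookup concrete, here is an added example resolver (not code from the ACK runtime or this commit) that consults the two configmaps above. The precedence it applies (service-scoped key before global key, team map before account map, disabled flags hiding their keys so a half-configured setup falls back to the CARMv1 key) is an assumption for the example; the sample maps are constructed from the data shown in the commit message.

```go
package main

import "fmt"

// Flags mirrors the two feature gates introduced by this commit.
type Flags struct {
	TeamLevelCARM    bool
	ServiceLevelCARM bool
}

// Sample data constructed from the two configmaps shown in the commit message.
var TeamMap = map[string]string{
	"team-a":          "arn:aws:iam::111111111111:role/team-a-global-role",
	"s3.team-a":       "arn:aws:iam::111111111111:role/team-a-s3-role",
	"dynamodb.team-a": "arn:aws:iam::111111111111:role/team-a-dynamodb-role",
}
var AccountMap = map[string]string{
	"111111111111":          "arn:aws:iam::111111111111:role/global-role",
	"s3.111111111111":       "arn:aws:iam::111111111111:role/s3-role",
	"dynamodb.111111111111": "arn:aws:iam::111111111111:role/dynamodb-role",
}

// ResolveRoleARN returns the role ARN to assume for one resource, given the
// data sections of ack-role-team-map and ack-role-account-map, the service
// name, the namespace's team annotation ("" if absent) and the owner account.
// Precedence is an assumption for this example, not stated by the commit.
// Keys behind a disabled flag are never consulted, so the CARMv1 key wins.
func ResolveRoleARN(f Flags, teamMap, accountMap map[string]string,
	service, teamID, accountID string) (string, error) {
	type probe struct{ m map[string]string; key string }
	var probes []probe
	if f.TeamLevelCARM && teamID != "" {
		if f.ServiceLevelCARM {
			probes = append(probes, probe{teamMap, service + "." + teamID})
		}
		probes = append(probes, probe{teamMap, teamID})
	}
	if f.ServiceLevelCARM {
		probes = append(probes, probe{accountMap, service + "." + accountID})
	}
	probes = append(probes, probe{accountMap, accountID}) // CARMv1 key, always last
	for _, p := range probes {
		if arn, ok := p.m[p.key]; ok && arn != "" {
			return arn, nil
		}
	}
	return "", fmt.Errorf("no role mapping for account %s (team %q, service %s)", accountID, teamID, service)
}
```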
Showing 5 changed files with 96 additions and 110 deletions.