This message was deleted.
# atlantis-communitys
Slackbot
05/03/2023, 10:27 PMThis message was deleted.
p
PePe Amengual
05/04/2023, 5:37 AMdefine physically?
PePe Amengual
05/04/2023, 5:38 AMI use an atlantis ECS fargate that can assume roles in multiple accounts
PePe Amengual
05/04/2023, 5:39 AMthen my providers is set :
Copy code
provider "aws" {
region = var.region
assume_role {
role_arn = format("arn:aws:iam::%s:role/atlantis-%s-automation-role", var.account_number, var.account_name)
}
}PePe Amengual
05/04/2023, 5:39 AMthere is a map of variables that hold the accounts numbers or you can us the account_name
o
Oleg Gumbar
05/04/2023, 9:40 AMYes, let’s say we have Atlantis instance in ECS fargate, but it has god mode permissions. Let’s imagine we have repo A and repo B. Repo A needs access for AWS account X, repo B needs access for AWS account Y. Sure, I can assume specific roles, but theoretically someone can try to assume role in AWS account Y using repo A and I would like to prevent that physically, in addition to control of IaC repository contents.
j
Justin S
05/04/2023, 1:49 PM@Oleg Gumbar I dont think you have an atlantis issue, its a user/trust issue. You could probably tell atlantis to not allow applies until the PR is approved, and require approvals. So someone has to review your code before its allowed to run.
o
Oleg Gumbar
05/04/2023, 3:21 PM“trust me bro” isn’t solution here I believe
j
Justin S
05/04/2023, 3:22 PMgood thing i didnt say that
o
Oleg Gumbar
05/04/2023, 3:22 PMI have 4 teams working separately
Oleg Gumbar
05/04/2023, 3:22 PMAnd I would like them to outsource review of code planned and applied by someone
Oleg Gumbar
05/04/2023, 3:25 PMI would like solution to be a bit zero-trust by design and not depend from how much do you trust users
Oleg Gumbar
05/04/2023, 3:26 PMSolution where human factor plays role - cannot be scaled
Oleg Gumbar
05/04/2023, 3:27 PMProbably I can solve this using pre-hooks
Oleg Gumbar
05/04/2023, 3:28 PMWhere I can get/set credentials per repo
p
PePe Amengual
05/04/2023, 3:29 PMopen an issue as "zero trust in atlantis " or something like that , there is a big move lately about this, you might get ideas on how to implement some of it, but at this point Atlantis have Opa/contest policies and some VCS rules and that is all
o
Oleg Gumbar
05/04/2023, 3:29 PMYes, but policy check is running after plan
Oleg Gumbar
05/04/2023, 3:29 PM=/
p
PePe Amengual
05/04/2023, 3:31 PMwhat you describe could be acchived by having multiple Atlantis servers and locked down at the cloud provider level and using Vault etc
PePe Amengual
05/04/2023, 3:31 PMnot exactly but close
o
Oleg Gumbar
05/04/2023, 3:32 PMIs there possibility to use policies before plan or init?
p
PePe Amengual
05/04/2023, 3:34 PMI don't know
PePe Amengual
05/04/2023, 3:35 PMthat doesn't stop you running a pre-workflow hook to do whatever
PePe Amengual
05/04/2023, 3:35 PMand that is before any command run