Document architectural decisions #1506

Merged
merged 3 commits into from
Jul 13, 2023
36 changes: 36 additions & 0 deletions fast/docs/0-bootstram-user-iam.md
@@ -0,0 +1,36 @@
# Remove initial gcloud commands needed to bootstrap

**authors:** [Ludo](https://github.com/ludoo)\
**date:** July 13, 2023

## Status

Rejected.

## Context

The initial `gcloud` commands that grant IAM roles to the user running `apply` for the first time, are sometimes seen an extra hurdle and an unnecessary complication.

These are the roles in question

- `roles/logging.admin`
- `roles/owner`
- `roles/resourcemanager.organizationAdmin`
- `roles/resourcemanager.projectCreator`

One proposal we investigated was internalizing those IAM bindings in the actual Terraform code, either via bare resources or an additional organization module invocation, and depending subsequent resources on it.

On further investigation, this poses a few challenges

- the roles in question are managed authoritatively, and it would be best they remained so (e.g. to clear the Project Creator role, or ensure Organization Administrators match what is in the code)
- project creation depends on those roles, but this creates a cycle dependency as the service accounts created are also assigned those roles, and they cannot implicitly depend (via the project) on the same roles

Working around this issue would require a substantial amount of hoops and a lot of development effort. It would also result in potentially less safe and more fragile code.

## Decision

What we decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it.

## Consequences

Nothing changes due to this decision.
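Review bot: The new file name `0-bootstram-user-iam.md` appears to be misspelled ("bootstram" for "bootstrap"), and the Context section has wording slips worth fixing before merge: "are sometimes seen an extra hurdle" is missing "as", "cycle dependency" should read "cyclic dependency" (or "dependency cycle"), and "depending subsequent resources on it" reads more naturally as "making subsequent resources depend on it". On substance, "Nothing changes due to this decision" under Consequences understates what the record itself implies: the manual `gcloud` grants keep giving the bootstrap user the four roles listed in Context (`roles/owner` and `roles/resourcemanager.organizationAdmin` among them), and since the Context says these roles are meant to stay authoritatively managed in code (e.g. to clear Project Creator), it would help operators to state explicitly whether and when the bootstrap user's bindings are expected to be reconciled or removed once the service accounts hold them.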
3 changes: 3 additions & 0 deletions fast/docs/README.md
@@ -0,0 +1,3 @@
# FAST architectural documents

This folder contains assorted bits of documentation used to log current architectural choices, or past decisions. Format is inspired by [Michael Nygard's decision record template](https://github.com/joelparkerhenderson/architecture-decision-record/blob/main/templates/decision-record-template-by-michael-nygard/index.md).
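Review bot: The README does not document the naming convention that the first record in this PR uses (a numeric prefix such as `0-` followed by a short slug), whether the numbers are meant to be sequential, or which sections a record needs (the first record uses Status, Context, Decision and Consequences from the linked template). One or two sentences on how to name and structure a new record would keep future additions consistent.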