Finally getting to this thread... it's been crazy.

On Mon, Nov 24, 2025 at 01:44:44PM -0600, Michael Winters via infrastructure wrote:
> This would normally be a Matrix convo but many are out this week. Plus
> there are apparently several independent groups involved here, so my
> questions might not have a single answer. For background: I'm an AWS expert,
> trying to get oriented to Fedora Infra AWS so I can both run some Fedora
> CommOps POCs and contribute to general infra needs. I'm curious about our
> Infrastructure as Code (IaC) situation as a first point of orientation.
> From the AWS access SOP, it looks like user access roles and policies are
> being created by hand in the AWS console. Is that correct? I'm still

Yep it is. We seldom add new groups so that part of it isn't much effort.
We do need to manage IAM policies and that's I think where there is pain.

In the past we talked about putting that in a single repo somewhere, but
never could agree on what that would look like. I personally would be fine
just having that open so people could see it/file PRs/etc... but there's
other groups that don't want that. We could manage them from infra ansible,
but again, it's a shared resource so folks didn't really like us managing
it directly.

I can reopen that discussion and see if we can make any progress on
something. If you have thoughts on what that would best look like, that
would be great.

> learning my way around our mega-ansible and nirk showed me the policies but
> I don't see any roles. Also, how are various groups managing their AWS
> infra? (Terraform / CloudFormation / something else?) Do we have a CI/CD
> somewhere for these things? And what about billing alerts? Do we have a way
> for the right people (as indicated by resource tags) to notice quickly
> whether they've accidentally racked up some huge bills? If all of these
> capabilities are missing today, I'd be happy to help address that. Thanks in
> advance! Michael Winters

Yeah, as you can see downthread, each group manages their resources their
own way. All be that terraform, home grown, manual, ansible, etc.

For fedora infra things are pretty manual. We don't really have a hard
dependency on aws. We have some proxy instances in regions we don't have
otherwise anything in, some cloudfront distributions (mostly for other aws
fedora users to use, but also ostree/atomic for caching). We also of course
upload fedora images and manage those (with our own app).

We don't have billing alerts because it's a community account and I don't
think it will let us set them. We can't even create reports, only see the
default billing monthly info. ;( Unless it's changed recently.

There are the reports sent to this list also (but doesn't include
everything).

I don't like that I am a blocker here, but there's only so many hours in
the day and so many sanity points I have. ;(

I will try and poke all the folks that have access and see if we can
improve things. Perhaps we should have some thoughts to propose?

kevin
