1 Answer
My approach has been: tie the role to the "thing" that consumes/needs it; centralizing might seem good but can be dangerous because of a larger impact.
If you're using StackSets, why not set one region as your "main" one and create a condition on the IAM role that only creates it within that region? This way you can still use a single StackSet but only have one IAM role.
Otherwise, you could set up roles within another stack, turn on termination protection and export its ARN. Something like `FunctionalityX-Lambda-RoleArn`.
Personally I try to avoid custom resources where they aren't required, especially if you see potentially a lot of updates/changes.
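A CloudFormation template illustrating the region condition and the exported ARN suggested in the answer above. This is an added example, not part of the original answer; the `MainRegion` parameter and its default, the role name `FunctionalityX-Lambda-Role`, and the sample function are constructed assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - one IAM role per account from a multi-region StackSet.

Parameters:
  MainRegion:
    Type: String
    Default: us-east-1          # assumption: the region picked as the "main" one

Conditions:
  # True only in the stack instance deployed to the main region.
  IsMainRegion: !Equals [!Ref "AWS::Region", !Ref MainRegion]

Resources:
  FunctionalityXLambdaRole:
    Type: AWS::IAM::Role
    Condition: IsMainRegion     # IAM is global, so create the role exactly once
    Properties:
      RoleName: FunctionalityX-Lambda-Role   # fixed name so other regions can build the ARN
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  FunctionalityXFunction:       # the "thing" that consumes the role, present in every region
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      # Main region: reference the resource. Other regions: rebuild the same ARN by name.
      Role: !If
        - IsMainRegion
        - !GetAtt FunctionalityXLambdaRole.Arn
        - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/FunctionalityX-Lambda-Role
      Code:
        ZipFile: |
          def handler(event, context):
              return "ok"

Outputs:
  RoleArn:
    Condition: IsMainRegion
    Value: !GetAtt FunctionalityXLambdaRole.Arn
    Export:
      Name: FunctionalityX-Lambda-RoleArn   # exports are per region: importable only in MainRegion
```

The stack instance in the main region has to deploy before the others, since they reference the role by name without creating it. Termination protection is a stack-level setting and is enabled outside the template.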