iamlive
GitHub Actions workflow running iamlive - how long to wait until the iam output file is fully populated
Hi,
I have a GitHub Actions workflow which essentially does this:
- starts iamlive
- runs terraform (with overly permissive permissions so it runs to completion)
- stops iamlive with a SIGTERM
I have noticed that if I stop iamlive as soon as the terraforming has completed, then the iamlive output file does not have all the permissions in the file that it has used for the terraforming - as it seems iamlive takes an unknown amount of time to fully populate that file.
So I have set a wait of 60 secs after the terraforming and before I stop iamlive.
Is 60 secs a reasonable time to wait, or should it be longer/shorter in duration?
Thanks.
Hey @scott-doyland-burrows,
I'm not aware of any implementation-specific reason why this would be the case. The proxy is running on a thread which sends results back to main in order to write the policy, so there might be a short (probably no more than 1 second) delay in this transfer. Could you let me know if a 1 second sleep fixes your issue, or if not can you estimate the approximate threshold via trial and error?
I have noticed it while running iamlive in CSM mode, with just using ./iamlive so it runs in a separate terminal in the foreground. It takes a few seconds sometimes.
I set it to just a couple of seconds in my workflow and it seems fine, but I think I will keep it at 60 secs to be on the extremely safe side, it seems the more permissions that are added, the longer it can take.
I initially run terraform with overly permissive permissions, so as to allow iamlive to pick up on all the actual used permissions, so it sometimes adds in upwards of 40 permissions in one go.
It is only really noticeable I guess when running it as part of an automated workflow. Stopping iamlive as quickly as possible after terraform completed missed maybe 10 or so permissions out of about 50. Not a big deal as long as the user is aware to put in a sleep step.
Also - I wanted to say that iamlive is a fantastic tool - it has simplified setting the permissions so much, especially now that I have incorporated it into my GitHub Actions workflows.
Thanks.
Hey @scott-doyland-burrows,
Appreciate the feedback. There may be some internal buffering or similar going on so I'll have to look into that. Won't have anything in the short term though. Hopefully memory issues aren't affecting it either.
@scott-doyland-burrows any chance you can share the action?
> @scott-doyland-burrows any chance you can share the action?
This is my composite action - but it does more than just run iamlive so you will need to tweak it for your needs:
https://github.com/scott-doyland-burrows/gha-composite-terraform-iamlive
> > @scott-doyland-burrows any chance you can share the action?
>
> This is my composite action - but it does more than just run iamlive so you will need to tweak it for your needs:
> https://github.com/scott-doyland-burrows/gha-composite-terraform-iamlive
Is the link broken?
It was set to private - I have now set it to public.
It isn't something you can just pick up and use, it requires quite a lot of other config in place, such as a GitHub App, AWS login etc.
Overall, all the action does is take in some values and pass them into a bash script to do the terraforming. The script also allows IAMlive to be run.
@scott-doyland-burrows,
Would you mind sharing your code? I'd love to use and contribute to this project.
Thanks