How Do You Migrate from RBAC to OBAC with Terraform?
Originally posted on Squadcast.com
Introduction
In this blog post, we explore the transition from Role-Based Access Control (RBAC) to Object-Based Access Control (OBAC) using Terraform. This shift not only alters how permissions are managed but also impacts the configuration of various resources. We'll get into the steps involved in migrating key resources like Squadcast team role, Squadcast team member, and Squadcast squad, highlighting the changes required in Terraform configurations.
Squadcast Team Role
The shift from RBAC to OBAC significantly changes how permissions are managed within our infrastructure. One key difference is the absence of traditional 'Roles' in OBAC. This means that APIs previously utilized by squadcast_team_role resources will no longer be accessible.
Steps involved:
- Comment out or remove the relevant resources or data sources from your .tf files. For example, you may need to modify configurations like:
data "squadcast_team" "example_team" {
  name = "example team name"
}

resource "squadcast_team_role" "example_team_role_1" {
  name      = "Test Role"
  team_id   = data.squadcast_team.example_team.id
  abilities = ["create-escalation-policies", "read-escalation-policies", "update-escalation-policies"]
}

resource "squadcast_team_role" "example_team_role_2" {
  name      = "Sample Role"
  team_id   = data.squadcast_team.example_team.id
  abilities = ["create-escalation-policies", "read-escalation-policies", "update-escalation-policies"]
}
- After updating your configurations, use the terraform state rm command to remove the affected resources from the state file. For example:
terraform state rm squadcast_team_role.example_team_role_1
terraform state rm squadcast_team_role.example_team_role_2
Squadcast Team Member
In the previous RBAC permission model, managing team members required an array of role_ids to define specific roles for each member within the team. However, with the transition to OBAC, the granularity of roles has been simplified. Now, team members can only have the "owner", "member", or "stakeholder" role assigned.
Let's explore how this change impacts the configuration of adding a team member:
data "squadcast_team" "example_team" {
  name = "example team name"
}

data "squadcast_user" "example_user" {
  email = "example@squadcast.com"
}

resource "squadcast_team_member" "example_team_member" {
  team_id  = data.squadcast_team.example_team.id
  user_id  = data.squadcast_user.example_user.id
  # RBAC only: references a role defined with squadcast_team_role
  role_ids = [data.squadcast_team_role.example_team_role.id]
}
In OBAC, the process shifts to assigning a role directly to the member:
resource "squadcast_team_member" "example_team_member" {
  team_id = data.squadcast_team.example_team.id
  user_id = data.squadcast_user.example_user.id
  role    = "owner" # or "member", "stakeholder"
}
Squadcast Squads
Creating Squads under the RBAC model was straightforward – simply passing an array of members to the squad sufficed.
For instance:
data "squadcast_team" "example_team" {
  name = "example team name"
}

data "squadcast_user" "example_user" {
  email = "example@squadcast.com"
}

data "squadcast_user" "example_user_2" {
  email = "example2@squadcast.com"
}

resource "squadcast_squad" "squad" {
  name    = "My squad"
  team_id = data.squadcast_team.example_team.id

  members {
    user_id = data.squadcast_user.example_user.id
  }

  members {
    user_id = data.squadcast_user.example_user_2.id
  }
}
However, with the introduction of OBAC, each member of a squad needs to be assigned a specific role, either "owner" or "member", with at least one member designated as the owner.
In the new setup:
resource "squadcast_squad" "squad" {
  name    = "My squad"
  team_id = data.squadcast_team.example_team.id

  members {
    user_id = data.squadcast_user.example_user.id
    role    = "owner"
  }

  members {
    user_id = data.squadcast_user.example_user_2.id
    role    = "member"
  }
}
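Before applying a migrated configuration, it is useful to check the OBAC constraints described above (no remaining squadcast_team_role resources, team member roles limited to owner/member/stakeholder, every squad member with an owner or member role and at least one owner) against the plan. The following is an added example, not code from the original post or from the Squadcast provider; it assumes plan JSON in the shape produced by `terraform show -json tfplan`, and the embedded plan is a constructed sample.

```python
"""Pre-apply OBAC check over `terraform show -json` output (added example)."""
import json

SQUAD_ROLES = {"owner", "member"}
TEAM_MEMBER_ROLES = {"owner", "member", "stakeholder"}


def check_plan(plan: dict) -> list[str]:
    """Return findings for OBAC violations; an empty list means the plan is clean."""
    findings = []
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        addr, rtype, vals = res["address"], res["type"], res.get("values") or {}
        if rtype == "squadcast_team_role":
            # Roles do not exist under OBAC; remove from config and state instead.
            findings.append(f"{addr}: squadcast_team_role is unsupported under OBAC")
        elif rtype == "squadcast_team_member":
            if vals.get("role_ids"):
                findings.append(f"{addr}: uses RBAC role_ids; replace with role")
            if vals.get("role") not in TEAM_MEMBER_ROLES:
                findings.append(f"{addr}: role must be one of {sorted(TEAM_MEMBER_ROLES)}")
        elif rtype == "squadcast_squad":
            members = vals.get("members") or []
            if any(m.get("role") not in SQUAD_ROLES for m in members):
                findings.append(f"{addr}: every squad member needs role owner or member")
            if not any(m.get("role") == "owner" for m in members):
                findings.append(f"{addr}: at least one squad member must be owner")
    return findings


# Constructed sample plan (abridged `terraform show -json` shape), not real output.
SAMPLE_PLAN = json.loads("""{
  "planned_values": {"root_module": {"resources": [
    {"address": "squadcast_team_role.example_team_role_1", "type": "squadcast_team_role",
     "name": "example_team_role_1", "values": {"name": "Test Role"}},
    {"address": "squadcast_team_member.example_team_member", "type": "squadcast_team_member",
     "name": "example_team_member", "values": {"role": "owner"}},
    {"address": "squadcast_squad.squad", "type": "squadcast_squad", "name": "squad",
     "values": {"name": "My squad", "members": [
       {"user_id": "u1", "role": "member"}, {"user_id": "u2", "role": "member"}]}}
  ]}}
}""")

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(finding)
```

Run it as `terraform show -json tfplan | python check_obac.py` after replacing SAMPLE_PLAN with `json.load(sys.stdin)`; a non-empty result means the configuration still carries RBAC-era settings.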
Migrating from RBAC to OBAC requires careful consideration and adjustments to Terraform configurations. By understanding the changes in permissions structure and updating configurations accordingly, you can ensure a smooth transition in managing permissions within Squadcast infrastructure.
Squadcast is an Incident Management tool that’s purpose-built for SRE. Get rid of unwanted alerts, receive relevant notifications and integrate with popular ChatOps tools. Work in collaboration using virtual incident war rooms and use automation to eliminate toil.