This affects a bunch of things and is currently done a couple of different ways. The current implementation will not work long term, though.
The problem is that any resource we deploy could have a dependency on any other resource. For example, we may have an API endpoint Lambda that needs access to a specific DynamoDB table, or an EC2 instance that needs permission to access Athena or S3. These needs could change over time.
Additionally, this isn't just an "X needs access to Y" problem. Each resource type has specific permissions it can grant (e.g. read, write, list, etc.).
We need a more general way to handle this at the config layer. Perhaps something like a registry where we associate each resource with a unique ID in the config file and reference that ID in other parts of the config, resolving the actual resource name after creation during deployment.
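As an added sketch (not this project's code) of what such a registry could look like: resources are registered under a config-level ID with a type, consumers declare `(target_id, permission)` needs, and the ARN is filled in only once the target has actually been deployed. Resource types, permission verbs and the ARNs are constructed samples, and the registry fails closed on unknown IDs or permissions a type cannot grant.

```python
from dataclasses import dataclass, field

# Per-type allowed permission verbs (constructed sample; a real config would
# map these onto the exact IAM actions each resource type supports).
PERMISSIONS = {
    "dynamodb_table": {"read": ["dynamodb:GetItem", "dynamodb:Query"],
                       "write": ["dynamodb:PutItem", "dynamodb:UpdateItem"]},
    "s3_bucket": {"read": ["s3:GetObject"], "list": ["s3:ListBucket"],
                  "write": ["s3:PutObject"]},
}

@dataclass
class Registry:
    resources: dict = field(default_factory=dict)  # config id -> resource type
    deployed: dict = field(default_factory=dict)   # config id -> ARN after creation

    def register(self, rid, rtype):
        if rid in self.resources:
            raise ValueError(f"duplicate resource id {rid!r}")
        if rtype not in PERMISSIONS:
            raise ValueError(f"unknown resource type {rtype!r}")
        self.resources[rid] = rtype

    def record_deployed(self, rid, arn):
        # Called by the deploy step once the real resource name is known.
        self.deployed[rid] = arn

    def grant(self, needs):
        """Turn [(target_id, perm)] into least-privilege policy statements.
        Unknown ids, perms the target type cannot grant, and references to
        not-yet-deployed targets all raise instead of silently granting."""
        statements = []
        for target, perm in needs:
            rtype = self.resources.get(target)
            if rtype is None:
                raise KeyError(f"unknown resource id {target!r}")
            actions = PERMISSIONS[rtype].get(perm)
            if actions is None:
                raise ValueError(f"{perm!r} is not a permission of {rtype}")
            if target not in self.deployed:
                raise RuntimeError(f"{target!r} referenced before deployment")
            statements.append({"Effect": "Allow", "Action": actions,
                               "Resource": self.deployed[target]})
        return statements

def example():
    # Constructed sample: a Lambda that reads one table and writes one bucket.
    reg = Registry()
    reg.register("orders", "dynamodb_table")
    reg.register("exports", "s3_bucket")
    reg.record_deployed("orders", "arn:aws:dynamodb:us-east-1:123456789012:table/orders-a1b2")
    reg.record_deployed("exports", "arn:aws:s3:::exports-a1b2")
    return reg.grant([("orders", "read"), ("exports", "write")])
```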