I’m working at a small to medium sized company doing DevOps.
I would like to know where I can find info about good ways to protect resources created through Terraform from being edited by anyone else.
My DevOps colleagues each have admin accounts for the company AWS account. I’m worried my colleagues (or even I) would accidentally make small edits to AWS resources created via Terraform, because we forgot that that should be done through Terraform.
My idea was to make sure Terraform marks all resources with a specific default tag to indicate that I want that resource “protected” (e.g. ProtectedResource=1), and then I’d put all AWS users, including admin users, into a default group that would have policies checking that if whoever wants to make an edit to a resource is not the owner of the resource and the resource has a ProtectedResource=1 tag, then write access should be denied.
I don’t know how I would write those policies though. Also this may not be the best approach. So I would appreciate being pointed in the right direction for this with good concrete examples, rather than just general theory e.g. “configure it with policies somehow”.
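The tag-and-deny approach sketched in the post, written out as an added Terraform example (not part of the original question): a provider-wide default tag plus an IAM policy that denies mutating EC2/RDS calls on resources carrying that tag unless the caller is the Terraform execution role. The role ARN, group name and region are placeholder assumptions.

```hcl
# Added example, not from the original post. Assumed values: region, the
# Terraform execution role ARN, and the "Everyone" group holding all humans.

variable "terraform_role_arn" {
  description = "Role Terraform runs as; the only principal allowed to change tagged resources"
  default     = "arn:aws:iam::123456789012:role/terraform-apply" # placeholder
}

provider "aws" {
  region = "eu-west-1"
  default_tags {
    tags = {
      ProtectedResource = "1" # stamped on every taggable resource Terraform creates
      ManagedBy         = "terraform"
    }
  }
}

data "aws_iam_policy_document" "protect_tagged" {
  # Both conditions must hold (AND): resource is tagged AND caller is not Terraform.
  statement {
    sid    = "DenyWritesOnProtectedResources"
    effect = "Deny"
    actions = [
      "ec2:Modify*", "ec2:Delete*", "ec2:Terminate*", "ec2:Stop*",
      "ec2:CreateTags", "ec2:DeleteTags", # stops removing the guard tag by hand
      "rds:Modify*", "rds:Delete*", "rds:AddTagsToResource", "rds:RemoveTagsFromResource",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ProtectedResource"
      values   = ["1"]
    }
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = [var.terraform_role_arn]
    }
  }
}

resource "aws_iam_policy" "protect_tagged" {
  name   = "DenyWritesOnTerraformResources"
  policy = data.aws_iam_policy_document.protect_tagged.json
}

# Attach to the group every human user (admins included) belongs to.
resource "aws_iam_group_policy_attachment" "everyone" {
  group      = "Everyone" # placeholder group name
  policy_arn = aws_iam_policy.protect_tagged.arn
}
```

An explicit Deny cannot be overridden by any Allow, but it does not bind the root user and an administrator can still detach the policy, so this guards against accidental edits rather than a determined admin; the same statement in an Organizations SCP gives a boundary admins cannot remove from inside the account. Only actions with resource-level tag support honour aws:ResourceTag, so check each service's IAM action reference before extending the action list.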