RBAC for Custom Modules
Role-Based Access Control (RBAC) for Custom Modules provides structured access control for managing infrastructure components within StackGen. It enables organizations to define roles that determine who can create, modify, and share custom modules across personal workspaces, teams, and enterprises.
Custom Module Management
The Custom Module system streamlines infrastructure provisioning, allowing users and teams to define reusable configurations. RBAC ensures that module creation and sharing align with organizational policies and governance structures.
Access Scope and Permissions
Custom modules operate within three access scopes:
- Enterprise Scope: Both Admin and DevOps users at the enterprise level can create and share modules across all teams within the enterprise.
- Team Scope: Admin and DevOps users at the team level can create and manage modules for their specific team.
- Personal Workspace Scope: Individual users with appropriate roles (Admin or DevOps) can create and manage modules within their private workspace.
Role-Based Permissions
Role | Create Custom Modules | Custom Module Versioning | Import Custom Modules | Share with Teams | Share with Enterprise | Read Access |
---|---|---|---|---|---|---|
Developer | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
DevOps (Team) | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
Admin (Team) | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ |
DevOps (Enterprise) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Admin (Enterprise) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Custom Module Creation and Sharing
Create Custom Modules
You can create and configure custom modules directly within StackGen. The process includes:
Define Configuration
- Specifying a Resource Name and Resource Type
- Assigning a Version
- Providing a Terraform IaC configuration
Share Modules
- Selecting Enterprise to make the module available across all teams
- Selecting Teams to choose one or multiple teams for access
- Keeping in Personal Workspace for private use only
Import Modules
Custom modules can be imported from external sources, such as:
- Git repositories
- Terraform code snippets
Imported modules can be configured and integrated into infrastructure workflows.
Share Custom Modules
- Personal Workspace Level: Users can create modules for their own private use or choose to share them with teams or the enterprise.
- Team-Level Sharing: DevOps and Admin users at the team level can share modules within their team.
- Enterprise-Level Sharing: DevOps and Admin users at the enterprise level can share modules across all teams, ensuring organization-wide consistency.
Personal Workspaces
Personal workspaces are private environments that only the individual user can access. These workspaces function as independent teams where users have exclusive control over their resources. However, role-based permissions still apply in personal workspaces: users with the Developer role cannot create custom modules even in their personal workspace, while users with Admin or DevOps roles can create and manage custom modules within their own workspace.
Custom Modules in Personal Workspaces
Custom modules created within a personal workspace (by users with appropriate roles) can be:
- Used privately: Modules can be created for exclusive use by the user who created them
- Shared selectively: The creator can choose to share modules with specific teams or enterprise-wide
- Kept isolated: Modules can remain in the personal workspace without visibility to other users
This gives users with Admin or DevOps roles a private sandbox environment to experiment with infrastructure configurations before potentially sharing them more broadly.
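The Role-Based Permissions table and the personal-workspace rule above, applied as an access review over activity records. This is an added example, not StackGen code: the `Event` record, the action names and the user assignments are constructed for illustration and do not represent a StackGen log format or API.

```python
from dataclasses import dataclass

# Actions every DevOps/Admin row of the Role-Based Permissions table grants.
BASE = {"create", "version", "import", "share_team", "read"}

def allowed_actions(role, level):
    """Return the actions the table grants to (role, level); unknown roles get nothing."""
    if role == "Developer":
        return {"read"}  # read-only at any level
    if role in ("DevOps", "Admin") and level in ("team", "enterprise"):
        # Only enterprise-level roles may share with the whole enterprise.
        return BASE | ({"share_enterprise"} if level == "enterprise" else set())
    return set()  # deny by default

@dataclass(frozen=True)
class Event:  # hypothetical audit record, not a StackGen log format
    user: str
    action: str
    scope: str  # "personal", "team" or "enterprise"
    module: str

def audit(events, assignments):
    """Return (event, reason) pairs for actions the matrix does not permit."""
    findings = []
    for ev in events:
        grant = assignments.get(ev.user)
        if grant is None:
            findings.append((ev, "no role assignment"))
            continue
        role, level = grant
        # The role applies in every scope, the personal workspace included.
        if ev.action not in allowed_actions(role, level):
            findings.append((ev, f"{role} ({level}) may not {ev.action}"))
    return findings

# Constructed sample data.
ASSIGNMENTS = {"ana": ("Developer", "team"), "raj": ("DevOps", "team"),
               "mei": ("Admin", "enterprise")}
EVENTS = [
    Event("ana", "create", "personal", "vpc-base"),         # Developer, own workspace
    Event("raj", "share_team", "team", "rds-std"),          # permitted
    Event("raj", "share_enterprise", "team", "rds-std"),    # team-level role
    Event("mei", "share_enterprise", "enterprise", "iam"),  # permitted
    Event("zed", "import", "team", "s3-logs"),              # unassigned user
]

if __name__ == "__main__":
    for ev, reason in audit(EVENTS, ASSIGNMENTS):
        print(f"{ev.user}: {ev.action} {ev.module} in {ev.scope} scope -> {reason}")
```

Three of the five constructed events are flagged: the Developer creating a module in a personal workspace, the team-level DevOps user sharing with the enterprise, and the user with no role assignment.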
Override Mapping Policy
Override Mapping Policies are used within Cloud to Code and tfstate import to map resources to custom configurations. These policies can be included in a governance configuration to ensure that infrastructure deployments align with organizational standards.
Key Features
- Module References: Override mapping policies can reference either built-in Terraform modules or custom modules that have been imported.
- Enterprise-Level Mapping: Modules shared at the enterprise level can be referenced within override mapping policies created at the team level.
- Governance Compliance: Ensures consistency in infrastructure deployments across the organization.
Scope Restrictions
- Override mapping policies need to be explicitly created at the team level to leverage enterprise-shared modules.
- Team-specific override mapping policies can reference enterprise-level custom modules.
- Custom modules are not automatically included in team policies without explicit mapping.