Supporting Other Teams With IaC

What setup gives other teams access they need to configure infra while still keeping prod solid?

Hey folks,

I ran across a question from a person who was the solo devops practitioner at his company. He was looking for AWS infra provisioning strategies to enable other departments, such as data science and research and development, to develop their infrastructure.

This practitioner wanted to leverage his skills to support and empower other departments, while still dictating best practices and making sure prod was solid.

If you are in this situation, my advice is the Sandbox Account pattern:

  • Create a “sandbox” AWS account and environment that you can give these other departments full admin-level access to. They can use ClickOps in this environment for experimentation or whatever they want, but no infra configuration leaves the sandbox without being TF code.

  • Engineers can run terraform plan and terraform apply against that environment from their machines all they want. This offers a "local" environment to test their TF changes against before anything touches a shared environment.

  • When their TF code looks good, engineers prep the changes for dev, stage, prod, or whatever environments in their PR. All changes go live on merge to main, applied by the pipeline rather than from a laptop.

  • Want to make sure that this account doesn’t end up racking up resources on top of resources and costing you a lot of money? Run aws-nuke against that account on a daily or weekly basis to clean everything up! We wrote an open-source terraform module that does just that. Keep aws-nuke's own guardrails in place: it only lists what it would delete unless you pass --no-dry-run, it refuses to start unless the config blocklists at least one account, and it will not run against an account whose alias contains "prod", so give the sandbox a clear alias and put every non-sandbox account ID in the blocklist.
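One way to make "all changes go live on merge to main" something IAM enforces rather than a team convention, as an added example (this is not code from the newsletter or from Masterpoint's module): the prod account gets a deployer role that can only be assumed by the CI pipeline, and only from the main branch of one repository. Humans keep read-only access in prod, so the only write path is the merge. It assumes GitHub Actions with OIDC; the repository name, account and thumbprint are placeholders.

```hcl
# Added example, not code from the newsletter or from Masterpoint's module.
# Applied in the prod account. Assumes GitHub Actions with OIDC; the repo name
# and thumbprint below are placeholders.

variable "github_repo" {
  default = "example-org/infra" # placeholder: owner/repo that holds the TF code
}

# One OIDC provider per account for GitHub's token issuer.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["0000000000000000000000000000000000000000"] # placeholder
}

# Trust policy: only a workflow running on refs/heads/main of this one repo can
# get credentials. Feature branches, forks and PR runs fail the "sub" match, so
# nothing applies to prod before it is merged. (If you want PR plans, give them
# a separate read-only role with a looser "sub" condition.)
data "aws_iam_policy_document" "ci_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "prod_deployer" {
  name                 = "terraform-prod-deployer"
  assume_role_policy   = data.aws_iam_policy_document.ci_trust.json
  max_session_duration = 3600 # one hour is plenty for an apply
}

# Wide for brevity; scope this to the services each stack actually manages.
resource "aws_iam_role_policy_attachment" "prod_deployer" {
  role       = aws_iam_role.prod_deployer.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

The trust policy permits only sts:AssumeRoleWithWebIdentity from the federated provider, so a human in the prod account cannot sts:AssumeRole into the deployer role even with admin credentials. The remaining way around it is editing the trust policy itself, which is exactly why the humans in prod should not hold IAM write permissions.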

The Sandbox Account approach decreases the need to allow admin access in the dev environment, but you can always offer it if you must.

In prod, give most team members read-only access; the AWS managed ReadOnlyAccess policy is the usual starting point. If that is too restrictive, use the PowerUserAccess managed policy, which grants everything except IAM, Organizations and Account actions (apart from a few read calls and service-linked-role management). That closes the most direct escalation route, since a power user cannot create users, attach policies or pass roles, but it does not make prod safe on its own: such a user can still change workloads that already run under privileged roles, so treat it as the exception for a small group, not the default.

For user access, I would suggest switching to AWS SSO. (I still don't want to call it Identity Center.)

Enable AWS SSO in your Organizations management account (it can only be enabled from there), then register a dedicated "identity" member account as the delegated administrator, so day-to-day user, group and permission-set management happens outside the management account.
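The access model above (admin in the sandbox, read-only in prod, PowerUserAccess as a tightly held escape hatch) expressed as AWS SSO permission sets in Terraform, as an added example that is not code from the newsletter. It runs from the management account or the delegated identity account; the group name and account IDs are placeholders, and it uses only the AWS provider's ssoadmin and identitystore resources.

```hcl
# Added example, not code from the newsletter. Run from the management account
# or the delegated identity account. Group name and account IDs are placeholders.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn   = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id  = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  sandbox_account_id = "111111111111" # placeholder
  prod_account_id    = "222222222222" # placeholder
}

# Everyone who writes Terraform; replace with your real group name.
data "aws_identitystore_group" "engineers" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "engineers" # placeholder
    }
  }
}

# Sandbox: full admin. ClickOps is fine here; aws-nuke wipes it on a schedule.
resource "aws_ssoadmin_permission_set" "sandbox_admin" {
  name             = "SandboxAdministrator"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT8H"
}

resource "aws_ssoadmin_managed_policy_attachment" "sandbox_admin" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.sandbox_admin.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Prod: read-only for the same group. Writes happen only through the pipeline.
resource "aws_ssoadmin_permission_set" "prod_readonly" {
  name             = "ProdReadOnly"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "prod_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.prod_readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Prod escape hatch: PowerUserAccess (no IAM/Organizations/Account actions),
# short sessions. Assign it to a small on-call group, not to "engineers".
resource "aws_ssoadmin_permission_set" "prod_poweruser" {
  name             = "ProdPowerUser"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

resource "aws_ssoadmin_managed_policy_attachment" "prod_poweruser" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.prod_poweruser.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}

resource "aws_ssoadmin_account_assignment" "engineers_sandbox" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.sandbox_admin.arn
  principal_id       = data.aws_identitystore_group.engineers.group_id
  principal_type     = "GROUP"
  target_id          = local.sandbox_account_id
  target_type        = "AWS_ACCOUNT"
}

resource "aws_ssoadmin_account_assignment" "engineers_prod_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.prod_readonly.arn
  principal_id       = data.aws_identitystore_group.engineers.group_id
  principal_type     = "GROUP"
  target_id          = local.prod_account_id
  target_type        = "AWS_ACCOUNT"
}
```

Because the permission sets and assignments are themselves Terraform, a change to who can do what in prod shows up as a reviewed PR in the same repo as everything else, which is the whole point of the pattern.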

Together, these should solve your AWS infra provisioning problems.

May your users always be limited to read-only access in prod,

Matt @ Masterpoint

PS We recently helped a client migrate from Terraform to OpenTofu and save a ton. Learn more and download the case study here.