[Task]: Manage Infra privileges via Infra-as-code

[pabloem]

What needs to happen?

In the spirit of transparency and open-sourcedness, I think it would make sense to manage infra-access permissions openly in the Beam repository. This would create an open paper trail of who/how permissions are granted, and enable opening a discussion for who/how to assign them.

The way I imagine this is via terraform. We could have something like so:

• An admin module - limited to a select group, to have full privileges on the infrastructure
• A committer module - to encompass all committers, and to have the minimum access needed by all committers (e.g. Viewer, and perhaps a few others)
• A community_viewer module - to encompass special requests of access by non-committers that. Likely Viewer, but without access to secrets stored in infrastructure.

The specific permissions assigned to each module can be discussed, but in short, a PR would be required to grant permissions to anyone.

The current state of things is that those with access can grant access to anyone as they see fit. This has worked fine so far, but I believe the proposal above is an unequivocal improvement on openness.

Issue Priority

Priority: 2 (default / most normal work should be filed as P2)

Issue Components

• Component: Python SDK
• Component: Java SDK
• Component: Go SDK
• Component: Typescript SDK
• Component: IO connector
• Component: Beam YAML
• Component: Beam examples
• Component: Beam playground
• Component: Beam katas
• Component: Website
• Component: Infrastructure
• Component: Spark Runner
• Component: Flink Runner
• Component: Samza Runner
• Component: Twister2 Runner
• Component: Hazelcast Jet Runner
• Component: Google Cloud Dataflow Runner

[liferoad]

cc @Amar3tto