Re: [TREASURER #5526] Re: managing Huawei accounts
On Tue, Apr 05, 2022 at 08:19:43PM +0800, Aron Xu wrote:
> > On 2022/04/01 20:24, Ross Vandegrift via RT wrote:
> > > I'm not familiar with Huawei's cloud, so I can't offer any specific
> > > advice - but in general, I don't think so. Here's my understanding.
> > >
> > > If Debian delegates creation, then Debian or an individual member owns
> > > the account - not SPI. We want to avoid that because:
> > >
> > > - there's no way for Debian to shield members from the liability created
> > > by the provider's contract.
> > > - there's no way for Debian to ensure the member doesn't run off with
> > > the account, or disappear and lock us out.
> > >
> > > That means SPI needs to vet & accept those terms. When SPI is happy
> > > with the terms, they can sometimes delegate the actual acceptance
> > > process back to us.
> > Unfortunately, whatever route we take, it's going to take a long time
> > via SPI. Would it work for the cloud team if we rather do this via
> > another TO?
> I'm quite curious how the AWS and GCP accounts are handled at the
> moment, and what are the differences for this new one?

At a high level the cloud team requires the TO to own the accounts.
This is to ensure that ownership is not tied to an individual member.
But we handle the setup in the accounts. The cloud-specific details
make each case different.

In the case of AWS & GCP the process is quite dysfunctional, due to the
cloud providers' internal rules. In case the details are useful or
interesting, here's my understanding.

A new AWS account must get its billing setup & terms of service
accepted. We can create them, but due to Amazon limitations, setup is
1) AWS must do some internal setup to make the bill go away.
Unfortunately, that process precludes the use of their
Organizations product to manage ToS acceptance & account setup. We have
some contacts in Amazon who do this step for us.
2) Because we can't use Organizations, each account needs to have its
terms accepted individually. SPI has negotiated terms with Amazon and
must accept the agreement.

When both of these are done, we can use the account. A while back,
Bastian scripted the creation of a batch of accounts, and submitted them
all for the setups. So at least we can do these in chunks.

The cloud team doesn't own any GCP projects - Google requires that they
own the project if they pay the bills. The cloud team requires a TO to
own the projects that we use. These are incompatible.

Google provides us some projects that we can use for image experiments.
But I don't think they're used very much.

GCP also requires the use of Gsuite for user accounts. SPI uses Gsuite
internally, and manages the users for the admins on the cloud team.