A lot of properties are moving to the IaC paradigm and using Terraform to manage their domain configuration, including role and group memberships. Using the Athenz UI to review roles and groups automatically changes the expiry dates for members, which breaks the Terraform workflow. As part of the review process through the UI, the server also maintains the last reviewed date to indicate that properties are carrying out periodic reviews.
So the goal is to come up with a solution that satisfies the Audit/Governance requirements wrt role/group membership review while utilizing Terraform to manage the membership.
The first item on the list - we should allow clients to set the last reviewed date as part of the role/group meta APIs. Then we can make the necessary changes in our Terraform module to handle periodic reviews.
When reviews are done through TF, sometimes it's not necessary to generate alerts 28 and 14 days before the expiry since that just generates extra email noise. We currently provide 2 flags to disable all notifications for users and admins. We should add an extra bit to indicate that we don't want to generate notifications over a week. So effectively we'll skip the 28 and 14 day checks and start with the 7 day check.