📖 Implement Access to Cloud Platform Resources (Redo) #6547

Open
1 task
julialawrence opened this issue Jan 13, 2025 · 0 comments
Contributor

julialawrence commented Jan 13, 2025

User Story

We have implemented a way to allow users to access Cloud Platform resources which fits well into new applications, but doesn't work for existing applications without substantial redesign. Therefore, we would like to amend the approach to allow the users of apps in all stages of development and deployment to take advantage of this service, which will require some additional development work.

Value / Purpose

Allowing users more flexibility in tooling will not only provide a better experience but would also mean that we don't have to manage additional infra such as databases and OpenSearch.

Useful Contacts

@julialawrence

User Types

App Authors

Hypothesis

If we allow this, the users will be able to write richer apps.

Proposal

The overall design is outlined here: https://mojdt.slack.com/archives/C04M8224WCV/p1736515756401529?thread_ts=1736512297.823089&cid=C04M8224WCV in a section titled Access via Cloud Platform = True
The approach outlined by green arrows is already implemented. We would like to implement the blue approach as well which involves:

  • Allow Access to Cloud Platform to be toggled both on new and existing apps (still need to collect the role information)
  • When toggled on, the Cloud Platform trust policy is added to the existing trust policy rather than replacing the existing trust policy
  • The app role resource policy is amended with an sts:AssumeRole block that allows the app role to assume the provided Cloud Platform role
  • Guidance on how the role must be structured in Cloud Platform is provided.

Additional Information

This is raised in response to this support request which needs to be a feature request: https://github.com/ministryofjustice/data-platform-support/issues/1060

Definition of Done

  • Proposal Implemented
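
The merge behaviour the proposal describes, sketched as an added example (not code from this issue or the project): the Cloud Platform trust statement is added to or removed from an existing trust policy by `Sid`, leaving every other statement in place, and the `sts:AssumeRole` permission is scoped to one role ARN. The Sids, account ID, role name, the contents of the trust statement and the function names are all assumptions.

```python
import copy
import re

# Constructed sample data: account IDs, role names and Sids are placeholders.
CP_SID = "CloudPlatformTrust"
EXISTING_TRUST = {
    "Version": "2012-10-17",
    "Statement": {  # IAM allows a single statement object as well as a list
        "Sid": "ExistingTrust",
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    },
}
CP_TRUST_STATEMENT = {
    "Sid": CP_SID,
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-cp-role"},
    "Action": "sts:AssumeRole",
}
# A specific role ARN only: the character class has no "*", so wildcards fail.
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")


def _statements(policy):
    stmts = policy.get("Statement", [])
    return list(stmts) if isinstance(stmts, list) else [stmts]


def toggle_trust(policy, statement, enabled):
    """Return a copy of policy with `statement` present (enabled) or absent.

    Statements with other Sids are never touched, so existing trust survives.
    """
    merged = copy.deepcopy(policy)
    kept = [s for s in _statements(merged) if s.get("Sid") != statement["Sid"]]
    merged["Statement"] = kept + ([copy.deepcopy(statement)] if enabled else [])
    return merged


def assume_role_statement(cp_role_arn):
    """Permission statement letting the app role assume exactly one role."""
    if not ROLE_ARN.fullmatch(cp_role_arn):
        raise ValueError(f"not a specific IAM role ARN: {cp_role_arn!r}")
    return {
        "Sid": "AssumeCloudPlatformRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": cp_role_arn,
    }
```

Keying on `Sid` makes the toggle idempotent, and rejecting wildcard ARNs keeps the app role from being able to assume roles other than the one provided.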
Status: 👀 TODO