From 5d5e46697fe437cffed7acc03306f12bb063e00c Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Mon, 6 Jan 2025 16:06:25 +0000
Subject: [PATCH 1/2] Adding a new role and new groups to identity center to be managed in Control Panel

---
 management-account/terraform/data.tf | 2 +
 management-account/terraform/iam-roles.tf | 74 ++++++++++++++++++-
 .../identity-center-quicksight-groups.tf | 17 +++++
 .../terraform/sso-admin-permission-sets.tf | 2 +-
 4 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 management-account/terraform/identity-center-quicksight-groups.tf

diff --git a/management-account/terraform/data.tf b/management-account/terraform/data.tf
index 8fc4b38c..436a51ca 100644
--- a/management-account/terraform/data.tf
+++ b/management-account/terraform/data.tf
@@ -1 +1,3 @@
 data "aws_caller_identity" "current" {}
+
+data "aws_ssoadmin_instances" "moj" {}
\ No newline at end of file
diff --git a/management-account/terraform/iam-roles.tf b/management-account/terraform/iam-roles.tf
index 46e831b3..1dbb1717 100644
--- a/management-account/terraform/iam-roles.tf
+++ b/management-account/terraform/iam-roles.tf
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "modernisation_platform_sso_administrator" {
 actions = ["sts:AssumeRole"]
 principals {
- type = "AWS"
+ type = "AWS"
 identifiers = [
 "arn:aws:iam::${aws_organizations_account.modernisation_platform.id}:root",
 "arn:aws:iam::${coalesce(local.modernisation_platform_accounts.sprinkler_id...)}:role/github-actions"
@@ -188,4 +188,76 @@ data "aws_iam_policy_document" "modernisation_platform_github_actions_additional
 resources = [module.modernisation_platform_github_actions_role.role]
 }
+}
+
+##########################################
+# AnalyticalPlatformIdentityCenterRole #
+##########################################
+
+data "aws_iam_policy_document" "analytical_platform_identity_center" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ "arn:aws:iam::${local.accounts.active_only["analytical-platform-data-production"]}:role/prod_control_panel_api20210906102154527600000001",
+ "arn:aws:iam::${local.accounts.active_only["analytical-platform-development"]}:role/dev_control_panel_api20230420142935268800000001"
+ ]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "analytical_platform_identity_center" {
+ #checkov:skip=CKV_AWS_158:Won't implement
+
+ statement {
+ effect = "Allow"
+ actions = [
+ "identitystore:CreateGroup",
+ "identitystore:CreateGroupMembership",
+ "identitystore:CreateUser",
+ "identitystore:DeleteGroup",
+ "identitystore:DeleteGroupMembership",
+ "identitystore:DeleteUser",
+ "identitystore:DescribeGroup",
+ "identitystore:DescribeGroupMembership",
+ "identitystore:ListGroupMemberships",
+ "identitystore:ListGroups",
+ "identitystore:ListUsers",
+ "identitystore:DescribeUser",
+ ]
+ resources = [
+ "arn:aws:identitystore::${data.aws_caller_identity.current.account_id}:identitystore/*",
+ "arn:aws:identitystore:::user/*",
+ "arn:aws:identitystore:::group/*",
+ "arn:aws:identitystore:::membership/*"
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+ actions = [
+ "sso:ListInstances",
+ ]
+ resources = [
+ "arn:aws:sso:::instance/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "analytical_platform_identity_center" {
+ name = "AnalyticalPlatformIdentityCenter"
+ policy = data.aws_iam_policy_document.analytical_platform_identity_center.json
+}
+
+resource "aws_iam_role" "analytical_platform_identity_center" {
+ name = "AnalyticalPlatformIdentityCenter"
+ assume_role_policy = data.aws_iam_policy_document.analytical_platform_identity_center.json
+}
+
+resource "aws_iam_role_policy_attachment" "analytical_platform_identity_center" {
+ role = aws_iam_role.analytical_platform_identity_center.name
+ policy_arn = aws_iam_policy.analytical_platform_identity_center.arn
 }
\ No newline at end of file
diff --git a/management-account/terraform/identity-center-quicksight-groups.tf b/management-account/terraform/identity-center-quicksight-groups.tf
new file mode 100644
index 00000000..09db4f64
--- /dev/null
+++ b/management-account/terraform/identity-center-quicksight-groups.tf
@@ -0,0 +1,17 @@
+resource "aws_identitystore_group" "analytical_platform_qs_readers" {
+ display_name = "azure-aws-sso-analytical-platform-qs-readers"
+ description = "Analytical Platform QuickSight Readers (membership managed via AP Control Panel)"
+ identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_group" "analytical_platform_qs_authors" {
+ display_name = "azure-aws-sso-analytical-platform-qs-authors"
+ description = "Analytical Platform QuickSight Authors (membership managed via AP Control Panel)"
+ identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_group" "analytical_platform_qs_admins" {
+ display_name = "azure-aws-sso-analytical-platform-qs-admins"
+ description = "Analytical Platform QuickSight Admins (membership managed via AP Control Panel)"
+ identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}
\ No newline at end of file
diff --git a/management-account/terraform/sso-admin-permission-sets.tf b/management-account/terraform/sso-admin-permission-sets.tf
index 821cae59..bda7ed20 100644
--- a/management-account/terraform/sso-admin-permission-sets.tf
+++ b/management-account/terraform/sso-admin-permission-sets.tf
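Review bot: The second `analytical_platform_identity_center` policy document grants `identitystore:CreateUser`, `DeleteUser`, `CreateGroup` and `DeleteGroup` over `user/*`, `group/*` and `membership/*` of the entire identity store, and the trust policy directly above it lets both the production and the development Control Panel API roles assume this role, so whoever holds the development role can create or delete any user or group in the organisation's Identity Center. The group descriptions added in identity-center-quicksight-groups.tf say membership is managed via the Control Panel, which suggests the role only needs membership actions on the three QuickSight groups; if that is the case, drop the user/group create and delete actions and scope the group ARNs to those groups as sketched below, checking the resource types each action requires against the Service Authorization Reference before applying. `#checkov:skip=CKV_AWS_158:Won't implement` should name the check that actually fires on this document and state the justification instead of "Won't implement", since CKV_AWS_158 does not appear to be the wildcard-resource check. The duplicated data-source name in this hunk is already corrected by PATCH 2/2, so no further change is needed for that. The hunk opens on the tail of `modernisation_platform_github_actions_additional`, whose body begins outside it.
```hcl
  # Write access is limited to the QuickSight groups this role exists to manage;
  # the identity store and user ARNs stay broad only because a membership names
  # an arbitrary user. Confirm required resource types per action before applying.
  statement {
    effect = "Allow"
    actions = [
      "identitystore:CreateGroupMembership",
      "identitystore:DeleteGroupMembership",
      "identitystore:DescribeGroup",
      "identitystore:DescribeGroupMembership",
      "identitystore:ListGroupMemberships",
    ]
    resources = [
      "arn:aws:identitystore::${data.aws_caller_identity.current.account_id}:identitystore/${tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]}",
      "arn:aws:identitystore:::group/${aws_identitystore_group.analytical_platform_qs_readers.group_id}",
      "arn:aws:identitystore:::group/${aws_identitystore_group.analytical_platform_qs_authors.group_id}",
      "arn:aws:identitystore:::group/${aws_identitystore_group.analytical_platform_qs_admins.group_id}",
      "arn:aws:identitystore:::user/*",
      "arn:aws:identitystore:::membership/*",
    ]
  }
  # … unchanged: read-only ListGroups/ListUsers/DescribeUser statement and the sso:ListInstances statement …
```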
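Review bot: The three `aws_identitystore_group` blocks differ only in the `readers`/`authors`/`admins` suffix and the matching word in `description`, so one resource with `for_each` over a small map keeps them in step and makes adding another tier a one-line change, as sketched below (the resource addresses change, which is harmless on a file that has not been applied yet). The `azure-aws-sso-` prefix is presumably the naming scheme of groups provisioned from Entra ID, so it is worth confirming that provisioning will not later try to push groups with these display names — my understanding is that the Identity Store rejects duplicate display names, and the clash would surface as a provisioning error rather than in Terraform. `tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]` also assumes exactly one instance, which is true of an organisation instance but deserves the comment shown below.
```hcl
locals {
  # key is the display-name suffix, value the human-readable tier used in the description
  analytical_platform_qs_groups = {
    readers = "Readers"
    authors = "Authors"
    admins  = "Admins"
  }
}

resource "aws_identitystore_group" "analytical_platform_qs" {
  for_each = local.analytical_platform_qs_groups

  display_name      = "azure-aws-sso-analytical-platform-qs-${each.key}"
  description       = "Analytical Platform QuickSight ${each.value} (membership managed via AP Control Panel)"
  identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0] # assumes the single organisation instance
}
```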
@@ -338,7 +338,7 @@ data "aws_iam_policy_document" "modernisation_platform_engineer" {
 effect = "Allow"
 actions = [
 "dynamodb:PutItem",
- "dynamodb:DeleteItem"
+ "dynamodb:DeleteItem"
 ]
 resources = ["arn:aws:dynamodb:eu-west-2:${coalesce(local.modernisation_platform_accounts.modernisation_platform_id...)}:table/modernisation-platform-terraform-state-lock"]
 }

From c0b7b1e37bccaeb846a7d4c3dd12926b4fa5a755 Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Mon, 6 Jan 2025 16:11:05 +0000
Subject: [PATCH 2/2] Fixing assume role policy reference

---
 management-account/terraform/iam-roles.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/management-account/terraform/iam-roles.tf b/management-account/terraform/iam-roles.tf
index 1dbb1717..2f42938a 100644
--- a/management-account/terraform/iam-roles.tf
+++ b/management-account/terraform/iam-roles.tf
@@ -194,7 +194,7 @@ data "aws_iam_policy_document" "modernisation_platform_github_actions_additional
 # AnalyticalPlatformIdentityCenterRole #
 ##########################################
-data "aws_iam_policy_document" "analytical_platform_identity_center" {
+data "aws_iam_policy_document" "analytical_platform_identity_center_assume_role" {
 statement {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
@@ -254,7 +254,7 @@ resource "aws_iam_policy" "analytical_platform_identity_center" {
 resource "aws_iam_role" "analytical_platform_identity_center" {
 name = "AnalyticalPlatformIdentityCenter"
- assume_role_policy = data.aws_iam_policy_document.analytical_platform_identity_center.json
+ assume_role_policy = data.aws_iam_policy_document.analytical_platform_identity_center_assume_role.json
 }
 resource "aws_iam_role_policy_attachment" "analytical_platform_identity_center" {