Add AssumeRole Permissions to Control Panel Dev Role (#5699)

* Adding assume role permissions to Control Panel Role * Checkov skips added for genralised policies
ministryofjustice · Oct 16, 2024 · c57c261 · c57c261
1 parent 7a9bd3c
commit c57c261
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
@@ -31,6 +31,8 @@ resource "aws_iam_policy" "cert_manager" {
 ##################################################
 
 data "aws_iam_policy_document" "cluster_autoscaler" {
+  #checkov:skip=CKV_AWS_111: skip requires access to multiple resources
+  #checkov:skip=CKV_AWS_356: skip requires access to multiple resources
   statement {
     sid    = "clusterAutoscalerAll"
     effect = "Allow"
@@ -311,6 +313,8 @@ resource "aws_iam_policy" "ebs_csi_driver" {
 ##################################################
 
 data "aws_iam_policy_document" "control_panel_api" {
+  #checkov:skip=CKV_AWS_111: skip requires access to multiple resources
+  #checkov:skip=CKV_AWS_356: skip requires access to multiple resources
   statement {
     sid    = "CanCreateBuckets"
     effect = "Allow"
@@ -515,6 +519,18 @@ data "aws_iam_policy_document" "control_panel_api" {
     ]
     resources = ["arn:aws:lakeformation:*:${var.account_ids["analytical-platform-development"]}:*"]
   }
+  statement {
+    sid    = "AssumeRoleComputeAccounnt"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession"
+    ]
+    resources = [
+      "arn:aws:iam::${var.account_ids["analytical-platform-compute-development"]}:role/analytical-platform-control-panel",
+      "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel"
+    ]
+  }
 }
 
 resource "aws_iam_policy" "control_panel_api" {

diff --git a/terraform/aws/analytical-platform-development/cluster/terraform.tfvars b/terraform/aws/analytical-platform-development/cluster/terraform.tfvars
@@ -6,6 +6,8 @@ account_ids = {
   analytical-platform-development           = "525294151996"
   analytical-platform-management-production = "042130406152"
   analytical-platform-production            = "312423030077"
+  analytical-platform-compute-development   = "381491960855"
+  analytical-platform-compute-test          = "767397661611"
 }
 
 environment     = "development"