Merge pull request #865 from ministryofjustice/feature/sso-read-only
Allow MP accounts to lookup SSO information
AntonyBishop authored Feb 6, 2024
2 parents 2183b15 + b1195cb commit 2ba3238
Showing 1 changed file with 32 additions and 0 deletions.
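--- a/management-account/terraform/iam-roles.tf
+++ b/management-account/terraform/iam-roles.tf
@@ -101,6 +101,38 @@ resource "aws_iam_role_policy_attachment" "modernisation_platform_sso_administra
 policy_arn = aws_iam_policy.sso_administrator_policy.arn
 }
 
+#########################################
+# ModernisationPlatformSSOReadOnly #
+#########################################
+resource "aws_iam_role" "modernisation_platform_sso_readonly" {
+name = "ModernisationPlatformSSOReadOnly"
+assume_role_policy = data.aws_iam_policy_document.modernisation_platform_sso_readonly.json
+}
+
+data "aws_iam_policy_document" "modernisation_platform_sso_readonly" {
+statement {
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+condition {
+test = "ForAnyValue:StringLike"
+values = ["${data.aws_organizations_organization.root.id}/*/${aws_organizations_organizational_unit.platforms_and_architecture_modernisation_platform.id}/*"]
+variable = "aws:PrincipalOrgPaths"
+}
+}
+}
+
+# Role policy attachments
+resource "aws_iam_role_policy_attachment" "modernisation_platform_sso_readonly" {
+role = aws_iam_role.modernisation_platform_sso_readonly.name
+policy_arn = "arn:aws:iam::aws:policy/AWSSSOReadOnly"
+}
+
 ##########################################
 # ModernisationPlatformGithubActionsRole #
 ##########################################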
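Review bot: The trust policy in `data.aws_iam_policy_document.modernisation_platform_sso_readonly` lets any IAM principal in any account under the Modernisation Platform OU assume the role — `identifiers = ["*"]` is narrowed only by the `aws:PrincipalOrgPaths` condition — so workload roles in member accounts, not just platform tooling, can reach `AWSSSOReadOnly`, which reads Identity Center configuration (and, as far as the managed policy grants it, directory/user data) for the whole organisation. If the intended callers are a known set, an additional `aws:PrincipalArn` condition with the expected role-name pattern would keep the trust to those callers without changing the OU scoping. At minimum the wildcard deserves an explanatory comment above the `principals` block, such as `# Intentionally "*": trust is limited to principals under the MP OU by the aws:PrincipalOrgPaths condition below`. The `ForAnyValue:StringLike` operator is the right choice for the multivalued `aws:PrincipalOrgPaths` key, and the inserted resources are complete within the hunk; only the preceding `modernisation_platform_sso_administrator` attachment, whose opening line is outside the hunk, is cut by it.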
