
Merge pull request #1065 from ministryofjustice/feature/role-for-iden…
…tity-center-user-management

Adding a new role and new groups to identity center to be managed in Control Panel
julialawrence authored Jan 6, 2025
2 parents cb05172 + c0b7b1e commit b0bb665
Showing 4 changed files with 93 additions and 2 deletions.
2 changes: 2 additions & 0 deletions management-account/terraform/data.tf
@@ -1 +1,3 @@
data "aws_caller_identity" "current" {}

data "aws_ssoadmin_instances" "moj" {}
74 changes: 73 additions & 1 deletion management-account/terraform/iam-roles.tf
Expand Up @@ -85,7 +85,7 @@ data "aws_iam_policy_document" "modernisation_platform_sso_administrator" {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
type = "AWS"
identifiers = [
"arn:aws:iam::${aws_organizations_account.modernisation_platform.id}:root",
"arn:aws:iam::${coalesce(local.modernisation_platform_accounts.sprinkler_id...)}:role/github-actions"
Expand Down Expand Up @@ -188,4 +188,76 @@ data "aws_iam_policy_document" "modernisation_platform_github_actions_additional

resources = [module.modernisation_platform_github_actions_role.role]
}
}

##########################################
# AnalyticalPlatformIdentityCenterRole #
##########################################

data "aws_iam_policy_document" "analytical_platform_identity_center_assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${local.accounts.active_only["analytical-platform-data-production"]}:role/prod_control_panel_api20210906102154527600000001",
"arn:aws:iam::${local.accounts.active_only["analytical-platform-development"]}:role/dev_control_panel_api20230420142935268800000001"
]
}
}
}

data "aws_iam_policy_document" "analytical_platform_identity_center" {
#checkov:skip=CKV_AWS_158:Won't implement

statement {
effect = "Allow"
actions = [
"identitystore:CreateGroup",
"identitystore:CreateGroupMembership",
"identitystore:CreateUser",
"identitystore:DeleteGroup",
"identitystore:DeleteGroupMembership",
"identitystore:DeleteUser",
"identitystore:DescribeGroup",
"identitystore:DescribeGroupMembership",
"identitystore:ListGroupMemberships",
"identitystore:ListGroups",
"identitystore:ListUsers",
"identitystore:DescribeUser",
]
resources = [
"arn:aws:identitystore::${data.aws_caller_identity.current.account_id}:identitystore/*",
"arn:aws:identitystore:::user/*",
"arn:aws:identitystore:::group/*",
"arn:aws:identitystore:::membership/*"
]
}

statement {
effect = "Allow"
actions = [
"sso:ListInstances",
]
resources = [
"arn:aws:sso:::instance/*"
]
}
}

resource "aws_iam_policy" "analytical_platform_identity_center" {
name = "AnalyticalPlatformIdentityCenter"
policy = data.aws_iam_policy_document.analytical_platform_identity_center.json
}

resource "aws_iam_role" "analytical_platform_identity_center" {
name = "AnalyticalPlatformIdentityCenter"
assume_role_policy = data.aws_iam_policy_document.analytical_platform_identity_center_assume_role.json
}

resource "aws_iam_role_policy_attachment" "analytical_platform_identity_center" {
role = aws_iam_role.analytical_platform_identity_center.name
policy_arn = aws_iam_policy.analytical_platform_identity_center.arn
}
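Review bot: The first statement of the `analytical_platform_identity_center` policy document grants `identitystore:CreateUser`, `DeleteUser`, `DeleteGroup` and the membership actions on `user/*`, `group/*` and `membership/*`, i.e. over every principal in the management account's identity store, while the group descriptions added in this PR say the Control Panel only manages membership of the three QuickSight groups. The group-scoped actions can be narrowed to those groups, e.g. `"arn:aws:identitystore:::group/${aws_identitystore_group.analytical_platform_qs_readers.group_id}"` (plus the authors and admins siblings), and the identity store ARN to `tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]` instead of `identitystore/*`; if `CreateUser`/`DeleteUser` are genuinely needed, a comment stating which Control Panel flow uses them would justify keeping them. The trust policy also lets the `dev_control_panel_api…` role in `analytical-platform-development` assume this role, so the development deployment holds the same write access to the organisation's identities as production; a separate, narrower role for dev would limit that blast radius if it is operationally acceptable. On `#checkov:skip=CKV_AWS_158:Won't implement`: as I recall CKV_AWS_158 is the CloudWatch log group KMS check rather than an IAM policy document check, so the skipped id and its reason look worth re-checking against the finding checkov actually raises here.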
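--- a/management-account/terraform/identity-center-quicksight-groups.tf
+++ b/management-account/terraform/identity-center-quicksight-groups.tf
@@ -0,0 +1,17 @@
+resource "aws_identitystore_group" "analytical_platform_qs_readers" {
+display_name = "azure-aws-sso-analytical-platform-qs-readers"
+description = "Analytical Platform QuickSight Readers (membership managed via AP Control Panel)"
+identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_group" "analytical_platform_qs_authors" {
+display_name = "azure-aws-sso-analytical-platform-qs-authors"
+description = "Analytical Platform QuickSight Authors (membership managed via AP Control Panel)"
+identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_group" "analytical_platform_qs_admins" {
+display_name = "azure-aws-sso-analytical-platform-qs-admins"
+description = "Analytical Platform QuickSight Admins (membership managed via AP Control Panel)"
+identity_store_id = tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]
+}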
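Review bot: The identity store lookup `tolist(data.aws_ssoadmin_instances.moj.identity_store_ids)[0]` is repeated verbatim in all three `aws_identitystore_group` resources; a single `local.identity_store_id` would keep them in step and give the role policy in iam-roles.tf the same value to scope its identity store ARN to. The `azure-aws-sso-` prefix on the display names suggests the rest of this store is provisioned from an external IdP; if that provisioning is SCIM-driven, it is worth confirming that memberships the Control Panel writes into these Terraform-created groups are not reset by the sync (this is inferred from the naming only).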
2 changes: 1 addition & 1 deletion management-account/terraform/sso-admin-permission-sets.tf
Expand Up @@ -338,7 +338,7 @@ data "aws_iam_policy_document" "modernisation_platform_engineer" {
effect = "Allow"
actions = [
"dynamodb:PutItem",
"dynamodb:DeleteItem"
"dynamodb:DeleteItem"
]
resources = ["arn:aws:dynamodb:eu-west-2:${coalesce(local.modernisation_platform_accounts.modernisation_platform_id...)}:table/modernisation-platform-terraform-state-lock"]
}
