Testing pipeline permissions (#4199)

ministryofjustice · Dec 1, 2023 · 1db2933 · 1db2933
1 parent fe6668f
commit 1db2933
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 0 deletions.
diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf
@@ -0,0 +1,28 @@
+locals {
+  environment_configuration = local.environment_configurations[local.environment]
+  environment_configurations = {
+    development = {
+      source_accounts = [
+        local.environment_management.account_ids["data-platform-apps-and-tools-development"],
+        local.environment_management.account_ids["data-platform-development"],
+        local.environment_management.account_ids["data-platform-test"],
+        local.environment_management.account_ids["data-platform-preproduction"]
+      ]
+      data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    test = {
+      data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    preproduction = {
+      data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    production = {
+      source_accounts = [
+        local.environment_management.account_ids["data-platform-production"],
+        local.environment_management.account_ids["data-platform-apps-and-tools-production"]
+      ]
+      data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"]
+    }
+  }
+}
+
diff --git a/terraform/environments/observability-platform/iam-policies.tf b/terraform/environments/observability-platform/iam-policies.tf
@@ -0,0 +1,44 @@
+data "aws_iam_policy_document" "amazon_managed_prometheus" {
+  statement {
+    sid    = "AllowRemoteWrite"
+    effect = "Allow"
+    actions = [
+      "aps:RemoteWrite",
+      "aps:GetSeries",
+      "aps:GetLabels",
+      "aps:GetMetricMetadata"
+    ]
+    resources = [module.managed_prometheus.workspace_arn]
+  }
+}
+
+module "amazon_managed_prometheus_iam_policy" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name_prefix = "amazon-managed-prometheus"
+
+  policy = data.aws_iam_policy_document.amazon_managed_prometheus.json
+}
+
+data "aws_iam_policy_document" "amazon_managed_grafana_remote_cloudwatch" {
+  statement {
+    sid       = "AllowAssumeRole"
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole"]
+    resources = formatlist("arn:aws:iam::%s:role/observability-platform", local.environment_configuration.source_accounts)
+  }
+}
+
+module "amazon_managed_grafana_remote_cloudwatch_iam_policy" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name_prefix = "amazon-managed-grafana-remote-cloudwatch"
+
+  policy = data.aws_iam_policy_document.amazon_managed_grafana_remote_cloudwatch.json
+}
diff --git a/terraform/environments/observability-platform/iam-roles.tf b/terraform/environments/observability-platform/iam-roles.tf
@@ -0,0 +1,13 @@
+module "data_platform_apps_tools_iam_role" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  create_role             = true
+  role_name               = "data-platform-apps-and-tools"
+  trusted_role_arns       = ["arn:aws:iam::${local.environment_configuration.data_platform_apps_tools_account_id}:root"]
+  custom_role_policy_arns = [module.amazon_managed_prometheus_iam_policy.arn]
+  role_requires_mfa       = false
+
+  tags = local.tags
+}
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
@@ -0,0 +1,31 @@
+module "managed_grafana" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/managed-service-grafana/aws"
+  version = "~> 2.0"
+
+  name = local.application_name
+
+  # license_type = "ENTERPRISE_FREE_TRIAL"
+  associate_license = false
+
+  account_access_type       = "CURRENT_ACCOUNT"
+  authentication_providers  = ["AWS_SSO"]
+  permission_type           = "SERVICE_MANAGED"
+  data_sources              = ["CLOUDWATCH", "PROMETHEUS"]
+  notification_destinations = ["SNS"]
+
+  iam_role_policy_arns = [module.amazon_managed_grafana_remote_cloudwatch_iam_policy.arn]
+
+  role_associations = {
+    "ADMIN" = {
+      "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform
+    }
+    "EDITOR" = {
+      "group_ids" = [
+        "7652b2d4-d0d1-707f-66ae-0b176587547e" # data-platform-labs
+      ]
+    }
+  }
+
+  tags = local.tags
+}
diff --git a/terraform/environments/observability-platform/managed-prometheus.tf b/terraform/environments/observability-platform/managed-prometheus.tf
@@ -0,0 +1,9 @@
+module "managed_prometheus" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/managed-service-prometheus/aws"
+  version = "~> 2.0"
+
+  workspace_alias = local.application_name
+
+  tags = local.tags
+}