From 1db2933080d13946539a87fe243ae26f571b42c1 Mon Sep 17 00:00:00 2001
From: ep-93 <109581241+ep-93@users.noreply.github.com>
Date: Fri, 1 Dec 2023 11:37:36 +0000
Subject: [PATCH] Testing pipeline permissions (#4199)
---
 .../environment-configurations.tf | 28 ++++++++++++
 .../observability-platform/iam-policies.tf | 44 +++++++++++++++++++
 .../observability-platform/iam-roles.tf | 13 ++++++
 .../observability-platform/managed-grafana.tf | 31 +++++++++++++
 .../managed-prometheus.tf | 9 ++++
 5 files changed, 125 insertions(+)
 create mode 100644 terraform/environments/observability-platform/environment-configurations.tf
 create mode 100644 terraform/environments/observability-platform/iam-policies.tf
 create mode 100644 terraform/environments/observability-platform/iam-roles.tf
 create mode 100644 terraform/environments/observability-platform/managed-grafana.tf
 create mode 100644 terraform/environments/observability-platform/managed-prometheus.tf
diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf
new file mode 100644
index 00000000000..b7991d5ecea
--- /dev/null
+++ b/terraform/environments/observability-platform/environment-configurations.tf
@@ -0,0 +1,28 @@
+locals {
+ environment_configuration = local.environment_configurations[local.environment]
+ environment_configurations = {
+ development = {
+ source_accounts = [
+ local.environment_management.account_ids["data-platform-apps-and-tools-development"],
+ local.environment_management.account_ids["data-platform-development"],
+ local.environment_management.account_ids["data-platform-test"],
+ local.environment_management.account_ids["data-platform-preproduction"]
+ ]
+ data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+ }
+ test = {
+ data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+ }
+ preproduction = {
+ data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+ }
+ production = {
+ source_accounts = [
+ local.environment_management.account_ids["data-platform-production"],
+ local.environment_management.account_ids["data-platform-apps-and-tools-production"]
+ ]
+ data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"]
+ }
+ }
+}
+
diff --git a/terraform/environments/observability-platform/iam-policies.tf b/terraform/environments/observability-platform/iam-policies.tf
new file mode 100644
index 00000000000..fe9eddd0b9f
--- /dev/null
+++ b/terraform/environments/observability-platform/iam-policies.tf
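Review bot: The `test` and `preproduction` entries define no `source_accounts`, yet the `amazon_managed_grafana_remote_cloudwatch` policy document added in the iam-policies.tf hunk reads `local.environment_configuration.source_accounts` unconditionally, so plans for those two environments will most likely fail with an unsupported-attribute error on that data source. The least surprising fix keeps every environment object the same shape: add `source_accounts = []` to both entries, and then guard the policy side so an empty list does not yield a statement with no resources. A short comment on the map would also help, e.g. `# source_accounts: accounts whose observability-platform role Grafana may assume; data_platform_apps_tools_account_id: account trusted to assume data-platform-apps-and-tools`.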
@@ -0,0 +1,44 @@
+data "aws_iam_policy_document" "amazon_managed_prometheus" {
+ statement {
+ sid = "AllowRemoteWrite"
+ effect = "Allow"
+ actions = [
+ "aps:RemoteWrite",
+ "aps:GetSeries",
+ "aps:GetLabels",
+ "aps:GetMetricMetadata"
+ ]
+ resources = [module.managed_prometheus.workspace_arn]
+ }
+}
+
+module "amazon_managed_prometheus_iam_policy" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name_prefix = "amazon-managed-prometheus"
+
+ policy = data.aws_iam_policy_document.amazon_managed_prometheus.json
+}
+
+data "aws_iam_policy_document" "amazon_managed_grafana_remote_cloudwatch" {
+ statement {
+ sid = "AllowAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = formatlist("arn:aws:iam::%s:role/observability-platform", local.environment_configuration.source_accounts)
+ }
+}
+
+module "amazon_managed_grafana_remote_cloudwatch_iam_policy" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name_prefix = "amazon-managed-grafana-remote-cloudwatch"
+
+ policy = data.aws_iam_policy_document.amazon_managed_grafana_remote_cloudwatch.json
+}
diff --git a/terraform/environments/observability-platform/iam-roles.tf b/terraform/environments/observability-platform/iam-roles.tf
new file mode 100644
index 00000000000..d8590a4878e
--- /dev/null
+++ b/terraform/environments/observability-platform/iam-roles.tf
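Review bot: The statement with `sid = "AllowRemoteWrite"` grants `aps:GetSeries`, `aps:GetLabels` and `aps:GetMetricMetadata` alongside `aps:RemoteWrite`, so the Sid understates what the role this policy is attached to in iam-roles.tf can do against the workspace. If the external principal only pushes metrics, drop the three read actions; if they are genuinely needed, move them into their own statement (for example `sid = "AllowReadMetadata"`) so the read grant is reviewable on its own. A one-line comment above each policy document naming its consumer (`# attached to the data-platform-apps-and-tools role` and `# attached to the Grafana workspace role for cross-account CloudWatch`) would make the intent clear without tracing the module references.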
@@ -0,0 +1,13 @@
+module "data_platform_apps_tools_iam_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "~> 5.0"
+
+ create_role = true
+ role_name = "data-platform-apps-and-tools"
+ trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.data_platform_apps_tools_account_id}:root"]
+ custom_role_policy_arns = [module.amazon_managed_prometheus_iam_policy.arn]
+ role_requires_mfa = false
+
+ tags = local.tags
+}
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
new file mode 100644
index 00000000000..0d1b5b01b2b
--- /dev/null
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -0,0 +1,31 @@
+module "managed_grafana" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/managed-service-grafana/aws"
+ version = "~> 2.0"
+
+ name = local.application_name
+
+ # license_type = "ENTERPRISE_FREE_TRIAL"
+ associate_license = false
+
+ account_access_type = "CURRENT_ACCOUNT"
+ authentication_providers = ["AWS_SSO"]
+ permission_type = "SERVICE_MANAGED"
+ data_sources = ["CLOUDWATCH", "PROMETHEUS"]
+ notification_destinations = ["SNS"]
+
+ iam_role_policy_arns = [module.amazon_managed_grafana_remote_cloudwatch_iam_policy.arn]
+
+ role_associations = {
+ "ADMIN" = {
+ "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform
+ }
+ "EDITOR" = {
+ "group_ids" = [
+ "7652b2d4-d0d1-707f-66ae-0b176587547e" # data-platform-labs
+ ]
+ }
+ }
+
+ tags = local.tags
+}
diff --git a/terraform/environments/observability-platform/managed-prometheus.tf b/terraform/environments/observability-platform/managed-prometheus.tf
new file mode 100644
index 00000000000..0846f1dcd23
--- /dev/null
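Review bot: `trusted_role_arns` trusts the `:root` principal of the apps-and-tools account, and with `role_requires_mfa = false` any identity in that account whose own policy permits `sts:AssumeRole` can take this role and use the attached Prometheus policy; the trust is not narrowed to the workload that actually ships metrics. Prefer listing the specific role ARN(s) of that workload in `trusted_role_arns`, and record the decision beside the setting, e.g. `# MFA not required: the assuming principal is a workload role, not a human`. The `checkov:skip` justification here (`Module registry does not support commit hashes for versions`) also differs from the wording used for the same check in iam-policies.tf; one phrasing across the environment would keep the skips greppable.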
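Review bot: The `iam_role_policy_arns` line gives the workspace role the cross-account `sts:AssumeRole` grant defined in iam-policies.tf, but nothing in this file records the other half of that contract, that every account in `source_accounts` must provision an `observability-platform` role whose trust policy names this workspace's role; a comment such as `# each source account must deploy an observability-platform role that trusts this workspace's IAM role` would save the next reader a hunt. The commented-out `# license_type = "ENTERPRISE_FREE_TRIAL"` beside `associate_license = false` is dead configuration and is better removed than left as a hint. The raw group IDs under `role_associations` are explained only by trailing comments; naming them in a local would let the ADMIN/EDITOR mapping read without them.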
+++ b/terraform/environments/observability-platform/managed-prometheus.tf
@@ -0,0 +1,9 @@
+module "managed_prometheus" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ source = "terraform-aws-modules/managed-service-prometheus/aws"
+ version = "~> 2.0"
+
+ workspace_alias = local.application_name
+
+ tags = local.tags
+}