Merge pull request #5374 from ministryofjustice/feature/observability…

…-platform-idc-lookup

♻️ Use named groups in Observability Platform

terraform/environments/observability-platform/data.tf

@@ -1,3 +1,31 @@
 data "aws_secretsmanager_secret_version" "grafana_api_key" {
   secret_id = aws_secretsmanager_secret.grafana_api_key.id
 }
+
+data "aws_ssoadmin_instances" "main" {
+  provider = aws.sso-readonly
+}
+
+data "aws_identitystore_group" "observability_platform" {
+  provider = aws.sso-readonly
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+
+  filter {
+    attribute_path  = "DisplayName"
+    attribute_value = "observability-platform"
+  }
+}
+
+data "aws_identitystore_group" "all_identity_centre_teams" {
+  for_each = { for team in local.all_identity_centre_teams : team => team }
+
+  provider = aws.sso-readonly
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+
+  filter {
+    attribute_path  = "DisplayName"
+    attribute_value = each.value
+  }
+}

terraform/environments/observability-platform/environment-configurations.tf

@@ -4,7 +4,7 @@ locals {
     development = {
       tenant_configuration = {
         "observability-platform" = {
-          identity_centre_team = "16a2d234-1031-70b5-2657-7f744c55e48f"
+          identity_centre_team = "observability-platform"
           aws_accounts = {
             "observability-platform-development" = {
               cloudwatch_enabled      = true
@@ -14,7 +14,7 @@ locals {
           }
         },
         "analytical-platform" = {
-          identity_centre_team = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1"
+          identity_centre_team = "analytical-platform"
           aws_accounts = {
             "analytical-platform-ingestion-development" = {
               cloudwatch_enabled      = true
@@ -24,7 +24,7 @@ locals {
           }
         },
         "data-platform" = {
-          "identity_centre_team" = "a68242b4-b0a1-7085-25f4-dc60e4c122c0"
+          "identity_centre_team" = "data-platform"
           "aws_accounts" = {
             "data-platform-development" = {
               cloudwatch_enabled      = true
@@ -49,7 +49,7 @@ locals {
           }
         }
         "digital-studio-operations" = {
-          "identity_centre_team" = "9c6710dd7f-120a1f73-34c1-447a-b34c-6cdc2cd64b5e"
+          "identity_centre_team" = "studio-webops"
           "aws_accounts" = {
             "nomis-test" = {
               cloudwatch_enabled      = true
@@ -68,7 +68,7 @@ locals {
     production = {
       tenant_configuration = {
         "observability-platform" = {
-          identity_centre_team = "16a2d234-1031-70b5-2657-7f744c55e48f"
+          identity_centre_team = "observability-platform"
           aws_accounts = {
             "observability-platform-production" = {
               cloudwatch_enabled      = true
@@ -78,7 +78,7 @@ locals {
           }
         },
         "analytical-platform" = {
-          identity_centre_team = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1"
+          identity_centre_team = "analytical-platform"
           aws_accounts = {
             "analytical-platform-ingestion-production" = {
               cloudwatch_enabled      = true
@@ -88,7 +88,7 @@ locals {
           }
         },
         "data-platform" = {
-          "identity_centre_team" = "a68242b4-b0a1-7085-25f4-dc60e4c122c0"
+          "identity_centre_team" = "data-platform"
           "aws_accounts" = {
             "data-platform-production" = {
               cloudwatch_enabled      = true

terraform/environments/observability-platform/managed-grafana.tf

@@ -27,10 +27,10 @@ module "managed_grafana" {
 
   role_associations = {
     "ADMIN" = {
-      "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform
+      "group_ids" = [data.aws_identitystore_group.observability_platform.id]
     }
     "EDITOR" = {
-      "group_ids" = local.all_identity_centre_teams
+      "group_ids" = [for team in data.aws_identitystore_group.all_identity_centre_teams : team.id]
     }
   }
 

terraform/environments/observability-platform/modules/grafana/team/data.tf

@@ -0,0 +1,10 @@
+data "aws_ssoadmin_instances" "main" {}
+
+data "aws_identitystore_group" "this" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
+
+  filter {
+    attribute_path  = "DisplayName"
+    attribute_value = var.identity_centre_team
+  }
+}

terraform/environments/observability-platform/modules/grafana/team/main.tf

@@ -1,7 +1,7 @@
 resource "grafana_team" "this" {
   name = var.name
   team_sync {
-    groups = [var.identity_centre_team]
+    groups = [data.aws_identitystore_group.this.id]
   }
 }
 

terraform/environments/observability-platform/modules/grafana/team/providers.tf

@@ -1,5 +1,9 @@
 terraform {
   required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
     grafana = {
       source  = "grafana/grafana"
       version = "~> 2.0"

terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/main.tf

@@ -38,6 +38,10 @@ module "prometheus_push" {
 module "team" {
   source = "../../grafana/team"
 
+  providers = {
+    aws = aws.sso
+  }
+
   name                 = var.name
   identity_centre_team = var.identity_centre_team
   aws_accounts         = var.aws_accounts

terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      configuration_aliases = [aws.sso]
+    }
+  }
+}

terraform/environments/observability-platform/tenant-configuration.tf

@@ -3,6 +3,10 @@ module "tenant_configuration" {
 
   source = "./modules/observability-platform/tenant-configuration"
 
+  providers = {
+    aws.sso = aws.sso-readonly
+  }
+
   environment_management = local.environment_management
   name                   = each.key
   identity_centre_team   = each.value.identity_centre_team