From 7cca0b052736769481c8665db4f8c7af5c857a81 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 19:04:36 +0000 Subject: [PATCH 1/8] Testing SSO ReadOnly Signed-off-by: Jacob Woffenden --- .../observability-platform/data.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index 79b2929ff57..c9ee7e136a9 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf @@ -1,3 +1,22 @@ data "aws_secretsmanager_secret_version" "grafana_api_key" { secret_id = aws_secretsmanager_secret.grafana_api_key.id } + +data "aws_ssoadmin_instances" "main" { + provider = aws.sso-readonly +} + +data "aws_identitystore_group" "this" { + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] + + alternate_identifier { + unique_attribute { + attribute_path = "DisplayName" + attribute_value = "analytical-platform" + } + } +} + +output "name" { + value = data.aws_identitystore_group.this.id +} From 42906cf96c4368aabd1b99be503d4b40bb9d5557 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 19:09:01 +0000 Subject: [PATCH 2/8] Add SSO provider to data.aws_identitystore_group.this Signed-off-by: Jacob Woffenden --- terraform/environments/observability-platform/data.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index c9ee7e136a9..2e872a3a571 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf @@ -7,6 +7,8 @@ data "aws_ssoadmin_instances" "main" { } data "aws_identitystore_group" "this" { + provider = aws.sso-readonly + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] alternate_identifier { 
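Review bot: `identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]` in the new `aws_identitystore_group` block fails with a bare "Invalid index" if the account behind `aws.sso-readonly` has no Identity Center instance, and silently picks the first one should more than one ever be returned. `one(data.aws_ssoadmin_instances.main.identity_store_ids)` makes the single-instance assumption explicit and fails the plan instead of choosing an arbitrary instance; the same `[0]` expression is repeated in patch 4, in the patch 6 rewrite of data.tf and in the new modules/grafana/team/data.tf. The scratch `output "name"` exposes a group id under a name that says nothing about what it holds; if it is meant to survive, call it something like `analytical_platform_group_id`.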
From 9233d432bd4c3882c28a1772061eca2a59d9c147 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 19:19:00 +0000 Subject: [PATCH 3/8] Using deprecated filter attribute Signed-off-by: Jacob Woffenden --- .../observability-platform/data.tf | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index 2e872a3a571..aac4cb3f3a9 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf @@ -11,11 +11,19 @@ data "aws_identitystore_group" "this" { identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - alternate_identifier { - unique_attribute { - attribute_path = "DisplayName" - attribute_value = "analytical-platform" - } + # This fails with the following error: + # Error: reading AWS SSO Identity Store Group Data Source (d-XXXXXX): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 059df12d-84ce-4803-9a6b-0d41624d749f, ResourceNotFoundException: Group not found + # alternate_identifier { + # unique_attribute { + # attribute_path = "DisplayName" + # attribute_value = "analytical-platform" + # } + # } + + # This is deprecated, but @dms1981 said it works... + filter { + attribute_path = "DisplayName" + attribute_value = "analytical-platform" } } From 5abafc9ebafe63367db5969d34e7b4c7d16b6e4e Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 19:30:55 +0000 Subject: [PATCH 4/8] Getting names for migration Signed-off-by: Jacob Woffenden --- .../observability-platform/data.tf | 63 ++++++++++++++----- 1 file changed, 49 insertions(+), 14 deletions(-) diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index aac4cb3f3a9..1591391bab7 100644 --- a/terraform/environments/observability-platform/data.tf 
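Review bot: The new `filter` block relies on an argument the commit title itself calls deprecated, so the group lookup that gates Grafana access will break on a future `hashicorp/aws` major release, and the only in-repo record of why `alternate_identifier` was abandoned is a pasted API error. Replace the pasted error and the "@dms1981 said it works" remark with a short pointer, e.g. `# filter is deprecated in favour of alternate_identifier; the unique_attribute lookup by DisplayName returned "Group not found" - revisit when the provider drops filter`. The raw error text with its RequestID is a working note rather than documentation and should not be committed. The same deprecated `filter` is carried forward into the patch 6 data.tf and into modules/grafana/team/data.tf.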
+++ b/terraform/environments/observability-platform/data.tf 
@@ -6,27 +6,62 @@ data "aws_ssoadmin_instances" "main" { provider = aws.sso-readonly } -data "aws_identitystore_group" "this" { +data "aws_identitystore_group" "observability_platform" { provider = aws.sso-readonly identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - # This fails with the following error: - # Error: reading AWS SSO Identity Store Group Data Source (d-XXXXXX): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 059df12d-84ce-4803-9a6b-0d41624d749f, ResourceNotFoundException: Group not found - # alternate_identifier { - # unique_attribute { - # attribute_path = "DisplayName" - # attribute_value = "analytical-platform" - # } - # } + filter { + attribute_path = "GroupId" + attribute_value = "16a2d234-1031-70b5-2657-7f744c55e48f" + } +} + +output "observability_platform_display_name" { + value = data.aws_identitystore_group.observability_platform.display_name +} + +data "aws_identitystore_group" "analytical_platform" { + provider = aws.sso-readonly + + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] + + filter { + attribute_path = "GroupId" + attribute_value = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1" + } +} + +output "analytical_platform_display_name" { + value = data.aws_identitystore_group.analytical_platform.display_name +} + +data "aws_identitystore_group" "data_platform" { + provider = aws.sso-readonly + + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - # This is deprecated, but @dms1981 said it works... 
filter { - attribute_path = "DisplayName" - attribute_value = "analytical-platform" + attribute_path = "GroupId" + attribute_value = "a68242b4-b0a1-7085-25f4-dc60e4c122c0" } } -output "name" { - value = data.aws_identitystore_group.this.id +output "data_platform_display_name" { + value = data.aws_identitystore_group.data_platform.display_name +} + +data "aws_identitystore_group" "dso" { + provider = aws.sso-readonly + + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] + + filter { + attribute_path = "GroupId" + attribute_value = "9c6710dd7f-120a1f73-34c1-447a-b34c-6cdc2cd64b5e" + } } + +output "dso_display_name" { + value = data.aws_identitystore_group.data_platform.display_name +} \ No newline at end of file From 83f3220290b4708e1e2eaeeda19d796b8f694edd Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 19:31:11 +0000 Subject: [PATCH 5/8] Fix display name reference in data.tf Signed-off-by: Jacob Woffenden --- terraform/environments/observability-platform/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index 1591391bab7..0376e9f62e8 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf @@ -63,5 +63,5 @@ data "aws_identitystore_group" "dso" { } output "dso_display_name" { - value = data.aws_identitystore_group.data_platform.display_name + value = data.aws_identitystore_group.dso.display_name } \ No newline at end of file From 0dc1b316e5f670d928cd9377467089006cf18a80 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 20:03:51 +0000 Subject: [PATCH 6/8] its showtime 
Signed-off-by: Jacob Woffenden --- .../observability-platform/data.tf | 48 +++---------------- .../environment-configurations.tf | 14 +++--- .../observability-platform/managed-grafana.tf | 4 +- .../modules/grafana/team/data.tf | 10 ++++ .../modules/grafana/team/main.tf | 2 +- .../tenant-configuration/providers.tf | 8 ++++ .../tenant-configuration.tf | 4 ++ 7 files changed, 38 insertions(+), 52 deletions(-) create mode 100644 terraform/environments/observability-platform/modules/grafana/team/data.tf create mode 100644 terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf diff --git a/terraform/environments/observability-platform/data.tf b/terraform/environments/observability-platform/data.tf index 0376e9f62e8..8be462a0251 100644 --- a/terraform/environments/observability-platform/data.tf +++ b/terraform/environments/observability-platform/data.tf 
@@ -12,56 +12,20 @@ data "aws_identitystore_group" "observability_platform" { identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] filter { - attribute_path = "GroupId" - attribute_value = "16a2d234-1031-70b5-2657-7f744c55e48f" + attribute_path = "DisplayName" + attribute_value = "observability-platform" } } -output "observability_platform_display_name" { - value = data.aws_identitystore_group.observability_platform.display_name -} - -data "aws_identitystore_group" "analytical_platform" { - provider = aws.sso-readonly - - identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - - filter { - attribute_path = "GroupId" - attribute_value = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1" - } -} - -output "analytical_platform_display_name" { - value = data.aws_identitystore_group.analytical_platform.display_name -} +data "aws_identitystore_group" "all_identity_centre_teams" { + for_each = { for team in local.all_identity_centre_teams : team => team } -data "aws_identitystore_group" "data_platform" { provider = aws.sso-readonly identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] filter { - attribute_path = "GroupId" - attribute_value = "a68242b4-b0a1-7085-25f4-dc60e4c122c0" + attribute_path = "DisplayName" + attribute_value = each.value } } - -output "data_platform_display_name" { - value = data.aws_identitystore_group.data_platform.display_name -} - -data "aws_identitystore_group" "dso" { - provider = aws.sso-readonly - - identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] - - filter { - attribute_path = "GroupId" - attribute_value = "9c6710dd7f-120a1f73-34c1-447a-b34c-6cdc2cd64b5e" - } -} - -output "dso_display_name" { - value = data.aws_identitystore_group.dso.display_name -} \ No newline at end of file 
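Review bot: `attribute_value = each.value` in `all_identity_centre_teams`, and the `DisplayName` filter in `observability_platform` above it (whose header is above the hunk), bind Grafana ADMIN/EDITOR and team-sync membership to a mutable, human-readable group name instead of the immutable GroupId the series replaces, so renaming a group in Identity Center or re-creating one under the same name changes who can reach Grafana without any change in this repository. If names are the intended contract, say so on the data source, e.g. `# Groups are resolved by DisplayName at plan time; renaming or re-creating a group in Identity Center changes Grafana access`, and call the id-to-name switch out in the PR description. If `local.all_identity_centre_teams` includes `observability-platform`, as environment-configurations.tf suggests, the separate `observability_platform` data source duplicates that lookup and managed-grafana.tf could reference `data.aws_identitystore_group.all_identity_centre_teams["observability-platform"].id` instead.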
diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index f64472aa5ad..4d296ab18e6 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -4,7 +4,7 @@ locals { development = { tenant_configuration = { "observability-platform" = { - identity_centre_team = "16a2d234-1031-70b5-2657-7f744c55e48f" + identity_centre_team = "observability-platform" aws_accounts = { "observability-platform-development" = { cloudwatch_enabled = true @@ -14,7 +14,7 @@ locals { } }, "analytical-platform" = { - identity_centre_team = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1" + identity_centre_team = "analytical-platform" aws_accounts = { "analytical-platform-ingestion-development" = { cloudwatch_enabled = true @@ -24,7 +24,7 @@ locals { } }, "data-platform" = { - "identity_centre_team" = "a68242b4-b0a1-7085-25f4-dc60e4c122c0" + "identity_centre_team" = "data-platform" "aws_accounts" = { "data-platform-development" = { cloudwatch_enabled = true @@ -49,7 +49,7 @@ locals { } } "digital-studio-operations" = { - "identity_centre_team" = "9c6710dd7f-120a1f73-34c1-447a-b34c-6cdc2cd64b5e" + "identity_centre_team" = "studio-webops" "aws_accounts" = { "nomis-test" = { cloudwatch_enabled = true @@ -68,7 +68,7 @@ locals { production = { tenant_configuration = { "observability-platform" = { - identity_centre_team = "16a2d234-1031-70b5-2657-7f744c55e48f" + identity_centre_team = "observability-platform" aws_accounts = { "observability-platform-production" = { cloudwatch_enabled = true @@ -78,7 +78,7 @@ locals { } }, "analytical-platform" = { - identity_centre_team = "9c6710dd7f-e2cdaf44-0510-48cd-8bb1-4b21552ae0f1" + identity_centre_team = "analytical-platform" aws_accounts = { "analytical-platform-ingestion-production" = { cloudwatch_enabled = true 
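Review bot: `"identity_centre_team" = "studio-webops"` under the `"digital-studio-operations"` tenant is the only entry where the Identity Center group name differs from the tenant key, and now that groups are resolved by display name a reader will likely take it for a typo. Add a comment on that line, `# Identity Center group name intentionally differs from the tenant key`, so the mismatch reads as deliberate. The other hunks in this file are straight id-to-name substitutions and need nothing further.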
@@ -88,7 +88,7 @@ locals { } }, "data-platform" = { - "identity_centre_team" = "a68242b4-b0a1-7085-25f4-dc60e4c122c0" + "identity_centre_team" = "data-platform" "aws_accounts" = { "data-platform-production" = { cloudwatch_enabled = true diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 8934d10ca44..23996081d30 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -27,10 +27,10 @@ module "managed_grafana" { role_associations = { "ADMIN" = { - "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform + "group_ids" = [data.aws_identitystore_group.observability_platform.id] } "EDITOR" = { - "group_ids" = local.all_identity_centre_teams + "group_ids" = [for team in data.aws_identitystore_group.all_identity_centre_teams : team.id] } } diff --git a/terraform/environments/observability-platform/modules/grafana/team/data.tf b/terraform/environments/observability-platform/modules/grafana/team/data.tf new file mode 100644 index 00000000000..c6161d07ee7 --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/team/data.tf @@ -0,0 +1,10 @@ +data "aws_ssoadmin_instances" "main" {} + +data "aws_identitystore_group" "this" { + identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0] + + filter { + attribute_path = "DisplayName" + attribute_value = var.identity_centre_team + } +} diff --git a/terraform/environments/observability-platform/modules/grafana/team/main.tf b/terraform/environments/observability-platform/modules/grafana/team/main.tf index cd6e4b56d8f..78e7d7b04ef 100644 --- a/terraform/environments/observability-platform/modules/grafana/team/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/main.tf 
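Review bot: The new `EDITOR` expression `[for team in data.aws_identitystore_group.all_identity_centre_teams : team.id]` will also carry the observability-platform group if that team is part of `local.all_identity_centre_teams`, which environment-configurations.tf suggests it is, so one group ends up mapped to both `ADMIN` and `EDITOR`. That is probably intended, but state it, e.g. `# observability-platform is also in this list via all_identity_centre_teams - intentional`, and confirm how Managed Grafana resolves a group mapped to two roles before relying on it. `values(data.aws_identitystore_group.all_identity_centre_teams)[*].id` is the more conventional spelling of the same list.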
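Review bot: The new modules/grafana/team/data.tf makes every `team` module instance run its own `aws_ssoadmin_instances` and `aws_identitystore_group` lookup against whichever `aws` provider is passed in, while the root module already resolves the same groups in `all_identity_centre_teams`; passing the resolved group id into the module as a variable would avoid the duplicate Identity Center calls per tenant and the `aws.sso` provider plumbing added in tenant-configuration.tf and in patch 7. If the in-module lookup is kept, document the provider contract at the top of the file, e.g. `# Requires the aws provider passed to this module to have read access to IAM Identity Center instances and groups`. The `[0]` index on `identity_store_ids` has the same failure mode as in the root data.tf.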
@@ -1,7 +1,7 @@ resource "grafana_team" "this" { name = var.name team_sync { - groups = [var.identity_centre_team] + groups = [data.aws_identitystore_group.this.id] } } diff --git a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf new file mode 100644 index 00000000000..4473798850b --- /dev/null +++ b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + configuration_aliases = [aws.sso] + } + } +} \ No newline at end of file diff --git a/terraform/environments/observability-platform/tenant-configuration.tf b/terraform/environments/observability-platform/tenant-configuration.tf index 5b4efeb195c..446247e8484 100644 --- a/terraform/environments/observability-platform/tenant-configuration.tf +++ b/terraform/environments/observability-platform/tenant-configuration.tf @@ -3,6 +3,10 @@ module "tenant_configuration" { source = "./modules/observability-platform/tenant-configuration" + providers = { + aws.sso = aws.sso-readonly + } + environment_management = local.environment_management name = each.key identity_centre_team = each.value.identity_centre_team From f9fa2e27404b0c15fb1dffac096e5c5f57a94931 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 20:11:48 +0000 Subject: [PATCH 7/8] Update providers.tf and main.tf Signed-off-by: Jacob Woffenden --- .../observability-platform/modules/grafana/team/providers.tf | 4 ++++ .../observability-platform/tenant-configuration/main.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/terraform/environments/observability-platform/modules/grafana/team/providers.tf b/terraform/environments/observability-platform/modules/grafana/team/providers.tf index 488291d9cc0..2443ffc12f6 100644 
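Review bot: `groups = [data.aws_identitystore_group.this.id]` changes the meaning of `var.identity_centre_team` from an Identity Center group id to a display name, but nothing in the series touches the variable's declaration, so its description in the module's variables.tf (not shown) presumably still describes an id. Update that description to say the value is the group's DisplayName, resolved to an id at plan time, so the next caller does not pass a GroupId and get a "Group not found" failure.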
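Review bot: The new `required_providers` entry for `aws` in tenant-configuration/providers.tf declares a `source` but no `version`, while patch 7 pins `~> 5.0` for the same provider in modules/grafana/team/providers.tf; the two modules sit in the same provider chain, so give them the same constraint, `version = "~> 5.0"`. An unpinned requirement here means the deprecated `filter` lookup downstream can break on a provider upgrade that this module alone would not have blocked.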
--- a/terraform/environments/observability-platform/modules/grafana/team/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/providers.tf @@ -1,5 +1,9 @@ terraform { required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } grafana = { source = "grafana/grafana" version = "~> 2.0" diff --git a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/main.tf b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/main.tf index a139f570571..c26d6013e60 100644 --- a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/main.tf +++ b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/main.tf @@ -38,6 +38,10 @@ module "prometheus_push" { module "team" { source = "../../grafana/team" + providers = { + aws = aws.sso + } + name = var.name identity_centre_team = var.identity_centre_team aws_accounts = var.aws_accounts From 2b7348688398cce04cfd67b84f18e6774e1469b9 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Mar 2024 20:15:35 +0000 Subject: [PATCH 8/8] newline please Signed-off-by: Jacob Woffenden --- .../observability-platform/tenant-configuration/providers.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf index 4473798850b..95b767b0e1d 100644 --- a/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf +++ b/terraform/environments/observability-platform/modules/observability-platform/tenant-configuration/providers.tf @@ -5,4 +5,4 @@ terraform { configuration_aliases = [aws.sso] } } -} \ No newline at end of file +}
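Review bot: `aws = aws.sso` in the `team` module call makes the read-only Identity Center provider the default `aws` provider for modules/grafana/team, so any aws resource added to that module later would be created in the account behind `aws.sso-readonly` rather than the tenant's. Today the module's only aws usage is the two data sources in its data.tf, which is exactly what a read-only role should back; record that constraint next to the providers block, e.g. `# grafana/team uses aws only for Identity Center lookups; aws.sso is read-only`. The `module "team"` block's closing brace lies beyond the hunk.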