remove test script permissions from pp-onr-bods-1 (#9080)

ministryofjustice · Dec 13, 2024 · ce10c3d · ce10c3d
1 parent 5b9b404
commit ce10c3d
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 39 deletions.
diff --git a/terraform/environments/oasys-national-reporting/locals_preproduction.tf b/terraform/environments/oasys-national-reporting/locals_preproduction.tf
@@ -84,7 +84,7 @@ locals {
             }
           ))
           instance_profile_policies = concat(local.ec2_instances.bods.config.instance_profile_policies, [
-            "Ec2SecretPolicy", "Ec2ValidateFSX",
+            "Ec2SecretPolicy",
           ])
         })
         # IMPORTANT: EBS volume initialization, labelling, formatting was carried out manually on this instance. It was not automated so these ebs_volume settings are bespoke. Additional volumes should NOT be /dev/xvd* see the local.ec2_instances.bods.ebs_volumes setting for the correct device names.
@@ -180,43 +180,6 @@ locals {
           }
         ]
       }
-      Ec2ValidateFSX = {
-        description = "Permissions required for instances to run fsx test scripts"
-        statements = [
-          {
-            effect = "Allow"
-            actions = [
-              "ec2:Describe*"
-            ]
-            resources = [
-              "*"
-            ]
-          },
-          {
-            effect = "Allow"
-            actions = [
-              "elasticloadbalancing:Describe*"
-            ]
-            resources = [
-              "*"
-            ]
-          },
-          {
-            effect = "Allow"
-            actions = [
-              "cloudwatch:ListMetrics",
-              "cloudwatch:GetMetricStatistics",
-              "cloudwatch:Describe*"
-            ]
-            resources = ["*"]
-          },
-          {
-            effect    = "Allow"
-            actions   = ["autoscaling:Describe*"]
-            resources = ["*"]
-          }
-        ]
-      }
     }
 
     # DO NOT DEPLOY YET AS OTHER THINGS AREN'T READY

diff --git a/terraform/environments/oasys-national-reporting/locals_production.tf b/terraform/environments/oasys-national-reporting/locals_production.tf
@@ -60,8 +60,9 @@ locals {
     #       module.ip_addresses.mp_ip.ad-hmpp-dc-b,
     #     ]
     #     domain_name          = "azure.hmpp.root"
-    #     username             = "svc_join_domain"
+    #     username             = "svc_fsx_windows"
     #     password_secret_name = "/sap/bods/pd/passwords"
+    #     file_system_administrators_group = "Domain Join"
     #   }
     #   tags = {
     #     backup = true

diff --git a/terraform/modules/fsx_windows/README.md b/terraform/modules/fsx_windows/README.md
@@ -17,6 +17,7 @@ NOTES:
 - Use Single-AZ solution for non-production environments to save cost.
 - Multi-AZ can only include 2 availability zones.
 - Set `skip_final_backup true` to avoid issues deleting the resource
+- See <https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5343248588/AD+setup+for+fsx_windows+shared+drives> for specifics about AD setup and especially terraform values for joining the HMPP domain.
 
 ## Security Groups