From ce10c3d9655346e065dfc5dfab6705181d5c63bf Mon Sep 17 00:00:00 2001
From: Robert Sweetman
Date: Fri, 13 Dec 2024 14:32:30 +0000
Subject: [PATCH] remove test script permissions from pp-onr-bods-1 (#9080)
---
 .../locals_preproduction.tf | 39 +------------------
 .../locals_production.tf | 3 +-
 terraform/modules/fsx_windows/README.md | 1 +
 3 files changed, 4 insertions(+), 39 deletions(-)
diff --git a/terraform/environments/oasys-national-reporting/locals_preproduction.tf b/terraform/environments/oasys-national-reporting/locals_preproduction.tf
index 0a658a6dd4c..ac1ec74c4ce 100644
--- a/terraform/environments/oasys-national-reporting/locals_preproduction.tf
+++ b/terraform/environments/oasys-national-reporting/locals_preproduction.tf
@@ -84,7 +84,7 @@ locals {
 }
 ))
 instance_profile_policies = concat(local.ec2_instances.bods.config.instance_profile_policies, [
- "Ec2SecretPolicy", "Ec2ValidateFSX",
+ "Ec2SecretPolicy",
 ])
 })
 # IMPORTANT: EBS volume initialization, labelling, formatting was carried out manually on this instance. It was not automated so these ebs_volume settings are bespoke. Additional volumes should NOT be /dev/xvd* see the local.ec2_instances.bods.ebs_volumes setting for the correct device names.
@@ -180,43 +180,6 @@ locals {
 }
 ]
 }
- Ec2ValidateFSX = {
- description = "Permissions required for instances to run fsx test scripts"
- statements = [
- {
- effect = "Allow"
- actions = [
- "ec2:Describe*"
- ]
- resources = [
- "*"
- ]
- },
- {
- effect = "Allow"
- actions = [
- "elasticloadbalancing:Describe*"
- ]
- resources = [
- "*"
- ]
- },
- {
- effect = "Allow"
- actions = [
- "cloudwatch:ListMetrics",
- "cloudwatch:GetMetricStatistics",
- "cloudwatch:Describe*"
- ]
- resources = ["*"]
- },
- {
- effect = "Allow"
- actions = ["autoscaling:Describe*"]
- resources = ["*"]
- }
- ]
- }
 }
 # DO NOT DEPLOY YET AS OTHER THINGS AREN'T READY
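Review bot: The second hunk deletes the `Ec2ValidateFSX` policy definition while the first hunk removes only one reference to it (the bods `instance_profile_policies` list), so any other reference to that name inside this environment would now fail at plan time; the diffstat shows no other file under `terraform/environments/oasys-national-reporting/` changed, so it is worth confirming no reference remains before merging. The permissions dropped were read-only (`ec2:Describe*`, `elasticloadbalancing:Describe*`, `cloudwatch:ListMetrics`/`GetMetricStatistics`/`Describe*`, `autoscaling:Describe*`) on `*`, so the change tightens the instance profile as the title says. Consider leaving a trace next to the shortened list so it is not re-added by habit, e.g. `# Ec2ValidateFSX (fsx test-script Describe* permissions) intentionally removed, see #9080`. The enclosing `locals` block starts before and ends after both hunks.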
diff --git a/terraform/environments/oasys-national-reporting/locals_production.tf b/terraform/environments/oasys-national-reporting/locals_production.tf
index e98b1f46173..7687bd73ea7 100644
--- a/terraform/environments/oasys-national-reporting/locals_production.tf
+++ b/terraform/environments/oasys-national-reporting/locals_production.tf
@@ -60,8 +60,9 @@ locals {
 # module.ip_addresses.mp_ip.ad-hmpp-dc-b,
 # ]
 # domain_name = "azure.hmpp.root"
- # username = "svc_join_domain"
+ # username = "svc_fsx_windows"
 # password_secret_name = "/sap/bods/pd/passwords"
+ # file_system_administrators_group = "Domain Join"
 # }
 # tags = {
 # backup = true
diff --git a/terraform/modules/fsx_windows/README.md b/terraform/modules/fsx_windows/README.md
index 13f8581883d..23208ba7de2 100644
--- a/terraform/modules/fsx_windows/README.md
+++ b/terraform/modules/fsx_windows/README.md
@@ -17,6 +17,7 @@ NOTES:
 - Use Single-AZ solution for non-production environments to save cost.
 - Multi-AZ can only include 2 availability zones.
 - Set `skip_final_backup true` to avoid issues deleting the resource
+- See for specifics about AD setup and especially terraform values for joining the HMPP domain.
 ## Security Groups
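Review bot: The added `file_system_administrators_group = "Domain Join"` names the AD group that will be granted administrative rights on the FSx file system (presumably this module input maps to the provider's `self_managed_active_directory` setting; confirm in `terraform/modules/fsx_windows`), so if `Domain Join` is the group holding domain-join service accounts rather than a dedicated FSx admin group, the grant is broader than the file system needs and should be checked with the AD owners before this block is uncommented. The username switch to `svc_fsx_windows` on the line above is consistent with giving FSx its own account, which makes a matching dedicated admin group the natural choice. The whole block is still commented out, so nothing changes in production yet; the enclosing `locals` block and the commented resource both start and end outside the hunk.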