Update CMT front end role (#8896)

* Update CMT front end role * Update terraform/environments/electronic-monitoring-data/cloud_platform_share.tf suggested version add to make static analysis happy * Update cloud_platform_share.tf I got the assumed role bit wrong, I think * Update cloud_platform_share.tf removed requirement for MFA - not useful for service accounts * Adding roles and per-environment allocation logic --------- Co-authored-by: Jasper <[email protected]>
ministryofjustice · Dec 3, 2024 · d988b97 · d988b97
1 parent 883814c
commit d988b97
Showing 1 changed file with 33 additions and 2 deletions.
diff --git a/terraform/environments/electronic-monitoring-data/cloud_platform_share.tf b/terraform/environments/electronic-monitoring-data/cloud_platform_share.tf
@@ -1,13 +1,44 @@
+locals {
+  # Setting the IAM name that our Cloud Platform API will use to connect to this role
+
+  iam-dev     = local.environment_shorthand == "dev"     ? var.cloud-platform-iam-dev     : ""
+  iam-test    = local.environment_shorthand == "test"    ? var.cloud-platform-iam-preprod : ""
+  iam-preprod = local.environment_shorthand == "preprod" ? var.cloud-platform-iam-preprod : ""
+  iam-prod    = local.environment_shorthand == "prod"    ? var.cloud-platform-iam-prod    : ""
+
+  resolved-cloud-platform-iam-role = coalesce(local.iam-dev, local.iam-test, local.iam-preprod, local.iam-prod)
+}
+
+variable "cloud-platform-iam-dev" {
+  type        = string
+  description = "IAM role that our API in Cloud Platform will use to connect to this role."
+  default     = "arn:aws:iam::754256621582:role/cloud-platform-irsa-6ab6c596b45e90b3-live"
+}
+
+variable "cloud-platform-iam-preprod" {
+  type        = string
+  description = "IAM role that our API in Cloud Platform will use to connect to this role."
+  default     = "arn:aws:iam::754256621582:role/cloud-platform-irsa-bca231f5681d29c6-live"
+}
+
+variable "cloud-platform-iam-prod" {
+  type        = string
+  description = "IAM role that our API in Cloud Platform will use to connect to this role."
+  default     = "arn:aws:iam::754256621582:role/cloud-platform-irsa-7a81f92a48491ef0-live"
+}
+
 module "cmt_front_end_assumable_role" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
   source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-
+  version = "5.48.0"
+
   trusted_role_arns = [
-    "arn:aws:iam::754256621582:root"
+    local.resolved-cloud-platform-iam-role
   ]
 
   create_role = true
+  role_requires_mfa = false
 
   role_name = "cmt_read_emds_data_${local.environment_shorthand}"