IT-4237 Create SSO access for a JC aws-dca-prod-admins group (#1326)

brucehoff · web-flow · commit 3a12620b1ec2 · 2025-01-17T13:17:53.000-08:00
IT-4237: add dca-prod-admin group
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
@@ -245,6 +245,10 @@ Parameters:
     Type: String
     Default: '540864c8-1021-7048-7142-4563c3f12645'
 
+  dcaProdAdminGroup:      # JC aws-dca-prod-admins
+    Type: String
+    Default: 'e4d814e8-c071-70fb-2b1e-931d3aed6a46'
+
   genieProdViewerGroup:      #JC aws-genie-prod-viewers
     Type: String
     Default: '9478a4f8-3001-707d-dadb-0c9fffb968be'
@@ -1916,6 +1920,23 @@ SsoDCAProdApplicationManager:
     principalId: !Ref dcaProdApplicationManagerGroup
     permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-application-manager-permission-set-arn' ]
 
+SsoDCAProdAdmin:
+  Type: update-stacks
+  DependsOn: SsoAdministrator
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/SSO/aws-sso.njk
+  StackName: !Sub '${resourcePrefix}-${appName}-dca-prod-admin'
+  StackDescription: 'SSO: Administrator role used by DCA admin group'
+  DefaultOrganizationBindingRegion: !Ref primaryRegion
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: true
+  OrganizationBindings:
+    TargetBinding:
+      Account: !Ref DCAProdAccount
+  Parameters:
+    instanceArn: !Ref instanceArn
+    principalId: !Ref dcaProdAdminGroup
+    permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-admin-permission-set-arn' ]
+
 SsoGenieProdViewer:
   Type: update-stacks
   DependsOn: SsoViewer
