From 45150fec7fd143923f77ecce2a93dc526b35c370 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Wed, 30 Jul 2025 11:53:03 -0700
Subject: [PATCH 1/2] [IT-4546] Setup access to AWS account
Setup SSO user access to AWS org-sagebase-bixarena account.
depends on #1447
---
 org-formation/700-aws-sso/_tasks.yaml | 42 +++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
index 6f5858d7..a29ba66f 100644
--- a/org-formation/700-aws-sso/_tasks.yaml
+++ b/org-formation/700-aws-sso/_tasks.yaml
@@ -342,6 +342,14 @@ Parameters:
 Type: String
 Default: '04182458-5011-7026-862d-509a06438571'
+ BixArenaProdAdminGroup: # JC aws-bixarena-prod-admins
+ Type: String
+ Default: 'f4e8a418-10b1-70cc-a6b6-95aea41819d1'
+
+ BixArenaProdDeveloperGroup: # JC aws-bixarena-prod-developers
+ Type: String
+ Default: '7478a468-8051-708a-24cc-0b07adfa1835'
+
 #------------- personal AWS accounts ------------------
 BuA2aDwAdminGroup: #JC aws-BuA2aDw-admins
 Type: String
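Review bot: The two new `Default` GUIDs in the `Parameters` hunk are linked to their groups only by the trailing `# JC …` comments, and nothing visible here confirms that each ID resolves to the intended identity-store group. These values become the `principalId` for the admin and developer assignments on the BixArena prod account, so a swapped or mistyped GUID that happens to match another group would still deploy and would bind that access to the wrong principals. It would help to record in the PR how each ID was confirmed, for example with the output of `aws identitystore describe-group --identity-store-id <identity-store-id> --group-id <group-id>`. As a style point, the new comments use `# JC` while the neighbouring `BuA2aDwAdminGroup` entry uses `#JC`; one form should be used throughout the file.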
@@ -2291,3 +2299,37 @@ SsoGenAiIcDevDeveloper:
 instanceArn: !Ref instanceArn
 principalId: !Ref GenAiIcDevDevelopersGroup
 permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-developer-permission-set-arn' ]
+
+SsoBixArenaProdAdmin:
+ Type: update-stacks
+ DependsOn: SsoAdministrator
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.2.11/templates/SSO/aws-sso.yaml
+ StackName: !Sub '${resourcePrefix}-${appName}-bixarena-prod-admin'
+ StackDescription: 'SSO: admin role used by BixArena prod admin group'
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: true
+ OrganizationBindings:
+ TargetBinding:
+ Account: !Ref BixArenaProdAccount
+ Parameters:
+ instanceArn: !Ref instanceArn
+ principalId: !Ref BixArenaProdAdminGroup
+ permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-admin-permission-set-arn' ]
+
+SsoBixArenaProdDeveloper:
+ Type: update-stacks
+ DependsOn: SsoDeveloper
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.2.11/templates/SSO/aws-sso.yaml
+ StackName: !Sub '${resourcePrefix}-${appName}-bixarena-prod-developer'
+ StackDescription: 'SSO: developer role used by BixArena prod developer group'
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: true
+ OrganizationBindings:
+ TargetBinding:
+ Account: !Ref BixArenaProdAccount
+ Parameters:
+ instanceArn: !Ref instanceArn
+ principalId: !Ref BixArenaProdDeveloperGroup
+ permissionSetArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-developer-permission-set-arn' ]
From 710bcffa651a09b5b3c0636cb5e0c9b2fff0430b Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Thu, 31 Jul 2025 10:14:31 -0700
Subject: [PATCH 2/2] update template version
---
 org-formation/700-aws-sso/_tasks.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
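Review bot: In the PATCH 1/2 hunk that adds the BixArena stacks, `SsoBixArenaProdDeveloper` binds `BixArenaProdDeveloperGroup` to the same `…-developer-permission-set-arn` export that the context lines show for `SsoGenAiIcDevDeveloper`. Developers would therefore hold in this prod account whatever that shared set allows in dev accounts. The permission set's policies are not visible in this hunk, so this may well be intended. If it is, a comment above the stack such as `# prod account: developers intentionally receive the shared developer permission set (IT-4546)` would record the decision for later access reviews. If it is not, a narrower prod-specific permission set is the usual least-privilege choice.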
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
index a29ba66f..e83d218d 100644
--- a/org-formation/700-aws-sso/_tasks.yaml
+++ b/org-formation/700-aws-sso/_tasks.yaml
@@ -2303,7 +2303,8 @@ SsoGenAiIcDevDeveloper:
 SsoBixArenaProdAdmin:
 Type: update-stacks
 DependsOn: SsoAdministrator
- Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.2.11/templates/SSO/aws-sso.yaml
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.2/templates/SSO/aws-sso.njk
+ TemplatingContext: {}
 StackName: !Sub '${resourcePrefix}-${appName}-bixarena-prod-admin'
 StackDescription: 'SSO: admin role used by BixArena prod admin group'
 DefaultOrganizationBindingRegion: !Ref primaryRegion
@@ -2320,7 +2321,8 @@ SsoBixArenaProdAdmin:
 SsoBixArenaProdDeveloper:
 Type: update-stacks
 DependsOn: SsoDeveloper
- Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.2.11/templates/SSO/aws-sso.yaml
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.2/templates/SSO/aws-sso.njk
+ TemplatingContext: {}
 StackName: !Sub '${resourcePrefix}-${appName}-bixarena-prod-developer'
 StackDescription: 'SSO: developer role used by BixArena prod developer group'
 DefaultOrganizationBindingRegion: !Ref primaryRegion
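Review bot: The new `Template:` URLs in both hunks (`SsoBixArenaProdAdmin` and `SsoBixArenaProdDeveloper`) reference `aws-infra` by the tag `v0.10.2`, and a git tag can be moved after review. The template that defines these prod SSO assignments is therefore fetched from raw.githubusercontent.com without a fixed content reference. Pinning to the commit the tag points at, `Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/<commit-sha>/templates/SSO/aws-sso.njk`, keeps the deployed template identical to the one that was reviewed. `TemplatingContext: {}` would also benefit from a short comment such as `# empty context: present only so the .njk template is rendered`, if that is its purpose (inferred, not shown here). Both stack definitions continue past the end of their hunks.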