feat: create groups for DTO AI account (#389)

gcharest · web-flow · commit 6a5abc22ddc1 · 2025-11-04T11:35:22.000-05:00
diff --git a/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf b/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
@@ -30,6 +30,20 @@ locals {
       permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
     },
   ]
+  digital_transformation_office_ai_staging_permission_sets = [
+    {
+      group          = aws_identitystore_group.digital_transformation_office_ai_staging_admin,
+      permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+    },
+    {
+      group          = aws_identitystore_group.digital_transformation_office_ai_staging_read_only,
+      permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+    },
+    {
+      group          = aws_identitystore_group.digtal_transformation_office_ai_staging_billing_read_only,
+      permission_set = aws_ssoadmin_permission_set.read_only_billing,
+    },
+  ]
   cra_dashboard_staging_permission_sets = [
     {
       group          = aws_identitystore_group.cra_dashboard_staging_admin,
diff --git a/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf b/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf
@@ -37,6 +37,30 @@ resource "aws_identitystore_group" "digtal_transformation_office_staging_billing
   identity_store_id = local.sso_identity_store_id
 }
 
+
+#
+# AI Staging
+#
+resource "aws_identitystore_group" "digital_transformation_office_ai_staging_admin" {
+  display_name      = "DigitalTransformationOffice-AI-Staging-Admin"
+  description       = "Grants members administrator access to the Digital Transformation Office AI Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "digital_transformation_office_ai_staging_read_only" {
+  display_name      = "DigitalTransformationOffice-AI-Staging-ReadOnly"
+  description       = "Grants members read-only access to the Digital Transformation Office AI Staging account."
+  identity_store_id = local.sso_identity_store_id
+
+}
+
+resource "aws_identitystore_group" "digtal_transformation_office_ai_staging_billing_read_only" {
+  display_name      = "DigitalTransformationOffice-AI-Staging-Billing-ReadOnly"
+  description       = "Grants members read-only Billing and Cost Explorer access to the Digital Transformation office AI Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+
 # 
 # CRA Dashboard Staging 
 #
