
Commit ddceea8

Adding groups for SignIn dev2 account and cra dashboard prod (#394)
1 parent d2e75e1 commit ddceea8


6 files changed

+103
-1
lines changed


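--- a/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
+++ b/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
@@ -62,6 +62,24 @@ locals {
 permission_set = aws_ssoadmin_permission_set.cra_bucket_get_object,
 }
 ]
+cra_dashboard_production_permission_sets = [
+{
+group = aws_identitystore_group.cra_dashboard_production_admin,
+permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+},
+{
+group = aws_identitystore_group.cra_dashboard_production_billing_read_only,
+permission_set = aws_ssoadmin_permission_set.read_only_billing,
+},
+{
+group = aws_identitystore_group.cra_dashboard_production_read_only,
+permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+},
+{
+group = aws_identitystore_group.cra_dashboard_production_read_only,
+permission_set = aws_ssoadmin_permission_set.cra_bucket_get_object,
+}
+]
 }
 
 resource "aws_ssoadmin_account_assignment" "digital_transformation_office_production" {
@@ -115,3 +133,16 @@ resource "aws_ssoadmin_account_assignment" "cra_dashboard_staging" {
 target_id = local.cra_dashboard_staging_account_id
 target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "cra_dashboard_production" {
+for_each = { for perm in local.cra_dashboard_production_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+instance_arn = local.sso_instance_arn
+permission_set_arn = each.value.permission_set.arn
+
+principal_id = each.value.group.group_id
+principal_type = "GROUP"
+
+target_id = local.cra_dashboard_production_account_id
+target_type = "AWS_ACCOUNT"
+}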
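Review bot: The `for_each` key of the new `cra_dashboard_production` assignment is derived from `perm.group.display_name`, so a later rename of a group's display name re-keys the map and Terraform will destroy and recreate that production assignment instead of updating it in place; the same holds for the `gc_signin_dev2` resource in gc_signin_assignments.tf. Since the key expression is repeated verbatim in each assignment resource, a short comment above the `for_each` would make the consequence visible to whoever edits a display name next: `# Key is display_name-permission_set name: renaming a group recreates its assignments.`. The new `cra_dashboard_production_permission_sets` local also lacks the section marker its counterpart in gc_signin_assignments.tf carries (`# GCSignin-Dev2`); adding `# CRA Dashboard Production` above it keeps the two files consistent. Separately, the admin group receives the AWS-managed `aws_administrator_access` set on a production account, which is worth confirming with the account owners is the intended level rather than a scoped permission set.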

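--- a/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf
+++ b/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf
@@ -78,4 +78,24 @@ resource "aws_identitystore_group" "cra_dashboard_staging_billing_read_only" {
 display_name = "CRADashboard-Staging-Billing-ReadOnly"
 description = "Grants members read-only Billing and Cost Explorer access to the Digital Transformation office Staging account."
 identity_store_id = local.sso_identity_store_id
+}
+
+
+#
+# CRA Dashboard Production
+#
+resource "aws_identitystore_group" "cra_dashboard_production_admin" {
+display_name = "CRADashboard-Production-Admin"
+description = "Grants members administrator access to the CRA Dashboard Production account."
+identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "cra_dashboard_production_read_only" {
+display_name = "CRADashboard-Production-ReadOnly"
+description = "Grants members read-only access to the CRA Dashboard Production account."
+identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "cra_dashboard_production_billing_read_only" {
+display_name = "CRADashboard-Production-Billing-ReadOnly"
+description = "Grants members read-only Billing and Cost Explorer access to the CRA Dashboard Production account."
+identity_store_id = local.sso_identity_store_id
 }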

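--- a/terragrunt/org_account/iam_identity_center/digital_transformation_office_permissions.tf
+++ b/terragrunt/org_account/iam_identity_center/digital_transformation_office_permissions.tf
@@ -27,7 +27,9 @@ data "aws_iam_policy_document" "cra_bucket_get_object" {
 ]
 resources = [
 "arn:aws:s3:::cra-upd-dashboard-data-staging/*",
-"arn:aws:s3:::cra-upd-dashboard-data-staging"
+"arn:aws:s3:::cra-upd-dashboard-data-staging",
+"arn:aws:s3:::cra-upd-dashboard-data-production/*",
+"arn:aws:s3:::cra-upd-dashboard-data-production"
 ]
 }
 }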
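Review bot: Adding the production bucket ARNs to the single `cra_bucket_get_object` policy document widens every existing assignment of that permission set, not only the new production one; the context at the top of the first hunk in digital_transformation_office_assignments.tf shows the same set already attached to a group in the pre-existing list (presumably the staging one), so that group now gains object read access on `cra-upd-dashboard-data-production` as well. If staging principals are not meant to read production data, a separate policy document and permission set per environment — one referencing only the staging ARNs, one only the production ARNs — keeps the two accounts' data isolated, with the production list in the assignments file pointing at the production-only set. The enclosing `data "aws_iam_policy_document"` block starts before this hunk, so the actions it grants are not visible here.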

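--- a/terragrunt/org_account/iam_identity_center/gc_signin_assignments.tf
+++ b/terragrunt/org_account/iam_identity_center/gc_signin_assignments.tf
@@ -46,6 +46,21 @@ locals {
 permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
 }
 ]
+# GCSignin-Dev2
+gc_signin_dev2_permission_sets = [
+{
+group = aws_identitystore_group.gc_signin_dev2_admin,
+permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+},
+{
+group = aws_identitystore_group.gc_signin_dev2_read_only_billing,
+permission_set = aws_ssoadmin_permission_set.read_only_billing,
+},
+{
+group = aws_identitystore_group.gc_signin_dev2_read_only,
+permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+}
+]
 # GCSignin-Test
 gc_signin_test_permission_sets = [
 {
@@ -102,6 +117,19 @@ resource "aws_ssoadmin_account_assignment" "gc_signin_dev" {
 target_type = "AWS_ACCOUNT"
 }
 
+resource "aws_ssoadmin_account_assignment" "gc_signin_dev2" {
+for_each = { for perm in local.gc_signin_dev2_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+instance_arn = local.sso_instance_arn
+permission_set_arn = each.value.permission_set.arn
+
+principal_id = each.value.group.group_id
+principal_type = "GROUP"
+
+target_id = local.gc_signin_dev2_account_id
+target_type = "AWS_ACCOUNT"
+}
+
 resource "aws_ssoadmin_account_assignment" "gc_signin_test" {
 for_each = { for perm in local.gc_signin_test_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
 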
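--- a/terragrunt/org_account/iam_identity_center/gc_signin_groups.tf
+++ b/terragrunt/org_account/iam_identity_center/gc_signin_groups.tf
@@ -56,6 +56,25 @@ resource "aws_identitystore_group" "gc_signin_dev_read_only_billing" {
 identity_store_id = local.sso_identity_store_id
 }
 
+#
+# Dev2
+#
+resource "aws_identitystore_group" "gc_signin_dev2_admin" {
+display_name = "GCSignIn-Dev2-Admin"
+description = "Grants members administrator access to the GC Signin Dev2 account."
+identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "gc_signin_dev2_read_only" {
+display_name = "GCSignIn-Dev2-ReadOnly"
+description = "Grants members read-only access to the GC Signin Dev2 account."
+identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "gc_signin_dev2_read_only_billing" {
+display_name = "GCSignIn-Dev2-Billing-ReadOnly"
+description = "Grants members read-only Billing and Cost Explorer access to the GC Signin Dev2 account."
+identity_store_id = local.sso_identity_store_id
+}
+
 #
 # Test
 #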

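--- a/terragrunt/org_account/iam_identity_center/locals.tf
+++ b/terragrunt/org_account/iam_identity_center/locals.tf
@@ -19,11 +19,13 @@ locals {
 gc_signin_production_account_id = "699475931199"
 gc_signin_staging_account_id = "565393049229"
 gc_signin_test_account_id = "768102297819"
+gc_signin_dev2_account_id = "780097021060"
 
 digital_transformation_office_production_account_id = "730335533085"
 digital_transformation_office_staging_account_id = "992382783569"
 digital_transformation_office_ai_staging_account_id = "144414543732"
 cra_dashboard_staging_account_id = "211125499457"
+cra_dashboard_production_account_id = "480754269604"
 
 forms_production_account_id = "957818836222"
 forms_staging_account_id = "687401027353"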
