Adding groups for SignIn dev2 account and cra dashboard prod (#394)

Author: sylviamclaughlin

terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf

@@ -62,6 +62,24 @@ locals {
       permission_set = aws_ssoadmin_permission_set.cra_bucket_get_object,
     }
   ]
+  cra_dashboard_production_permission_sets = [
+    {
+      group          = aws_identitystore_group.cra_dashboard_production_admin,
+      permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+    },
+    {
+      group          = aws_identitystore_group.cra_dashboard_production_billing_read_only,
+      permission_set = aws_ssoadmin_permission_set.read_only_billing,
+    },
+    {
+      group          = aws_identitystore_group.cra_dashboard_production_read_only,
+      permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+    },
+    {
+      group          = aws_identitystore_group.cra_dashboard_production_read_only,
+      permission_set = aws_ssoadmin_permission_set.cra_bucket_get_object,
+    }
+  ]
 }
 
 resource "aws_ssoadmin_account_assignment" "digital_transformation_office_production" {
@@ -115,3 +133,16 @@ resource "aws_ssoadmin_account_assignment" "cra_dashboard_staging" {
   target_id   = local.cra_dashboard_staging_account_id
   target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "cra_dashboard_production" {
+  for_each = { for perm in local.cra_dashboard_production_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.permission_set.arn
+
+  principal_id   = each.value.group.group_id
+  principal_type = "GROUP"
+
+  target_id   = local.cra_dashboard_production_account_id
+  target_type = "AWS_ACCOUNT"
+}

terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf

@@ -78,4 +78,24 @@ resource "aws_identitystore_group" "cra_dashboard_staging_billing_read_only" {
   display_name      = "CRADashboard-Staging-Billing-ReadOnly"
   description       = "Grants members read-only Billing and Cost Explorer access to the Digital Transformation office Staging account."
   identity_store_id = local.sso_identity_store_id
+}
+
+
+# 
+# CRA Dashboard Production 
+#
+resource "aws_identitystore_group" "cra_dashboard_production_admin" {
+  display_name      = "CRADashboard-Production-Admin"
+  description       = "Grants members administrator access to the CRA Dashboard Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "cra_dashboard_production_read_only" {
+  display_name      = "CRADashboard-Production-ReadOnly"
+  description       = "Grants members read-only access to the CRA Dashboard Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "cra_dashboard_production_billing_read_only" {
+  display_name      = "CRADashboard-Production-Billing-ReadOnly"
+  description       = "Grants members read-only Billing and Cost Explorer access to the CRA Dashboard Production account."
+  identity_store_id = local.sso_identity_store_id
 }

terragrunt/org_account/iam_identity_center/digital_transformation_office_permissions.tf

@@ -27,7 +27,9 @@ data "aws_iam_policy_document" "cra_bucket_get_object" {
     ]
     resources = [
       "arn:aws:s3:::cra-upd-dashboard-data-staging/*",
-      "arn:aws:s3:::cra-upd-dashboard-data-staging"
+      "arn:aws:s3:::cra-upd-dashboard-data-staging",
+      "arn:aws:s3:::cra-upd-dashboard-data-production/*",
+      "arn:aws:s3:::cra-upd-dashboard-data-production"
     ]
   }
 }

terragrunt/org_account/iam_identity_center/gc_signin_assignments.tf

@@ -46,6 +46,21 @@ locals {
       permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
     }
   ]
+  # GCSignin-Dev2
+  gc_signin_dev2_permission_sets = [
+    {
+      group          = aws_identitystore_group.gc_signin_dev2_admin,
+      permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+    },
+    {
+      group          = aws_identitystore_group.gc_signin_dev2_read_only_billing,
+      permission_set = aws_ssoadmin_permission_set.read_only_billing,
+    },
+    {
+      group          = aws_identitystore_group.gc_signin_dev2_read_only,
+      permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+    }
+  ]
   # GCSignin-Test
   gc_signin_test_permission_sets = [
     {
@@ -102,6 +117,19 @@ resource "aws_ssoadmin_account_assignment" "gc_signin_dev" {
   target_type = "AWS_ACCOUNT"
 }
 
+resource "aws_ssoadmin_account_assignment" "gc_signin_dev2" {
+  for_each = { for perm in local.gc_signin_dev2_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.permission_set.arn
+
+  principal_id   = each.value.group.group_id
+  principal_type = "GROUP"
+
+  target_id   = local.gc_signin_dev2_account_id
+  target_type = "AWS_ACCOUNT"
+}
+
 resource "aws_ssoadmin_account_assignment" "gc_signin_test" {
   for_each = { for perm in local.gc_signin_test_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
 

terragrunt/org_account/iam_identity_center/gc_signin_groups.tf

@@ -56,6 +56,25 @@ resource "aws_identitystore_group" "gc_signin_dev_read_only_billing" {
   identity_store_id = local.sso_identity_store_id
 }
 
+# 
+# Dev2
+#
+resource "aws_identitystore_group" "gc_signin_dev2_admin" {
+  display_name      = "GCSignIn-Dev2-Admin"
+  description       = "Grants members administrator access to the GC Signin Dev2 account."
+  identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "gc_signin_dev2_read_only" {
+  display_name      = "GCSignIn-Dev2-ReadOnly"
+  description       = "Grants members read-only access to the GC Signin Dev2 account."
+  identity_store_id = local.sso_identity_store_id
+}
+resource "aws_identitystore_group" "gc_signin_dev2_read_only_billing" {
+  display_name      = "GCSignIn-Dev2-Billing-ReadOnly"
+  description       = "Grants members read-only Billing and Cost Explorer access to the GC Signin Dev2 account."
+  identity_store_id = local.sso_identity_store_id
+}
+
 # 
 # Test 
 #

terragrunt/org_account/iam_identity_center/locals.tf

@@ -19,11 +19,13 @@ locals {
   gc_signin_production_account_id = "699475931199"
   gc_signin_staging_account_id    = "565393049229"
   gc_signin_test_account_id       = "768102297819"
+  gc_signin_dev2_account_id       = "780097021060"
 
   digital_transformation_office_production_account_id = "730335533085"
   digital_transformation_office_staging_account_id    = "992382783569"
   digital_transformation_office_ai_staging_account_id = "144414543732"
   cra_dashboard_staging_account_id                    = "211125499457"
+  cra_dashboard_production_account_id                 = "480754269604"
 
   forms_production_account_id = "957818836222"
   forms_staging_account_id    = "687401027353"