Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add roles and permissions prior to Migration #6160

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Add roles and permissions prior to Migration #6160

wants to merge 10 commits into from

Conversation

BrianEllwood
Copy link
Contributor

@BrianEllwood BrianEllwood commented Nov 20, 2024
edited
Loading

Pull Request Objective

This piece of work is being tracked in
this
GitHub Issue.

As part of the work outlined in the ticket above this PR creates the roles for the following repositories

moj-analytical-services/data-engineering-database-access
role to be replaced - arn:aws:iam::{DATA_ACCOUNT_ID}:role/github-actions-infrastructure

ministryofjustice/create-a-derived-table-infrastructure
rrole to be replaced - arn:aws:iam::{DATA_ACCOUNT_ID}:role/github-actions-infrastructure

Console link for github-actions-infrastructure

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 20, 2024
edited
Loading

Terraform Component 🧱: aws-analytical-platform-oidc

Checkov 🛂: success

Trivy 🛂: success

Static Analysis Override Label 🏷️: false

Pusher: @BrianEllwood, Action: pull_request, Working Directory: terraform/aws/analytical-platform/oidc, Workflow: Terraform, Marker: aws-analytical-platform-oidc_static_analysis

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 20, 2024
edited
Loading

Terraform Component 🧱: aws-analytical-platform-oidc

Terraform Initialization ⚙️: success

Terraform Validation 🤖: success

Terraform Plan 🛠️: success

Pusher: @BrianEllwood, Action: pull_request, Working Directory: terraform/aws/analytical-platform/oidc, Workflow: Terraform, Marker: aws-analytical-platform-oidc_plan

@BrianEllwood BrianEllwood marked this pull request as ready for review November 22, 2024 12:03
@BrianEllwood BrianEllwood requested a review from a team as a code owner November 22, 2024 12:03
julialawrence
julialawrence requested changes Nov 25, 2024
View reviewed changes
Copy link
Contributor

@julialawrence julialawrence left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the roles these are meant to be replacing for easier review. Preferrably to the code defining them, but if that isn't possible, a console link will do.

terraform/aws/analytical-platform/oidc/configuration/assumable-roles.json
"stateLockingDetails": [],
"ssmParameterConfig": []
},
"data-engineering-database-access": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am pretty sure this at a minimum uses a state for Pulumi and now for terraform, so this will need amending.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both repositories are Pulumi Python and use the bucket s3://data-engineering-pulumi.analytics.justice.gov.uk/.pulumi/ and within the stacks folder are the files de-database-access.json and create-a-derived-table-infra.json which i have inferred are the state files for Pulumi. The stateConfig has been updated accordingly. I have been unable to find any reference to a terraform.tfstate in the data-engineering-database-access repository

terraform/aws/analytical-platform/oidc/configuration/assumable-roles.json
"targets": [],
"stateLockingDetails": [],
"ssmParameterConfig": [],
"lakeFormationSharePolicy": true
},
"create-a-derived-table-infrastructure": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you double-check this doesn't use a state? There's a mention of pulumi in the docs so I'd want to be careful.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both repositories are Pulumi Python and use the bucket s3://data-engineering-pulumi.analytics.justice.gov.uk/.pulumi/ and within the stacks folder are the files de-database-access.json and create-a-derived-table-infra.json which i have inferred are the state files for Pulumi. The stateConfig has been updated accordingly.

@BrianEllwood BrianEllwood mentioned this pull request Nov 25, 2024
Open
7 tasks
@BrianEllwood
Copy link
Contributor Author

BrianEllwood commented Nov 26, 2024
edited by tom-webber
Loading

Roles being replaced by this PR

data-engineering-database-access
role - arn:aws:iam::{DATA_ACCOUNT_ID}:role/github-actions-infrastructure

create-a-derived-table-infrastructure
role - arn:aws:iam::{DATA_ACCOUNT_ID}:role/github-actions-infrastructure

Console link for github-actions-infrastructure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julialawrence julialawrence Awaiting requested review from julialawrence

Requested changes must be addressed to merge this pull request.

Assignees

@BrianEllwood BrianEllwood

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BrianEllwood @julialawrence