Merge pull request #7876 from ministryofjustice/feature/assign-quicks…

…ight-set-to-ap QS Admin Permissions Set Assignment
ministryofjustice · Sep 6, 2024 · d967af0 · d967af0
2 parents 7dcc29f + e645032
commit d967af0
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 3 deletions.
diff --git a/environments/analytical-platform-compute.json b/environments/analytical-platform-compute.json
@@ -26,6 +26,10 @@
  {
  "sso_group_name": "analytical-platform",
  "level": "data-engineer"
+ },
+ {
+ "sso_group_name": "analytical-platform",
+ "level": "quicksight-admin"
  }
  ]
  },
@@ -39,6 +43,10 @@
  {
  "sso_group_name": "analytical-platform",
  "level": "data-engineer"
+ },
+ {
+ "sso_group_name": "analytical-platform",
+ "level": "quicksight-admin"
  }
  ]
  }

diff --git a/environments/sprinkler.json b/environments/sprinkler.json
@@ -33,6 +33,11 @@
  "sso_group_name": "modernisation-platform",
  "level": "fleet-manager",
  "nuke": "rebuild"
+ },
+ {
+ "sso_group_name": "modernisation-platform",
+ "level": "quicksight-admin",
+ "nuke": "rebuild"
  }
  ],
  "additional_reviewers": ["astrobinson"]

diff --git a/policies/environments/environment-definitions.rego b/policies/environments/environment-definitions.rego
@@ -27,7 +27,8 @@ allowed_access := [
  "security-audit",
  "view-only",
  "powerbi-user",
- "fleet-manager"
+ "fleet-manager",
+ "quicksight-admin"
 ]
 
 allowed_nuke := [

diff --git a/policies/environments/environment-definitions_test.rego b/policies/environments/environment-definitions_test.rego
@@ -43,7 +43,7 @@ test_business_units_character if {
 }
 
 test_unexpected_access if {
- deny["`example.json` uses an unexpected access level: got `incorrect-access`, expected one of: administrator, data-engineer, developer, instance-access, instance-management, migration, mwaa-user, read-only, reporting-operations, sandbox, security-audit, view-only, powerbi-user, fleet-manager"] with input as { "filename": "example.json", "environments": [{"access": [{"level": "incorrect-access"}]}]}
+ deny["`example.json` uses an unexpected access level: got `incorrect-access`, expected one of: administrator, data-engineer, developer, instance-access, instance-management, migration, mwaa-user, read-only, reporting-operations, sandbox, security-audit, view-only, powerbi-user, fleet-manager, quicksight-admin"] with input as { "filename": "example.json", "environments": [{"access": [{"level": "incorrect-access"}]}]}
 }
 
 test_unexpected_access_assignment if {
@@ -56,4 +56,4 @@ test_unexpected_nuke if {
 
 test_invalid_email if {
  deny["`example.json` infrastructure-support value is not a valid email address"] with input as { "filename": "example.json", "tags": { "infrastructure-support": "not-a-valid-email-address" } }
-}
+}
diff --git a/terraform/environments/bootstrap/single-sign-on/main.tf b/terraform/environments/bootstrap/single-sign-on/main.tf
@@ -400,3 +400,26 @@ resource "aws_ssoadmin_account_assignment" "fleet_manager" {
  target_id = local.environment_management.account_ids[terraform.workspace]
  target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "quicksight_admin" {
+
+ for_each = {
+
+ for sso_assignment in local.sso_data[local.env_name][*] :
+
+ "${sso_assignment.sso_group_name}-${sso_assignment.level}" => sso_assignment
+
+ if(sso_assignment.level == "quicksight-admin")
+ }
+
+ provider = aws.sso-management
+
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.quicksight_admin
+
+ principal_id = data.aws_identitystore_group.member[each.value.sso_group_name].group_id
+ principal_type = "GROUP"
+
+ target_id = local.environment_management.account_ids[terraform.workspace]
+ target_type = "AWS_ACCOUNT"
+}