From 06b6b2e6f01b82655b0dde29822ed96947c404c0 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 6 Sep 2024 15:35:29 +0100 Subject: [PATCH 1/5] Adding QS Admin to rego tests --- policies/environments/environment-definitions.rego | 3 ++- policies/environments/environment-definitions_test.rego | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/policies/environments/environment-definitions.rego b/policies/environments/environment-definitions.rego index 556df70b3..e696880cb 100644 --- a/policies/environments/environment-definitions.rego +++ b/policies/environments/environment-definitions.rego @@ -27,7 +27,8 @@ allowed_access := [ "security-audit", "view-only", "powerbi-user", - "fleet-manager" + "fleet-manager", + "quicksight-admin" ] allowed_nuke := [ diff --git a/policies/environments/environment-definitions_test.rego b/policies/environments/environment-definitions_test.rego index 876d88551..fdb069444 100644 --- a/policies/environments/environment-definitions_test.rego +++ b/policies/environments/environment-definitions_test.rego 
@@ -43,7 +43,7 @@ test_business_units_character if { } test_unexpected_access if { - deny["`example.json` uses an unexpected access level: got `incorrect-access`, expected one of: administrator, data-engineer, developer, instance-access, instance-management, migration, mwaa-user, read-only, reporting-operations, sandbox, security-audit, view-only, powerbi-user, fleet-manager"] with input as { "filename": "example.json", "environments": [{"access": [{"level": "incorrect-access"}]}]} + deny["`example.json` uses an unexpected access level: got `incorrect-access`, expected one of: administrator, data-engineer, developer, instance-access, instance-management, migration, mwaa-user, read-only, reporting-operations, sandbox, security-audit, view-only, powerbi-user, fleet-manager, quicksight-admin"] with input as { "filename": "example.json", "environments": [{"access": [{"level": "incorrect-access"}]}]} } test_unexpected_access_assignment if { @@ -56,4 +56,4 @@ test_unexpected_nuke if { test_invalid_email if { deny["`example.json` infrastructure-support value is not a valid email address"] with input as { "filename": "example.json", "tags": { "infrastructure-support": "not-a-valid-email-address" } } -} \ No newline at end of file +} From ce326bb2ad94d30f5ab3c4440c866dbdca7a9e0f Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 6 Sep 2024 15:42:07 +0100 Subject: [PATCH 2/5] Adding Permission Set assignmet and adding the access to APC and Sprinkler --- environments/analytical-platform-compute.json | 8 +++++++ environments/sprinkler.json | 5 ++++ .../bootstrap/single-sign-on/main.tf | 23 +++++++++++++++++++ 3 files changed, 36 insertions(+) diff --git a/environments/analytical-platform-compute.json b/environments/analytical-platform-compute.json index 41168ad7c..8f6a0cfbe 100644 --- a/environments/analytical-platform-compute.json +++ b/environments/analytical-platform-compute.json 
@@ -26,6 +26,10 @@
 {
 "sso_group_name": "analytical-platform",
 "level": "data-engineer"
+ },
+ {
+ "sso_group_name": "analytical-platform",
+ "level": "quicksight-admin"
 }
 ]
 },
@@ -39,6 +39,10 @@
 {
 "sso_group_name": "analytical-platform",
 "level": "data-engineer"
+ },
+ {
+ "sso_group_name": "analytical-platform",
+ "level": "quicksight-admin"
 }
 ]
 }
diff --git a/environments/sprinkler.json b/environments/sprinkler.json
index 4475480d0..6d5d985b7 100644
--- a/environments/sprinkler.json
+++ b/environments/sprinkler.json
@@ -33,6 +33,11 @@
 "sso_group_name": "modernisation-platform",
 "level": "fleet-manager",
 "nuke": "rebuild"
+ },
+ {
+ "sso_group_name": "modernisation-platform",
+ "level": "quicksight-admin",
+ "nuke": "rebuild"
 }
 ],
 "additional_reviewers": ["astrobinson"]
diff --git a/terraform/environments/bootstrap/single-sign-on/main.tf b/terraform/environments/bootstrap/single-sign-on/main.tf
index af10029fe..e1c8643e4 100644
--- a/terraform/environments/bootstrap/single-sign-on/main.tf
+++ b/terraform/environments/bootstrap/single-sign-on/main.tf
@@ -400,3 +400,26 @@ resource "aws_ssoadmin_account_assignment" "fleet_manager" {
 target_id = local.environment_management.account_ids[terraform.workspace]
 target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "quicksight_admin" {
+
+ for_each = {
+
+ for sso_assignment in local.sso_data[local.env_name][*] :
+
+ "${sso_assignment.sso_group_name}-${sso_assignment.level}" => sso_assignment
+
+ if(sso_assignment.level == "quicksight-admin")
+ }
+
+ provider = aws.sso-management
+
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.fleet_manager
+
+ principal_id = data.aws_identitystore_group.member[each.value.sso_group_name].group_id
+ principal_type = "GROUP"
+
+ target_id = local.environment_management.account_ids[terraform.workspace]
+ target_type = "AWS_ACCOUNT"
+}
\ No newline at end of file
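Review bot: Both hunks in this file grant `quicksight-admin` to the same `analytical-platform` group that already holds `data-engineer`, so the whole group gains the admin permission set rather than the subset of people who administer QuickSight. The permission set itself is not defined in this PR, so I cannot see what it allows; if it carries broad `quicksight:*` rights, a dedicated group such as `analytical-platform-quicksight-admins` would keep the grant to those who need it. The sprinkler hunk makes the same grant to `modernisation-platform`, where the `"nuke": "rebuild"` tag on the entries reads as an account that is periodically rebuilt — worth confirming that the wider grant is acceptable there as well.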
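Review bot: In the new `quicksight_admin` resource the `permission_set_arn` line is the only link between the level filtered in `for_each` (`"quicksight-admin"`) and the permission set actually assigned, and nothing checks that they agree — as committed here it points at `outputs.fleet_manager`, so every group requesting QuickSight admin would have received the fleet-manager permission set with no plan-time error (later commits in this series correct the reference). Because each access level is added by copying the previous resource and editing two strings, the same silent mis-grant can recur with every new level. I would look the ARN up from a map keyed by the level string, so a level with no matching entry fails the plan instead of assigning something else, and so the JSON level and the remote-state output name are tied together in one place. I have not seen the other assignment resources or the outputs of `mp-sso-permissions-sets`, so the map's other entries would need checking against them.
```hcl
locals {
  # Access level (as written in environments/*.json) -> permission set ARN.
  # A level missing here, or a missing remote-state output, fails at plan
  # time instead of silently assigning a different permission set.
  sso_permission_set_arns = {
    "fleet-manager"    = data.terraform_remote_state.mp-sso-permissions-sets.outputs.fleet_manager
    "quicksight-admin" = data.terraform_remote_state.mp-sso-permissions-sets.outputs.quicksight_admin
  }
}

resource "aws_ssoadmin_account_assignment" "quicksight_admin" {
  for_each = {
    for sso_assignment in local.sso_data[local.env_name][*] :
    "${sso_assignment.sso_group_name}-${sso_assignment.level}" => sso_assignment
    if sso_assignment.level == "quicksight-admin"
  }

  provider = aws.sso-management

  instance_arn       = local.sso_instance_arn
  permission_set_arn = local.sso_permission_set_arns[each.value.level]

  # … unchanged: principal_id / principal_type / target_id / target_type …
}
```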
From e0ce5cd982d82ecb0c31e2250c10afe4566e6c48 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 6 Sep 2024 15:46:19 +0100 Subject: [PATCH 3/5] Fix EOF --- terraform/environments/bootstrap/single-sign-on/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/bootstrap/single-sign-on/main.tf b/terraform/environments/bootstrap/single-sign-on/main.tf index e1c8643e4..31b52c520 100644 --- a/terraform/environments/bootstrap/single-sign-on/main.tf +++ b/terraform/environments/bootstrap/single-sign-on/main.tf @@ -422,4 +422,4 @@ resource "aws_ssoadmin_account_assignment" "quicksight_admin" { target_id = local.environment_management.account_ids[terraform.workspace] target_type = "AWS_ACCOUNT" -} \ No newline at end of file +} From 0ee35a1974c2059055510d5962154fd4e4916a44 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 6 Sep 2024 15:50:38 +0100 Subject: [PATCH 4/5] Fix SSO Permission Set arn --- terraform/environments/bootstrap/single-sign-on/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/bootstrap/single-sign-on/main.tf b/terraform/environments/bootstrap/single-sign-on/main.tf index 31b52c520..d3f75a90c 100644 --- a/terraform/environments/bootstrap/single-sign-on/main.tf +++ b/terraform/environments/bootstrap/single-sign-on/main.tf @@ -415,7 +415,7 @@ resource "aws_ssoadmin_account_assignment" "quicksight_admin" { provider = aws.sso-management instance_arn = local.sso_instance_arn - permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.fleet_manager + permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.quicksight-admin principal_id = data.aws_identitystore_group.member[each.value.sso_group_name].group_id principal_type = "GROUP" From e6450323ca6f8aa8a3ff5445d451039a92881974 Mon Sep 17 00:00:00 2001 
From: julialawrence Date: Fri, 6 Sep 2024 15:53:42 +0100 Subject: [PATCH 5/5] Fixed the output ref --- terraform/environments/bootstrap/single-sign-on/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/bootstrap/single-sign-on/main.tf b/terraform/environments/bootstrap/single-sign-on/main.tf index d3f75a90c..4980c162b 100644 --- a/terraform/environments/bootstrap/single-sign-on/main.tf +++ b/terraform/environments/bootstrap/single-sign-on/main.tf @@ -415,7 +415,7 @@ resource "aws_ssoadmin_account_assignment" "quicksight_admin" { provider = aws.sso-management instance_arn = local.sso_instance_arn - permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.quicksight-admin + permission_set_arn = data.terraform_remote_state.mp-sso-permissions-sets.outputs.quicksight_admin principal_id = data.aws_identitystore_group.member[each.value.sso_group_name].group_id principal_type = "GROUP"
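Review bot: The corrected `permission_set_arn` reference is now the only place that ties three differently spelled names together — the JSON level `quicksight-admin`, the resource name `quicksight_admin` and the remote-state output `quicksight_admin` — and nothing tells the next reader that they must change together. A comment above the line, `# must match the "quicksight-admin" level in environments/*.json and the quicksight_admin output of the permission-sets state`, would make the coupling visible. The intermediate spelling `outputs.quicksight-admin` from the previous commit cannot parse as a single attribute name (HCL reads it as `outputs.quicksight - admin`), so `terraform validate` on pull requests should have caught it before merge, if that is not already run. The resource's `for_each` and the principal/target arguments are outside this hunk.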