Grant Kobzol access to infra group

This is needed for bors-staging log access. This also expands/creates a ReadOnlyAccess role that also grants read-only CloudWatch access to infra members (vs. infra-admins that get admin access).
rust-lang · Sep 13, 2023 · 1124d8d · 1124d8d
1 parent d24e1f3
commit 1124d8d
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 9 deletions.
diff --git a/terragrunt/accounts/root/aws-organization/terragrunt.hcl b/terragrunt/accounts/root/aws-organization/terragrunt.hcl
@@ -33,12 +33,6 @@ inputs = {
       email       = "[email protected]"
       groups      = ["infra"]
     }
-    "jynelson" = {
-      given_name  = "Joshua",
-      family_name = "Nelson",
-      email       = "[email protected]"
-      groups      = ["infra"]
-    }
     "shepmaster" = {
       given_name  = "Jake",
       family_name = "Goulding",
@@ -57,5 +51,11 @@ inputs = {
       email = "[email protected]"
       groups = ["billing"]
     }
+    "kobzol" = {
+      given_name = "Jakub"
+      family_name = "Beránek"
+      email = "[email protected]"
+      groups = ["infra"]
+    }
   }
 }
diff --git a/terragrunt/modules/aws-organization/groups.tf b/terragrunt/modules/aws-organization/groups.tf
@@ -63,6 +63,27 @@ resource "aws_ssoadmin_managed_policy_attachment" "view_only_access" {
   permission_set_arn = aws_ssoadmin_permission_set.view_only_access.arn
 }
 
+// Grants limited but additional access from ViewOnlyAccess -- e.g., to logs.
+// We will expand this mostly as needed without granting write access.
+// This role should only be granted in accounts that are scoped to a single
+// service (i.e., not our legacy account), because that automatically scopes access.
+resource "aws_ssoadmin_permission_set" "read_only_access" {
+  instance_arn = local.instance_arn
+  name         = "ReadOnlyAccess"
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "read_only_access" {
+  instance_arn       = local.instance_arn
+  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
+  permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "cloudwatch_readonly" {
+  instance_arn       = local.instance_arn
+  managed_policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
+  permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
+}
+
 # The assignment of groups to accounts with their respective permission sets
 
 locals {
@@ -124,17 +145,17 @@ locals {
       account : aws_organizations_account.bors_staging,
       groups : [
         { group : aws_identitystore_group.infra,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access] },
         { group : aws_identitystore_group.infra-admins,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
       ]
     },
     # bors prod
     {
       account : aws_organizations_account.bors_prod,
       groups : [
         { group : aws_identitystore_group.infra-admins,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
       ]
     },
   ]