Merge pull request #396 from jdno/aws-access-crates-io
Grant the crates.io team access to new AWS accounts
jdno authored Mar 12, 2024
2 parents 10c525e + e2075c6 commit 9bef46d
Showing 3 changed files with 22 additions and 13 deletions.
6 changes: 6 additions & 0 deletions terragrunt/accounts/root/aws-organization/terragrunt.hcl
Expand Up @@ -57,5 +57,11 @@ inputs = {
email = "[email protected]"
groups = ["infra"]
}
"tobias" = {
given_name = "Tobias"
family_name = "Bieniek"
email = "[email protected]"
groups = ["crates-io"]
}
}
}
28 changes: 15 additions & 13 deletions terragrunt/modules/aws-organization/groups.tf
Expand Up @@ -81,13 +81,7 @@ resource "aws_ssoadmin_permission_set" "read_only_access" {

resource "aws_ssoadmin_managed_policy_attachment" "read_only_access" {
instance_arn = local.instance_arn
managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "cloudwatch_readonly" {
instance_arn = local.instance_arn
managed_policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
}

Expand Down Expand Up @@ -124,23 +118,31 @@ locals {
account : aws_organizations_account.crates_io_staging,
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
permissions : [
aws_ssoadmin_permission_set.view_only_access,
aws_ssoadmin_permission_set.read_only_access,
aws_ssoadmin_permission_set.administrator_access
] },
{ group : aws_identitystore_group.infra,
permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
{ group : aws_identitystore_group.crates_io,
permissions : [aws_ssoadmin_permission_set.view_only_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access] },
]
},
# crates-io Production
{
account : aws_organizations_account.crates_io_prod,
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
permissions : [
aws_ssoadmin_permission_set.view_only_access,
aws_ssoadmin_permission_set.read_only_access,
aws_ssoadmin_permission_set.administrator_access
] },
{ group : aws_identitystore_group.infra,
permissions : [aws_ssoadmin_permission_set.view_only_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
{ group : aws_identitystore_group.crates_io,
permissions : [aws_ssoadmin_permission_set.view_only_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access] },
]
},
# docs-rs Staging
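Review bot: In the second hunk the infra group on crates_io_prod appears to go from `[view_only_access]` to `[read_only_access, administrator_access]` (if I read the new side of the rendered lines correctly), which grants AdministratorAccess in the production account and is not mentioned by the commit message, which only speaks of the crates.io team; either the description should state that, or that element should keep its previous value. Separately, the first hunk re-backs the `read_only_access` permission set with `arn:aws:iam::aws:policy/ReadOnlyAccess` instead of the job-function `ViewOnlyAccess` plus `CloudWatchLogsReadOnlyAccess`, and `ReadOnlyAccess` is substantially broader — it includes data-plane reads such as `s3:Get*` — while that set is exactly what the crates_io group receives on both staging and prod. A comment on the attachment would make the widening visible to the next reviewer: `# ReadOnlyAccess also permits data reads (e.g. s3:Get*); ViewOnlyAccess was metadata-only.` The `locals` block of the second hunk starts and ends outside the hunk.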
1 change: 1 addition & 0 deletions terragrunt/modules/aws-organization/users.tf
Expand Up @@ -3,6 +3,7 @@ locals {
billing : aws_identitystore_group.billing
infra : aws_identitystore_group.infra
infra-admins : aws_identitystore_group.infra-admins
crates-io : aws_identitystore_group.crates_io
}

# Expand var.users into collection of group memberships associations
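Review bot: The key added here, `crates-io`, is the hyphenated string users put in their `groups` list (the new entry in terragrunt/accounts/root/aws-organization/terragrunt.hcl uses `groups = ["crates-io"]`), while the resource it maps to is `crates_io`; nothing in the hunk records that the keys are deliberately the user-facing names rather than resource names. A comment above the map would stop the next entry being added in underscore form and silently failing to resolve: `# Keys are the names used in var.users[*].groups; values are the identity store groups they map to.` The enclosing `locals` block starts and ends outside the hunk, so I cannot see how the map is indexed.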
