Allowing Control Panel to Assume Role in Parent Account

ministryofjustice · Jan 16, 2025 · 8c92fd6 · 8c92fd6
1 parent 688ca19
commit 8c92fd6
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
@@ -531,7 +531,8 @@ data "aws_iam_policy_document" "control_panel_api" {
     ]
     resources = [
       "arn:aws:iam::${var.account_ids["analytical-platform-compute-development"]}:role/analytical-platform-control-panel",
-      "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel"
+      "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel",
+      "arn:aws:iam::${var.account_ids["parent-account"]}:role/AnalyticalPlatformIdentityCenter"
     ]
   }
   statement {

diff --git a/terraform/aws/analytical-platform-development/cluster/terraform.tfvars b/terraform/aws/analytical-platform-development/cluster/terraform.tfvars
@@ -8,6 +8,7 @@ account_ids = {
   analytical-platform-production            = "312423030077"
   analytical-platform-compute-development   = "381491960855"
   analytical-platform-compute-test          = "767397661611"
+  parent-account                            = "295814833350"
 }
 
 environment     = "development"

diff --git a/terraform/aws/analytical-platform-production/cluster/iam-policies.tf b/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
@@ -260,7 +260,8 @@ data "aws_iam_policy_document" "control_panel_api" {
     ]
     resources = [
       "arn:aws:iam::${var.account_ids["analytical-platform-compute-production"]}:role/analytical-platform-control-panel",
-      "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel"
+      "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel",
+      "arn:aws:iam::${var.account_ids["parent-account"]}:role/AnalyticalPlatformIdentityCenter"
     ]
   }
   statement {

diff --git a/terraform/aws/analytical-platform-production/cluster/terraform.tfvars b/terraform/aws/analytical-platform-production/cluster/terraform.tfvars
@@ -8,7 +8,8 @@ account_ids = {
   analytical-platform-management-production = "042130406152"
   analytical-platform-production            = "312423030077"
   analytical-platform-compute-test          = "767397661611"
-  analytical-platform-compute-production    = "992382429243"
+  analytical-platform-compute-production    = "992382429243",
+  parent-account                            = "295814833350"
 }
 
 environment     = "production"