From 8c92fd6771954378975b5675ddc07633d7db1f32 Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Thu, 16 Jan 2025 11:27:25 +0000
Subject: [PATCH] Allowing Control Panel to Assume Role in Parent Account
---
 .../analytical-platform-development/cluster/iam-policies.tf | 3 ++-
 .../analytical-platform-development/cluster/terraform.tfvars | 1 +
 .../aws/analytical-platform-production/cluster/iam-policies.tf | 3 ++-
 .../analytical-platform-production/cluster/terraform.tfvars | 3 ++-
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
index 2e466930a4..bc1beefc52 100644
--- a/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
+++ b/terraform/aws/analytical-platform-development/cluster/iam-policies.tf
@@ -531,7 +531,8 @@ data "aws_iam_policy_document" "control_panel_api" {
 ]
 resources = [
 "arn:aws:iam::${var.account_ids["analytical-platform-compute-development"]}:role/analytical-platform-control-panel",
- "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel"
+ "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel",
+ "arn:aws:iam::${var.account_ids["parent-account"]}:role/AnalyticalPlatformIdentityCenter"
 ]
 }
 statement {
diff --git a/terraform/aws/analytical-platform-development/cluster/terraform.tfvars b/terraform/aws/analytical-platform-development/cluster/terraform.tfvars
index 65fc0dcb9b..7029f6cd8a 100644
--- a/terraform/aws/analytical-platform-development/cluster/terraform.tfvars
+++ b/terraform/aws/analytical-platform-development/cluster/terraform.tfvars
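Review bot: In the development `cluster/iam-policies.tf` hunk, the added resource `role/AnalyticalPlatformIdentityCenter` in `parent-account` is the same ARN the production `iam-policies.tf` hunk adds, so the development Control Panel gets the same reach into that account as production. The statement's `actions` list begins above both hunks, so this is presumably the `sts:AssumeRole` statement the subject line refers to; if so, the real boundary is the target role's trust policy and permissions, neither of which is in this patch. I would confirm the trust policy names only the intended Control Panel roles, and consider a separately scoped role for development. A comment above the new line would record the intent, e.g. `# Identity Center role in the parent account; access is bounded by that role's trust policy`.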
@@ -8,6 +8,7 @@ account_ids = {
 analytical-platform-production = "312423030077"
 analytical-platform-compute-development = "381491960855"
 analytical-platform-compute-test = "767397661611"
+ parent-account = "295814833350"
 }
 environment = "development"
diff --git a/terraform/aws/analytical-platform-production/cluster/iam-policies.tf b/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
index eabfdf893a..6259243b8d 100644
--- a/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
+++ b/terraform/aws/analytical-platform-production/cluster/iam-policies.tf
@@ -260,7 +260,8 @@ data "aws_iam_policy_document" "control_panel_api" {
 ]
 resources = [
 "arn:aws:iam::${var.account_ids["analytical-platform-compute-production"]}:role/analytical-platform-control-panel",
- "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel"
+ "arn:aws:iam::${var.account_ids["analytical-platform-compute-test"]}:role/analytical-platform-control-panel",
+ "arn:aws:iam::${var.account_ids["parent-account"]}:role/AnalyticalPlatformIdentityCenter"
 ]
 }
 statement {
diff --git a/terraform/aws/analytical-platform-production/cluster/terraform.tfvars b/terraform/aws/analytical-platform-production/cluster/terraform.tfvars
index 467f439a29..bea490c645 100644
--- a/terraform/aws/analytical-platform-production/cluster/terraform.tfvars
+++ b/terraform/aws/analytical-platform-production/cluster/terraform.tfvars
@@ -8,7 +8,8 @@ account_ids = {
 analytical-platform-management-production = "042130406152"
 analytical-platform-production = "312423030077"
 analytical-platform-compute-test = "767397661611"
- analytical-platform-compute-production = "992382429243"
+ analytical-platform-compute-production = "992382429243",
+ parent-account = "295814833350"
 }
 environment = "production"
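Review bot: In the production `terraform.tfvars` hunk, the rewritten `analytical-platform-compute-production` entry gains a trailing comma that no other entry in `account_ids` carries, and the development `terraform.tfvars` hunk adds the same key without one. As far as I know HCL accepts a comma before the newline, so this is style only, but keeping the line as `analytical-platform-compute-production = "992382429243"` makes the change a single added line and keeps the two environments identical in form. `parent-account` is also the only key that does not name a specific account; a short comment such as `# account that owns role/AnalyticalPlatformIdentityCenter` would say what it points to.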