Create component for quicksight policy in development

terraform/aws/analytical-platform-data-production/tooling-iam/tooling-integration-iam-policies.tf

@@ -63,7 +63,14 @@ data "aws_iam_policy_document" "bedrock_integration" {
     }
   }
 }
-#tfsec:ignore:aws-iam-no-policy-wildcards
+
+resource "aws_iam_policy" "bedrock_integration" {
+  name        = "analytical-platform-bedrock-integration"
+  description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
+  policy      = data.aws_iam_policy_document.bedrock_integration.json
+}
+
+#trivy:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "quicksight_author" {
   #checkov:skip=CKV_AWS_111: This is a service policy
   #checkov:skip=CKV_AWS_356: Needs to access multiple resources
@@ -72,7 +79,7 @@ data "aws_iam_policy_document" "quicksight_author" {
     sid       = "CreateAuthor"
     effect    = "Allow"
     actions   = ["quicksight:CreateUser"]
-    resources = ["arn:aws:quicksight::593291632749:user/${data.aws_caller_identity.current.user_id}"]
+    resources = ["arn:aws:quicksight::${var.account_ids["analytical-platform-data-production"]}:user/$${aws:userid}"]
   }
 
   statement {
@@ -105,13 +112,8 @@ data "aws_iam_policy_document" "quicksight_author" {
     resources = ["*"]
   }
 }
-resource "aws_iam_policy" "bedrock_integration" {
-  name        = "analytical-platform-bedrock-integration"
-  description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
-  policy      = data.aws_iam_policy_document.bedrock_integration.json
-}
+
 resource "aws_iam_policy" "quicksight_author" {
-  name        = "alpha-quicksight-author-access"
-  description = "Permissions needed to for author access to Quicksight"
-  policy      = data.aws_iam_policy_document.quicksight_author.json
+  name   = "alpha-quicksight-author-access"
+  policy = data.aws_iam_policy_document.quicksight_author.json
 }

terraform/aws/analytical-platform-development/cluster/tooling-integration-iam-policies.tf

@@ -61,57 +61,8 @@ data "aws_iam_policy_document" "bedrock_integration" {
   }
 }
 
-#tfsec:ignore:aws-iam-no-policy-wildcards
-data "aws_iam_policy_document" "quicksight_author" {
-  #checkov:skip=CKV_AWS_111: This is a service policy
-  #checkov:skip=CKV_AWS_356: Needs to access multiple resources
-
-  statement {
-    sid       = "CreateAuthor"
-    effect    = "Allow"
-    actions   = ["quicksight:CreateUser"]
-    resources = ["arn:aws:quicksight::593291632749:user/${data.aws_caller_identity.current.user_id}"]
-  }
-
-  statement {
-    sid    = "QuicksightAuthor"
-    effect = "Allow"
-
-    actions = [
-      "quicksight:UpdateTemplate",
-      "quicksight:ListUsers",
-      "quicksight:UpdateDashboard",
-      "quicksight:CreateTemplate",
-      "quicksight:ListTemplates",
-      "quicksight:DescribeTemplate",
-      "quicksight:DescribeDataSource",
-      "quicksight:DescribeDataSourcePermissions",
-      "quicksight:PassDataSource",
-      "quicksight:UpdateDataSource",
-      "quicksight:UpdateDataSetPermissions",
-      "quicksight:DescribeDataSet",
-      "quicksight:DescribeDataSetPermissions",
-      "quicksight:PassDataSet",
-      "quicksight:DescribeIngestion",
-      "quicksight:ListIngestions",
-      "quicksight:UpdateDataSet",
-      "quicksight:DeleteDataSet",
-      "quicksight:CreateIngestion",
-      "quicksight:CancelIngestion"
-    ]
-
-    resources = ["*"]
-  }
-}
-
 resource "aws_iam_policy" "bedrock_integration" {
   name        = "analytical-platform-bedrock-integration"
   description = "Permissions needed to allow access to Bedrock in Frankfurt from tooling."
   policy      = data.aws_iam_policy_document.bedrock_integration.json
 }
-
-resource "aws_iam_policy" "quicksight_author" {
-  name        = "dev-quicksight-author-access"
-  description = "Permissions needed to for author access to Quicksight"
-  policy      = data.aws_iam_policy_document.quicksight_author.json
-}

terraform/aws/analytical-platform-development/tooling-iam/terraform.tf

@@ -0,0 +1,38 @@
+terraform {
+  backend "s3" {
+    acl            = "private"
+    bucket         = "global-tf-state-aqsvzyd5u9"
+    encrypt        = true
+    key            = "aws/analytical-platform-development/tooling-iam/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "global-tf-state-aqsvzyd5u9-locks"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.52.0"
+    }
+  }
+  required_version = "~> 1.5"
+}
+
+provider "aws" {
+  region = "eu-west-1"
+  assume_role {
+    role_arn = "arn:aws:iam::${var.account_ids["analytical-platform-development"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "aws" {
+  alias  = "analytical-platform-management-production"
+  region = "eu-west-1"
+  assume_role {
+    role_arn = can(regex("AdministratorAccess", data.aws_iam_session_context.session.issuer_arn)) ? null : "arn:aws:iam::${var.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}

terraform/aws/analytical-platform-development/tooling-iam/terraform.tfvars

@@ -0,0 +1,19 @@
+##################################################
+# General
+##################################################
+
+account_ids = {
+  analytical-platform-development           = "525294151996"
+  analytical-platform-management-production = "042130406152"
+}
+
+tags = {
+  business-unit          = "Platforms"
+  application            = "Analytical Platform"
+  component              = "Tooling IAM"
+  environment            = "development"
+  is-production          = "false"
+  owner                  = "analytical-platform:analytics-platform-tech@digital.justice.gov.uk"
+  infrastructure-support = "analytical-platform:analytics-platform-tech@digital.justice.gov.uk"
+  source-code            = "github.com/ministryofjustice/analytical-platform/terraform/aws/analytical-platform-development/tooling-iam"
+}

terraform/aws/analytical-platform-development/tooling-iam/tooling-integration-iam-policies.tf

@@ -0,0 +1,47 @@
+#trivy:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "quicksight_author" {
+  #checkov:skip=CKV_AWS_111: This is a service policy
+  #checkov:skip=CKV_AWS_356: Needs to access multiple resources
+
+  statement {
+    sid       = "CreateAuthor"
+    effect    = "Allow"
+    actions   = ["quicksight:CreateUser"]
+    resources = ["arn:aws:quicksight::${var.account_ids["analytical-platform-development"]}:user/$${aws:userid}"]
+  }
+
+  statement {
+    sid    = "QuicksightAuthor"
+    effect = "Allow"
+
+    actions = [
+      "quicksight:UpdateTemplate",
+      "quicksight:ListUsers",
+      "quicksight:UpdateDashboard",
+      "quicksight:CreateTemplate",
+      "quicksight:ListTemplates",
+      "quicksight:DescribeTemplate",
+      "quicksight:DescribeDataSource",
+      "quicksight:DescribeDataSourcePermissions",
+      "quicksight:PassDataSource",
+      "quicksight:UpdateDataSource",
+      "quicksight:UpdateDataSetPermissions",
+      "quicksight:DescribeDataSet",
+      "quicksight:DescribeDataSetPermissions",
+      "quicksight:PassDataSet",
+      "quicksight:DescribeIngestion",
+      "quicksight:ListIngestions",
+      "quicksight:UpdateDataSet",
+      "quicksight:DeleteDataSet",
+      "quicksight:CreateIngestion",
+      "quicksight:CancelIngestion"
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "quicksight_author" {
+  name   = "alpha-quicksight-author-access"
+  policy = data.aws_iam_policy_document.quicksight_author.json
+}

terraform/aws/analytical-platform-development/tooling-iam/variables.tf

@@ -0,0 +1,13 @@
+##################################################
+# General
+##################################################
+
+variable "account_ids" {
+  type        = map(string)
+  description = "Map of account names to account IDs"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Map of tags to apply to resources"
+}