add ecs log reading permission to departmental sso role (#2600)

Tian-2017 · web-flow · commit 766573c35fef · 2025-12-12T15:06:58.000Z
* Added DataHubGlueReadRole to the iam:PassRole policy for the data-and-insight department

* add ecs log reading permission to departmental sso role
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -809,6 +809,41 @@ resource "aws_iam_policy" "parameter_store_read_only" {
   policy = data.aws_iam_policy_document.parameter_store_read_only.json
 }
 
+// CloudWatch and ECS logs access policy for departmental SSO users
+data "aws_iam_policy_document" "departmental_cloudwatch_and_ecs_logs_access" {
+  statement {
+    sid    = "ECSLogsAccess"
+    effect = "Allow"
+    actions = [
+      "logs:DescribeLogStreams",
+      "logs:GetLogEvents",
+      "logs:DescribeLogGroups"
+    ]
+    resources = [
+      "arn:aws:logs:*:*:/ecs/*${local.department_identifier}*"
+    ]
+  }
+
+  statement {
+    sid    = "CloudWatchMetricsAccess"
+    effect = "Allow"
+    actions = [
+      "cloudwatch:GetMetricData",
+      "cloudwatch:GetMetricStatistics",
+      "cloudwatch:ListMetrics"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "departmental_cloudwatch_and_ecs_logs_access" {
+  tags = var.tags
+
+  name        = lower("${var.identifier_prefix}-${local.department_identifier}-cloudwatch-ecs-logs-access")
+  description = "Allows departmental access to CloudWatch metrics and department-specific ECS log groups"
+  policy      = data.aws_iam_policy_document.departmental_cloudwatch_and_ecs_logs_access.json
+}
+
 // Glue Agent Read only policy for glue scripts and mwaa bucket and run athena
 data "aws_iam_policy_document" "read_glue_scripts_and_mwaa_and_athena" {
   statement {
diff --git a/terraform/modules/department/60-aws-sso.tf b/terraform/modules/department/60-aws-sso.tf
@@ -25,6 +25,20 @@ resource "aws_ssoadmin_permission_set_inline_policy" "department" {
   permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
 }
 
+resource "aws_ssoadmin_customer_managed_policy_attachment" "departmental_cloudwatch_ecs_logs" {
+  count = local.deploy_sso ? 1 : 0
+
+  provider = aws.aws_hackit_account
+
+  instance_arn       = var.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
+
+  customer_managed_policy_reference {
+    name = aws_iam_policy.departmental_cloudwatch_and_ecs_logs_access.name
+    path = "/"
+  }
+}
+
 data "aws_identitystore_group" "department" {
   count = local.deploy_sso ? 1 : 0
 
