DL-169 allow sso users to access Airflow UI as Viewer by default

Tian-2017 · Tian-2017 · commit c57b4c871f2d · 2026-01-28T12:10:57.000Z
diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
@@ -1159,8 +1159,7 @@ data "aws_iam_policy_document" "redshift_department_read_access" {
   }
 }
 
-// MWAA Access
-
+// MWAA Access - Used in Staging
 data "aws_iam_policy_document" "mwaa_department_web_server_access" {
   statement {
     effect = "Allow"
@@ -1176,6 +1175,46 @@ data "aws_iam_policy_document" "mwaa_department_web_server_access" {
   }
 }
 
+// MWAA Access - Production (allow sso users to access Airflow UI as Viewer by default)
+data "aws_iam_policy_document" "mwaa_department_web_server_access_production" {
+  statement {
+    sid    = "MWAAListEnvironments"
+    effect = "Allow"
+
+    actions = [
+      "airflow:ListEnvironments",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "MWAAGetEnvironment"
+    effect = "Allow"
+
+    actions = [
+      "airflow:GetEnvironment",
+    ]
+
+    resources = [
+      "arn:aws:airflow:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:environment/${var.identifier_prefix}-mwaa-environment"
+    ]
+  }
+
+  statement {
+    sid    = "MWAACreateWebLoginToken"
+    effect = "Allow"
+
+    actions = [
+      "airflow:CreateWebLoginToken",
+    ]
+
+    resources = [
+      "arn:aws:airflow:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:role/${var.identifier_prefix}-mwaa-environment/Viewer"
+    ]
+  }
+}
+
 // Glue job runner pass role to glue for notebook use
 data "aws_iam_policy_document" "glue_runner_pass_role_to_glue_for_notebook_use" {
   statement {
diff --git a/terraform/modules/department/50-aws-iam-roles.tf b/terraform/modules/department/50-aws-iam-roles.tf
@@ -24,6 +24,7 @@ data "aws_iam_policy_document" "sso_production_user_policy" {
     data.aws_iam_policy_document.read_only_glue_access.json,
     data.aws_iam_policy_document.secrets_manager_read_only.json,
     data.aws_iam_policy_document.athena_can_write_to_s3.json,
+    data.aws_iam_policy_document.mwaa_department_web_server_access_production.json,
   ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ data "aws_iam_policy_document" "sso_production_user_policy" {`
`24`	`24`	`data.aws_iam_policy_document.read_only_glue_access.json,`
`25`	`25`	`data.aws_iam_policy_document.secrets_manager_read_only.json,`
`26`	`26`	`data.aws_iam_policy_document.athena_can_write_to_s3.json,`
	`27`	`+ data.aws_iam_policy_document.mwaa_department_web_server_access_production.json,`
`27`	`28`	`]`
`28`	`29`	`}`
`29`	`30`