
Commit f8d1a5c

Fix policy length (#2499)
* break up large inline policy into multiple managed policies
* add notebook conditions
1 parent e84e303 commit f8d1a5c


2 files changed

+61
-18
lines changed


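--- a/terraform/modules/department/50-aws-iam-roles.tf
+++ b/terraform/modules/department/50-aws-iam-roles.tf
@@ -1,27 +1,25 @@
-// User Role for staging account - This role is a combination of policies ready to be applied to SSO
-data "aws_iam_policy_document" "sso_staging_user_policy" {
-  override_policy_documents = local.create_notebook ? [
-    data.aws_iam_policy_document.s3_department_access.json,
-    data.aws_iam_policy_document.glue_access.json,
-    data.aws_iam_policy_document.secrets_manager_read_only.json,
+data "aws_iam_policy_document" "sso_staging_additional_with_notebook" {
+  count = local.create_notebook ? 1 : 0
+
+  override_policy_documents = [
     data.aws_iam_policy_document.redshift_department_read_access.json,
     data.aws_iam_policy_document.notebook_access[0].json
-  ] : [
-    data.aws_iam_policy_document.s3_department_access.json,
-    data.aws_iam_policy_document.glue_access.json,
-    data.aws_iam_policy_document.secrets_manager_read_only.json,
+  ]
+}
+
+data "aws_iam_policy_document" "sso_staging_additional" {
+  count = local.create_notebook ? 0 : 1
+
+  override_policy_documents = [
     data.aws_iam_policy_document.redshift_department_read_access.json,
     data.aws_iam_policy_document.mwaa_department_web_server_access.json
   ]
 }
 
-// User Role for production account - This role is a combination of policies ready to be applied to SSO
-data "aws_iam_policy_document" "sso_production_user_policy" {
+data "aws_iam_policy_document" "sso_production_additional" {
   override_policy_documents = [
-    data.aws_iam_policy_document.read_only_s3_department_access.json,
-    data.aws_iam_policy_document.read_only_glue_access.json,
-    data.aws_iam_policy_document.secrets_manager_read_only.json,
-    data.aws_iam_policy_document.athena_can_write_to_s3.json
+    data.aws_iam_policy_document.athena_can_write_to_s3.json,
+    data.aws_iam_policy_document.redshift_department_read_access.json
   ]
 }
 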
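--- a/terraform/modules/department/60-aws-sso.tf
+++ b/terraform/modules/department/60-aws-sso.tf
@@ -15,14 +15,59 @@ resource "aws_ssoadmin_permission_set" "department" {
   tags = var.tags
 }
 
-resource "aws_ssoadmin_permission_set_inline_policy" "department" {
+resource "aws_ssoadmin_managed_policy_attachment" "department_s3" {
   count = local.deploy_sso ? 1 : 0
 
   provider = aws.aws_hackit_account
 
-  inline_policy = var.environment == "stg" ? data.aws_iam_policy_document.sso_staging_user_policy.json : data.aws_iam_policy_document.sso_production_user_policy.json
   instance_arn = var.sso_instance_arn
   permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
+  managed_policy_arn = var.environment == "stg" ? aws_iam_policy.s3_access.arn : aws_iam_policy.read_only_s3_access.arn
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "department_glue" {
+  count = local.deploy_sso ? 1 : 0
+
+  provider = aws.aws_hackit_account
+
+  instance_arn = var.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
+  managed_policy_arn = var.environment == "stg" ? aws_iam_policy.glue_access.arn : aws_iam_policy.read_only_glue_access.arn
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "department_secrets" {
+  count = local.deploy_sso ? 1 : 0
+
+  provider = aws.aws_hackit_account
+
+  instance_arn = var.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
+  managed_policy_arn = aws_iam_policy.secrets_manager_read_only.arn
+}
+
+resource "aws_iam_policy" "sso_department_additional_policy" {
+  count = local.deploy_sso ? 1 : 0
+
+  name = lower("${var.identifier_prefix}-${local.department_identifier}-sso-additional-policy")
+  description = "Additional SSO policy for ${local.department_identifier} department in ${var.environment} environment"
+  policy = var.environment == "stg" ? (
+    local.create_notebook ?
+    data.aws_iam_policy_document.sso_staging_additional_with_notebook[0].json :
+    data.aws_iam_policy_document.sso_staging_additional[0].json
+  ) : (
+    data.aws_iam_policy_document.sso_production_additional.json
+  )
+  tags = var.tags
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "department_additional" {
+  count = local.deploy_sso ? 1 : 0
+
+  provider = aws.aws_hackit_account
+
+  instance_arn = var.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.department[0].arn
+  managed_policy_arn = aws_iam_policy.sso_department_additional_policy[0].arn
 }
 
 data "aws_identitystore_group" "department" {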
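Review bot: The four `aws_ssoadmin_managed_policy_attachment` resources (department_s3, department_glue, department_secrets, department_additional) feed `aws_iam_policy.*.arn` into `managed_policy_arn`; to my knowledge that resource, like the AttachManagedPolicyToPermissionSet API behind it, accepts only AWS-managed policy ARNs, so attaching customer managed policies this way is expected to be rejected at apply time, please confirm with a plan/apply before merging. Customer managed policies are attached by name via `aws_ssoadmin_customer_managed_policy_attachment`, which resolves the policy in each account the permission set is provisioned into, so the policy must exist there; note that `aws_iam_policy.sso_department_additional_policy` is created with the module's default provider while every attachment uses `provider = aws.aws_hackit_account`, which is worth checking against where the permission set is actually assigned. Since the split exists because the inline policy hit a size limit (per the commit title), a comment above the first attachment such as `// Split into separate customer managed policies: the permission set inline policy exceeded its size limit` would explain the shape to future readers. Example for department_additional; the other three follow the same pattern:
```hcl
resource "aws_ssoadmin_customer_managed_policy_attachment" "department_additional" {
  count = local.deploy_sso ? 1 : 0

  provider = aws.aws_hackit_account

  instance_arn       = var.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.department[0].arn

  // Referenced by name: a policy with this name must exist in every account the permission set is provisioned to.
  customer_managed_policy_reference {
    name = aws_iam_policy.sso_department_additional_policy[0].name
    path = "/"
  }
}
```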
