Add mgmt support policies

jameslinnell · jameslinnell · commit 8d8550b98488 · 2025-04-01T17:02:02.000+01:00
diff --git a/scripts/infrastructure/roles.mk b/scripts/infrastructure/roles.mk
@@ -15,6 +15,9 @@ manage--mgmt-development-policies: aws--login ## Create or update IAM Policies
 manage--non-mgmt-support-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-policies.sh
 
+manage--mgmt-support-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-mgmt-aws-support-policies.sh
+
 manage--non-mgmt-test-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-integration-policies.sh
 
diff --git a/scripts/infrastructure/roles/manage-mgmt-aws-support-policies.sh b/scripts/infrastructure/roles/manage-mgmt-aws-support-policies.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+function _substitute_environment_variables() {
+  eval "cat << EOF
+$(cat $1)
+EOF"
+}
+
+AWS_REGION_NAME="eu-west-2"
+
+ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
+
+#
+# Check we're running this against MGMT
+#
+. "./scripts/aws/helpers.sh"
+if ! _validate_current_account "MGMT"; then
+  echo "Please login to mgmt profile before running this script"
+  exit 1
+fi
+
+#
+# Create the NHSDevelopmentPolicy that will be used for Developer access and
+# NHSDevelopmentRole. This policy is split into 2 as the file size was too large.
+#
+
+policy_name="NHSSupportPolicy"
+
+for policy_number in "1" "2"; do
+  tf_policy=$(_substitute_environment_variables ./scripts/infrastructure/policies/support${policy_number}-policy.json)
+  aws iam get-policy --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" &>/dev/null
+  if [ $? != 0 ]; then
+    aws iam create-policy \
+      --policy-name "${policy_name}${policy_number}" \
+      --policy-document "${tf_policy}" \
+      --region "${AWS_REGION_NAME}" ||
+      exit 1
+  fi
+  # We update the version because this updates all roles and we don't have to detach and delete.
+  versions=$(aws iam list-policy-versions --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" --region "${AWS_REGION_NAME}")
+  num_versions=$(echo "$versions" | jq -r '.Versions | length')
+  # There has got to be at least 2 versions.
+  if [ "$num_versions" -ge 2 ]; then
+    # Extract the oldest version using jq
+    oldest_version=$(echo "$versions" | jq -r '.Versions | sort_by(.CreateDate) | .[0].VersionId')
+
+    aws iam delete-policy-version \
+      --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" \
+      --version-id "${oldest_version}" ||
+      exit 1
+  fi
+
+  aws iam create-policy-version \
+    --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${policy_name}${policy_number}" \
+    --policy-document "${tf_policy}" \
+    --set-as-default \
+    --region "${AWS_REGION_NAME}" ||
+    exit 1
+done
