Merge pull request #320 from NHSDigital/feature/CCM-8742_grafana

CCM-8742: grafana iam role

Author: sidnhs

infrastructure/terraform/components/acct/README.md

@@ -19,7 +19,6 @@
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
-| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_root_domain_name"></a> [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no |

infrastructure/terraform/components/acct/variables.tf

@@ -70,8 +70,3 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
-
-variable "observability_account_id" {
-  type        = string
-  description = "The Observability Account ID that needs access"
-}

infrastructure/terraform/components/app/README.md

@@ -37,6 +37,7 @@
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

…mponents/acct/iam_role_grafana_access.tf …omponents/app/iam_role_grafana_access.tfinfrastructure/terraform/components/acct/iam_role_grafana_access.tf renamed to infrastructure/terraform/components/app/iam_role_grafana_access.tf infrastructure/terraform/components/acct/iam_role_grafana_access.tf renamed to infrastructure/terraform/components/app/iam_role_grafana_access.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "grafana_access" {
-  name               = "${local.csi}-grafana-cross-access-role"
+  name               = replace("${local.csi}-grafana-cross-access-role", "-${var.component}", "")
   assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json
 }
 
@@ -8,8 +8,18 @@ data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {
     actions = ["sts:AssumeRole"]
     effect  = "Allow"
     principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.observability_account_id}:role/${local.csi}-grafana-workspace-role"]
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.observability_account_id}:root"
+      ]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+
+      values = [
+        "arn:aws:iam::${var.observability_account_id}:role/*grafana-workspace-role"
+      ]
     }
   }
 }

infrastructure/terraform/components/app/module_nhse_backup_vault.tf

@@ -1,6 +1,6 @@
 module "nhse_backup_vault" {
   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source?ref=v1.0.8"
-  count = var.destination_vault_arn != null ? 1:0
+  count  = var.destination_vault_arn != null ? 1 : 0
 
   component                    = var.component
   environment                  = var.environment

infrastructure/terraform/components/app/variables.tf

@@ -187,3 +187,8 @@ variable "enable_letters" {
   description = "Feature flag for letters"
   default     = false
 }
+
+variable "observability_account_id" {
+  type        = string
+  description = "The Observability Account ID that needs access"
+}