
Commit 44f3669

Merge pull request #303 from NHSDigital/feature/CCM-8202_Grafana_Cross_Account_Access
CCM-8202: Grafana Cross Account Access
2 parents 0f1d202 + a0ac679 commit 44f3669


2 files changed

+25
-0
lines changed

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
resource "aws_iam_role" "grafana_access" {
2+
name = "${local.csi}-grafana-cross-access-role"
3+
assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json
4+
}
5+
6+
data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {
7+
statement {
8+
actions = ["sts:AssumeRole"]
9+
effect = "Allow"
10+
principals {
11+
type = "AWS"
12+
identifiers = ["arn:aws:iam::${var.observability_account_id}:role/${local.csi}-grafana-workspace-role"]
13+
}
14+
}
15+
}
16+
17+
resource "aws_iam_role_policy_attachment" "grafana_workspace_cloudwatch" {
18+
role = aws_iam_role.grafana_access.name
19+
policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
20+
}
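Review bot: The `grafana_workspace_cloudwatch` attachment gives the cross-account role the AWS-managed `CloudWatchReadOnlyAccess` policy, which is account-wide and, as far as I know, includes CloudWatch Logs read and query actions on every log group, so anything written to logs in this account becomes readable from the observability account. If the dashboards need only metrics or a known set of log groups, a customer-managed policy limited to those actions and log-group ARNs would keep the exposure to what Grafana actually queries. The trust statement in `observability_grafana_role_assume_role_policy` names a single role ARN, which is tight, but it has no `condition` block; an `aws:PrincipalOrgID` condition would additionally pin the caller to the organisation if a wrong account ID is ever supplied. At minimum I would add a comment above the attachment such as `# Read-only CloudWatch metrics and logs for the observability account's Grafana workspace role`.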

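--- a/infrastructure/terraform/components/acct/variables.tf
+++ b/infrastructure/terraform/components/acct/variables.tf
@@ -70,3 +70,8 @@ variable "initial_cli_secrets_provision_override" {
 # Usage like:
 # ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "observability_account_id" {
+type = string
+description = "The Observability Account ID that needs access"
+}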
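Review bot: `observability_account_id` is accepted as any string, yet in this commit it decides which account's role may assume `grafana_access`, so a mistyped or wrong-environment value could end up trusting a role in an unintended account if one with that name exists there. A `validation` block with `condition = can(regex("^[0-9]{12}$", var.observability_account_id))` and a matching `error_message` would reject malformed IDs at plan time. The description could also state what the value controls, e.g. `description = "AWS account ID of the Observability account whose Grafana workspace role may assume the cross-account read role"`.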
