CCM-8742: Grafana cross account access trust pol condition

sidnhs · sidnhs · commit aecb597590fc · 2025-02-27T16:39:51.000Z
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
@@ -70,8 +70,3 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
-
-variable "observability_account_id" {
-  type        = string
-  description = "The Observability Account ID that needs access"
-}
diff --git a/infrastructure/terraform/components/app/iam_role_grafana_access.tf b/infrastructure/terraform/components/app/iam_role_grafana_access.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "grafana_access" {
-  name               = "${local.csi}-grafana-cross-access-role"
+  name               = replace("${local.csi}-grafana-cross-access-role", "-${var.component}", "")
   assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json
 }
 
@@ -9,7 +9,17 @@ data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {
     effect  = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.observability_account_id}:role/${local.csi}-grafana-workspace-role"]
+      identifiers = [
+         "arn:aws:iam::${var.observability_account_id}:root"
+      ]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+
+      values = [
+        "arn:aws:iam::${var.observability_account_id}:role/*grafana-workspace-role"
+      ]
     }
   }
 }
diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf
@@ -187,3 +187,8 @@ variable "enable_letters" {
   description = "Feature flag for letters"
   default     = false
 }
+
+variable "observability_account_id" {
+  type        = string
+  description = "The Observability Account ID that needs access"
+}

Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,3 @@ variable "initial_cli_secrets_provision_override" {`
`70`	`70`	`# Usage like:`
`71`	`71`	`# ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}`
`72`	`72`	`}`
`73`		`-`
`74`		`-variable "observability_account_id" {`
`75`		`- type = string`
`76`		`- description = "The Observability Account ID that needs access"`
`77`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`resource "aws_iam_role" "grafana_access" {`
`2`		`- name = "${local.csi}-grafana-cross-access-role"`
	`2`	`+ name = replace("${local.csi}-grafana-cross-access-role", "-${var.component}", "")`
`3`	`3`	`assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json`
`4`	`4`	`}`
`5`	`5`
`@@ -9,7 +9,17 @@ data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {`
`9`	`9`	`effect = "Allow"`
`10`	`10`	`principals {`
`11`	`11`	`type = "AWS"`
`12`		`- identifiers = ["arn:aws:iam::${var.observability_account_id}:role/${local.csi}-grafana-workspace-role"]`
	`12`	`+ identifiers = [`
	`13`	`+ "arn:aws:iam::${var.observability_account_id}:root"`
	`14`	`+ ]`
	`15`	`+ }`
	`16`	`+ condition {`
	`17`	`+ test = "ArnLike"`
	`18`	`+ variable = "aws:PrincipalArn"`
	`19`	`+`
	`20`	`+ values = [`
	`21`	`+ "arn:aws:iam::${var.observability_account_id}:role/*grafana-workspace-role"`
	`22`	`+ ]`
`13`	`23`	`}`
`14`	`24`	`}`
`15`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -187,3 +187,8 @@ variable "enable_letters" {`
`187`	`187`	`description = "Feature flag for letters"`
`188`	`188`	`default = false`
`189`	`189`	`}`
	`190`	`+`
	`191`	`+variable "observability_account_id" {`
	`192`	`+ type = string`
	`193`	`+ description = "The Observability Account ID that needs access"`
	`194`	`+}`