🔀 Merge pull request #3559 from ministryofjustice/oidc-iam

🔧 Add cross account role for apps and tools

terraform/environments/data-platform/environment-configurations.tf

@@ -0,0 +1,17 @@
+locals {
+  environment_configuration = local.environment_configurations[local.environment]
+  environment_configurations = {
+    development = {
+      apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    test = {
+      apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    preproduction = {
+      apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
+    }
+    production = {
+      apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"]
+    }
+  }
+}

terraform/environments/data-platform/iam-policies.tf

@@ -0,0 +1,25 @@
+// TODO Scope this down... 
+
+data "aws_iam_policy_document" "openmetadata" {
+  statement {
+    sid    = "openmetadata"
+    effect = "Allow"
+    actions = [
+      "s3:*",
+      "athena:*",
+      "glue:*"
+    ]
+    resources = ["*"]
+  }
+}
+
+module "openmetadata_iam_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "~> 5.0"
+
+  name_prefix = "openmetadata"
+
+  policy = data.aws_iam_policy_document.openmetadata.json
+
+  tags = local.tags
+}

terraform/environments/data-platform/iam-roles.tf

@@ -0,0 +1,18 @@
+module "openmetadata_iam_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 5.0"
+
+  create_role = true
+
+  role_name_prefix  = "openmetadata"
+  role_requires_mfa = false
+
+  trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.apps_tools_account_id}:root"]
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
+    module.openmetadata_iam_policy.arn
+  ]
+
+  tags = local.tags
+}