testing out restricted management role

ministryofjustice · Dec 12, 2024 · da7de2d · da7de2d
1 parent 356d7e8
commit da7de2d
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 8 deletions.
diff --git a/terraform/environment/region/elasticache_sg.tf b/terraform/environment/region/elasticache_sg.tf
@@ -5,10 +5,6 @@ data "aws_elasticache_replication_group" "front_cache_cluster" {
   replication_group_id = "frontend-redis-${var.account.name}"
 }
 
-data "aws_security_group" "front_cache_sg" {
-  name = "${var.account.name}-account-cache-frontend"
-}
-
 data "aws_security_group" "cache_front_sg" {
   name = "${var.account.name}-shared-cache-front"
 }
@@ -39,10 +35,6 @@ data "aws_elasticache_replication_group" "api_cache_cluster" {
   replication_group_id = "api-redis-${var.account.name}"
 }
 
-data "aws_security_group" "api_cache_sg" {
-  name = "${var.account.name}-account-cache-api"
-}
-
 data "aws_security_group" "cache_api_sg" {
   name = "${var.account.name}-shared-cache-api"
 }

diff --git a/terraform/environment/region/iam_temporary_management_test.tf b/terraform/environment/region/iam_temporary_management_test.tf
@@ -0,0 +1,101 @@
+resource "aws_iam_role" "ci_test" {
+  assume_role_policy = data.aws_iam_policy_document.ci_test_assume_policy.json
+  name               = "digideps-test-ci"
+  tags               = var.default_tags
+  provider           = aws.management
+}
+
+data "aws_iam_policy_document" "ci_test_assume_policy" {
+  statement {
+    sid    = "Trust relations"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::631181914621:role/oidc-digideps-development"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy" "ci_test" {
+  name     = "digideps-test-ci"
+  policy   = data.aws_iam_policy_document.ci_test.json
+  role     = aws_iam_role.ci_test.id
+  provider = aws.management
+}
+
+data "aws_iam_policy_document" "ci_test" {
+  statement {
+    sid    = "Write DNS access"
+    effect = "Allow"
+    actions = [
+      "route53:Change*",
+      "route53:Create*",
+      "route53:Delete*",
+      "route53:Associate*",
+      "route53:Activate*",
+      "route53:Deactivate*",
+    ]
+    resources = [
+      "arn:aws:route53:::hostedzone/Z07336273PD3FH7YGYOLV",
+      "arn:aws:route53:::hostedzone/Z0818402Q9ADP2GK9BOL"
+    ]
+  }
+
+  statement {
+    sid    = "Read DNS"
+    effect = "Allow"
+    actions = [
+      "route53:Get*",
+      "route53:List*"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    sid    = "ECR Allow List"
+    effect = "Allow"
+    actions = [
+      "ecr:List*",
+      "ecr:Describe*"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "ECR Allow Read"
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:ListTagsForResource",
+      "ecr:DescribeImageScanFindings"
+    ]
+    resources = [
+      "311462405659.dkr.ecr.eu-west-1.amazonaws.com/digideps/*"
+    ]
+  }
+
+  statement {
+    sid    = "GetSecrets"
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    resources = [
+      "arn:aws:secretsmanager:eu-west-1:311462405659:secret:digideps/*"
+    ]
+  }
+}