feat: add Superset Staging SSO groups (#322)

Add SSO groups for the Superset Staging account.
cds-snc · Dec 9, 2024 · 629276e · 629276e
1 parent 8785287
commit 629276e
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 1 deletion.
diff --git a/terragrunt/org_account/iam_identity_center/locals.tf b/terragrunt/org_account/iam_identity_center/locals.tf
@@ -26,6 +26,7 @@ locals {
   notify_sandbox_account_id    = "891376947407"
 
   superset_production_account_id = "066023111852"
+  superset_staging_account_id    = "257394494478"
 
   sso_identity_store_id = "d-9d67173bdd"
   sso_instance_id       = "ssoins-8824c710b5ddb452"

diff --git a/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf b/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf
@@ -17,9 +17,23 @@ locals {
       permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
     }
   ]
+  # Superset-Staging
+  superset_staging_permission_sets = [
+    {
+      group          = aws_identitystore_group.superset_staging_admin,
+      permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+    },
+    {
+      group          = aws_identitystore_group.superset_staging_read_only_billing,
+      permission_set = aws_ssoadmin_permission_set.read_only_billing,
+    },
+    {
+      group          = aws_identitystore_group.superset_staging_read_only,
+      permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+    }
+  ]
 }
 
-
 resource "aws_ssoadmin_account_assignment" "superset_production" {
   for_each = { for perm in local.superset_production_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
 
@@ -32,3 +46,16 @@ resource "aws_ssoadmin_account_assignment" "superset_production" {
   target_id   = local.superset_production_account_id
   target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "superset_staging" {
+  for_each = { for perm in local.superset_staging_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.permission_set.arn
+
+  principal_id   = each.value.group.group_id
+  principal_type = "GROUP"
+
+  target_id   = local.superset_staging_account_id
+  target_type = "AWS_ACCOUNT"
+}
diff --git a/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf b/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf
@@ -18,3 +18,24 @@ resource "aws_identitystore_group" "superset_production_read_only" {
   description       = "Grants members read-only access to the Superset Production account."
   identity_store_id = local.sso_identity_store_id
 }
+
+#
+# Staging
+#
+resource "aws_identitystore_group" "superset_staging_admin" {
+  display_name      = "Superset-Staging-Admin"
+  description       = "Grants members administrator access to the Superset Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "superset_staging_read_only_billing" {
+  display_name      = "Superset-Staging-Billing-ReadOnly"
+  description       = "Grants members read-only Billing and Cost Explorer access to the Superset Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "superset_staging_read_only" {
+  display_name      = "Superset-Staging-ReadOnly"
+  description       = "Grants members read-only access to the Superset Staging account."
+  identity_store_id = local.sso_identity_store_id
+}