From 629276e6cafa2cc9a216c414ff3a323fbaebaa59 Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Mon, 9 Dec 2024 08:54:59 -0500
Subject: [PATCH] feat: add Superset Staging SSO groups (#322)
Add SSO groups for the Superset Staging account.
---
.../org_account/iam_identity_center/locals.tf | 1 +
.../platform_superset_assignments.tf | 29 ++++++++++++++++++-
.../platform_superset_groups.tf | 21 ++++++++++++++
3 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/terragrunt/org_account/iam_identity_center/locals.tf b/terragrunt/org_account/iam_identity_center/locals.tf
index 0fe61c45..5bffc159 100644
--- a/terragrunt/org_account/iam_identity_center/locals.tf
+++ b/terragrunt/org_account/iam_identity_center/locals.tf
@@ -26,6 +26,7 @@ locals {
 notify_sandbox_account_id = "891376947407"
 superset_production_account_id = "066023111852"
+ superset_staging_account_id = "257394494478"
 sso_identity_store_id = "d-9d67173bdd"
 sso_instance_id = "ssoins-8824c710b5ddb452"
diff --git a/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf b/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf
index 8756665c..cf082822 100644
--- a/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf
+++ b/terragrunt/org_account/iam_identity_center/platform_superset_assignments.tf
@@ -17,9 +17,23 @@ locals {
 permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
 }
 ]
+ # Superset-Staging
+ superset_staging_permission_sets = [
+ {
+ group = aws_identitystore_group.superset_staging_admin,
+ permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+ },
+ {
+ group = aws_identitystore_group.superset_staging_read_only_billing,
+ permission_set = aws_ssoadmin_permission_set.read_only_billing,
+ },
+ {
+ group = aws_identitystore_group.superset_staging_read_only,
+ permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+ }
+ ]
 }
-
 resource "aws_ssoadmin_account_assignment" "superset_production" {
 for_each = { for perm in local.superset_production_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
@@ -32,3 +46,16 @@ resource "aws_ssoadmin_account_assignment" "superset_production" {
 target_id = local.superset_production_account_id
 target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "superset_staging" {
+ for_each = { for perm in local.superset_staging_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = each.value.permission_set.arn
+
+ principal_id = each.value.group.group_id
+ principal_type = "GROUP"
+
+ target_id = local.superset_staging_account_id
+ target_type = "AWS_ACCOUNT"
+}
diff --git a/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf b/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf
index ab5241b4..4778109a 100644
--- a/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf
+++ b/terragrunt/org_account/iam_identity_center/platform_superset_groups.tf
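Review bot: The removed blank line between the closing `}` of the `locals` block and `resource "aws_ssoadmin_account_assignment" "superset_production"` leaves two top-level blocks abutting, which reads as an accidental deletion rather than a deliberate change; restore the separator so the file keeps one blank line between top-level blocks, as the new `superset_staging` resource in the next hunk does. The `locals` block itself starts before this hunk. Separately, `superset_staging_permission_sets` binds the `superset_staging_admin` group to `aws_administrator_access`, the same full-admin permission set production uses; if staging is meant to be a lower-trust environment, a one-line comment such as `# Staging admins get full AdministratorAccess (same as production) because <reason>` would record why no narrower permission set was chosen.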
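Review bot: The `for_each` key of the new `superset_staging` resource is built from `perm.group.display_name`, so a group's display name doubles as the assignment's state address, and renaming a group in platform_superset_groups.tf would plan a destroy-and-recreate of its assignment (presumably a brief loss of access for that group's members). This mirrors the production resource and is likely deliberate, since `group_id` is only known after the group is created and so cannot serve as a `for_each` key on first apply, but nothing in the file says so; a comment above the `for_each` such as `# Keyed on display_name (known at plan time): renaming a group replaces its assignment.` would make the trade-off explicit.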
@@ -18,3 +18,24 @@ resource "aws_identitystore_group" "superset_production_read_only" {
 description = "Grants members read-only access to the Superset Production account."
 identity_store_id = local.sso_identity_store_id
 }
+
+#
+# Staging
+#
+resource "aws_identitystore_group" "superset_staging_admin" {
+ display_name = "Superset-Staging-Admin"
+ description = "Grants members administrator access to the Superset Staging account."
+ identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "superset_staging_read_only_billing" {
+ display_name = "Superset-Staging-Billing-ReadOnly"
+ description = "Grants members read-only Billing and Cost Explorer access to the Superset Staging account."
+ identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "superset_staging_read_only" {
+ display_name = "Superset-Staging-ReadOnly"
+ description = "Grants members read-only access to the Superset Staging account."
+ identity_store_id = local.sso_identity_store_id
+}