Grant ehuss and spastorino access to triagebot logs
This grants scoped-down access to just the triagebot log group in our
legacy AWS account. The console appears to still be usable with the
access granted here, so it seems good enough. Note that we do grant
ability to list all log groups but this is not particularly meaningful.
Mark-Simulacrum committed Apr 27, 2024
1 parent 7f265f0 commit 5e9cec8
Showing 3 changed files with 75 additions and 6 deletions.
14 changes: 13 additions & 1 deletion terragrunt/accounts/root/aws-organization/terragrunt.hcl
Expand Up @@ -25,7 +25,7 @@ inputs = {
given_name = "Mark",
family_name = "Rousskov"
email = "mark.simulacrum@gmail.com"
groups = ["infra", "infra-admins"]
groups = ["infra", "infra-admins", "triagebot"]
}
"rylev" = {
given_name = "Ryan",
Expand Down Expand Up @@ -69,5 +69,17 @@ inputs = {
email = "adam@adamharvey.name"
groups = ["crates-io"]
}
"ehuss" = {
given_name = "Eric"
family_name = "Huss"
email = "eric@huss.org"
groups = ["triagebot"]
}
"spastorino" = {
given_name = "Santiago"
family_name = "Pastorino"
email = "spastorino@gmail.com"
groups = ["triagebot"]
}
}
}
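Review bot: The change to Mark's entry adds `"triagebot"` to a user who already holds `infra-admins`, which in groups.tf is assigned `administrator_access` on the legacy account, so the new membership grants no additional effective access; if it is there so he can pick the scoped `TriagebotReadOnly` permission set when checking it from the console, as the commit message hints, a short inline comment such as `# also in triagebot to exercise the scoped permission set` would stop a later cleanup from dropping it. As a point of style, the two new entries omit the trailing comma after `given_name` that the existing `"Mark"` entry uses; either form is valid HCL, but one convention per file reads better. The enclosing `inputs` map starts before this section.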
66 changes: 61 additions & 5 deletions terragrunt/modules/aws-organization/groups.tf
Expand Up @@ -35,6 +35,13 @@ resource "aws_identitystore_group" "crates_io" {
description = "The crates.io team"
}

resource "aws_identitystore_group" "triagebot" {
identity_store_id = local.identity_store_id

display_name = "triagebot"
description = "The triagebot maintainers"
}

# The different permission sets a group may have assigned to it

resource "aws_ssoadmin_permission_set" "administrator_access" {
Expand Down Expand Up @@ -85,6 +92,55 @@ resource "aws_ssoadmin_managed_policy_attachment" "read_only_access" {
permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
}

// Triagebot team read-only access into the legacy account.
resource "aws_ssoadmin_permission_set" "triagebot_access" {
instance_arn = local.instance_arn
name = "TriagebotReadOnly"
}

data "aws_iam_policy_document" "triagebot_access" {
statement {
sid = "ReadLogs"
effect = "Allow"
actions = [
// Subset of CloudwatchReadOnlyAccess
// See https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchReadOnlyAccess.html
"logs:Get*",
"logs:List*",
"logs:StartQuery",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:StartLiveTail",
"logs:StopLiveTail",
]
resources = [
"arn:aws:logs:us-west-1:890664054962:log-group:/ecs/triagebot",
"arn:aws:logs:us-west-1:890664054962:log-group:/ecs/triagebot:*",
]
}

statement {
sid = "NonResourceStatement"
effect = "Allow"
actions = [
// Subset of CloudwatchReadOnlyAccess
// See https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchReadOnlyAccess.html
"logs:StopQuery",
"logs:DescribeLogGroups",
"logs:DescribeQueries",
"logs:DescribeQueryDefinitions",
"logs:TestMetricFilter",
]
resources = ["*"]
}
}

resource "aws_ssoadmin_permission_set_inline_policy" "triagebot_access" {
inline_policy = data.aws_iam_policy_document.triagebot_access.json
instance_arn = local.instance_arn
permission_set_arn = aws_ssoadmin_permission_set.triagebot_access.arn
}

# The assignment of groups to accounts with their respective permission sets

locals {
Expand All @@ -94,7 +150,7 @@ locals {
account : aws_organizations_account.admin,
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
{ group : aws_identitystore_group.billing,
permissions : [aws_ssoadmin_permission_set.billing_access] },
{ group : aws_identitystore_group.infra,
Expand All @@ -106,11 +162,13 @@ locals {
account : aws_organizations_account.legacy,
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
{ group : aws_identitystore_group.billing,
permissions : [aws_ssoadmin_permission_set.billing_access] },
{ group : aws_identitystore_group.infra,
permissions : [aws_ssoadmin_permission_set.view_only_access] }
permissions : [aws_ssoadmin_permission_set.view_only_access] },
{ group : aws_identitystore_group.triagebot,
permissions : [aws_ssoadmin_permission_set.triagebot_access] },
]
},
# crates-io Staging
Expand All @@ -119,7 +177,6 @@ locals {
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [
aws_ssoadmin_permission_set.view_only_access,
aws_ssoadmin_permission_set.read_only_access,
aws_ssoadmin_permission_set.administrator_access
] },
Expand All @@ -135,7 +192,6 @@ locals {
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [
aws_ssoadmin_permission_set.view_only_access,
aws_ssoadmin_permission_set.read_only_access,
aws_ssoadmin_permission_set.administrator_access
] },
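Review bot: The two log-group ARNs in the `ReadLogs` statement hard-code the legacy account ID (`890664054962`) even though the module already manages that account as `aws_organizations_account.legacy` (it is referenced in the assignment locals later in this section); interpolating the resource keeps the policy bound to the real account rather than a copied number: `"arn:aws:logs:us-west-1:${aws_organizations_account.legacy.id}:log-group:/ecs/triagebot",` and `"arn:aws:logs:us-west-1:${aws_organizations_account.legacy.id}:log-group:/ecs/triagebot:*",`. The region could presumably be taken from provider data as well, but nothing in the hunk shows how the module obtains it, so that is left as written. Separately, the later hunks swap infra-admins from `view_only_access` to `read_only_access` on the admin and legacy accounts and drop `view_only_access` for the two crates-io accounts, which the commit message does not mention; one sentence on the intent (presumably the two permission sets overlap) would help anyone auditing the assignment history. The `locals` block those hunks edit starts at the end of this section and continues outside it.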
1 change: 1 addition & 0 deletions terragrunt/modules/aws-organization/users.tf
Expand Up @@ -4,6 +4,7 @@ locals {
infra : aws_identitystore_group.infra
infra-admins : aws_identitystore_group.infra-admins
crates-io : aws_identitystore_group.crates_io
triagebot : aws_identitystore_group.triagebot
}

# Expand var.users into collection of group memberships associations
