Skip to content

Commit

Permalink
Add read-only access to infra
Browse files Browse the repository at this point in the history 
Also drops access from read-only roles to kms:Decrypt. That operation
isn't considered a write operation, but grants e.g. access to SSM
secret values, which doesn't seem ideal.
  • Loading branch information
@Mark-Simulacrum
Mark-Simulacrum committed Jun 29, 2024
1 parent 5e3adf4 commit 45302ed
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions terragrunt/modules/aws-organization/groups.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,21 @@ resource "aws_ssoadmin_managed_policy_attachment" "read_only_access" {
permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "no_kms" {
inline_policy = data.aws_iam_policy_document.no_kms.json
instance_arn = local.instance_arn
permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
}

data "aws_iam_policy_document" "no_kms" {
statement {
sid = "DropKMSDecrypt"
effect = "Deny"
actions = ["kms:Decrypt"]
resources = ["*"]
}
}

// Triagebot team read-only access into the legacy account.
resource "aws_ssoadmin_permission_set" "triagebot_access" {
instance_arn = local.instance_arn
Expand Down Expand Up @@ -245,6 +260,8 @@ locals {
groups : [
{ group : aws_identitystore_group.infra-admins,
permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
{ group : aws_identitystore_group.infra,
permissions : [aws_ssoadmin_permission_set.read_only_access] },
]
},
]
Expand Down

0 comments on commit 45302ed

Please sign in to comment.