DDLS-425 restrict management ci to limited access (#1772)

* DDLS-425 add restricted management CI role to digideps
ministryofjustice · Dec 19, 2024 · c201538 · c201538
1 parent 4c2a20c
commit c201538
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 9 deletions.
diff --git a/terraform/account/.envrc b/terraform/account/.envrc
@@ -1,4 +1,5 @@
 source ../../scripts/pipeline/terraform/switch-terraform-version.sh
 export TF_WORKSPACE=development
 export TF_VAR_DEFAULT_ROLE=operator
+export TF_VAR_DEFAULT_ROLE_MGMT=operator
 export TF_CLI_ARGS_init="-backend-config=\"assume_role={role_arn=\\\"arn:aws:iam::311462405659:role/operator\\\"}\""
diff --git a/terraform/account/provider.tf b/terraform/account/provider.tf
@@ -30,7 +30,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -54,7 +54,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }

diff --git a/terraform/account/variables.tf b/terraform/account/variables.tf
@@ -1,6 +1,13 @@
 variable "DEFAULT_ROLE" {
-  default = "digideps-ci"
-  type    = string
+  type        = string
+  description = "Default role to use for providers"
+  default     = "digideps-ci"
+}
+
+variable "DEFAULT_ROLE_MGMT" {
+  type        = string
+  description = "Default role to use for management providers"
+  default     = "digideps-custom-ci"
 }
 
 variable "accounts" {

diff --git a/terraform/environment/.envrc b/terraform/environment/.envrc
@@ -1,4 +1,5 @@
 source ../../scripts/pipeline/terraform/switch-terraform-version.sh
 export TF_WORKSPACE=development
 export TF_VAR_DEFAULT_ROLE=operator
+export TF_VAR_DEFAULT_ROLE_MGMT=operator
 export TF_CLI_ARGS_init="-backend-config=\"assume_role={role_arn=\\\"arn:aws:iam::311462405659:role/operator\\\"}\""
diff --git a/terraform/environment/provider.tf b/terraform/environment/provider.tf
@@ -29,7 +29,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -54,7 +54,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -78,7 +78,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn     = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }

diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
@@ -1,6 +1,13 @@
 variable "DEFAULT_ROLE" {
-  default = "digideps-ci"
-  type    = string
+  type        = string
+  description = "Default role to use for providers"
+  default     = "digideps-ci"
+}
+
+variable "DEFAULT_ROLE_MGMT" {
+  type        = string
+  description = "Default role to use for management providers"
+  default     = "digideps-custom-ci"
 }
 
 variable "OPG_DOCKER_TAG" {