From c201538e6755c7a79cd30a014e537e57d417e7bf Mon Sep 17 00:00:00 2001
From: Jim <58939809+jamesrwarren@users.noreply.github.com>
Date: Thu, 19 Dec 2024 09:43:38 +0000
Subject: [PATCH] DDLS-425 restrict management ci to limited access (#1772)

* DDLS-425 add restricted management CI role to digideps
---
 terraform/account/.envrc           |  1 +
 terraform/account/provider.tf      |  4 ++--
 terraform/account/variables.tf     | 11 +++++++++--
 terraform/environment/.envrc       |  1 +
 terraform/environment/provider.tf  |  6 +++---
 terraform/environment/variables.tf | 11 +++++++++--
 6 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/terraform/account/.envrc b/terraform/account/.envrc
index a994427609..d20567110e 100644
--- a/terraform/account/.envrc
+++ b/terraform/account/.envrc
@@ -1,4 +1,5 @@
 source ../../scripts/pipeline/terraform/switch-terraform-version.sh
 export TF_WORKSPACE=development
 export TF_VAR_DEFAULT_ROLE=operator
+export TF_VAR_DEFAULT_ROLE_MGMT=operator
 export TF_CLI_ARGS_init="-backend-config=\"assume_role={role_arn=\\\"arn:aws:iam::311462405659:role/operator\\\"}\""
diff --git a/terraform/account/provider.tf b/terraform/account/provider.tf
index 976a41dc52..e664f910c8 100644
--- a/terraform/account/provider.tf
+++ b/terraform/account/provider.tf
@@ -30,7 +30,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -54,7 +54,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
diff --git a/terraform/account/variables.tf b/terraform/account/variables.tf
index 3c01afea5f..8d07b22ee6 100644
--- a/terraform/account/variables.tf
+++ b/terraform/account/variables.tf
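Review bot: The added `export TF_VAR_DEFAULT_ROLE_MGMT=operator` overrides the restricted `digideps-custom-ci` default from variables.tf for anyone who loads this file, and nothing in the file records that the override is a local-development convenience rather than the intended value for the management providers. A one-line comment above it would keep the two paths from being confused, along the lines of `# local runs only: the restricted digideps-custom-ci default in variables.tf is meant to apply in CI`; whether CI actually leaves this variable unset is not visible in the patch, so confirm before wording it that way. The terraform/environment/.envrc hunk further down carries the same index hashes (a994427609..d20567110e), so the two files are byte-identical and the comment belongs in both.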
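Review bot: With this hunk the management-account ARN prefix `arn:aws:iam::311462405659:role/` is now written out in five separate `assume_role` blocks (this one, the -54 hunk below, and the three hunks in terraform/environment/provider.tf), and which providers take `var.DEFAULT_ROLE` versus `var.DEFAULT_ROLE_MGMT` is only discoverable by reading each interpolated string. Defining one local such as `management_role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"` and writing `role_arn = local.management_role_arn` in each block makes the restricted-role intent reviewable in one place and prevents a future provider from silently falling back to the broader role. The enclosing `provider "aws"` blocks begin outside the hunk, so the `alias` and `region` of each provider switched here cannot be checked from the patch.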
@@ -1,6 +1,13 @@
 variable "DEFAULT_ROLE" {
-  default = "digideps-ci"
-  type = string
+  type = string
+  description = "Default role to use for providers"
+  default = "digideps-ci"
+}
+
+variable "DEFAULT_ROLE_MGMT" {
+  type = string
+  description = "Default role to use for management providers"
+  default = "digideps-custom-ci"
 }
 
 variable "accounts" {
diff --git a/terraform/environment/.envrc b/terraform/environment/.envrc
index a994427609..d20567110e 100644
--- a/terraform/environment/.envrc
+++ b/terraform/environment/.envrc
@@ -1,4 +1,5 @@
 source ../../scripts/pipeline/terraform/switch-terraform-version.sh
 export TF_WORKSPACE=development
 export TF_VAR_DEFAULT_ROLE=operator
+export TF_VAR_DEFAULT_ROLE_MGMT=operator
 export TF_CLI_ARGS_init="-backend-config=\"assume_role={role_arn=\\\"arn:aws:iam::311462405659:role/operator\\\"}\""
diff --git a/terraform/environment/provider.tf b/terraform/environment/provider.tf
index a50d873da5..e96f474a72 100644
--- a/terraform/environment/provider.tf
+++ b/terraform/environment/provider.tf
@@ -29,7 +29,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -54,7 +54,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
@@ -78,7 +78,7 @@ provider "aws" {
     tags = local.default_tags
   }
   assume_role {
-    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE}"
+    role_arn = "arn:aws:iam::311462405659:role/${var.DEFAULT_ROLE_MGMT}"
     session_name = "terraform-session"
   }
 }
diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
index 148827ec2a..d25535ba15 100644
--- a/terraform/environment/variables.tf
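Review bot: `DEFAULT_ROLE_MGMT` is a free-form string, so a typo or an unexpected `TF_VAR_DEFAULT_ROLE_MGMT` value is only noticed when AssumeRole fails at plan time, and nothing in the variable records which roles are acceptable for the management providers. The two values the patch itself uses are `digideps-custom-ci` (default) and `operator` (the .envrc override), so a `validation` block listing them would make the allowed set explicit and turn a wrong value into a clear init-time error; the same applies to the identical hunk in terraform/environment/variables.tf. The description could also say what "management" means here, since the ARN in provider.tf shows these providers target account 311462405659. Variable validation requires a Terraform version that supports it, which the pinned version from switch-terraform-version.sh is not visible enough here to confirm.
```hcl
variable "DEFAULT_ROLE_MGMT" {
  type        = string
  description = "Role assumed by the providers that target the management account (311462405659); CI is expected to use the restricted digideps-custom-ci role"
  default     = "digideps-custom-ci"

  validation {
    condition     = contains(["digideps-custom-ci", "operator"], var.DEFAULT_ROLE_MGMT)
    error_message = "DEFAULT_ROLE_MGMT must be one of the roles permitted for the management providers."
  }
}
```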
+++ b/terraform/environment/variables.tf
@@ -1,6 +1,13 @@
 variable "DEFAULT_ROLE" {
-  default = "digideps-ci"
-  type = string
+  type = string
+  description = "Default role to use for providers"
+  default = "digideps-ci"
+}
+
+variable "DEFAULT_ROLE_MGMT" {
+  type = string
+  description = "Default role to use for management providers"
+  default = "digideps-custom-ci"
 }
 
 variable "OPG_DOCKER_TAG" {