How do I have account specific SSH grunt IAM roles? #164
I’m currently working with something that looks like this in
The problem I’m running into is that
(User has ssh+sudo only in a specified tenancy/role) What’s the correct way to get there?
Replies: 1 comment
To achieve individual account level SSH access, you need to first configure it in each account in ssh-grunt on the servers. In each server module, there are variables ssh_grunt_iam_group and ssh_grunt_iam_group_sudo which specify which IAM group to look for when allowing SSH access (e.g., in OpenVPN server, here is the definition). You can specify this to be any IAM group you like. You can have fine-grained access by specifying a different value for each account.

Once that IAM group is specified in each account, you can then construct blank IAM groups in the security account that have those names. Note that SSH grunt doesn’t require any permissions in those IAM groups.

To create the IAM group, you can use the custom-iam-entity module.
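A sketch of the layout the reply describes, added here as an illustration and not taken from the thread or from the project's own code. The account names (dev, prod), the group names, the user `alice` and the module `source` values are assumptions, and plain `aws_iam_group` resources stand in for the custom-iam-entity module because that module's inputs are not shown on this page.

```hcl
# ---- dev account: server module call ----
module "openvpn_dev" {
  source = "<your-server-module-source>" # placeholder, not from the page

  # Per-account group names (constructed for this example)
  ssh_grunt_iam_group      = "ssh-grunt-dev-users"
  ssh_grunt_iam_group_sudo = "ssh-grunt-dev-sudo"
}

# ---- prod account: same module, different group names ----
module "openvpn_prod" {
  source = "<your-server-module-source>" # placeholder, not from the page

  ssh_grunt_iam_group      = "ssh-grunt-prod-users"
  ssh_grunt_iam_group_sudo = "ssh-grunt-prod-sudo"
}

# ---- security account: blank IAM groups with matching names ----
locals {
  # Must match the values passed to the server modules above
  ssh_grunt_groups = [
    "ssh-grunt-dev-users",
    "ssh-grunt-dev-sudo",
    "ssh-grunt-prod-users",
    "ssh-grunt-prod-sudo",
  ]
}

resource "aws_iam_group" "ssh_grunt" {
  for_each = toset(local.ssh_grunt_groups)
  name     = each.value
  # No policies attached: the groups exist only so membership can be looked up
}

# Hypothetical existing IAM user placed in the dev sudo group only,
# and in none of the prod groups
resource "aws_iam_user_group_membership" "alice" {
  user   = "alice"
  groups = [aws_iam_group.ssh_grunt["ssh-grunt-dev-sudo"].name]
}
```

The three sections belong to three separate Terraform configurations, one per account; they are shown together only to make the name matching visible.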