
Commit 0d24b69

Merge pull request #2075 from alphagov/allow-support-access-to-sustainability
Allow support/readonly roles to access AWS Sustainability
2 parents 1a46f30 + 525c202 commit 0d24b69

2 files changed

Lines changed: 30 additions & 14 deletions


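--- a/infra/modules/engineer-access/policies.tf
+++ b/infra/modules/engineer-access/policies.tf
@@ -195,12 +195,12 @@ resource "aws_iam_policy" "manage_parameter_store" {
 })
 }
 
-resource "aws_iam_policy" "manage_dashboards" {
+resource "aws_iam_policy" "manage_dashboards_and_maintenance_page" {
 #checkov:skip=CKV_AWS_290: We're OK with unlimited access to CloudWatch dashboards
 #checkov:skip=CKV_AWS_355: We're OK with unlimited access to CloudWatch dashboards
-name = "manage-dashboards"
+name = "manage-dashboards-and-maintenance-page"
 path = "/"
-description = "Create, update and delete CloudWatch dashbaords"
+description = "Manage CloudWatch dashboards and maintenance page"
 
 policy = jsonencode({
 Version = "2012-10-17"
@@ -214,16 +214,7 @@ resource "aws_iam_policy" "manage_dashboards" {
 Resource = ["*"]
 }
 ]
-})
-}
-
-resource "aws_iam_policy" "manage_maintenance_page" {
-name = "manage-maintenance-page"
-path = "/"
-description = "Permission to manage maintenance page"
 
-policy = jsonencode({
-Version = "2012-10-17"
 Statement = [
 {
 Action = [
@@ -330,3 +321,27 @@ resource "aws_iam_policy" "get_ux_customisation" {
 ]
 })
 }
+
+resource "aws_iam_policy" "get_sustainability_data" {
+name = "allow-get-sustainability_data"
+path = "/"
+
+description = "Allow access to AWS Sustainability"
+
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = [
+"sustainability:GetCarbonFootprintSummary",
+"sustainability:GetEstimatedCarbonEmissions",
+"sustainability:GetEstimatedCarbonEmissionsDimensionValues",
+]
+Effect = "Allow"
+Resource = [
+"*"
+]
+}
+]
+})
+}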
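Review bot: The two `#checkov:skip` comments kept on the renamed `manage_dashboards_and_maintenance_page` resource (new lines 199–200) still justify the suppression only for CloudWatch dashboards, but the second hunk folds the former `manage_maintenance_page` statement into the same policy document, so CKV_AWS_290/CKV_AWS_355 are now also silenced for the maintenance-page actions, which sit outside this hunk and have no recorded justification. Extend the wording so the audit trail matches what the policy grants, e.g. `#checkov:skip=CKV_AWS_290: We're OK with unlimited access to CloudWatch dashboards and the maintenance page resources` (same for CKV_AWS_355). In the new `get_sustainability_data` resource the name `allow-get-sustainability_data` mixes a hyphen style with a trailing underscore unlike every other policy name in this file; since an IAM policy `name` change forces replacement, `name = "allow-get-sustainability-data"` is cheapest to fix before first apply. The stray blank lines at new lines 328 and 330 inside that resource can also go.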

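--- a/infra/modules/engineer-access/roles.tf
+++ b/infra/modules/engineer-access/roles.tf
@@ -26,13 +26,13 @@ module "support_role" {
 "arn:aws:iam::aws:policy/ReadOnlyAccess",
 aws_iam_policy.access_aws_support_centre.arn,
 aws_iam_policy.manage_parameter_store.arn,
-aws_iam_policy.manage_dashboards.arn,
+aws_iam_policy.manage_dashboards_and_maintenance_page.arn,
 aws_iam_policy.manage_deployments.arn,
-aws_iam_policy.manage_maintenance_page.arn,
 aws_iam_policy.lock_state_files.arn,
 var.allow_rds_data_api_access ? [aws_iam_policy.query_rds_with_data_api[0].arn] : [],
 var.allow_ecs_task_usage ? [aws_iam_policy.manage_ecs_task[0].arn] : [],
 aws_iam_policy.get_ux_customisation.arn,
+aws_iam_policy.get_sustainability_data.arn,
 ])
 ip_restrictions = local.vpn_ip_restrictions
 }
@@ -47,6 +47,7 @@ module "readonly_role" {
 "arn:aws:iam::aws:policy/ReadOnlyAccess",
 aws_iam_policy.lock_state_files.arn,
 aws_iam_policy.get_ux_customisation.arn,
+aws_iam_policy.get_sustainability_data.arn,
 ]
 ip_restrictions = local.vpn_ip_restrictions
 }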
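Review bot: Swapping `aws_iam_policy.manage_dashboards.arn` for `aws_iam_policy.manage_dashboards_and_maintenance_page.arn` in `support_role` (first hunk) attaches a policy whose `name` also changes in policies.tf, and an IAM policy name change is a replacement rather than an in-place update, so during the apply support-role members would presumably lose dashboard and maintenance-page access between the old policy being detached and the new one attached. If that window matters for on-call, note it in the PR description or sequence the apply so the new policy exists before the attachment list is updated. The `readonly_role` addition in the second hunk is consistent with the policy only granting `sustainability:Get*` read actions, so no widening of that role beyond read-only is introduced here.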
