Add wmaug-member account, groups and permissionset

West-Michigan-AWS-Users-Group · Sep 16, 2024 · e309b04 · e309b04
1 parent 417f7f9
commit e309b04
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 3 deletions.
diff --git a/.github/workflows/cdk_deploy.yml b/.github/workflows/cdk_deploy.yml
@@ -41,4 +41,7 @@ jobs:
           --parameters wmaugModeratorAccountNumberParam=${{ secrets.WMAUG_MODERATOR_ACCOUNT_NUMBER }} \
           --parameters wmaugModeratorAdminGroupId=${{ secrets.WMAUG_MODERATOR_ADMIN_GUID }} \
           --parameters wmaugFullAdminGroupId=${{ secrets.WMAUG_MGMT_ADMIN_GUID }} \
+          --parameters wmaugMemberAccountNumberParam=${{ secrets.WMAUG_MEMBER_ACCOUNT_NUMBER }} \
+          --parameters wmaugMemberAdminGroupId=${{ secrets.WMAUG_MEMBER_ADMIN_GUID }} \
+          --parameters wmaugMemberGroupId=${{ secrets.WMAUG_MEMBER_MEMBER_GUID }} \
           --require-approval=never && npx cdk deploy Scp --require-approval=never
diff --git a/lib/wmaug-management-infrastructure-sso.ts b/lib/wmaug-management-infrastructure-sso.ts
@@ -21,6 +21,15 @@ export class Sso extends cdk.Stack {
       },
     );
 
+    const wmaugMemberAccountNumberParam = new cdk.CfnParameter(
+      this,
+      "wmaugMemberAccountNumberParam",
+      {
+        type: "String",
+        description: "The account number of the WMAUG member account",
+      },
+    );
+
     const wmaugModeratorAccountNumberParam = new cdk.CfnParameter(
       this,
       "wmaugModeratorAccountNumberParam",
@@ -41,6 +50,24 @@ export class Sso extends cdk.Stack {
       },
     );
 
+    const wmaugMemberAdminGroupId = new cdk.CfnParameter(
+      this,
+      "wmaugMemberAdminGroupId",
+      {
+        type: "String",
+        description: "The GUID of the wmaugMemberAdmin SSO group",
+      },
+    );
+
+    const wmaugMemberGroupId = new cdk.CfnParameter(
+      this,
+      "wmaugMemberGroupId",
+      {
+        type: "String",
+        description: "The GUID of the wmaugMember SSO group",
+      },
+    );
+
     const wmaugFullAdminGroupId = new cdk.CfnParameter(
       this,
       "wmaugFullAdminGroupId",
@@ -50,7 +77,7 @@ export class Sso extends cdk.Stack {
       },
     );
 
-    // Start permission set policy creation
+    // Moderator permission set
     const wmaugModeratorAdminPermissionSet = new sso.CfnPermissionSet(
       this,
       "wmaugModeratorAdminPermissionSet",
@@ -63,19 +90,40 @@ export class Sso extends cdk.Stack {
         managedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"],
       },
     );
-
+    // Owner permission set
     const wmaugFullAdminPermissionSet = new sso.CfnPermissionSet(
       this,
       "wmaugFullAdminPermissionSet",
       {
-        // Use the value of the CFN parameter
         instanceArn: instanceArnParam.valueAsString,
         name: "wmaugFullAdminPermissionSet",
         description: "Permission set WMAUG owners will use",
         managedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"],
         sessionDuration: "PT12H",
       },
     );
+    // Member permission set
+    const wmaugMemberPermissionSet = new sso.CfnPermissionSet(
+      this,
+      "wmaugMemberPermissionSet",
+      {
+        instanceArn: instanceArnParam.valueAsString,
+        name: "wmaugMemberPermissionSet",
+        description: "Permission set WMAUG members will use",
+        managedPolicies: ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
+        sessionDuration: "PT12H",
+      },
+    );
+
+    // Assign member users to member account
+    new sso.CfnAssignment(this, "wmaugMemberAssignment", {
+      instanceArn: instanceArnParam.valueAsString,
+      permissionSetArn: wmaugMemberPermissionSet.attrPermissionSetArn,
+      principalType: "GROUP",
+      principalId: wmaugMemberGroupId.valueAsString,
+      targetId: wmaugMemberAccountNumberParam.valueAsString,
+      targetType: "AWS_ACCOUNT",
+    });
 
     // Assign moderator admin to moderator account
     new sso.CfnAssignment(this, "wmaugModeratorAdminModeratorAssignment", {
@@ -87,6 +135,16 @@ export class Sso extends cdk.Stack {
       targetType: "AWS_ACCOUNT",
     });
 
+    // Assign member admin to member account
+    new sso.CfnAssignment(this, "wmaugMemberAdminModeratorAssignment", {
+      instanceArn: instanceArnParam.valueAsString,
+      permissionSetArn: wmaugModeratorAdminPermissionSet.attrPermissionSetArn,
+      principalType: "GROUP",
+      principalId: wmaugMemberAdminGroupId.valueAsString,
+      targetId: wmaugMemberAccountNumberParam.valueAsString,
+      targetType: "AWS_ACCOUNT",
+    });
+
     // Assign full admin to management account
     new sso.CfnAssignment(this, "wmaugFullAdminManagementAssignment", {
       instanceArn: instanceArnParam.valueAsString,
@@ -97,6 +155,16 @@ export class Sso extends cdk.Stack {
       targetType: "AWS_ACCOUNT",
     });
 
+    // Assign full admin to member account
+    new sso.CfnAssignment(this, "wmaugFullAdminMemberAssignment", {
+      instanceArn: instanceArnParam.valueAsString,
+      permissionSetArn: wmaugFullAdminPermissionSet.attrPermissionSetArn,
+      principalType: "GROUP",
+      principalId: wmaugFullAdminGroupId.valueAsString,
+      targetId: wmaugMemberAccountNumberParam.valueAsString,
+      targetType: "AWS_ACCOUNT",
+    });
+
     // Assign full admin to moderator account
     new sso.CfnAssignment(this, "wmaugFullAdminModeratorAssignment", {
       instanceArn: instanceArnParam.valueAsString,