Create DataScience account, set up permission sets and assignments, a… (

#562) * Create DataScience account, set up permission sets and assignments, also create new data scientist group and update membership, also add missing users * Fix format * Grant permissions on SageMaker * Grant DevOps access to Data Science account, also grant it permissions on SageMaker * Grant Quicksight too
binbashar · Apr 8, 2024 · 36521e3 · 36521e3
1 parent 1190087
commit 36521e3
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 1 deletion.
diff --git a/config/common.tfvars.example b/config/common.tfvars.example
@@ -36,6 +36,10 @@ accounts = {
     email = "binbash-apps-prd@binbash.com.ar",
     id    = 666666666666
   }
+  data-science = {
+    email = "binbash-data-science@binbash.com.ar",
+    id    = 666666666666
+  }
 }
 
 

diff --git a/management/global/organizations/locals.tf b/management/global/organizations/locals.tf
@@ -30,6 +30,12 @@ locals {
     bbl_apps_prd = {
       policy = aws_organizations_policy.standard
     }
+    #
+    # Data Science: Organizational Unit Policies
+    #
+    bbl_data_science = {
+      policy = aws_organizations_policy.standard
+    }
   }
 
   root_account = {
@@ -81,5 +87,12 @@ locals {
       email     = "aws+apps-prd@binbash.com.ar",
       parent_ou = "bbl_apps_prd"
     }
+    #
+    # DataScience: data science workloads, MLOps, and such.
+    #
+    data-science = {
+      email     = "aws+data-science@binbash.com.ar",
+      parent_ou = "bbl_data_science"
+    }
   }
 }
diff --git a/management/global/sso/account_assignments.tf b/management/global/sso/account_assignments.tf
@@ -99,6 +99,13 @@ module "account_assignments" {
       principal_name      = local.groups["devops"].name
       account             = var.accounts.network.id
     },
+    {
+      permission_set_arn  = module.permission_sets.permission_sets["DevOps"].arn
+      permission_set_name = "DevOps"
+      principal_type      = local.principal_type_group
+      principal_name      = local.groups["devops"].name
+      account             = var.accounts.data-science.id
+    },
 
     # -------------------------------------------------------------------------
     # FinOps Permissions
@@ -185,5 +192,16 @@ module "account_assignments" {
       principal_name      = local.groups["marketplaceseller"].name
       account             = var.accounts.shared.id
     },
+
+    # -------------------------------------------------------------------------
+    # DataScientist Permissions
+    # -------------------------------------------------------------------------
+    {
+      permission_set_arn  = module.permission_sets.permission_sets["DataScientist"].arn
+      permission_set_name = "DataScientist"
+      principal_type      = local.principal_type_group
+      principal_name      = local.groups["datascientists"].name
+      account             = var.accounts.data-science.id
+    },
   ]
 }
diff --git a/management/global/sso/locals.tf b/management/global/sso/locals.tf
@@ -173,6 +173,23 @@ locals {
         "marketplaceseller",
       ]
     }
+    "osvaldo.demo" = {
+      first_name = "Osvaldo"
+      last_name  = "Demo"
+      email      = "osvaldo.demo@binbash.com.ar"
+      groups = [
+        "administrators",
+        "devops",
+      ]
+    }
+    "matias.sorozabal" = {
+      first_name = "Matias"
+      last_name  = "Sorozabal"
+      email      = "matias.sorozabal@binbash.com.ar"
+      groups = [
+        "datascientists",
+      ]
+    }
   }
 
   #----------------------------------------------------------------------------
@@ -203,6 +220,10 @@ locals {
       name        = "MarketplaceSeller"
       description = "Provides access to the AWS MaketPlace Seller."
     }
+    datascientists = {
+      name        = "DataScientists"
+      description = "Provides access to the Data Science related services."
+    }
   }
 
   #----------------------------------------------------------------------------

diff --git a/management/global/sso/permission_sets.tf b/management/global/sso/permission_sets.tf
@@ -78,5 +78,15 @@ module "permission_sets" {
       ]
       customer_managed_policy_attachments = []
     },
+    {
+      name                                = "DataScientist"
+      description                         = "Provides access to AWS services that have to do with Data Science and MLOps."
+      relay_state                         = local.default_relay_state
+      session_duration                    = "PT2H"
+      tags                                = local.tags
+      inline_policy                       = data.aws_iam_policy_document.data_scientist.json
+      policy_attachments                  = []
+      customer_managed_policy_attachments = []
+    },
   ]
 }
diff --git a/management/global/sso/policies.tf b/management/global/sso/policies.tf
@@ -17,6 +17,7 @@ data "aws_iam_policy_document" "devops" {
       "aws-marketplace:*",
       "backup:*",
       "backup-storage:*",
+      "bedrock:*",
       "ce:*",
       "cloudformation:*",
       "cloudfront:*",
@@ -53,7 +54,9 @@ data "aws_iam_policy_document" "devops" {
       "logs:*",
       "network-firewall:*",
       "networkmanager:*",
+      "pipes:*",
       "q:*",
+      "quicksight:*",
       "ram:*",
       "rds:*",
       "redshift:*",
@@ -64,15 +67,19 @@ data "aws_iam_policy_document" "devops" {
       "route53domains:*",
       "route53resolver:*",
       "s3:*",
+      "sagemaker:*",
       "ses:*",
       "secretsmanager:*",
+      "securityhub:*",
+      "servicediscovery:*",
       "shield:*",
       "sns:*",
       "sqs:*",
       "ssm:*",
+      "states:*",
       "sts:*",
       "support:*",
-      "servicediscovery:*",
+      "synthetics:*",
       "tag:*",
       "transfer:*",
       "trustedadvisor:*",
@@ -155,3 +162,72 @@ data "aws_iam_policy_document" "github_automation" {
     resources = ["*"]
   }
 }
+
+#------------------------------------------------------------------------------
+# Data Scientist
+#------------------------------------------------------------------------------
+data "aws_iam_policy_document" "data_scientist" {
+  statement {
+    sid = "Default"
+    actions = [
+      "athena:*",
+      "autoscaling:*",
+      "aws-portal:*",
+      "bedrock:*",
+      "ce:*",
+      "cloudformation:*",
+      "cloudwatch:*",
+      "config:*",
+      "dynamodb:*",
+      "ec2:*",
+      "ecr:*",
+      "ecr-public:*",
+      "ecs:*",
+      "eks:*",
+      "elasticloadbalancing:*",
+      "elasticfilesystem:*",
+      "es:*",
+      "events:*",
+      "glue:*",
+      "health:*",
+      "iam:*",
+      "kms:*",
+      "lambda:*",
+      "logs:*",
+      "aws-marketplace:*",
+      "pipes:*",
+      "q:*",
+      "quicksight:*",
+      "ram:*",
+      "rds:*",
+      "redshift:*",
+      "resource-explorer:*",
+      "resource-explorer-2:*",
+      "resource-groups:*",
+      "route53:*",
+      "route53domains:*",
+      "route53resolver:*",
+      "s3:*",
+      "sagemaker:*",
+      "secretsmanager:*",
+      "sns:*",
+      "sqs:*",
+      "ssm:*",
+      "states:*",
+      "sts:*",
+      "support:*",
+      "tag:*",
+      "vpc:*",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestedRegion"
+      values = [
+        "${var.region}",
+        "${var.region_secondary}",
+        "us-east-1", # The original region is needed to have IAM working
+      ]
+    }
+  }
+}