
AWS Console Access

New joiners to the Cloud Platform team will need AWS Console access for most things. IAM resources (users, groups, roles, etc.) are managed by Terraform, so a new user is nothing more than a new resource in Terraform.

Related repositories:

Steps to create/delete Cloud Platform team users

1) Check the user is in the webops GitHub team, which authorizes access to this AWS account.

2) Create a git branch and add (or delete) the user as Terraform code. Do not forget to link the user to a group.

3) Run terraform plan in cloud-platform-infrastructure/terraform/aws-accounts/cloud-platform-aws/accounts to verify that you are happy with the Terraform changes.

4) Create the PR, ask the team to review it, and merge it.

5) Create a release.

6) In the infrastructure repository, edit the Terraform config that calls that module to use the new release - see example.

7) Create the PR, ask the team to review it, and merge it.

8) Apply the changes.

Note: The accounts concourse pipeline intentionally fails. See here for further details.

9) Verify the user is created. (You can use AWS Console for this.)

10) Tell them they can login here: https://aws-login.cloud-platform.service.justice.gov.uk

Activating MFA for new users

Unfortunately Terraform cannot activate MFA for users; this must be done manually, either through the AWS Console (UI) or through the AWS CLI.

Modifying Cloud Platform users permissions

This section is the guideline for handling requests that arise to add or modify read-only access to any AWS resources created for Cloud Platform users.

Related resource:

1) Have a discussion within the Cloud Platform Team to assess and agree on the requested permission changes.

2) Navigate to the cloud-platform-terraform-aws-sso to update or create a new Terraform file (e.g. elasticache.tf) with the new IAM policy for the specified resource.

3) For the newly added resource, modify aws.tf to include the new policy in the latest data "aws_iam_policy_document" "combined" block.

4) Create the PR and request a review from the team.

5) Create a new release.

6) In the cloud-platform-infrastructure repository, go to terraform/aws-accounts/cloud-platform-aws/account/main.tf and bump the sso module version to the newly released version.

7) Create a PR for the module update, monitor and observe the terraform plan result.

8) Request a review from the team, and merge it.

9) Use the cloud-platform-dummy-user with the credentials from MoJ 1Password to verify the newly granted access in the AWS Console.

10) Once verified, inform the user/requester that the permissions have been updated accordingly.

Troubleshooting for modifying Cloud Platform users permissions

Sometimes when you add the newly created resource to the data "aws_iam_policy_document" "combined" block, you may see the error below. This is because a managed policy is limited to 6144 characters.

│ Error: updating IAM Policy (arn:aws:iam::xxxxxxxxxxxx:policy/access-via-github): LimitExceeded: Cannot exceed quota for PolicySize: 6144
│     status code: 409, request id: 63ce8d71-4992-4043-a656-a67be75210a7

To solve this error, follow the steps below.

1) In aws.tf, create a new IAM policy document block data "aws_iam_policy_document" "combined_x", using the next numerical suffix in the pattern.

data "aws_iam_policy_document" "combined_x" {
  # Move the new resource's policy document here instead of the full "combined" block.
  source_policy_documents = [
    data.aws_iam_policy_document.elasticache_for_github.json,
  ]
}

2) Create a new IAM policy block resource "aws_iam_policy" "github_access_x", using the next numerical suffix in the pattern.

resource "aws_iam_policy" "github_access_x" {
  policy = data.aws_iam_policy_document.combined_x.json
  name   = "access-via-github-0x"
  tags = {
    GithubTeam = "webops"
  }
}

3) Create a new IAM policy attachment block resource "aws_iam_role_policy_attachment" "github_access_x", using the next numerical suffix in the pattern, so the additional policy is attached to the same role.

resource "aws_iam_role_policy_attachment" "github_access_x" {
  role       = aws_iam_role.github_access.name
  policy_arn = aws_iam_policy.github_access_x.arn
}

4) Create the PR and request a review from the team.

5) Create a new release.

6) Follow steps 6-10 in Modifying Cloud Platform users permissions to make the changes in the cloud-platform-infrastructure repository.
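The split above is done by hand once the PolicySize error appears. The following added example (not part of this page or the cloud-platform-terraform-aws-sso module) checks the size of rendered policy documents the way IAM measures it (characters excluding whitespace, against the 6144 quota) and packs their statements into as few policies as needed, so you can see before running terraform plan how many combined_x documents a change will require. The sample documents are constructed for the example.

```python
from __future__ import annotations
import json
from typing import Iterable

# IAM quota: a managed policy may not exceed 6,144 characters; IAM does not count whitespace.
MANAGED_POLICY_MAX_CHARS = 6144

# Constructed sample documents, standing in for data.aws_iam_policy_document.<name>.json outputs.
SAMPLE_DOCS = [
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ElastiCacheRead", "Effect": "Allow",
         "Action": ["elasticache:Describe*", "elasticache:List*"], "Resource": "*"}]}, indent=2),
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "RdsRead", "Effect": "Allow", "Action": ["rds:Describe*"], "Resource": "*"},
        {"Sid": "S3List", "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*"}]}, indent=2),
]


def policy_size(document: dict) -> int:
    """Policy size as IAM counts it: JSON characters with all whitespace removed."""
    rendered = json.dumps(document, separators=(",", ":"))
    return sum(1 for ch in rendered if not ch.isspace())


def split_statements(source_documents: Iterable[str],
                     limit: int = MANAGED_POLICY_MAX_CHARS) -> list[dict]:
    """Merge the statements of several policy documents (the source_policy_documents list)
    and pack them first-fit into policy documents that each stay within the quota."""
    statements: list[dict] = []
    for doc in source_documents:
        stmts = json.loads(doc).get("Statement", [])
        statements.extend(stmts if isinstance(stmts, list) else [stmts])
    policies: list[dict] = []
    for stmt in statements:
        for pol in policies:
            if policy_size({"Version": "2012-10-17", "Statement": pol["Statement"] + [stmt]}) <= limit:
                pol["Statement"].append(stmt)
                break
        else:  # no existing policy has room: start a new combined_x document
            single = {"Version": "2012-10-17", "Statement": [stmt]}
            if policy_size(single) > limit:
                raise ValueError(f"statement {stmt.get('Sid')} alone exceeds {limit} chars")
            policies.append(single)
    return policies


if __name__ == "__main__":
    for i, pol in enumerate(split_statements(SAMPLE_DOCS), start=1):
        print(f"combined_{i}: {policy_size(pol)} chars, sids={[s['Sid'] for s in pol['Statement']]}")
```

Feed it the actual JSON from terraform output or terraform console (data.aws_iam_policy_document.<name>.json) to size the real documents; the whitespace in Terraform's pretty-printed output does not count against the quota.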

This page was last reviewed on 19 March 2024. It needs to be reviewed again on 19 September 2024 by the page owner #cloud-platform .