From 8fb7961a37c0dd64bbe2bfd32e5613ba8759a551 Mon Sep 17 00:00:00 2001
From: timburke-hackit <61045197+timburke-hackit@users.noreply.github.com>
Date: Wed, 17 Jan 2024 15:04:45 +0000
Subject: [PATCH] add read policies for departments to access redshift (#1556)

* add read policies for departments to access redshift

* allow departments with notebook access to see redshift resources
---
 .../modules/department/50-aws-iam-policies.tf | 24 +++++++++++++++++++
 .../modules/department/50-aws-iam-roles.tf    |  4 +++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/terraform/modules/department/50-aws-iam-policies.tf b/terraform/modules/department/50-aws-iam-policies.tf
index a2904645a..76c7b6f95 100644
--- a/terraform/modules/department/50-aws-iam-policies.tf
+++ b/terraform/modules/department/50-aws-iam-policies.tf
@@ -720,3 +720,27 @@ data "aws_iam_policy_document" "glue_access_to_watermarks_table" {
   }
 }
+
+//Redshfift
+
+data "aws_iam_policy_document" "redshift_department_read_access" {
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "redshift:DescribeClusters",
+      "redshift:DescribeClusterSnapshots",
+      "redshift:DescribeEvents",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "sqlworkbench:GetUserInfo",
+      "sqlworkbench:GetAccountInfo"
+    ]
+    resources = ["*"]
+  }
+}
diff --git a/terraform/modules/department/50-aws-iam-roles.tf b/terraform/modules/department/50-aws-iam-roles.tf
index 190ce8d69..47dd52679 100644
--- a/terraform/modules/department/50-aws-iam-roles.tf
+++ b/terraform/modules/department/50-aws-iam-roles.tf
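Review bot: The new `redshift_department_read_access` document grants `redshift:DescribeClusters`, `redshift:DescribeClusterSnapshots` and `redshift:DescribeEvents` on `resources = ["*"]`, so every department role that receives it can enumerate cluster and snapshot metadata for every cluster in the account, not only its own, and nothing in the document records that this account-wide visibility is intended. If these Describe calls cannot be scoped any further, a comment above the first statement should say so, e.g. `# Metadata-only: Describe* calls are not scoped per department and grant no access to cluster data.` The name also overstates what is granted — no data-plane Redshift actions are included — so either rename it (e.g. `redshift_department_describe_access`) or document that "read" here means console/metadata visibility only. Minor: the header comment is misspelled (`//Redshfift` → `//Redshift`), and the second `actions` list omits the trailing comma the first one uses.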
@@ -4,11 +4,13 @@ data "aws_iam_policy_document" "sso_staging_user_policy" {
     data.aws_iam_policy_document.s3_department_access.json,
     data.aws_iam_policy_document.glue_access.json,
     data.aws_iam_policy_document.secrets_manager_read_only.json,
+    data.aws_iam_policy_document.redshift_department_read_access.json,
     data.aws_iam_policy_document.notebook_access[0].json
   ] : [
     data.aws_iam_policy_document.s3_department_access.json,
     data.aws_iam_policy_document.glue_access.json,
-    data.aws_iam_policy_document.secrets_manager_read_only.json
+    data.aws_iam_policy_document.secrets_manager_read_only.json,
+    data.aws_iam_policy_document.redshift_department_read_access.json
   ]
 }
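Review bot: The new `redshift_department_read_access.json` entry had to be added to both arms of the conditional, and the two arms now repeat the same four base documents, so the next addition can silently land in only one of them. Since the only difference between the arms is the trailing `notebook_access[0].json`, the list could be built once with `concat()` of the shared documents and the conditional notebook element, leaving a single place to extend. The enclosing `sso_staging_user_policy` block and the condition that selects the arm begin before this hunk, so whether `notebook_access` is created with `count` such that `[0]` is valid in the true arm cannot be confirmed from here.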