🛂 cjs-dashboard-app GitHub Actions role

[jacobwoffenden]

This pull request:

• Resolves ✨ Create new OIDC role for GitHub runner #2951
• Adds a new component for cjs-dashboard-app in analytical-platform-data-production
• Adds a policy and role to allow ministryofjustice/cjs_scorecard_exploratory_analysis access to arn:aws:s3:::mojap-cjs-dashboard

Note(s) for the reviewer:

• I did briefly explore adding this into https://github.com/ministryofjustice/data-platform/blob/main/terraform/aws/analytical-platform/oidc/oidc-roles.tf, however I am unsure if that code allows for specifying granular policy statements other than just allowing the subject to assume either github-actions-infrastructure or data-engineering-infrastructure, which allow usage of the AdministratorAccess policy
• Based on the above, a separate (or update to the existing) component might be more appropriate for hosting these policies and roles, however I've created a new one like we did for create-a-derived-table, but we should look at consolidating them longer term 🏗️ Create a process for providing granular access to Analytical Platform data from GitHub Actions #2976

Signed-off-by: Jacob Woffenden jacob.woffenden@digital.justice.gov.uk

[github-actions]

Terraform Component 🧱: aws-analytical-platform-data-production-cjs-dashboard-app

Checkov 🛂: success

Trivy 🛂: success

Static Analysis Override Label 🏷️: false

Pusher: @jacobwoffenden, Action: pull_request, Working Directory: terraform/aws/analytical-platform-data-production/cjs-dashboard-app, Workflow: Terraform, Marker: aws-analytical-platform-data-production-cjs-dashboard-app_static_analysis

[github-actions]

Terraform Component 🧱: aws-analytical-platform-data-production-cjs-dashboard-app

Terraform Initialization ⚙️: success

Terraform Validation 🤖: success

Terraform Plan 🛠️: success

Pusher: @jacobwoffenden, Action: pull_request, Working Directory: terraform/aws/analytical-platform-data-production/cjs-dashboard-app, Workflow: Terraform, Marker: aws-analytical-platform-data-production-cjs-dashboard-app_plan

[michaeljcollinsuk]

Not a blocker to this, but out of interest do we know how the bucket mojap-cjs-dashboard was created/is managed? As does not appear to have been created in control panel (as does not have the alpha prefix and does not appear in the UI) and also cannot find reference to it being defined in terraform.

[michaeljcollinsuk]

LGTM

[julialawrence]

LGTM

[laura-auburn]

Not a blocker to this, but out of interest do we know how the bucket mojap-cjs-dashboard was created/is managed? As does not appear to have been created in control panel (as does not have the alpha prefix and does not appear in the UI) and also cannot find reference to it being defined in terraform.

Sorry was just taking a look at this PR as I lead on the CJS dashboard and not sure if anyone responded to your question @michaeljcollinsuk. The bucket was created/is managed by the data engineering exports repo as a pull dataset. This was required as we needed the bucket to sit on the AP but with its contents visible to a specific external user (our cloud platform app).