
🛂 Add MWAA User access for Data Platform Apps and Tools #5235

Merged 2 commits into main from feature/add-mwaa-user on Oct 18, 2023

Conversation

@jacobwoffenden (Member) commented Oct 13, 2023

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
@jacobwoffenden jacobwoffenden self-assigned this Oct 13, 2023
@github-actions github-actions bot added the onboarding Tasks to onboard teams label Oct 13, 2023
@github-actions bot (Contributor):

TFSEC Scan Success
Checkov Scan Success
CTFLint Scan Success

tflint output:
Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
Update OPA tests

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
@jacobwoffenden jacobwoffenden temporarily deployed to production October 17, 2023 21:49 — with GitHub Actions Inactive
@github-actions bot (Contributor):

TFSEC Scan Success
Checkov Scan Success
CTFLint Scan Success

tflint output:
Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
@jacobwoffenden jacobwoffenden marked this pull request as ready for review October 17, 2023 21:57
@jacobwoffenden jacobwoffenden requested a review from a team as a code owner October 17, 2023 21:57
@davidkelliott (Contributor) commented:
So normally we would have the policy created in the Modernisation Platform repo. I've just had a look at the policy in the root account:

data "aws_iam_policy_document" "modernisation_platform_data_mwaa_user" {
  statement {
    # Lets the principal mint a web login token only for the "User" RBAC role
    # of any MWAA environment (ARN shape: role/<environment-name>/<role-name>)
    actions = [
      "airflow:CreateWebLoginToken"
    ]
    resources = ["arn:aws:airflow:*:*:role/*/User"]
  }
}

This is just one statement, plus read-only is attached; can this not be added to one of the existing data engineering roles? It doesn't feel like we need a new access level just for this.
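As an added illustration (not code from this PR or the Modernisation Platform repo), the following Python check answers the scoping question a reviewer would ask of the policy above: rendered to JSON, which MWAA RBAC roles can a principal holding it obtain a web login token for? The environment name, region and account number are constructed placeholders, and the IAM wildcard matching is a simplified model (Allow statements only, no Deny or Condition handling).

```python
import re

# Constructed JSON equivalent of the HCL data source quoted above (assumed
# rendering; the real policy lives in the Modernisation Platform repo).
MWAA_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["airflow:CreateWebLoginToken"],
                   "Resource": ["arn:aws:airflow:*:*:role/*/User"]}],
}
# MWAA web-server RBAC roles, least to most privileged; the PR intends only "User".
MWAA_ROLES = ("Public", "Viewer", "User", "Op", "Admin")
# Hypothetical environment ARN prefix used as the probe target (constructed values).
ENV_PREFIX = "arn:aws:airflow:eu-west-2:123456789012:role/example-env"

def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' one character. ARNs are case-sensitive, action names are not."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def roles_reachable(policy: dict, env_prefix: str = ENV_PREFIX) -> set:
    """MWAA roles for which an Allow statement grants CreateWebLoginToken.
    Simplification: explicit Deny statements and Condition blocks are not modelled."""
    reachable = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, "airflow:CreateWebLoginToken", False)
                   for a in _as_list(stmt["Action"])):
            continue
        for role in MWAA_ROLES:
            if any(iam_match(r, f"{env_prefix}/{role}") for r in _as_list(stmt["Resource"])):
                reachable.add(role)
    return reachable

def check_least_privilege(policy: dict) -> list:
    """Reviewer findings: any action beyond the single token action, or any MWAA
    role beyond User reachable. An empty list means the policy is as narrow as claimed."""
    findings = [f"unexpected action {a}" for s in policy["Statement"]
                for a in _as_list(s["Action"]) if a != "airflow:CreateWebLoginToken"]
    findings += [f"policy reaches MWAA role {r}" for r in sorted(roles_reachable(policy) - {"User"})]
    return findings
```

Running `check_least_privilege` against the quoted policy returns no findings, while a broader `airflow:*` on `role/*/*` reports every other MWAA role as reachable.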

@davidkelliott (Contributor) left a review comment:

Approved following a discussion with data platform team https://mojdt.slack.com/archives/C01A7QK5VM1/p1697620199412489

Airflow is made available to analysts who require it for their work, but it is not a system everyone will (or should) be interacting with. Given that it drives a large amount of ETL in the org, we want to minimise the risk of users who shouldn't really be using it being able to make changes that would affect our ETL pipelines that Airflow will need to drive.

If in future we find they need to add a lot more roles, we should re-evaluate how access to platforms on MP is given.

@davidkelliott davidkelliott merged commit 67deca2 into main Oct 18, 2023
31 checks passed
@davidkelliott davidkelliott deleted the feature/add-mwaa-user branch October 18, 2023 10:34
Labels: onboarding (Tasks to onboard teams), testing
Linked issue (may be closed by this pull request): Authenticating With Airflow UI
2 participants