Replace ViewOnlyAccess with ReadOnlyAccess

jdno · jdno · commit 5f8f21c022b0 · 2024-02-01T11:06:16.000+01:00
ViewOnlyAccess[^1] provides only very little access, certainly not enough for teams to inspect and manage the resources in their accounts themselves. The permission set for read-only access has thus been elevated to grant the ReadOnlyAccess[^2] policy, which is much more usable in practice. [^1]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ViewOnlyAccess.html [^2]: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html
diff --git a/terragrunt/modules/aws-organization/groups.tf b/terragrunt/modules/aws-organization/groups.tf
@@ -81,13 +81,7 @@ resource "aws_ssoadmin_permission_set" "read_only_access" {
 
 resource "aws_ssoadmin_managed_policy_attachment" "read_only_access" {
   instance_arn       = local.instance_arn
-  managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
-  permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
-}
-
-resource "aws_ssoadmin_managed_policy_attachment" "cloudwatch_readonly" {
-  instance_arn       = local.instance_arn
-  managed_policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
+  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
   permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn
 }
 
@@ -124,23 +118,31 @@ locals {
       account : aws_organizations_account.crates_io_staging,
       groups : [
         { group : aws_identitystore_group.infra-admins,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [
+          aws_ssoadmin_permission_set.view_only_access,
+          aws_ssoadmin_permission_set.read_only_access,
+          aws_ssoadmin_permission_set.administrator_access
+        ] },
         { group : aws_identitystore_group.infra,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
         { group : aws_identitystore_group.crates_io,
-        permissions : [aws_ssoadmin_permission_set.view_only_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access] },
       ]
     },
     # crates-io Production
     {
       account : aws_organizations_account.crates_io_prod,
       groups : [
         { group : aws_identitystore_group.infra-admins,
-        permissions : [aws_ssoadmin_permission_set.view_only_access, aws_ssoadmin_permission_set.administrator_access] },
+        permissions : [
+          aws_ssoadmin_permission_set.view_only_access,
+          aws_ssoadmin_permission_set.read_only_access,
+          aws_ssoadmin_permission_set.administrator_access
+        ] },
         { group : aws_identitystore_group.infra,
-        permissions : [aws_ssoadmin_permission_set.view_only_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access, aws_ssoadmin_permission_set.administrator_access] },
         { group : aws_identitystore_group.crates_io,
-        permissions : [aws_ssoadmin_permission_set.view_only_access] },
+        permissions : [aws_ssoadmin_permission_set.read_only_access] },
       ]
     },
     # docs-rs Staging
