ELI-545 - service account creation

Karthikeyannhs · Karthikeyannhs · commit bb38daea3b09 · 2026-03-16T14:32:14.000Z
diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf
@@ -57,3 +57,12 @@ module "s3_dq_metrics_bucket" {
   stack_name   = local.stack_name
   workspace    = terraform.workspace
 }
+
+module "s3_athena_dq_query_bucket" {
+  source       = "../../modules/s3"
+  bucket_name  = "athena-stage"
+  environment  = var.environment
+  project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
+}
diff --git a/infrastructure/stacks/api-layer/service_account.tf b/infrastructure/stacks/api-layer/service_account.tf
@@ -0,0 +1,83 @@
+resource "aws_iam_user" "tableau_service" {
+  name = "tableau-athena-service-account"
+}
+
+resource "time_rotating" "athena_key_rotation" {
+  rotation_days = 90
+}
+
+resource "aws_iam_access_key" "tableau_key" {
+  user = aws_iam_user.tableau_service.name
+
+  lifecycle {
+    replace_triggered_by = [time_rotating.athena_key_rotation]
+  }
+}
+
+resource "aws_iam_user_policy" "tableau_athena_policy" {
+  name = "TableauAthenaAccess"
+  user = aws_iam_user.tableau_service.name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Athena Query Actions
+        Effect = "Allow"
+        Action = [
+          "athena:GetQueryExecution",
+          "athena:GetQueryResults",
+          "athena:StartQueryExecution",
+          "athena:GetWorkGroup",
+          "athena:StopQueryExecution",
+          "athena:GetDataCatalog"
+        ]
+        Resource = [
+          "arn:aws:athena:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:workgroup/primary"
+        ]
+      },
+      {
+        # Metadata Discovery
+        Effect = "Allow"
+        Action = [
+          "glue:GetDatabase",
+          "glue:GetTable",
+          "glue:GetTables",
+          "glue:GetDatabases"
+        ]
+        Resource = [
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:catalog",
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:database/elid_dq",
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:table/elid_dq/cohort_metrics"
+        ]
+      },
+      {
+        # 3. Data Access (Your specific S3 bucket)
+        Effect = "Allow"
+        Action = [
+          "s3:GetBucketLocation",
+          "s3:GetObject",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          "arn:aws:s3:::${module.s3_dq_metrics_bucket.storage_bucket_name}",
+          "arn:aws:s3:::${module.s3_dq_metrics_bucket.storage_bucket_name}/*"
+        ]
+      },
+      {
+        # Athena Results - Staging Directory
+        Effect = "Allow"
+        Action = [
+          "s3:GetBucketLocation",
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:PutObject"
+        ]
+        Resource = [
+          "arn:aws:s3:::${module.s3_athena_dq_query_bucket.storage_bucket_name}",
+          "arn:aws:s3:::${module.s3_athena_dq_query_bucket.storage_bucket_name}/*"
+        ]
+      }
+    ]
+  })
+}
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -235,6 +235,10 @@ resource "aws_iam_policy" "s3_management" {
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics/*",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs",
           "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-dq-metrics-access-logs/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-athena-stage",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-athena-stage/*",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-athena-stage-access-logs",
+          "arn:aws:s3:::*eligibility-signposting-api-${var.environment}-athena-stage-access-logs/*",
         ]
       }
     ]
@@ -607,6 +611,25 @@ resource "aws_iam_policy" "iam_management" {
           "arn:aws:iam::*:role/secret_rotation_lambda_role",
           "arn:aws:iam::*:role/secret_rotation_workflow_role"
         ]
+      },
+      # Scoped User management for Tableau
+      {
+        Effect = "Allow",
+        Action = [
+          "iam:CreateUser",
+          "iam:DeleteUser",
+          "iam:UpdateUser",
+          "iam:TagUser",
+          "iam:CreateAccessKey",
+          "iam:DeleteAccessKey",
+          "iam:UpdateAccessKey",
+          "iam:PutUserPolicy",
+          "iam:DeleteUserPolicy",
+          "iam:GetUser"
+        ],
+        Resource = [
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+        ]
       }
     ]
   })
@@ -743,6 +766,65 @@ resource "aws_iam_policy" "cloudwatch_management" {
   tags = merge(local.tags, { Name = "cloudwatch-management" })
 }
 
+# Athena/Glue Infrastructure Management Policy for GitHub Actions
+resource "aws_iam_policy" "athena_glue_management" {
+  name        = "athena-glue-management"
+  description = "Allows GitHub Actions to create and manage Athena/Glue resources"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        # 1. Permission to manage the Glue Metadata (The "Athena Database/Table")
+        Effect = "Allow",
+        Action = [
+          "glue:CreateDatabase",
+          "glue:DeleteDatabase",
+          "glue:GetDatabase",
+          "glue:UpdateDatabase",
+          "glue:CreateTable",
+          "glue:DeleteTable",
+          "glue:UpdateTable",
+          "glue:GetTable",
+          "glue:GetTables",
+          "glue:BatchCreatePartition",
+          "glue:CreatePartition",
+          "glue:DeletePartition",
+          "glue:GetPartitions"
+        ],
+        Resource = [
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:catalog",
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:database/elid_dq",
+          "arn:aws:glue:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:table/elid_dq/*"
+        ]
+      },
+      {
+        # 2. Permission to manage Athena Workgroups or Named Queries
+        Effect = "Allow",
+        Action = [
+          "athena:CreateWorkGroup",
+          "athena:DeleteWorkGroup",
+          "athena:UpdateWorkGroup",
+          "athena:GetWorkGroup",
+          "athena:CreateNamedQuery",
+          "athena:DeleteNamedQuery",
+          "athena:GetNamedQuery",
+          "athena:ListDataCatalogs",
+          "athena:CreateDataCatalog",
+          "athena:DeleteDataCatalog"
+        ],
+        Resource = [
+          "arn:aws:athena:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:workgroup/*",
+          "arn:aws:athena:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:datacatalog/*"
+        ]
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "athena-glue-management" })
+}
+
 # Attach the policies to the role
 resource "aws_iam_role_policy_attachment" "terraform_state" {
   role       = aws_iam_role.github_actions.name
@@ -788,3 +870,8 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_management" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.cloudwatch_management.arn
 }
+
+resource "aws_iam_role_policy_attachment" "athena_glue_management" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.athena_glue_management.arn
+}
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -221,6 +221,23 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "states:CreateStateMachine",
       "states:TagResource",
       "states:UpdateStateMachine",
+
+      # Athena
+      "athena:CreateWorkGroup",
+      "athena:UpdateWorkGroup",
+      "athena:GetQueryExecution",
+      "athena:GetQueryResults",
+      "athena:StartQueryExecution",
+      "athena:GetWorkGroup",
+      "athena:StopQueryExecution",
+      "athena:GetDataCatalog",
+
+      # Glue
+      "glue:CreateDatabase",
+      "glue:GetDatabase",
+      "glue:GetTable",
+      "glue:GetTables",
+      "glue:GetDatabases"
     ]
 
     resources = ["*"]
@@ -349,6 +366,26 @@ data "aws_iam_policy_document" "iam_bootstrap_permissions_boundary" {
     ]
   }
 
+  # Specific management for Tableau Athena Service Account
+  statement {
+    sid    = "AllowTableauServiceAccountManagement"
+    effect = "Allow"
+    actions = [
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:UpdateAccessKey",
+      "iam:PutUserPolicy",
+      "iam:DeleteUserPolicy",
+      "iam:GetUserPolicy",
+      "iam:TagUser",
+      "iam:UntagUser",
+      "iam:GetUser"
+    ]
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/tableau-athena-service-account"
+    ]
+  }
+
   # Allow read-only IAM access for Terraform plan/state discovery
   statement {
     sid    = "AllowIamReadAccess"
