Add ds-data actions to GitHub OIDC role
User Story
As a hosting migrations engineer
I need/want/expect to be able to manage AWS Directory Service users and groups using the AWS API
So that we can stop manually managing users and groups
Value / Purpose
In the past month, AWS have added the functionality to be able to manage Directory Service users and groups using the AWS API:
https://aws.amazon.com/about-aws/whats-new/2024/09/aws-managed-microsoft-ad-users-groups-using-apis/
Currently, for delius-mis-* and delius-iaps-* accounts, all Directory Service objects are managed manually. This leads to poor account hygiene: leavers aren't removed, new joiners aren't added, and so on.
Ideally, we'd like to manage this in Terraform, but the required functionality isn't there yet. For now, we'd like to manage the objects using a GitHub Actions workflow. Once the functionality is made available in Terraform, we'll switch to that and import existing resources.
Useful Contacts
@andrewmooreio Andrew Moore on Slack
Additional Information
Existing PR: #8276
Definition of Done
- Decision made on whether to allow access to the ds-data API for the OIDC role.
- If allowed, merge and deploy #8276
ds-data permissions have been added to the OIDC role so closing this ticket.