
MSOCI-2084 Adds Role and Okta linkage for feed management

should be tagged v4.0.6
Duane Waddle 3 years ago
parent
commit
92a6457920

+ 22 - 0
submodules/iam/common_services_roles/role-mdr_feedmgmt_readonly.tf

@@ -0,0 +1,22 @@
+#------------------------------------------------------------------------------------------
+# Feed Management SAML role, for feed management people
+#
+# As of now, this doesn't have any cross-account trusts to assume role
+#------------------------------------------------------------------------------------------
+
+module "role-mdr_feedmgmt_readonly" {
+  source = "./modules/saml_linked_role"
+
+  name                  = "mdr_feedmgmt_readonly"
+  account_friendly_name = aws_iam_account_alias.alias.account_alias
+  path                  = "/user/"
+  assume_role_policy    = data.aws_iam_policy_document.okta_saml_assume_role_policy.json
+  okta_app_id           = data.okta_app.awsapp.id
+  max_session_duration  = 28800
+}
+
+resource "aws_iam_role_policy_attachment" "mdr_feedmgmt_readonly_ViewOnlyAccess" {
+  role       = module.role-mdr_feedmgmt_readonly.name
+  policy_arn = "arn:${local.aws_partition}:iam::aws:policy/job-function/ViewOnlyAccess"
+}
+
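Review bot: `max_session_duration  = 28800` on the module call is an unexplained constant; a trailing comment such as `max_session_duration  = 28800 # 8 hours` keeps reviewers from having to convert seconds. The header comment describes this as a read-only role and the only attachment in this file is the `ViewOnlyAccess` job-function policy, yet the same commit adds `mdr_feedmgmt_s3access` in `submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf`, which includes `s3:PutObject`; if that policy is meant to be attached to this role elsewhere, the `_readonly` name and the header become misleading, so the header should state where (or whether) the s3access policy is attached. `ViewOnlyAccess` also grants list/describe across most services, which is broader than feed management alone needs; if that breadth is intentional, a one-line note in the header saying so would help the next reviewer.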

+ 2 - 1
submodules/iam/standard_iam_policies/outputs.tf

@@ -5,6 +5,7 @@ output arns {
         "mdr_engineer" = aws_iam_policy.mdr_engineer.arn,
         "iam_admin_kms" = aws_iam_policy.iam_admin_kms.arn,
         "mdr_readonly_assumerole" = aws_iam_policy.mdr_engineer_readonly_assumerole.arn,
-        "mdr_terraformer" = aws_iam_policy.mdr_terraformer.arn
+        "mdr_terraformer" = aws_iam_policy.mdr_terraformer.arn,
+        "mdr_feedmgmt_s3access" = aws_iam_policy.mdr_feedmgmt_s3access.arn
     }
 }

+ 24 - 0
submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf

@@ -0,0 +1,24 @@
+#------------------------------------------------------------------------------------------
+# For feedmgmt
+#------------------------------------------------------------------------------------------
+data "aws_iam_policy_document" "mdr_feedmgmt_s3access" {
+  statement {
+    sid     = "S3BucketAccess"
+    effect = "Allow"
+    actions = [
+			"s3:GetObject",
+			"s3:GetObjectVersion",
+			"s3:PutObject",
+    ]
+
+    resources = [
+      "arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "mdr_feedmgmt_s3access" {
+  name   = "mdr_feedmgmt_s3access"
+  path   = "/user/"
+  policy = data.aws_iam_policy_document.mdr_feedmgmt_s3access.json
+}
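Review bot: The statement grants `s3:PutObject` on every key in `xdr-codebuild-artifacts` (`.../xdr-codebuild-artifacts/*`) with no prefix restriction, so any holder of this policy can overwrite build artifacts for all projects in that bucket, not just feed management's; narrowing the resource to the prefix feed management actually writes (e.g. `arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/<FEEDMGMT_PREFIX>/*`, prefix to be confirmed) or splitting read and write into separate statements would limit the blast radius. The header `# For feedmgmt` does not say who holds the policy or why write access to a build-artifact bucket is needed; a header along the lines of `# S3 access for feed management: read and write objects under the feed management prefix of the CodeBuild artifacts bucket` would record the intent. The `sid` `S3BucketAccess` describes object-level access only (no bucket ARN, so no `s3:ListBucket`); `S3ObjectAccess` would match what is granted. The three action lines are tab-indented while the rest of the file uses two spaces; `terraform fmt` would normalize them.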