feat: add platform specific instructions for project deletion

meshcloud · Apr 24, 2024 · 1b2d99c · 1b2d99c
1 parent bc22f43
commit 1b2d99c
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md b/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md
@@ -149,6 +149,24 @@ This `MeshfedServiceRole` should be created in the management account with the f
 }
 ```
 
+In order to enable meshStack to close AWS accounts as part of [tenant deletion](./administration.delete-tenants.md), please also include the following statement. We strongly recommend you constrain the permission to close accounts to those OUs you use in your landing zones using an [ResourceOrgPath](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data-orgs.html#access_policies_access-advisor-viewing-orgs-entity-path).
+
+```json
+{
+    "Action": "organizations:CloseAccount",
+    "Condition": {
+        "ForAnyValue:StringLike": {
+            "aws:ResourceOrgPaths": [
+                "o-orgid/r-rootid/ou-ouid/*"
+            ]
+        }
+    },
+    "Effect": "Allow",
+    "Resource": "arn:aws:organizations::*:account/o-*/*",
+    "Sid": "OrgManagementAccessCloseAccount"
+},
+  ```
+
 The following trust relationship needs to be attached to the MeshfedServiceRole so that the meshfed-service-user can assume the role.
 
 ```json

diff --git a/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md b/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md
@@ -97,6 +97,13 @@ You must grant the meshcloud Service Principal this access to all [Management Gr
 
 > Access to the Management Groups may require the "Global Administrator" role with [elevated access](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin). In case you're not able to see all management groups after elevating access, try signing out and back in to Azure Portal.
 
+In order to enable meshStack to cancel Azure Subscriptions as part of [tenant deletion](./administration.delete-tenants.md), please also include the following permission. We strongly recommend you assign this permission only on Management Groups where you want to allow automated tenant deletion.
+
+
+```hcl
+"Microsoft.Subscription/cancel/action"
+```
+
 ### Set up a policy to prevent Privilege Escalation
 
 Furthermore in order to prevent the replicator from assigning itself more permissions, we recommended to add the following policy on a root management group level:

diff --git a/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md b/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md
@@ -34,6 +34,12 @@ deploymentmanager.deployments.update
 deploymentmanager.deployments.get
 ```
 
+In order to enable meshStack to delete GCP Projects as part of [tenant deletion](./administration.delete-tenants.md), please also include the following permission. We strongly recommend you assign this permission only on those Folders where you want to allow automated tenant deletion.
+
+```text
+resourcemanager.project.delete
+```
+
 ### Configure the Root Project
 
 meshStack requires a project in GCP for some of the resources it uses. It is reserved for use by meshstack and Platform Operators. For this guide, we’ll call the project `meshstack-root`.