diff --git a/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md b/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md index cd25cea7c..0b70a8fd6 100644 --- a/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md +++ b/docs/meshstack.how-to.integrate-meshplatform-aws-manually.md @@ -149,6 +149,24 @@ This `MeshfedServiceRole` should be created in the management account with the f } ``` +In order to enable meshStack to close AWS accounts as part of [tenant deletion](./administration.delete-tenants.md), please also include the following statement. We strongly recommend you constrain the permission to close accounts to those OUs you use in your landing zones using an [ResourceOrgPath](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data-orgs.html#access_policies_access-advisor-viewing-orgs-entity-path). + +```json +{ + "Action": "organizations:CloseAccount", + "Condition": { + "ForAnyValue:StringLike": { + "aws:ResourceOrgPaths": [ + "o-orgid/r-rootid/ou-ouid/*" + ] + } + }, + "Effect": "Allow", + "Resource": "arn:aws:organizations::*:account/o-*/*", + "Sid": "OrgManagementAccessCloseAccount" +}, + ``` + The following trust relationship needs to be attached to the MeshfedServiceRole so that the meshfed-service-user can assume the role. ```json diff --git a/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md b/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md index 798209a97..892e21740 100644 --- a/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md +++ b/docs/meshstack.how-to.integrate-meshplatform-azure-manually.md 
@@ -97,6 +97,13 @@ You must grant the meshcloud Service Principal this access to all [Management Gr > Access to the Management Groups may require the "Global Administrator" role with [elevated access](https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin). In case you're not able to see all management groups after elevating access, try signing out and back in to Azure Portal. +In order to enable meshStack to cancel Azure Subscriptions as part of [tenant deletion](./administration.delete-tenants.md), please also include the following permission. We strongly recommend you assign this permission only on Management Groups where you want to allow automated tenant deletion. + + +```hcl +"Microsoft.Subscription/cancel/action" +``` + ### Set up a policy to prevent Privilege Escalation Furthermore in order to prevent the replicator from assigning itself more permissions, we recommended to add the following policy on a root management group level: diff --git a/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md b/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md index baa9ebedb..231fe2d0e 100644 --- a/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md +++ b/docs/meshstack.how-to.integrate-meshplatform-gcp-manually.md @@ -34,6 +34,12 @@ deploymentmanager.deployments.update deploymentmanager.deployments.get ``` +In order to enable meshStack to delete GCP Projects as part of [tenant deletion](./administration.delete-tenants.md), please also include the following permission. We strongly recommend you assign this permission only on those Folders where you want to allow automated tenant deletion. + +```text +resourcemanager.project.delete +``` + ### Configure the Root Project meshStack requires a project in GCP for some of the resources it uses. It is reserved for use by meshstack and Platform Operators. For this guide, we’ll call the project `meshstack-root`.
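Review bot: in the AWS hunk (`integrate-meshplatform-aws-manually.md`) the added `json` block is not valid JSON on its own: it is a single statement object followed by a trailing comma (`},`), while the fence presents it as a stand-alone document. Either drop the trailing comma and say explicitly in the sentence above it that this statement goes into the `Statement` array of the `MeshfedServiceRole` policy shown earlier, or show the full policy with the statement in place. Two smaller points in the same hunk: "using an [ResourceOrgPath]" should read "using a [ResourceOrgPath]", and the linked page is the IAM Access Advisor organisation-view documentation rather than the reference for the `aws:ResourceOrgPaths` condition key that the snippet actually uses; linking the condition key reference would help readers check the `ForAnyValue:StringLike` matching semantics and adapt the `o-orgid/r-rootid/ou-ouid/*` placeholder to their own OU path.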
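Review bot: in the Azure hunk (`integrate-meshplatform-azure-manually.md`) the fence is tagged `hcl`, but its content is a single Azure RBAC action string, `"Microsoft.Subscription/cancel/action"`, not Terraform; use `text` (as the GCP hunk does) so readers do not infer that the value belongs in an HCL resource block, and drop the quotes if the intent is the bare action name. The sentence "please also include the following permission" does not say where: the surrounding context is about the Service Principal's role assignment on Management Groups, so state that the action belongs in the `actions` list of the custom role definition granted to the meshcloud Service Principal. Minor: there are two blank `+` lines before the fence where one would do.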
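Review bot: in the GCP hunk (`integrate-meshplatform-gcp-manually.md`) the permission name `resourcemanager.project.delete` looks wrong: Cloud Resource Manager permissions use the plural resource name (`resourcemanager.projects.create`, `resourcemanager.projects.get`, and so on), so the permission that allows deleting a project is `resourcemanager.projects.delete`. As written the custom role would fail to save or silently not grant the intended capability, and automated tenant deletion would not work. Please correct the name and, as with the other two hunks, say where the permission is added (the custom role for the meshStack service account) rather than only "include the following permission".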