initial

CHANGELOG.md

@@ -1,5 +1,5 @@
 # Versions
 
-* v1.0.0 -- {{ yyyy-mm-dd }}
+* 1.0.0 -- 2023-09-08
   - initial creation
 

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "0.0.0"
+  _module_version = "1.0.0"
 }

common/versions.tf

@@ -5,5 +5,5 @@ terraform {
       version = ">= 3.66.0"
     }
   }
-#  required_version = ">= 0.13"
+  #  required_version = ">= 0.13"
 }

permissionset/availabilty_zones.tf

@@ -0,0 +1 @@
+../common/availabilty_zones.tf

permissionset/data.tf

@@ -0,0 +1 @@
+../common/data.tf

permissionset/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

permissionset/locals.tf

@@ -0,0 +1,12 @@
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = data.aws_region.current.name
+  region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:tf_module_name"    = local._module_name
+    "boc:created_by"        = "terraform"
+  }
+}

permissionset/main.tf

@@ -0,0 +1,44 @@
+locals {
+  description = coalesce(var.description, var.name)
+}
+
+resource "aws_ssoadmin_permission_set" "pset" {
+  name             = var.name
+  description      = local.description
+  instance_arn     = var.instance_arn
+  session_duration = var.session_duration
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+  )
+}
+
+data "aws_iam_policy" "pset" {
+  for_each = toset(var.managed_policy_names)
+  name     = each.key
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "pset" {
+  for_each           = data.aws_iam_policy.pset
+  instance_arn       = var.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+  managed_policy_arn = each.value.arn
+}
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "pset" {
+  for_each           = var.customer_managed_policy_names
+  instance_arn       = var.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+
+  customer_managed_policy_reference {
+    name = each.key
+    path = one(each.value, "/")
+  }
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
+  instance_arn       = var.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+  inline_policy      = var.inline_policy
+}

permissionset/module_name.tf

@@ -0,0 +1,3 @@
+locals {
+  _module_name = "aws-sso/permissionset"
+}

permissionset/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

permissionset/variables.common.availability_zones.tf

@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf

permissionset/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

permissionset/variables.tf

@@ -0,0 +1,39 @@
+variable "name" {
+  description = "Permission set name"
+  type        = string
+}
+
+variable "description" {
+  description = "Permission set description"
+  type        = string
+  default     = null
+}
+
+variable "instance_arn" {
+  description = "AWS SSO/IDC Instance ARN"
+  type        = string
+}
+
+variable "session_duration" {
+  description = "Permission set duration (default 8H)"
+  type        = string
+  default     = "PT8H"
+}
+
+variable "managed_policy_names" {
+  description = "Names of AWS Managed Policy to attach to the permissionset"
+  type        = list(string)
+  default     = []
+}
+
+variable "customer_managed_policy_names" {
+  description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+  type        = map(string)
+  default     = {}
+}
+
+variable "inline_policy" {
+  description = "AWS Policy document for the single allowed inline policy"
+  type        = string
+  default     = null
+}

permissionset/version.tf

@@ -0,0 +1 @@
+../common/version.tf

permissionset/versions.tf

@@ -0,0 +1 @@
+../common/versions.tf