From 7b2dc0b5991c16f7181c3d51d8b849dcfe9d6704 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 8 Sep 2023 12:57:23 -0400 Subject: [PATCH] initial --- CHANGELOG.md | 2 +- common/version.tf | 2 +- common/versions.tf | 2 +- permissionset/availabilty_zones.tf | 1 + permissionset/data.tf | 1 + permissionset/defaults.tf | 1 + permissionset/locals.tf | 12 +++++ permissionset/main.tf | 44 +++++++++++++++++++ permissionset/module_name.tf | 3 ++ permissionset/prefixes.tf | 1 + .../variables.common.availability_zones.tf | 1 + permissionset/variables.common.tf | 1 + permissionset/variables.tf | 39 ++++++++++++++++ permissionset/version.tf | 1 + permissionset/versions.tf | 1 + 15 files changed, 109 insertions(+), 3 deletions(-) create mode 120000 permissionset/availabilty_zones.tf create mode 120000 permissionset/data.tf create mode 120000 permissionset/defaults.tf create mode 100644 permissionset/locals.tf create mode 100644 permissionset/main.tf create mode 100644 permissionset/module_name.tf create mode 120000 permissionset/prefixes.tf create mode 120000 permissionset/variables.common.availability_zones.tf create mode 120000 permissionset/variables.common.tf create mode 100644 permissionset/variables.tf create mode 120000 permissionset/version.tf create mode 120000 permissionset/versions.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ce3418..17cc870 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ # Versions -* v1.0.0 -- {{ yyyy-mm-dd }} +* 1.0.0 -- 2023-09-08 - initial creation diff --git a/common/version.tf b/common/version.tf index a0cd862..fa2705b 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "0.0.0" + _module_version = "1.0.0" } diff --git a/common/versions.tf b/common/versions.tf index 4ba10ce..34eb3b9 100644 --- a/common/versions.tf +++ b/common/versions.tf @@ -5,5 +5,5 @@ terraform { version = ">= 3.66.0" } } -# required_version = ">= 0.13" + # required_version = ">= 0.13" } 
diff --git a/permissionset/availabilty_zones.tf b/permissionset/availabilty_zones.tf
new file mode 120000
index 0000000..00a240c
--- /dev/null
+++ b/permissionset/availabilty_zones.tf
@@ -0,0 +1 @@
+../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/permissionset/data.tf b/permissionset/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/permissionset/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/permissionset/defaults.tf b/permissionset/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/permissionset/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/permissionset/locals.tf b/permissionset/locals.tf
new file mode 100644
index 0000000..5cba936
--- /dev/null
+++ b/permissionset/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/permissionset/main.tf b/permissionset/main.tf
new file mode 100644
index 0000000..65e310d
--- /dev/null
+++ b/permissionset/main.tf
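Review bot: `account_id` in the locals.tf hunk only falls back to the caller identity when `var.account_id` is the empty string; that variable is declared in the symlinked variables.common.tf outside this patch, and if its default is `null` the `!= ""` test is true and `local.account_id` becomes null instead of the current account. `coalesce(var.account_id, data.aws_caller_identity.current.account_id)` handles both the empty-string and the null case. The `"ew"` literal in `account_environment` also deserves a comment stating what it abbreviates, since only the `aws-us-gov` branch is self-explanatory, e.g. `# partition short code: "gov" for aws-us-gov, "ew" for <meaning of ew>`.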
@@ -0,0 +1,44 @@
+locals {
+ description = coalesce(var.description, var.name)
+}
+
+resource "aws_ssoadmin_permission_set" "pset" {
+ name = var.name
+ description = local.description
+ instance_arn = var.instance_arn
+ session_duration = var.session_duration
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ )
+}
+
+data "aws_iam_policy" "pset" {
+ for_each = toset(var.managed_policy_names)
+ name = each.key
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "pset" {
+ for_each = data.aws_iam_policy.pset
+ instance_arn = var.instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+ managed_policy_arn = each.value.arn
+}
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "pset" {
+ for_each = var.customer_managed_policy_names
+ instance_arn = var.instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+
+ customer_managed_policy_reference {
+ name = each.key
+ path = one(each.value, "/")
+ }
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
+ instance_arn = var.instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+ inline_policy = var.inline_policy
+}
diff --git a/permissionset/module_name.tf b/permissionset/module_name.tf
new file mode 100644
index 0000000..1ad630f
--- /dev/null
+++ b/permissionset/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/permissionset"
+}
diff --git a/permissionset/prefixes.tf b/permissionset/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/permissionset/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/permissionset/variables.common.availability_zones.tf b/permissionset/variables.common.availability_zones.tf
new file mode 120000
index 0000000..dca20a3
--- /dev/null
+++ b/permissionset/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf
\ No newline at end of file
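Review bot: `path = one(each.value, "/")` in the customer managed policy attachment does not evaluate: `one` takes a single collection argument and `each.value` is a string from the `map(string)` variable, so this should be `path = coalesce(each.value, "/")`, which also treats an empty-string value as "use the default path". The inline policy resource is created unconditionally while `inline_policy` defaults to null in variables.tf, which Terraform reports as the required argument being missing; guard it with `count = var.inline_policy == null ? 0 : 1`. Resolving AWS managed policies by bare `name` through `data.aws_iam_policy` can match a customer managed policy of the same name in the account, and `aws_ssoadmin_managed_policy_attachment` only accepts AWS managed policy ARNs, so building the `arn:<partition>:iam::aws:policy/<name>` ARN directly (the partition is already read via `data.aws_arn.current` in locals.tf) keeps the attachment pinned to the intended policy. `var.tags` is not declared in this patch's variables.tf, so it is presumably provided by the symlinked variables.common.tf.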
diff --git a/permissionset/variables.common.tf b/permissionset/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/permissionset/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/permissionset/variables.tf b/permissionset/variables.tf
new file mode 100644
index 0000000..56a3155
--- /dev/null
+++ b/permissionset/variables.tf
@@ -0,0 +1,39 @@
+variable "name" {
+ description = "Permission set name"
+ type = string
+}
+
+variable "description" {
+ description = "Permission set description"
+ type = string
+ default = null
+}
+
+variable "instance_arn" {
+ description = "AWS SSO/IDC Instance ARN"
+ type = string
+}
+
+variable "session_duration" {
+ description = "Permission set duration (default 8H)"
+ type = string
+ default = "PT8H"
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+variable "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy"
+ type = string
+ default = null
+}
diff --git a/permissionset/version.tf b/permissionset/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/permissionset/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/permissionset/versions.tf b/permissionset/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/permissionset/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
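Review bot: The description of `customer_managed_policy_names` says each value is a permission boundary, but main.tf consumes the value as the IAM `path` of the `customer_managed_policy_reference`, so the description should read `Map of Customer Managed Policy name to its IAM path (defaults to "/" when empty)`. `inline_policy` is handed straight to the API with no validation; a `validation` block that requires the value to be null or parseable by `jsondecode` turns a malformed document into a plan-time error instead of an apply-time one. `session_duration` would also benefit from a description that names the format, e.g. `ISO 8601 duration for the permission set session (default PT8H)`.
```hcl
variable "inline_policy" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.inline_policy == null || can(jsondecode(var.inline_policy))
    error_message = "inline_policy must be null or a valid JSON policy document."
  }
}
```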