* 1.1.0 -- 2024-02-08

- permissionset - add auto_policy_count for generating policies of the form: * 0 => p-sso-{permissionsetname} * 1-20 => p-sso-{permissionsetname}-p{number}
terraform-modules · Feb 8, 2024 · dd48fd4 · dd48fd4
1 parent 419b73b
commit dd48fd4
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,3 +21,9 @@
 
 * 1.0.6 -- 2024-01-31
   - output in users valid_ldap_users and invalid_ldap_users
+
+* 1.1.0 -- 2024-02-08
+  - permissionset
+    - add auto_policy_count for generating policies of the form:
+      * 0 => p-sso-{permissionsetname}
+      * 1-20 => p-sso-{permissionsetname}-p{number}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.6"
+  _module_version = "1.1.0"
 }
diff --git a/permissionset/README.md b/permissionset/README.md
@@ -18,6 +18,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_ssoadmin_customer_managed_policy_attachment.auto_pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
 | [aws_ssoadmin_customer_managed_policy_attachment.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
 | [aws_ssoadmin_managed_policy_attachment.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
@@ -33,6 +34,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_auto_policy_count"></a> [auto\_policy\_count](#input\_auto\_policy\_count) | Automatic customer policy generation as s-sso-{permissionsetname}-p{number}.  Use 0 for no -p{number} suffix. | `number` | `null` | no |
 | <a name="input_customer_managed_policy_names"></a> [customer\_managed\_policy\_names](#input\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset | `map(string)` | `{}` | no |
 | <a name="input_description"></a> [description](#input\_description) | Permission set description | `string` | `null` | no |
 | <a name="input_inline_policy"></a> [inline\_policy](#input\_inline\_policy) | AWS Policy document for the single allowed inline policy | `string` | `null` | no |

diff --git a/permissionset/main.tf b/permissionset/main.tf
@@ -1,5 +1,14 @@
 locals {
   description = coalesce(var.description, var.name)
+  auto_policy_name_format = var.auto_policy_count == null ? {} : {
+    single   = "p-sso-%v"
+    multiple = "p-sso-%v-p%v"
+  }
+  auto_policy_name_single   = var.auto_policy_count == 0 ? [format(local.auto_policy_name_format["single"], var.name)] : []
+  auto_policy_name_multiple = (var.auto_policy_count > 0 && var.auto_policy_count <= 20) ? [for i in range(1, var.auto_policy_count + 1) : format(local.auto_policy_name_format["multiple"], var.name, i)] : []
+  auto_policy_names         = compact(concat(local.auto_policy_name_single, local.auto_policy_name_multiple))
+
+  total_policies = length(compact(concat(keys(var.customer_managed_policy_names), local.auto_policy_names)))
 }
 
 resource "aws_ssoadmin_permission_set" "pset" {
@@ -38,6 +47,24 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "pset" {
   }
 }
 
+resource "aws_ssoadmin_customer_managed_policy_attachment" "auto_pset" {
+  for_each           = toset(local.auto_policy_names)
+  instance_arn       = var.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+
+  customer_managed_policy_reference {
+    name = each.key
+    path = "/"
+  }
+
+  lifecycle {
+    precondition {
+      condition     = local.total_policies <= 20
+      error_message = "The total number of customer managed polices must be 20 or less."
+    }
+  }
+}
+
 resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
   count              = var.inline_policy != null ? 1 : 0
   instance_arn       = var.instance_arn

diff --git a/permissionset/variables.tf b/permissionset/variables.tf
@@ -43,3 +43,14 @@ variable "relay_state" {
   type        = string
   default     = null
 }
+
+variable "auto_policy_count" {
+  description = "Automatic customer policy generation as s-sso-{permissionsetname}-p{number}.  Use 0 for no -p{number} suffix."
+  type        = number
+  default     = null
+
+  validation {
+    condition     = var.auto_policy_count == null || (var.auto_policy_count > 0 && var.auto_policy_count <= 20)
+    error_message = "auto_policy_coount may be null or between 0 and 20, inclusive."
+  }
+}