diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a8e2f3..6b607d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,3 +21,9 @@
* 1.0.6 -- 2024-01-31
- output in users valid_ldap_users and invalid_ldap_users
+
+* 1.1.0 -- 2024-02-08
+ - permissionset
+ - add auto_policy_count for generating policies of the form:
+ * 0 => p-sso-{permissionsetname}
+ * 1-20 => p-sso-{permissionsetname}-p{number}
diff --git a/common/version.tf b/common/version.tf
index 8fb8d08..9c489cd 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.0.6"
+ _module_version = "1.1.0"
}
diff --git a/permissionset/README.md b/permissionset/README.md
index f0b0113..26e2e9d 100644
--- a/permissionset/README.md
+++ b/permissionset/README.md
@@ -18,6 +18,7 @@ No modules.
| Name | Type |
|------|------|
+| [aws_ssoadmin_customer_managed_policy_attachment.auto_pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
| [aws_ssoadmin_customer_managed_policy_attachment.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
| [aws_ssoadmin_managed_policy_attachment.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
| [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
@@ -33,6 +34,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [auto\_policy\_count](#input\_auto\_policy\_count) | Automatic customer policy generation as s-sso-{permissionsetname}-p{number}. Use 0 for no -p{number} suffix. | `number` | `null` | no |
| [customer\_managed\_policy\_names](#input\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset | `map(string)` | `{}` | no |
| [description](#input\_description) | Permission set description | `string` | `null` | no |
| [inline\_policy](#input\_inline\_policy) | AWS Policy document for the single allowed inline policy | `string` | `null` | no |
diff --git a/permissionset/main.tf b/permissionset/main.tf
index ad458a3..202b5e5 100644
--- a/permissionset/main.tf
+++ b/permissionset/main.tf
@@ -1,5 +1,14 @@
locals {
description = coalesce(var.description, var.name)
+ auto_policy_name_format = var.auto_policy_count == null ? {} : {
+ single = "p-sso-%v"
+ multiple = "p-sso-%v-p%v"
+ }
+ auto_policy_name_single = var.auto_policy_count == 0 ? [format(local.auto_policy_name_format["single"], var.name)] : []
+ auto_policy_name_multiple = (var.auto_policy_count > 0 && var.auto_policy_count <= 20) ? [for i in range(1, var.auto_policy_count + 1) : format(local.auto_policy_name_format["multiple"], var.name, i)] : []
+ auto_policy_names = compact(concat(local.auto_policy_name_single, local.auto_policy_name_multiple))
+
+ total_policies = length(compact(concat(keys(var.customer_managed_policy_names), local.auto_policy_names)))
}
resource "aws_ssoadmin_permission_set" "pset" {
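Review bot: The `auto_policy_name_multiple` line compares `var.auto_policy_count` with `>` before ever testing it for null, and with the declared default of `null` that comparison is, as far as I recall, rejected by Terraform (the `>` operator does not accept a null operand, unlike the `==` used on the line above), and the surrounding `&&` does not protect it because both operands are evaluated. The `auto_policy_name_format` map that collapses to `{}` for null and is then indexed by `"single"`/`"multiple"` adds a second dependency on the unselected conditional branch never being evaluated, and the `<= 20` guard silently produces no names for a count above 20 instead of failing, which duplicates what the variable validation should enforce. Testing for null first in one conditional removes both hazards, and `distinct()` in `total_policies` would make visible the case where a generated name also appears as a key of `var.customer_managed_policy_names` — today it is counted twice and would be attached by two resources. The `locals` block is complete within this hunk.
```hcl
locals {
  description = coalesce(var.description, var.name)

  # Policies to generate: null disables generation, 0 yields the unsuffixed
  # name, 1..N yields -p1..-pN.  The upper bound is enforced by the variable
  # validation, not here.
  auto_policy_names = (
    var.auto_policy_count == null ? [] :
    var.auto_policy_count == 0 ? [format("p-sso-%v", var.name)] :
    [for i in range(1, var.auto_policy_count + 1) : format("p-sso-%v-p%v", var.name, i)]
  )

  total_policies = length(distinct(compact(concat(keys(var.customer_managed_policy_names), local.auto_policy_names))))
}
```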
@@ -38,6 +47,24 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "pset" {
}
}
+resource "aws_ssoadmin_customer_managed_policy_attachment" "auto_pset" {
+ for_each = toset(local.auto_policy_names)
+ instance_arn = var.instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+
+ customer_managed_policy_reference {
+ name = each.key
+ path = "/"
+ }
+
+ lifecycle {
+ precondition {
+ condition = local.total_policies <= 20
+ error_message = "The total number of customer managed polices must be 20 or less."
+ }
+ }
+}
+
resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
count = var.inline_policy != null ? 1 : 0
instance_arn = var.instance_arn
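Review bot: The `precondition` inside `auto_pset` only runs when the resource has instances, so with `auto_policy_count` left at its default (empty `for_each`) the `local.total_policies <= 20` check is skipped entirely, and when it does run it is evaluated once per generated policy rather than once per permission set. Attaching the same precondition to `aws_ssoadmin_permission_set.pset`, which always exists, would make the limit hold whether or not generation is enabled; that resource's body lies outside this hunk. The message also has a typo: `error_message = "The total number of customer managed policies must be 20 or less."`. The `customer_managed_policy_reference` carries only a name and a fixed `path = "/"`, so nothing in the module confirms that a `p-sso-…` policy exists in the target account before apply; a short comment on the resource stating that the named policies must already exist at `/` would save callers a failed apply.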
diff --git a/permissionset/variables.tf b/permissionset/variables.tf
index 029738b..98e6f6a 100644
--- a/permissionset/variables.tf
+++ b/permissionset/variables.tf
@@ -43,3 +43,14 @@ variable "relay_state" {
type = string
default = null
}
+
+variable "auto_policy_count" {
+ description = "Automatic customer policy generation as s-sso-{permissionsetname}-p{number}. Use 0 for no -p{number} suffix."
+ type = number
+ default = null
+
+ validation {
+ condition = var.auto_policy_count == null || (var.auto_policy_count > 0 && var.auto_policy_count <= 20)
+ error_message = "auto_policy_coount may be null or between 0 and 20, inclusive."
+ }
+}
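Review bot: The validation condition `var.auto_policy_count > 0` rejects 0, yet the description on this variable, the error message on the next line ("between 0 and 20, inclusive") and the `auto_policy_count == 0` branch in main.tf all treat 0 as the "no suffix" case, so a caller who follows the documentation gets a validation failure; it should read `condition = var.auto_policy_count == null ? true : (var.auto_policy_count >= 0 && var.auto_policy_count <= 20)`, which also avoids comparing a null with `>` should `||` not short-circuit on the Terraform version in use. The error message misspells the variable name: `error_message = "auto_policy_count may be null or between 0 and 20, inclusive."`. The description's `s-sso-` prefix does not match the `p-sso-` format strings in main.tf (the README row for this input repeats the same text): `description = "Automatic customer managed policy generation as p-sso-{permissionsetname}-p{number}. Use 0 for no -p{number} suffix."`.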