From 81cdbf09e59abafc0294478b083c84cc4bbd0b84 Mon Sep 17 00:00:00 2001
From: Liam MacPherson
Date: Wed, 6 Mar 2024 08:10:57 +0000
Subject: [PATCH] LZA-133: add permission set module

Add the permission set module that supports inline policies.

---
.../aws/permission_sets/.terraform.lock.hcl | 25 +++++++++
modules/aws/permission_sets/README.md | 52 +++++++++++++++++++
modules/aws/permission_sets/main.tf | 32 ++++++++++++
modules/aws/permission_sets/variables.tf | 33 ++++++++++++
4 files changed, 142 insertions(+)
create mode 100644 modules/aws/permission_sets/.terraform.lock.hcl
create mode 100644 modules/aws/permission_sets/README.md
create mode 100644 modules/aws/permission_sets/main.tf
create mode 100644 modules/aws/permission_sets/variables.tf
diff --git a/modules/aws/permission_sets/.terraform.lock.hcl b/modules/aws/permission_sets/.terraform.lock.hcl
new file mode 100644
index 0000000..2658425
--- /dev/null
+++ b/modules/aws/permission_sets/.terraform.lock.hcl
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.39.1" + constraints = "~> 5.39.0" + hashes = [ + "h1:cXnNy35JewgDL4IZ0X9afy8crWMxUZY640V+uvVdGHI=", + "zh:05c50a5d8edb3ba4ebc4eb6e0d0b5e319142f5983b27821710ed7d475d335bdc", + "zh:082986a5784dd21957e632371b289e549f051a4ea21d5c78c6d744c3537f03c5", + "zh:192ae622ba562eacc4921ed549a794506179233d724fdd15a4f147f3400724a0", + "zh:19a1d4637a62de90b0da174c0bf01000cd900488f7e8f709d8a37f082c59756b", + "zh:1d7689a8583515f1705972d7ce57ccfab96215b19905530d2c78c02dcfaff583", + "zh:22c446a21209a52ab74b4ba1ede0b220531e97ce479430047e493a2c45e1d8cb", + "zh:4154de82290ab4e9f81bac1ea62342de8b3b7a608f99258c190d4dd1c6663e47", + "zh:6bc4859ccdc54f28af9286b2fa090a31dcb345138d68c471510b737f6a052011", + "zh:73c69e000e0b321e78a4a12fef60d37285f2afec0ea7be9e06163d985101cb59", + "zh:890a3422f5e445b49bae30facf448d0ec9cd647e9155d0b685b5b39e9d331a94", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9cd88bec0f5205df9032e3126d4e57edd1c5cc8d45cda25626882dafc485a3b0", + "zh:a3a8e3276d0fbf051bbafa192a2998b05745f2cf285ac8c36a9ad167a75c037f", + "zh:d47e4dcf4c0ad71b9a7c720be4f3a89f6786a82e77bbe8d950794562792a1da5", + "zh:f74e5b2af508c7de80a6ae5198df54a795eeba5058a0cd247828943f0c54f6e0", + ] +} diff --git a/modules/aws/permission_sets/README.md b/modules/aws/permission_sets/README.md new file mode 100644 index 0000000..db7032d --- /dev/null +++ b/modules/aws/permission_sets/README.md 
@@ -0,0 +1,52 @@
+# Core Cloud AWS Identity Center Permission Set Module
+
+This module is responsible for creating and managing permission sets through Identity Center in AWS.
+
+## Usage
+
+### Permission Set
+
+```hcl
+module "permission_sets" {
+ source = "git::ssh://git@github.com/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/permission_sets"
+
+ name =
+ description =
+ identity_store_arn =
+ inline_policies = ARRAY()
+}
+```
+
+## Validation
+
+This module expects the variables to conform to the following:
+- `name` - Must be a string between 1 and 64 characters.
+- `description` - Must be a string between 1 and 256 characters.
+- `identity_store_arn` - Must be a valid Identity Store ARN.
+- `inline_policies` - Must be a list of objects that conforms to [Inline Policy](#inline-policy) schema.
+
+### Inline Policy
+
+```hcl
+{
+ sid = OPTIONAL()
+ actions = ARRAY()
+ resources = ARRAY()
+}
+```
+
+## Examples
+
+### Simple Inline Policy
+
+```yaml
+name: "PermissionSetName"
+description: "This is an example permission set."
+identity_store_arn: "arn:aws:sso:::instance/ssoins-1234567890abcdef0"
+inline_policies:
+ - sid: "TestPolicy"
+ actions:
+ - s3:ListBucket
+ resources:
+ - "*"
+```
diff --git a/modules/aws/permission_sets/main.tf b/modules/aws/permission_sets/main.tf
new file mode 100644
index 0000000..cab52f0
--- /dev/null
+++ b/modules/aws/permission_sets/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.39.0"
+ }
+ }
+}
+
+resource "aws_ssoadmin_permission_set" "identity_store_permission_set" {
+ name = var.name
+ description = var.description
+ instance_arn = var.identity_store_arn
+}
+
+data "aws_iam_policy_document" "iam_policy_document" {
+ dynamic "statement" {
+ for_each = var.inline_policies
+
+ content {
+ sid = try(statement.value.sid, null)
+ actions = statement.value.actions
+ resources = statement.value.resources
+ }
+ }
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "permission_set_inline_policy" {
+ inline_policy = data.aws_iam_policy_document.iam_policy_document.json
+ instance_arn = var.identity_store_arn
+ permission_set_arn = aws_ssoadmin_permission_set.identity_store_permission_set.arn
+}
diff --git a/modules/aws/permission_sets/variables.tf b/modules/aws/permission_sets/variables.tf
new file mode 100644
index 0000000..314acc0
--- /dev/null
+++ b/modules/aws/permission_sets/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+ type = string
+ description = "The name of the permission set to create."
+
+ validation {
+ condition = length(var.name) >= 1 && length(var.name) <= 64
+ error_message = "The group name must be less than 64 characters."
+ }
+}
+
+variable "description" {
+ type = string
+ description = "The description of the permission set to create."
+
+ validation {
+ condition = length(var.description) >= 1 && length(var.description) <= 256
+ error_message = "The description must be less than 256 characters."
+ }
+}
+
+variable "identity_store_arn" {
+ description = "The ARN of the Identity Center instance to create the permission set in."
+ type = string
+}
+
+variable "inline_policies" {
+ description = "The inline policy to attach to the permission set."
+ type = list(object({
+ sid = optional(string)
+ actions = list(string)
+ resources = list(string)
+ }))
+}
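Review bot: Every statement emitted by `data.aws_iam_policy_document.iam_policy_document` is an implicit Allow with no `condition`, because the `content` block only maps `sid`, `actions` and `resources`; a caller cannot express a Deny statement or scope a grant (by region, MFA, source IP and so on), so the action/resource list is the only lever for limiting what a permission set allows. Adding `effect = try(statement.value.effect, "Allow")` together with `effect = optional(string)` in the variable type, plus a dynamic `condition` block, would keep existing callers working while making least-privilege policies expressible. `aws_ssoadmin_permission_set_inline_policy` is also created unconditionally, so an empty `inline_policies` list renders a policy whose `Statement` array is empty, which Identity Center is likely to reject at apply rather than plan; a `count = length(var.inline_policies) > 0 ? 1 : 0` guard would avoid that. Finally the diffstat lists no `outputs.tf`, so the permission set ARN is never exported and callers cannot wire it into `aws_ssoadmin_account_assignment`; `output "permission_set_arn" { value = aws_ssoadmin_permission_set.identity_store_permission_set.arn }` is needed for the module to be usable.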
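Review bot: The `name` validation accepts up to 64 characters, but the Identity Center CreatePermissionSet API restricts `Name` to 1–32 characters matching `^[\w+=,.@-]+$` (confirm against the current API reference), so a 33–64 character name passes `terraform validate` and only fails at apply; the error message also reads "The group name must be less than 64 characters.", which names the wrong object and contradicts a condition that allows exactly 64. `identity_store_arn` has no validation at all even though the README states "Must be a valid Identity Store ARN", and the value is actually the Identity Center instance ARN (it feeds `instance_arn` in main.tf), not an Identity Store ID of the form `d-…`, a mix-up a pattern check would catch at plan time. `inline_policies` likewise accepts entries with empty `actions` or `resources` lists, which render as invalid statements. The rewritten validations below tighten all three; the `description` block is unchanged.
```hcl
variable "name" {
  type        = string
  description = "The name of the permission set to create."

  validation {
    # CreatePermissionSet limit: 1-32 characters of [\w+=,.@-] -- verify against the current API reference
    condition     = can(regex("^[\\w+=,.@-]{1,32}$", var.name))
    error_message = "The permission set name must be 1 to 32 characters and may only contain letters, digits, underscore and + = , . @ -."
  }
}

# … unchanged: variable "description" …

variable "identity_store_arn" {
  description = "The ARN of the Identity Center instance to create the permission set in."
  type        = string

  validation {
    condition     = can(regex("^arn:aws(-[a-z]+)*:sso:::instance/ssoins-[0-9a-f]+$", var.identity_store_arn))
    error_message = "identity_store_arn must be an Identity Center instance ARN, e.g. arn:aws:sso:::instance/ssoins-1234567890abcdef0."
  }
}

variable "inline_policies" {
  description = "The inline policy to attach to the permission set."
  type = list(object({
    sid       = optional(string)
    actions   = list(string)
    resources = list(string)
  }))

  validation {
    condition     = alltrue([for p in var.inline_policies : length(p.actions) > 0 && length(p.resources) > 0])
    error_message = "Every inline policy statement must list at least one action and at least one resource."
  }
}
```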