From 5a0f4fa73160b53d04bfbdde9bdfe3a8be30a98d Mon Sep 17 00:00:00 2001
From: cybershady
Date: Sun, 18 Aug 2024 21:02:04 -0600
Subject: [PATCH] start sso module
---
 modules/iam_identity_center/main.tf | 66 ++++++++++++++++++++++++
 modules/iam_identity_center/variables.tf | 21 ++++++++
 users.tf | 0
 3 files changed, 87 insertions(+)
 create mode 100644 modules/iam_identity_center/main.tf
 create mode 100644 modules/iam_identity_center/variables.tf
 create mode 100644 users.tf
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
new file mode 100644
index 0000000..7f9d385
--- /dev/null
+++ b/modules/iam_identity_center/main.tf
@@ -0,0 +1,66 @@
+data "aws_ssoadmin_instances" "this" {}
+
+locals {
+ sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+ permission_set_map = { for ps in var.permission_sets : ps.name => ps }
+ inline_policies_map = { for ps in var.permission_sets : ps.name => ps.inline_policy if ps.inline_policy != "" }
+ managed_policy_map = { for ps in var.permission_sets : ps.name => ps.policy_attachments if length(ps.policy_attachments) > 0 }
+ managed_policy_attachments = flatten([
+ for ps_name, policy_list in local.managed_policy_map : [
+ for policy in policy_list : {
+ policy_set = ps_name
+ policy_arn = policy
+ }
+ ]
+ ])
+ managed_policy_attachments_map = {
+ for policy in local.managed_policy_attachments : "${policy.policy_set}.${policy.policy_arn}" => policy
+ }
+ customer_managed_policy_map = { for ps in var.permission_sets : ps.name => ps.customer_managed_policy_attachments if length(ps.customer_managed_policy_attachments) > 0 }
+ customer_managed_policy_attachments = flatten([
+ for ps_name, policy_list in local.customer_managed_policy_map : [
+ for policy in policy_list : {
+ policy_set = ps_name
+ policy_name = policy.name
+ policy_path = policy.path
+ }
+ ]
+ ])
+ customer_managed_policy_attachments_map = {
+ for policy in local.customer_managed_policy_attachments : "${policy.policy_set}.${policy.policy_path}${policy.policy_name}" => policy
+ }
+}
+
+resource "aws_ssoadmin_permission_set" "this" {
+ for_each = local.permission_set_map
+ name = each.key
+ description = each.value.description
+ instance_arn = local.sso_instance_arn
+ relay_state = each.value.relay_state != "" ? each.value.relay_state : null
+ session_duration = each.value.session_duration != "" ? each.value.session_duration : null
+ tags = each.value.tags != "" ? each.value.tags : null
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+ for_each = local.inline_policies_map
+ inline_policy = each.value
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+ for_each = local.managed_policy_attachments_map
+ instance_arn = local.sso_instance_arn
+ managed_policy_arn = each.value.policy_arn
+ permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+}
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+ for_each = local.customer_managed_policy_attachments_map
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+ customer_managed_policy_reference {
+ name = each.value.policy_name
+ path = coalesce(each.value.policy_path, "/")
+ }
+}
diff --git a/modules/iam_identity_center/variables.tf b/modules/iam_identity_center/variables.tf
new file mode 100644
index 0000000..b246f7e
--- /dev/null
+++ b/modules/iam_identity_center/variables.tf
@@ -0,0 +1,21 @@
+variable "aws_account" {
+ description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
+}
+
+variable "permission_sets" {
+ type = list(object({
+ name = string
+ description = string
+ relay_state = string
+ session_duration = string
+ tags = map(string)
+ inline_policy = string
+ policy_attachments = list(string)
+ customer_managed_policy_attachments = list(object({
+ name = string
+ path = optional(string, "/")
+ }))
+ }))
+
+ default = []
+}
\ No newline at end of file
diff --git a/users.tf b/users.tf
new file mode 100644
index 0000000..e69de29
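Review bot: `tags = each.value.tags != "" ? each.value.tags : null` in `aws_ssoadmin_permission_set.this` compares a `map(string)` against a string, so the condition can never be false (or, depending on Terraform version, is rejected as a type mismatch) and an empty map is passed through instead of the intended null; `tags = length(each.value.tags) > 0 ? each.value.tags : null` states the intent. `aws_ssoadmin_permission_set_inline_policy.this` attaches `each.value` verbatim, so a malformed policy document is only caught by the API at apply time; `inline_policy = jsonencode(jsondecode(each.value))` fails the plan on invalid JSON and normalizes key order so the stored document does not produce spurious diffs. `tolist(data.aws_ssoadmin_instances.this.arns)[0]` already presumes exactly one Identity Center instance and fails with an index error when there is none; `one(data.aws_ssoadmin_instances.this.arns)` makes that assumption explicit and reports it clearly.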
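Review bot: `variable "aws_account"` has no `type` and no `validation`, even though its description says the value is supplied from workspace settings, so any value is accepted at plan time; it is also not referenced anywhere in this commit's main.tf, so if a provider block elsewhere consumes it, a typo would only surface as a deploy into the wrong account. Declaring `type = string` with a 12-digit format check catches that before anything is created. The file already uses `optional(string, "/")`, so `relay_state`, `session_duration`, `inline_policy` and `tags` could likewise be `optional(...)` rather than requiring callers to pass `""` for the `!= ""` checks in main.tf. A plan-time validation on `permission_sets` such as `condition = alltrue([for ps in var.permission_sets : ps.inline_policy == "" || can(jsondecode(ps.inline_policy))])` would reject malformed inline policy documents before they reach the Identity Center API.
```terraform
variable "aws_account" {
  description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account))
    error_message = "aws_account must be a 12-digit AWS account ID."
  }
}

# … unchanged: variable "permission_sets" …
```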