start sso module #6

merged 1 commit into from
Aug 19, 2024
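--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
@@ -0,0 +1,66 @@
+data "aws_ssoadmin_instances" "this" {}
+
+locals {
+sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+permission_set_map = { for ps in var.permission_sets : ps.name => ps }
+inline_policies_map = { for ps in var.permission_sets : ps.name => ps.inline_policy if ps.inline_policy != "" }
+managed_policy_map = { for ps in var.permission_sets : ps.name => ps.policy_attachments if length(ps.policy_attachments) > 0 }
+managed_policy_attachments = flatten([
+for ps_name, policy_list in local.managed_policy_map : [
+for policy in policy_list : {
+policy_set = ps_name
+policy_arn = policy
+}
+]
+])
+managed_policy_attachments_map = {
+for policy in local.managed_policy_attachments : "${policy.policy_set}.${policy.policy_arn}" => policy
+}
+customer_managed_policy_map = { for ps in var.permission_sets : ps.name => ps.customer_managed_policy_attachments if length(ps.customer_managed_policy_attachments) > 0 }
+customer_managed_policy_attachments = flatten([
+for ps_name, policy_list in local.customer_managed_policy_map : [
+for policy in policy_list : {
+policy_set = ps_name
+policy_name = policy.name
+policy_path = policy.path
+}
+]
+])
+customer_managed_policy_attachments_map = {
+for policy in local.customer_managed_policy_attachments : "${policy.policy_set}.${policy.policy_path}${policy.policy_name}" => policy
+}
+}
+
+resource "aws_ssoadmin_permission_set" "this" {
+for_each = local.permission_set_map
+name = each.key
+description = each.value.description
+instance_arn = local.sso_instance_arn
+relay_state = each.value.relay_state != "" ? each.value.relay_state : null
+session_duration = each.value.session_duration != "" ? each.value.session_duration : null
+tags = each.value.tags != "" ? each.value.tags : null
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+for_each = local.inline_policies_map
+inline_policy = each.value
+instance_arn = local.sso_instance_arn
+permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+for_each = local.managed_policy_attachments_map
+instance_arn = local.sso_instance_arn
+managed_policy_arn = each.value.policy_arn
+permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+}
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+for_each = local.customer_managed_policy_attachments_map
+instance_arn = local.sso_instance_arn
+permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+customer_managed_policy_reference {
+name = each.value.policy_name
+path = coalesce(each.value.policy_path, "/")
+}
+}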
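Review bot: The `tags` fallback in `aws_ssoadmin_permission_set.this` compares a map against an empty string; variables.tf in this PR declares `tags = map(string)`, and to my recollection a `!=` between values of different types is simply always true in Terraform, so the `null` branch is dead and the line reduces to `tags = each.value.tags`. If the intent is "omit when empty", `tags = length(each.value.tags) > 0 ? each.value.tags : null` says so explicitly. `inline_policy = each.value` passes the caller's policy document through untouched, so a malformed document is only rejected at apply time by the API; a `can(jsondecode(...))` validation on the `permission_sets` variable would surface that at plan time. `coalesce(each.value.policy_path, "/")` duplicates the `optional(string, "/")` default already set on `path` in variables.tf and can be reduced to `path = each.value.policy_path`.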
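--- a/modules/iam_identity_center/variables.tf
+++ b/modules/iam_identity_center/variables.tf
@@ -0,0 +1,21 @@
+variable "aws_account" {
+description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
+}
+
+variable "permission_sets" {
+type = list(object({
+name = string
+description = string
+relay_state = string
+session_duration = string
+tags = map(string)
+inline_policy = string
+policy_attachments = list(string)
+customer_managed_policy_attachments = list(object({
+name = string
+path = optional(string, "/")
+}))
+}))
+
+default = []
+}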
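Review bot: `aws_account` is declared without a `type` and is not referenced anywhere in the main.tf this PR adds, so a missing or malformed value is never checked by this module. Adding `type = string` together with a `validation` block whose condition is `can(regex("^[0-9]{12}$", var.aws_account))` pins it to a twelve-digit account id at plan time, or the variable should be removed if the module does not use it. The object fields `relay_state`, `session_duration`, `tags` and `inline_policy` are required even though main.tf treats an empty string as "not set"; declaring them `optional(string)` (and `optional(map(string), {})` for `tags`) lets callers omit them and removes the need for the empty-string fallbacks. A `validation` block on `permission_sets` checking `alltrue([for ps in var.permission_sets : ps.inline_policy == "" || can(jsondecode(ps.inline_policy))])` would reject malformed inline policy documents before they reach the API.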
Empty file added users.tf
Empty file.