initial commit

aws-sso/locals.tf

@@ -0,0 +1,15 @@
+data "aws_caller_identity" "this" {}
+
+locals {
+  default-tags = merge({
+    ServiceProvider = "None"
+    Environment     = var.environment
+    Project         = var.project
+    Application     = var.application
+    TerraformMode   = "managed"
+    TerraformDir    = trimprefix(path.cwd, "/my/work/xpk-git/")
+    CreatedBy       = data.aws_caller_identity.this.arn
+    BuildDate       = formatdate("YYYYMMDD", timestamp())
+  })
+  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}

aws-sso/main.tf

@@ -0,0 +1,28 @@
+module sso {
+source = "../../modules/security_identity_compliance/sso-permissionsets"
+
+  for_each = { for item in local.items : item.name => item }
+
+  default-tags            = local.default-tags
+  pset-name               = each.value.name
+  pset-desc               = each.value.desc
+  pset-managed-policy-arn = each.value.mpolicy
+  pset-session-duration   = each.value.session
+
+}
+
+locals {
+  csv_data = <<-CSV
+    name,desc,mpolicy,session
+    ViewOnly,View only access,arn:aws:iam::aws:policy/job-function/ViewOnlyAccess,PT4H
+    ReadOnly,Read only access,arn:aws:iam::aws:policy/ReadOnlyAccess,PT4H
+    FullAccess,Full admin access,arn:aws:iam::aws:policy/AdministratorAccess,PT4H
+    NetworkAdmin,Network admin access,arn:aws:iam::aws:policy/job-function/NetworkAdministrator,PT4H
+    DatabaseAdmin,Database admin access,arn:aws:iam::aws:policy/job-function/DatabaseAdministrator,PT4H
+    BillingAdmin,Billing admin access,arn:aws:iam::aws:policy/job-function/Billing,PT4H
+    SecurityAudit,Security admin access,arn:aws:iam::aws:policy/SecurityAudit,PT4H
+    PowerUser,Full access excluding IAM,arn:aws:iam::aws:policy/PowerUserAccess,PT4H
+  CSV
+
+  items = csvdecode(local.csv_data)
+}

aws-sso/provider.tf

@@ -0,0 +1,13 @@
+provider "aws" {
+  region = var.aws-region
+}
+
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.25"
+    }
+  }
+}

aws-sso/sso-users.tf

@@ -0,0 +1,64 @@
+data "aws_ssoadmin_instances" "sso1" {}
+
+locals {
+  csv_data2 = <<-CSV
+    username,email,lastName,firstName
+    user1,user1@acme.local,Doe,John
+    user2,user2@acme.local,Smith,Jane
+  CSV
+
+  users = csvdecode(local.csv_data2)
+}
+
+resource "aws_identitystore_user" "sso-user" {
+  for_each = { for item in local.users : item.username => item }
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  display_name      = "${each.value.firstName} ${each.value.lastName}"
+  user_name         = each.value.username
+  nickname          = each.value.username
+  emails {
+    primary = true
+    value   = each.value.email
+  }
+
+  name {
+    family_name = each.value.lastName
+    given_name  = each.value.firstName
+  }
+}
+
+resource "aws_identitystore_group" "sso-group" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  display_name      = "Viewers"
+  description       = "Users with view permission"
+}
+
+resource "aws_identitystore_group_membership" "sso-group-membership" {
+  for_each = aws_identitystore_user.sso-user
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.sso-group.group_id
+  member_id         = each.value.user_id
+}
+
+locals {
+  csv_data3 = <<-CSV
+    seq,groupName,permission,accountId
+    1,Viewers,ViewOnly,865184416664
+    2,Viewers,ViewOnly,572802010687
+  CSV
+
+  accounts = csvdecode(local.csv_data3)
+}
+
+resource "aws_ssoadmin_account_assignment" "pset-assignment" {
+  for_each = { for item in local.accounts : item.seq => item }
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  permission_set_arn = module.sso[each.value.permission].pset-arn
+
+  principal_id   = aws_identitystore_group.sso-group.group_id
+  principal_type = "GROUP"
+
+  target_id   = each.value.accountId
+  target_type = "AWS_ACCOUNT"
+}

aws-sso/terraform.tfvars

@@ -0,0 +1,7 @@
+aws-region       = "ap-east-1"
+aws-region-short = "ape1"
+customer-name    = "acme"
+environment      = "preview"
+project          = "security"
+application      = "sso"
+

aws-sso/variables.tf

@@ -0,0 +1,6 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}