initial commit
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
# SSO permission set module
|
||||
|
||||
## Root module example
|
||||
```
|
||||
module sso {
|
||||
source = "../modules/sso"
|
||||
|
||||
for_each = { for item in local.items : item.name => item }
|
||||
|
||||
default-tags = local.default-tags
|
||||
pset-name = each.value.name
|
||||
pset-desc = each.value.desc
|
||||
pset-managed-policy-arn = each.value.mpolicy
|
||||
pset-session-duration = each.value.session
|
||||
|
||||
}
|
||||
|
||||
locals {
|
||||
csv_data = <<-CSV
|
||||
name,desc,mpolicy,session
|
||||
ViewOnly,View only access,arn:aws:iam::aws:policy/job-function/ViewOnlyAccess,PT4H
|
||||
ReadOnly,Read only access,arn:aws:iam::aws:policy/ReadOnlyAccess,PT4H
|
||||
FullAccess,Full admin access,arn:aws:iam::aws:policy/AdministratorAccess,PT4H
|
||||
NetworkAdmin,Network admin access,arn:aws:iam::aws:policy/job-function/NetworkAdministrator,PT4H
|
||||
DatabaseAdmin,Database admin access,arn:aws:iam::aws:policy/job-function/DatabaseAdministrator,PT4H
|
||||
BillingAdmin,Billing admin access,arn:aws:iam::aws:policy/job-function/Billing,PT4H
|
||||
SecurityAudit,Security admin access,arn:aws:iam::aws:policy/SecurityAudit,PT4H
|
||||
PowerUser,Full access excluding IAM,arn:aws:iam::aws:policy/PowerUserAccess,PT4H
|
||||
CSV
|
||||
|
||||
items = csvdecode(local.csv_data)
|
||||
}
|
||||
```
|
||||
@@ -0,0 +1,25 @@
|
||||
data "aws_ssoadmin_instances" "sso1" {}
|
||||
|
||||
resource "aws_ssoadmin_permission_set" "pset" {
|
||||
name = var.pset-name
|
||||
description = var.pset-desc
|
||||
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
|
||||
session_duration = var.pset-session-duration
|
||||
tags = var.default-tags
|
||||
}
|
||||
|
||||
resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
|
||||
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
|
||||
managed_policy_arn = var.pset-managed-policy-arn
|
||||
permission_set_arn = aws_ssoadmin_permission_set.pset.arn
|
||||
}
|
||||
|
||||
# use inline policy for additional permissions. aws sso will populate this policy to target accounts
|
||||
# automatically. customer managed policies, on the other hand, needs to be created manually in the target accounts.
|
||||
resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
|
||||
count = length(var.inline-policy-json) > 0 ? 1 : 0
|
||||
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
|
||||
permission_set_arn = aws_ssoadmin_permission_set.pset.arn
|
||||
inline_policy = var.inline-policy-json
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
output pset-name {
|
||||
value = aws_ssoadmin_permission_set.pset.name
|
||||
}
|
||||
|
||||
output pset-arn {
|
||||
value = aws_ssoadmin_permission_set.pset.arn
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
variable pset-name {}
|
||||
variable pset-desc {}
|
||||
variable pset-session-duration {}
|
||||
variable default-tags {}
|
||||
variable pset-managed-policy-arn {}
|
||||
variable inline-policy-json {}
|
||||
Reference in New Issue
Block a user