initial commit

modules/security_identity_compliance/sso-permissionsets/main.tf

@@ -0,0 +1,25 @@
+data "aws_ssoadmin_instances" "sso1" {}
+
+resource "aws_ssoadmin_permission_set" "pset" {
+  name             = var.pset-name
+  description      = var.pset-desc
+  instance_arn     = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  session_duration = var.pset-session-duration
+  tags             = var.default-tags
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  managed_policy_arn = var.pset-managed-policy-arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+}
+
+# use inline policy for additional permissions. aws sso will populate this policy to target accounts
+# automatically. customer managed policies, on the other hand, needs to be created manually in the target accounts.
+resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
+  count              = length(var.inline-policy-json) > 0 ? 1 : 0
+  instance_arn       = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+  inline_policy      = var.inline-policy-json
+}
+