📦 NEW: initial commit

mhmdio · mhmdio · commit d0f017a5b3b2 · 2021-01-15T09:05:36.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,65 @@
+
+# Created by https://www.gitignore.io/api/macos,terraform
+# Edit at https://www.gitignore.io/?templates=macos,terraform
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Terraform ###
+.terraform.lock.hcl
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# End of https://www.gitignore.io/api/macos,terraform
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## V0.1.0
+
+Initial release.
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>
diff --git a/README.md b/README.md
@@ -0,0 +1,7 @@
+# terraform-aws-sso
+
+## Requirements/Assumptions
+
+- AWS ORG created, with SSO enabled.
+- AWS SSO enabled in target Account.
+- AWS SSO Group is created.
diff --git a/data.tf b/data.tf
@@ -0,0 +1,16 @@
+data "aws_organizations_organization" "this" {}
+
+data "aws_ssoadmin_instances" "this" {}
+
+data "aws_identitystore_group" "this" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  filter {
+    attribute_path  = "DisplayName"
+    attribute_value = var.group_display_name
+  }
+}
+
+# Future use
+# data "aws_identitystore_user" "this" {
+#
+# }
diff --git a/examples/simple/README.md b/examples/simple/README.md
@@ -0,0 +1,17 @@
+# Simple AWS SSO Permission Set
+
+This example will create an SSO Permission Set, attach managed policy and existing Group to target account.
+
+## How to apply
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## How to destroy
+
+```bash
+terraform destroy
+```
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -0,0 +1,21 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+module "permission_set" {
+  source = "../../"
+
+  name               = "DevAdmins"
+  description        = "DevAdmins permission set"
+  group_display_name = "Developers"
+  session_duration   = "PT2H"
+  target_id          = "123456789000"
+  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+
+  tags = {
+    Just_For_Testing = "True"
+    Remove_Me        = "Please"
+  }
+}
+
+
diff --git a/main.tf b/main.tf
@@ -0,0 +1,31 @@
+resource "aws_ssoadmin_account_assignment" "this" {
+  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+  principal_id       = data.aws_identitystore_group.this.group_id
+  principal_type     = "GROUP"
+  target_type        = "AWS_ACCOUNT"
+  target_id          = var.target_id
+}
+
+resource "aws_ssoadmin_permission_set" "this" {
+  name             = var.name
+  description      = var.description
+  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  relay_state      = var.relay_state
+  session_duration = var.session_duration
+  tags             = var.tags
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+  managed_policy_arn = var.managed_policy_arn
+}
+
+
+# Future use
+# resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+#   inline_policy      = var.inline_policy
+#   instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+#   permission_set_arn = aws_ssoadmin_permission_set.this.arn
+# }
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,15 @@
+output "account_names" {
+  value = data.aws_organizations_organization.this.accounts[*].name
+}
+
+output "account_ids" {
+  value = data.aws_organizations_organization.this.accounts[*].id
+}
+
+output "ssoadmin_instance_arn" {
+  value = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+}
+
+output "identity_store_id" {
+  value = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,48 @@
+variable "group_display_name" {
+  type        = string
+  description = "The group's display name value"
+}
+
+variable "name" {
+  type        = string
+  description = "(Required, Forces new resource) The name of the Permission Set."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "(Optional) Key-value map of resource tags."
+  default = {
+    Terraform = "Yes"
+  }
+}
+variable "description" {
+  type        = string
+  default     = ""
+  description = "(Optional) The description of the Permission Set."
+}
+variable "relay_state" {
+  type        = string
+  default     = null
+  description = "(Optional) The relay state URL used to redirect users within the application during the federation authentication process."
+}
+variable "session_duration" {
+  type        = string
+  default     = "PT1H"
+  description = "(Optional) The length of time that the application user sessions are valid in the ISO-8601 standard. Default: PT1H."
+}
+
+variable "target_id" {
+  type        = string
+  description = "(Required, Forces new resource) An AWS account identifier, typically a 10-12 digit string."
+}
+
+variable "managed_policy_arn" {
+  type        = string
+  description = "describe your variable"
+}
+
+# future use
+# variable "inline_policy" {
+#   type        = any
+#   description = "describe your variable"
+# }
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = ">= 0.14.0"
+
+  required_providers {
+    aws = ">= 3.24.0"
+  }
+}
