
fix
hacker65536 committed May 20, 2024
1 parent 620b386 commit 00a6ffa
Showing 5 changed files with 56 additions and 41 deletions.
19 changes: 19 additions & 0 deletions .header.md
Expand Up @@ -78,6 +78,25 @@ module "aws-iam-identity-center" {
aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
tags = { ManagedBy = "Terraform" }
},
CustomPermissionAccess = {
description = "Provides CustomPoweruser permissions.",
session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
aws_managed_policies = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
inline_policy = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
permissions_boundary = {
// either managed_policy_arn or customer_managed_policy_reference
// managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
customer_managed_policy_reference = {
name = "ExamplePermissionsBoundaryPolicy"
// path = "/"
}
}
tags = { ManagedBy = "Terraform" }
},
}
// Assign users/groups access to accounts with the specified permissions
21 changes: 21 additions & 0 deletions README.md
Expand Up @@ -79,6 +79,25 @@ module "aws-iam-identity-center" {
aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
tags = { ManagedBy = "Terraform" }
},
CustomPermissionAccess = {
description = "Provides CustomPoweruser permissions.",
session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
aws_managed_policies = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
inline_policy = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
permissions_boundary = {
// either managed_policy_arn or customer_managed_policy_reference
// managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
customer_managed_policy_reference = {
name = "ExamplePermissionsBoundaryPolicy"
// path = "/"
}
}
tags = { ManagedBy = "Terraform" }
},
}
// Assign users/groups access to accounts with the specified permissions
Expand Down Expand Up @@ -140,6 +159,8 @@ No modules.
| [aws_ssoadmin_managed_policy_attachment.pset_aws_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
| [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
| [aws_ssoadmin_permission_set_inline_policy.pset_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_customer_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
| [aws_identitystore_group.existing_sso_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
| [aws_identitystore_group.identity_store_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
| [aws_identitystore_user.existing_sso_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
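--- a/locals.tf
+++ b/locals.tf
@@ -83,7 +83,9 @@ locals {
 for pset_name, pset_index in local.permissions_boundary_aws_managed_permission_sets : [
 {
 pset_name = pset_name
-boundary = pset_index.permissions_boundary.managed_policy_arn
+boundary = {
+managed_policy_arn = pset_index.permissions_boundary.managed_policy_arn
+}
 }
 ]
 ])
@@ -92,7 +94,12 @@ locals {
 for pset_name, pset_index in local.permissions_boundary_customer_managed_permission_sets : [
 {
 pset_name = pset_name
-boundary = pset_index.permissions_boundary.customer_managed_policy_reference
+boundary = {
+customer_managed_policy_reference = pset_index.permissions_boundary.customer_managed_policy_reference
+}
+
+
+
 }
 ]
 ])
@@ -104,14 +111,13 @@ locals {
 locals {
 
 accounts_non_master_ids_maps = {
-for idx, account in data.aws_organizations_organization.organization.non_master_accounts :
-account.name => account.id
+for idx, account in data.aws_organizations_organization.organization.non_master_accounts : account.name => account.id
 // if account.status == "ACTIVE" && can(data.aws_organizations_organization.organization.non_master_accounts)
 }
 accounts_ids_maps = merge(
 {
 // require terraform-provider-aws v5.46.0
-"${data.aws_organizations_organization.organization.master_account_name}" = "${data.aws_organizations_organization.organization.master_account_id}"
+(data.aws_organizations_organization.organization.master_account_name) = (data.aws_organizations_organization.organization.master_account_id)
 },
 local.accounts_non_master_ids_maps
 )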
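Review bot: The three blank lines added inside the object literal in the second hunk (right after the closing brace of the new `boundary = { ... }` block) are stray and should be dropped so the customer-managed local reads in parallel with the aws-managed one above it. Both locals now read `pset_index.permissions_boundary.managed_policy_arn` and `pset_index.permissions_boundary.customer_managed_policy_reference` without a `can()`/`try()` guard, which presumably relies on the upstream `local.permissions_boundary_*_permission_sets` filters (outside this hunk) having already selected only permission sets that carry that key; if so, an element missing the key fails the plan here rather than being silently dropped, which is the safer outcome for a permissions boundary and deserves a one-line comment such as `// unguarded on purpose: a malformed boundary must fail the plan, not silently skip the attachment`. The enclosing `locals` blocks start and end outside the hunks.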
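--- a/main.tf
+++ b/main.tf
@@ -197,25 +197,25 @@ resource "aws_ssoadmin_permission_set_inline_policy" "pset_inline_policy" {
 
 # - Permissions Boundary -
 resource "aws_ssoadmin_permissions_boundary_attachment" "pset_permissions_boundary_aws_managed" {
-for_each = { for pset in local.pset_permissions_boundary_aws_managed_maps : pset.pset_name => pset if can(pset.boundary) }
+for_each = { for pset in local.pset_permissions_boundary_aws_managed_maps : pset.pset_name => pset if can(pset.boundary.managed_policy_arn) }
 
 instance_arn = local.ssoadmin_instance_arn
 permission_set_arn = aws_ssoadmin_permission_set.pset[each.key].arn
 permissions_boundary {
-managed_policy_arn = each.value.boundary
+managed_policy_arn = each.value.boundary.managed_policy_arn
 
 }
 }
 
 resource "aws_ssoadmin_permissions_boundary_attachment" "pset_permissions_boundary_customer_managed" {
-for_each = { for pset in local.pset_permissions_boundary_customer_managed_maps : pset.pset_name => pset if can(pset.boundary) }
+for_each = { for pset in local.pset_permissions_boundary_customer_managed_maps : pset.pset_name => pset if can(pset.boundary.customer_managed_policy_reference) }
 
 instance_arn = local.ssoadmin_instance_arn
 permission_set_arn = aws_ssoadmin_permission_set.pset[each.key].arn
 permissions_boundary {
 customer_managed_policy_reference {
-name = each.value.boundary
-path = "/"
+name = each.value.boundary.customer_managed_policy_reference.name
+path = can(each.value.boundary.customer_managed_policy_reference.path) ? each.value.boundary.customer_managed_policy_reference.path : "/"
 }
 
 }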
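Review bot: The `if can(pset.boundary.managed_policy_arn)` and `if can(pset.boundary.customer_managed_policy_reference)` filters on the two `for_each` lines look vacuous after this commit: locals.tf now constructs `pset.boundary` as an object that always carries exactly that key, so `can()` is true for every element and the clause never filters anything. If the intent is to skip a null value rather than an absent attribute, the test should be on the value, e.g. `if pset.boundary.managed_policy_arn != null`; otherwise drop the clause, because a silent filter on a boundary attachment is the one place where an element quietly falling out leaves a permission set with no boundary at all, and a hard failure in the local is preferable to that. The `path` default can be written as `path = try(each.value.boundary.customer_managed_policy_reference.path, "/")`, which covers the absent-attribute case in a single call and reads more clearly than the `can() ? :` form.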
31 changes: 0 additions & 31 deletions outputs.tf
Expand Up @@ -14,34 +14,3 @@ output "sso_groups_ids" {
value = { for k, v in aws_identitystore_group.sso_groups : k => v.group_id }
description = "A map of SSO groups ids created by this module"
}



output "principals_and_their_account_assignments" {
value = local.principals_and_their_account_assignments
description = "Map of principals and their account assignments"

}
/* debug output
output "accounts_ids_maps" {
value = local.accounts_ids_maps
description = "A map of account ids"
}
output "pset_inline_policy_maps" {
value = local.pset_inline_policy_maps
description = "A map of inline policies for permission sets"
}
output "pset_permissions_boundary_aws_managed_maps" {
value = local.pset_permissions_boundary_aws_managed_maps
description = "A map of permissions boundary for permission"
}
output "pset_permissions_boundary_customer_managed_maps" {
value = local.pset_permissions_boundary_customer_managed_maps
description = "A map of permissions boundary for permission"
}
*/
