From 00a6ffa7bfcf2b1d490ed889f856d36f7b88c32a Mon Sep 17 00:00:00 2001
From: hacker65536
Date: Mon, 20 May 2024 16:28:03 +0900
Subject: [PATCH] fix
---
 .header.md | 19 +++++++++++++++++++
 README.md | 21 +++++++++++++++++++++
 locals.tf | 16 +++++++++++-----
 main.tf | 10 +++++-----
 outputs.tf | 31 -------------------------------
 5 files changed, 56 insertions(+), 41 deletions(-)
diff --git a/.header.md b/.header.md
index bf7c0fe..e930a20 100644
--- a/.header.md
+++ b/.header.md
@@ -78,6 +78,25 @@ module "aws-iam-identity-center" {
 aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
 tags = { ManagedBy = "Terraform" }
 },
+ CustomPermissionAccess = {
+ description = "Provides CustomPoweruser permissions.",
+ session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
+ aws_managed_policies = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess",
+ "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+ ]
+ inline_policy = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
+ permissions_boundary = {
+ // either managed_policy_arn or customer_managed_policy_reference
+
+ // managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+ customer_managed_policy_reference = {
+ name = "ExamplePermissionsBoundaryPolicy"
+ // path = "/"
+ }
+ }
+ tags = { ManagedBy = "Terraform" }
+ },
 }
 // Assign users/groups access to accounts with the specified permissions
diff --git a/README.md b/README.md
index 44f1e17..2f757ab 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,25 @@ module "aws-iam-identity-center" {
 aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
 tags = { ManagedBy = "Terraform" }
 },
+ CustomPermissionAccess = {
+ description = "Provides CustomPoweruser permissions.",
+ session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
+ aws_managed_policies = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess",
+ "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+ ]
+ inline_policy = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
+ permissions_boundary = {
+ // either managed_policy_arn or customer_managed_policy_reference
+
+ // managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+ customer_managed_policy_reference = {
+ name = "ExamplePermissionsBoundaryPolicy"
+ // path = "/"
+ }
+ }
+ tags = { ManagedBy = "Terraform" }
+ },
 }
 // Assign users/groups access to accounts with the specified permissions
@@ -140,6 +159,8 @@ No modules.
 | [aws_ssoadmin_managed_policy_attachment.pset_aws_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
 | [aws_ssoadmin_permission_set_inline_policy.pset_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
+| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_customer_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
 | [aws_identitystore_group.existing_sso_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_group.identity_store_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_user.existing_sso_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
diff --git a/locals.tf b/locals.tf
index a5918e2..ea86914 100644
--- a/locals.tf
+++ b/locals.tf
@@ -83,7 +83,9 @@ locals {
 for pset_name, pset_index in local.permissions_boundary_aws_managed_permission_sets : [
 {
 pset_name = pset_name
- boundary = pset_index.permissions_boundary.managed_policy_arn
+ boundary = {
+ managed_policy_arn = pset_index.permissions_boundary.managed_policy_arn
+ }
 }
 ]
 ])
@@ -92,7 +94,12 @@ locals {
 for pset_name, pset_index in local.permissions_boundary_customer_managed_permission_sets : [
 {
 pset_name = pset_name
- boundary = pset_index.permissions_boundary.customer_managed_policy_reference
+ boundary = {
+ customer_managed_policy_reference = pset_index.permissions_boundary.customer_managed_policy_reference
+ }
+
+
+
 }
 ]
 ])
@@ -104,14 +111,13 @@ locals {
 locals {
 accounts_non_master_ids_maps = {
- for idx, account in data.aws_organizations_organization.organization.non_master_accounts :
- account.name => account.id
+ for idx, account in data.aws_organizations_organization.organization.non_master_accounts : account.name => account.id
 // if account.status == "ACTIVE" && can(data.aws_organizations_organization.organization.non_master_accounts)
 }
 accounts_ids_maps = merge(
 {
 // require terraform-provider-aws v5.46.0
- "${data.aws_organizations_organization.organization.master_account_name}" = "${data.aws_organizations_organization.organization.master_account_id}"
+ (data.aws_organizations_organization.organization.master_account_name) = (data.aws_organizations_organization.organization.master_account_id)
 },
 local.accounts_non_master_ids_maps
 )
diff --git a/main.tf b/main.tf
index d8eeef7..461cc6a 100644
--- a/main.tf
+++ b/main.tf
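Review bot: The three blank lines added after the closing brace of `boundary` in the customer-managed map are stray whitespace inside an object literal; `terraform fmt` would collapse them, and the parallel aws-managed map in the previous hunk adds none, so dropping them keeps the two locals consistent. The enclosing `locals` block starts and ends outside the hunk.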
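Review bot: `merge(...)` on the last lines of the hunk silently lets `local.accounts_non_master_ids_maps` overwrite the management-account entry whenever a member account carries the same name as the management account, so an assignment keyed by that name would land in the member account instead of the management account; account names are, as far as I know, not enforced unique within an organization, so a `check` block or a `lifecycle { precondition }` on the resources that consume `local.accounts_ids_maps`, asserting `!contains(keys(local.accounts_non_master_ids_maps), data.aws_organizations_organization.organization.master_account_name)`, would turn the collision into a plan-time failure instead of a misrouted grant. Two member accounts sharing a name already fail the added `for` comprehension with a duplicate-key error, which is the safer outcome but deserves a short comment next to the commented-out `// if account.status` filter. `idx` in that comprehension is unused; `for account in data.aws_organizations_organization.organization.non_master_accounts : account.name => account.id` reads cleaner. The enclosing `locals` block ends outside the hunk.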
@@ -197,25 +197,25 @@ resource "aws_ssoadmin_permission_set_inline_policy" "pset_inline_policy" {
 # - Permissions Boundary -
 resource "aws_ssoadmin_permissions_boundary_attachment" "pset_permissions_boundary_aws_managed" {
- for_each = { for pset in local.pset_permissions_boundary_aws_managed_maps : pset.pset_name => pset if can(pset.boundary) }
+ for_each = { for pset in local.pset_permissions_boundary_aws_managed_maps : pset.pset_name => pset if can(pset.boundary.managed_policy_arn) }
 instance_arn = local.ssoadmin_instance_arn
 permission_set_arn = aws_ssoadmin_permission_set.pset[each.key].arn
 permissions_boundary {
- managed_policy_arn = each.value.boundary
+ managed_policy_arn = each.value.boundary.managed_policy_arn
 }
 }
 resource "aws_ssoadmin_permissions_boundary_attachment" "pset_permissions_boundary_customer_managed" {
- for_each = { for pset in local.pset_permissions_boundary_customer_managed_maps : pset.pset_name => pset if can(pset.boundary) }
+ for_each = { for pset in local.pset_permissions_boundary_customer_managed_maps : pset.pset_name => pset if can(pset.boundary.customer_managed_policy_reference) }
 instance_arn = local.ssoadmin_instance_arn
 permission_set_arn = aws_ssoadmin_permission_set.pset[each.key].arn
 permissions_boundary {
 customer_managed_policy_reference {
- name = each.value.boundary
- path = "/"
+ name = each.value.boundary.customer_managed_policy_reference.name
+ path = can(each.value.boundary.customer_managed_policy_reference.path) ? each.value.boundary.customer_managed_policy_reference.path : "/"
 }
 }
diff --git a/outputs.tf b/outputs.tf
index 828f3ca..234989c 100644
--- a/outputs.tf
+++ b/outputs.tf
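Review bot: The `path` fallback on the last added line, `can(x.path) ? x.path : "/"`, evaluates the same attribute twice; `path = try(each.value.boundary.customer_managed_policy_reference.path, "/")` expresses the same default in one call and is the idiomatic form. The `if can(pset.boundary.managed_policy_arn)` and `if can(pset.boundary.customer_managed_policy_reference)` filters on the two `for_each` lines are probably no-ops now: with the matching locals.tf change `boundary` is always an object that carries exactly that key, and `can()` only returns false on an evaluation error, so it stays true even when the value is null and any real filtering must already happen where `local.permissions_boundary_*_permission_sets` is built, outside this diff. If that is the intent, a comment on each `for_each` such as `# filtering by boundary type happens in locals.tf; can() only guards against a missing key` would save the next reader a trip; otherwise `if pset.boundary.managed_policy_arn != null` is the check that still does work. The closing brace of the second resource lies outside the hunk.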
@@ -14,34 +14,3 @@ output "sso_groups_ids" {
 value = { for k, v in aws_identitystore_group.sso_groups : k => v.group_id }
 description = "A map of SSO groups ids created by this module"
 }
-
-
-
-output "principals_and_their_account_assignments" {
- value = local.principals_and_their_account_assignments
- description = "Map of principals and their account assignments"
- }
-/* debug output
-output "accounts_ids_maps" {
- value = local.accounts_ids_maps
- description = "A map of account ids"
-}
-
-output "pset_inline_policy_maps" {
- value = local.pset_inline_policy_maps
- description = "A map of inline policies for permission sets"
- }
-
-output "pset_permissions_boundary_aws_managed_maps" {
- value = local.pset_permissions_boundary_aws_managed_maps
- description = "A map of permissions boundary for permission"
-}
-
-output "pset_permissions_boundary_customer_managed_maps" {
- value = local.pset_permissions_boundary_customer_managed_maps
- description = "A map of permissions boundary for permission"
-}
-
-*/