support inline_policy and permissions boundary

[hacker65536]

This module looks great and I would love to use it.
I have modified the code a bit and would be happy to review it if you would like.

[mbuotidem]

This is a much needed addition due to the inherent difficulty of using customer managed policies.

[matiasbertani]

This would be a great feature to have.

[novekm]

/do-e2e-tests

[aws-ia-automator-prod]

End to end test has been scheduled

[aws-ia-automator-prod]

E2E tests in progress

[aws-ia-automator-prod]

E2E tests completed successfully

[hacker65536]

@novekm
I have updated files to support inline policy and permissions boundary.
Please review this when you have time.

[novekm]

Hi there - initially I went down the path of adding support for inline policies, however stopped as it's not an AWS best practice. It's recommended to use AWS Managed Policies, or Customer Managed policies where possible see this doc for more info on this. However, I acknowledge the current limitation with IAM IdC that the customer managed policy must exist in each account before you can actually use it outlined in this answer on AWS re:Post.

Unfortunately, there isn't a simple native way to deploy a Terraform configuration to multiple accounts, regions, etc. at once (something like CloudFormation StackSets). This means that with the current functionality of the module, you would need to first provision the customer managed policy in each account before referencing it in the module. Terraform Stacks seems to be something that will aid in these type of use cases once GA.

In the meantime, I'll review the PR for adding support for inline policies when I get some time

[novekm]

@hacker65536 I see you have been doing a few additional commits to the PR. Let me know when it is ready for review

[hacker65536]

@novekm
I have done some testing with the following code. It seems to work fine.
Please review it when you have time.

example code

data "aws_organizations_organization" "org" {}
data "aws_iam_policy_document" "restrictAccessInlinePolicy" {
  statement {
    sid = "Restrict"
    actions = [
      "*",
    ]
    effect = "Deny"
    resources = [
      "*",
    ]
    condition {
      test     = "NotIpAddress"
      variable = "aws:SourceIp"
      values = [
        // replace with your own IP address
        "0.0.0.0/0",
      ]
    }
    condition {
      test     = "Bool"
      variable = "aws:ViaAWSService"
      values = [
        "false"
      ]
    }
    condition {
      test     = "StringNotLike"
      variable = "aws:userAgent"
      values = [
        "*exec-env/CloudShell*"
      ]
    }
  }
}

locals {
  active_accounts = [for a in data.aws_organizations_organization.org.accounts : a if a.status == "ACTIVE"]
  tags = {
    "Owner" = "SRE Team"
  }
}


module "aws-iam-identity-center" {
  //source = "aws-ia/iam-identity-center/aws"
  //source = "./terraform-aws-iam-identity-center"
  source = "git::https://github.com/hacker65536/terraform-aws-iam-identity-center?ref=4a55c75"


  sso_groups = {
    // sections 
    SectionSre : {
      group_name        = "SectionSre"
      group_description = "Section SRE"
    }
  }
  sso_users = {
    testuser1 : {
      group_membership = ["SectionSre", "AWSControlTowerAdmins"]
      user_name        = "testuser1"
      given_name       = "aaa"
      family_name      = "bbb"
      email            = "[email protected]"
    }
  }

  permission_sets = {

    AdministratorAccess = {
      description          = "Provides full access to AWS services and resources",
      session_duration     = "PT3H",
      aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
      inline_policy        = data.aws_iam_policy_document.restrictAccessInlinePolicy.json
      tags                 = local.tags
    },
    PowerUserAccess = {
      description          = "Provides full access to AWS services and resources, but does not allow management of Users and groups",
      session_duration     = "PT3H",
      aws_managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
      //inline_policy        = data.aws_iam_policy_document.restrictAccessInlinePolicy.json
      tags = local.tags
    },
    ViewOnlyAccess = {
      description          = "This policy grants permissions to view resources and basic metadata across all AWS services",
      session_duration     = "PT3H",
      aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
      //inline_policy        = data.aws_iam_policy_document.restrictAccessInlinePolicy.json
      managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
      permissions_boundary = {
        managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
        /*
        customer_managed_policy_reference = {
          name = "existing_policy_name"
          path = "/service-role/"
        }
        */
      }
      tags = local.tags
    },
    ReadOnlyAccess = {
      description          = "This policy grants permissions to view resources and basic metadata across all AWS services",
      session_duration     = "PT3H",
      aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
      //inline_policy        = data.aws_iam_policy_document.restrictAccessInlinePolicy.json
      managed_policy_arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
      tags               = local.tags
    },
  }
  account_assignments = {
    SectionSre : {
      principal_name = "SectionSre"
      principal_type = "GROUP"
      permission_sets = [
        "AdministratorAccess",
        "PowerUserAccess",
        "ViewOnlyAccess",
        // existing permission set
        "AWSAdministratorAccess",
      ]
      account_ids = [
        // replace with your own account id
        "111111111111",
        "222222222222",
      ]
      //account_ids     = toset(local.active_accounts[*].id)
    },
    testuser1 : {
      principal_name = "testuser1"
      principal_type = "USER"
      permission_sets = [
        "AdministratorAccess",
        "PowerUserAccess",
        "ViewOnlyAccess",
        // existing permission set
        "AWSAdministratorAccess",
      ]
      account_ids = [
        // replace with your own account id
        "111111111111",
      ]
    },

  }
}

[novekm]

Hi @hacker65536, I'm testing the PR and all seems to be well with the inline policy, however it's still mentioning the forced replacements as with the current version of the module. Is the same showing on your end? This is what I'm getting after adding an additional group:

# module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_AWSControlTowerAdmins"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
      ~ group_id          = "xx" # forces replacement -> (known after apply) # forces replacement
      ~ id                = "xx/xx" -> (known after apply)
      ~ membership_id     = "xx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_SectionSre"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
      ~ group_id          = "xx" # forces replacement -> (known after apply) # forces replacement
      ~ id                = "xx" -> (known after apply)
      ~ membership_id     = "xx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 3 to add, 0 to change, 2 to destroy.

[hacker65536]

Same situation.
Perhaps the problem can be solved.
Plz give me a moment.

[hacker65536]

@novekm
I've simplified references to resources defined within this module and to resources defined outside of this module.
How about this?

[novekm]

Hi @hacker65536, doing some testing today but initial tests look good. Will update later today