# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
# One IAM Identity Center permission set per entry of local.ps_definition.
# The map key is reused as the resource key so the policy/boundary/assignment
# resources below can address a set with aws_ssoadmin_permission_set.permission_set[key].
resource "aws_ssoadmin_permission_set" "permission_set" {
  for_each = local.ps_definition

  instance_arn = local.sso_instance_arn
  name         = each.value.Name
  description  = each.value.Description

  # Lifetime of the federated session; falls back to one hour when the
  # definition has no SessionDuration. A longer value widens the window in which
  # a leaked session token stays usable, so per-set overrides should be deliberate.
  session_duration = try(each.value.SessionDuration, "PT1H")

  # merge() lets the per-set Tags override module-wide var.tags on key collisions.
  tags = merge(var.tags, lookup(each.value, "Tags", {}))
}
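# Inline policy for every permission set whose definition carries a non-empty
# CustomPolicy. The value is serialised with jsonencode(), so CustomPolicy must
# already be an HCL map/object shaped like an IAM policy document (Version,
# Statement), not a pre-rendered JSON string.
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
  # Attach whenever CustomPolicy has at least one top-level key. The previous
  # threshold (> 1) silently skipped a document with a single top-level key --
  # e.g. only "Statement", since Version is optional in IAM policy JSON -- so the
  # set was provisioned without the policy its author wrote, including any
  # explicit Deny guardrails it contained. Empty/absent CustomPolicy is still skipped.
  for_each = { for k, v in local.ps_definition : k => v if length(lookup(v, "CustomPolicy", {})) > 0 }

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.key].arn
  inline_policy      = jsonencode(each.value.CustomPolicy)
}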
# AWS managed policy attachments. local.ps_managed_policies is expected to hold
# one entry per (permission set, managed policy ARN) pair; each entry names the
# permission-set key in .permission_set and the policy ARN in .managed_policy.
# NOTE(review): nothing here restricts which ARNs may be attached (e.g.
# AdministratorAccess) -- any allow-list of acceptable managed policies has to be
# enforced where local.ps_managed_policies is built, or via SCP.
resource "aws_ssoadmin_managed_policy_attachment" "managed_policy" {
  for_each = local.ps_managed_policies

  instance_arn       = local.sso_instance_arn
  managed_policy_arn = each.value.managed_policy
  permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value.permission_set].arn
}
# Customer managed policy attachments. Unlike the AWS managed variant above, a
# customer managed policy is referenced by name + path rather than by ARN, and
# Identity Center resolves that reference inside each target account when the
# permission set is provisioned -- so a policy with exactly this name must exist
# in every account the set is assigned to (presumably deployed out of band; confirm).
resource "aws_ssoadmin_customer_managed_policy_attachment" "customer_policy" {
  for_each = local.ps_customer_policies

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value.permission_set].arn

  customer_managed_policy_reference {
    name = each.value.customer_policy
    # Path is fixed to the root; policies created under a non-root IAM path
    # cannot be referenced through this module as written.
    path = "/"
  }
}
# Permissions boundary per permission set. Only entries of local.ps_boundaries
# that name a managed policy ARN or a customer managed policy are attached; an
# entry with both fields empty produces no boundary at all. The boundary caps
# the effective permissions of everything attached above (inline, managed,
# customer managed), which is why it is ordered before account assignment below.
resource "aws_ssoadmin_permissions_boundary_attachment" "boundary" {
for_each = { for k, v in local.ps_boundaries : k => v if v.managed_policy != "" || v.customer_policy != "" }
instance_arn = local.sso_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value.permission_set].arn
permissions_boundary {
# Empty string is mapped to null so the attribute is omitted rather than sent
# as an empty ARN.
managed_policy_arn = each.value.managed_policy == "" ? null : each.value.managed_policy
# Emitted at most once (the toset() holds zero or one name). Same name/path
# semantics as customer_policy above: resolved inside each target account.
# NOTE(review): an entry that sets BOTH managed_policy and customer_policy
# renders both arguments; the provider treats them as mutually exclusive, so
# this should fail at plan time rather than silently pick one -- confirm, or
# validate upstream where local.ps_boundaries is built.
dynamic "customer_managed_policy_reference" {
for_each = toset(each.value.customer_policy == "" ? [] : [each.value.customer_policy])
content {
name = customer_managed_policy_reference.value
path = "/"
}
}
}
}
# Account assignments: grants a principal (user or group) a permission set in a
# target account. One resource per entry of local.assignments, keyed by the
# concatenation of permission set, principal, principal type and account so the
# same principal can hold several sets or the same set in several accounts.
# (Keys are joined with "_"; a principal_id containing "_" could in principle
# collide with another entry -- unlikely, but worth knowing if keys look odd.)
resource "aws_ssoadmin_account_assignment" "assignment" {
for_each = { for assignment in local.assignments : "${assignment.permission_set}_${assignment.principal_id}_${assignment.principal_type}_${assignment.account_id}" => assignment }
# Explicit ordering so the permission set is fully built -- policies AND
# permissions boundary attached -- before it is provisioned into any account.
# Without this an assignment could be created against a set that does not yet
# carry its boundary or Deny statements, and would need re-provisioning later.
depends_on = [
aws_ssoadmin_permission_set.permission_set,
aws_ssoadmin_permission_set_inline_policy.inline_policy,
aws_ssoadmin_managed_policy_attachment.managed_policy,
aws_ssoadmin_customer_managed_policy_attachment.customer_policy,
aws_ssoadmin_permissions_boundary_attachment.boundary
]
instance_arn = local.sso_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value.permission_set].arn
# principal_id in the assignment entry is a lookup key into the Identity Store
# data sources (defined elsewhere in the module), not the raw store ID; the
# store ID is read from the matching data source here. Any value other than
# "GROUP" is treated as a user lookup.
principal_id = each.value.principal_type == "GROUP" ? data.aws_identitystore_group.sso[each.value.principal_id].id : data.aws_identitystore_user.sso[each.value.principal_id].id
principal_type = each.value.principal_type
target_id = each.value.account_id
# Only account targets are supported by this module.
target_type = "AWS_ACCOUNT"
}