feat: Support customer managed policy attachment
Mina Slater authored Feb 12, 2024
2 parents 8b5e6be + 91fe8a5 commit 4e94ad6
Showing 3 changed files with 38 additions and 7 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -70,6 +70,7 @@ No modules.
| Name | Type |
|------|------|
| [aws_ssoadmin_account_assignment.groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
Expand All @@ -83,7 +84,7 @@ No modules.
| <a name="input_account_ids"></a> [account\_ids](#input\_account\_ids) | Account ID for each account name referenced in an assignment | `map(string)` | n/a | yes |
| <a name="input_default_session_duration"></a> [default\_session\_duration](#input\_default\_session\_duration) | Session duration for permission sets without an explicit value | `string` | n/a | yes |
| <a name="input_group_assignments"></a> [group\_assignments](#input\_group\_assignments) | Permission sets to be assigned to each group and account | `map(map(list(string)))` | n/a | yes |
| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Permission sets which should be defined by this module | <pre>list(object({<br> description = string,<br> inline_policy = optional(string),<br> managed_policies = list(string),<br> name = string,<br> relay_state = optional(string),<br> session_duration = optional(string),<br> }))</pre> | n/a | yes |
| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Permission sets which should be defined by this module | <pre>list(object({<br> description = string,<br> inline_policy = optional(string),<br> managed_policies = optional(list(string), []),<br> customer_managed_policies = optional(list(string), []),<br> name = string,<br> relay_state = optional(string),<br> session_duration = optional(string),<br> }))</pre> | n/a | yes |

## Outputs

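Review bot: the new `customer_managed_policies` field in the Inputs row is documented by type only; nothing in the description tells callers that each entry must be the name of an IAM customer managed policy that already exists in every account the permission set is provisioned to (IAM Identity Center resolves customer managed policy references per account, and provisioning fails in any account where the policy is missing). Since this table looks like terraform-docs output, put that sentence in the `description` of `variable "permission_sets"` in variables.tf and regenerate, rather than hand-editing the table.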
29 changes: 29 additions & 0 deletions main.tf
Expand Up @@ -53,6 +53,23 @@ locals {
local.managed_policies[*].id,
local.managed_policies
)

customer_managed_policies = flatten([
for permission_set in var.permission_sets :
[
for policy in permission_set.customer_managed_policies :
{
id = join("/", [permission_set.name, policy])
permission_set_name = permission_set.name
policy_name = policy
}
]
])

customer_managed_policy_map = zipmap(
local.customer_managed_policies[*].id,
local.customer_managed_policies
)
}

resource "aws_ssoadmin_permission_set" "this" {
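Review bot: `id = join("/", [permission_set.name, policy])` relies on neither component containing "/"; that holds today because permission set names and IAM policy names are both restricted to `[\w+=,.@-]`, but it is worth a one-line comment so a later change to the key scheme (for example adding an IAM path, which does contain "/") does not silently create colliding keys. Note also that `zipmap` keeps the last value for a duplicated key, so listing the same policy twice under one permission set yields one attachment with no plan-time warning; wrapping the inner loop source in `distinct(permission_set.customer_managed_policies)` makes that de-duplication explicit. The shape otherwise mirrors the existing `managed_policies` local, which is good for consistency.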
Expand All @@ -73,6 +90,18 @@ resource "aws_ssoadmin_managed_policy_attachment" "this" {
permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set_name].arn
}

resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
for_each = local.customer_managed_policy_map

instance_arn = local.sso_instance
permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set_name].arn

customer_managed_policy_reference {
name = each.value.policy_name
path = "/"
}
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
for_each = local.inline_policy_map

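Review bot: `path = "/"` is hard-coded in `customer_managed_policy_reference`, so a customer managed policy created under any other IAM path cannot be referenced and the attachment will only fail at provisioning time in the target account. Either document that only root-path policies are supported, or extend the variable element to an object such as `{ name = string, path = optional(string, "/") }` and set `path = each.value.path` here, which keeps the current behaviour as the default.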
13 changes: 7 additions & 6 deletions variables.tf
Expand Up @@ -16,11 +16,12 @@ variable "group_assignments" {
variable "permission_sets" {
description = "Permission sets which should be defined by this module"
type = list(object({
description = string,
inline_policy = optional(string),
managed_policies = list(string),
name = string,
relay_state = optional(string),
session_duration = optional(string),
description = string,
inline_policy = optional(string),
managed_policies = optional(list(string), []),
customer_managed_policies = optional(list(string), []),
name = string,
relay_state = optional(string),
session_duration = optional(string),
}))
}
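Review bot: switching `managed_policies` from required to `optional(list(string), [])` is backward compatible for existing callers, which is fine. What is missing is a `validation` block on the variable: a misspelled entry in `customer_managed_policies` currently surfaces only when IAM Identity Center tries to provision the permission set, whereas a check along the lines of `alltrue([for ps in var.permission_sets : alltrue([for p in ps.customer_managed_policies : can(regex("^[\\w+=,.@-]{1,128}$", p))])])` rejects invalid IAM policy names at plan time.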
