feat: Add permission-sets sub module

ShivaniBanke · ShivaniBanke · commit 8f3c3c411c40 · 2024-07-11T10:19:33.000+05:30
diff --git a/modules/permission_sets/.header.md b/modules/permission_sets/.header.md
@@ -0,0 +1,2 @@
+# Terraform AWS Organizations Permission-Sets Module
+A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission Sets within AWS Organizations 
diff --git a/modules/permission_sets/README.md b/modules/permission_sets/README.md
@@ -0,0 +1,42 @@
+# Terraform AWS Organizations Permission-Sets Module
+A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission Sets within AWS Organizations 
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.57.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
+| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
+| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br>    name             = string<br>    description      = string<br>    session_duration = optional(string, "PT1H")<br>    tags             = optional(map(string), null)<br>    inline_policy    = optional(string, null)     # Inline policy in JSON format <br>    managed_policies = optional(list(string), []) # list of ARN's of managed policies<br>    customer_managed_policies = optional(list(object({<br>      name = string<br>      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.<br>    })), [])<br>  }))</pre> | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Key-value map of resource tags. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_permission_sets"></a> [permission\_sets](#output\_permission\_sets) | A map of the permission sets that were created. Each key is the name of the permission set, and the value contains the details of the created permission set. |
diff --git a/modules/permission_sets/main.tf b/modules/permission_sets/main.tf
@@ -0,0 +1,76 @@
+locals {
+  sso_instance_arn    = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  permission_set_map  = { for ps in var.permission_sets : ps.name => ps }
+  inline_policies_map = { for ps in var.permission_sets : ps.name => ps.inline_policy if ps.inline_policy != null }
+  managed_policy_map  = { for ps in var.permission_sets : ps.name => ps.managed_policies if length(ps.managed_policies) > 0 }
+  managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.managed_policy_map : [
+      for policy_arn in policy_list : {
+        permission_set = ps_name
+        policy_arn     = policy_arn
+      }
+    ]
+  ])
+  managed_policy_attachments_map = {
+    for policy in local.managed_policy_attachments : "${policy.permission_set}.${policy.policy_arn}" => policy
+  }
+  customer_managed_policy_map = { for ps in var.permission_sets : ps.name => ps.customer_managed_policies if length(ps.customer_managed_policies) > 0 }
+  customer_managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.customer_managed_policy_map : [
+      for policy in policy_list : {
+        permission_set = ps_name
+        policy_name    = policy.name
+        policy_path    = policy.path
+      }
+    ]
+  ])
+  customer_managed_policy_attachments_map = {
+    for policy in local.customer_managed_policy_attachments : "${policy.permission_set}.${policy.policy_path}${policy.policy_name}" => policy
+  }
+}
+
+data "aws_ssoadmin_instances" "this" {}
+
+# CREATE THE PERMISSION SETS
+resource "aws_ssoadmin_permission_set" "this" {
+  for_each = local.permission_set_map
+
+  name             = each.key
+  description      = each.value.description
+  instance_arn     = local.sso_instance_arn
+  session_duration = each.value.session_duration
+  tags             = merge(each.value.tags, var.tags)
+}
+
+# ATTACH INLINE POLICIES
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+  for_each = local.inline_policies_map
+
+  inline_policy      = each.value
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+  depends_on         = [aws_ssoadmin_permission_set_inline_policy.this]
+}
+
+# ATTACH MANAGED POLICIES
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+  for_each = local.managed_policy_attachments_map
+
+  instance_arn       = local.sso_instance_arn
+  managed_policy_arn = each.value.policy_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+  depends_on         = [aws_ssoadmin_permission_set_inline_policy.this]
+}
+
+# ATTACH CUSTOMER MANAGED POLICIES
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+  for_each           = local.customer_managed_policy_attachments_map
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+  customer_managed_policy_reference {
+    name = each.value.policy_name
+    path = each.value.policy_path
+  }
+  depends_on = [aws_ssoadmin_permission_set_inline_policy.this]
+}
+
diff --git a/modules/permission_sets/outputs.tf b/modules/permission_sets/outputs.tf
@@ -0,0 +1,4 @@
+output "permission_sets" {
+  description = "A map of the permission sets that were created. Each key is the name of the permission set, and the value contains the details of the created permission set."
+  value = aws_ssoadmin_permission_set.this
+}
diff --git a/modules/permission_sets/variables.tf b/modules/permission_sets/variables.tf
@@ -0,0 +1,21 @@
+variable "permission_sets" {
+  type = list(object({
+    name             = string
+    description      = string
+    session_duration = optional(string, "PT1H")
+    tags             = optional(map(string), null)
+    inline_policy    = optional(string, null)     # Inline policy in JSON format 
+    managed_policies = optional(list(string), []) # list of ARN's of managed policies
+    customer_managed_policies = optional(list(object({
+      name = string
+      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.
+    })), [])
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "(Optional) Key-value map of resource tags."
+  type        = map(string)
+  default     = null
+}
diff --git a/modules/permission_sets/versions.tf b/modules/permission_sets/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+  }
+}
diff --git a/tests/permission_sets_unit-tests.tftest.hcl b/tests/permission_sets_unit-tests.tftest.hcl
@@ -0,0 +1,60 @@
+# Attribute validations for permission_sets sub module
+run "check_permission_set_creation" {
+  module {
+    source = "./modules/permission_sets"
+  }
+  variables {
+    permission_sets = [
+      {
+        name        = "dummy"
+        description = "This is only used for testing purpose"
+      }
+    ]
+  }
+  command = plan
+
+  assert {
+    condition     = length(aws_ssoadmin_permission_set.this) == 1
+    error_message = "Permission set `dummy` was not created"
+  }
+}
+
+run "validate_permission_set_name" {
+  module {
+    source = "./modules/permission_sets"
+  }
+  variables {
+    permission_sets = [
+      {
+        name        = "dummy"
+        description = "This is only used for testing purpose"
+      }
+    ]
+  }
+  command = plan
+
+  assert {
+    condition     = aws_ssoadmin_permission_set.this[var.permission_sets[0].name].name == var.permission_sets[0].name
+    error_message = "Invalid permission set name"
+  }
+}
+
+run "validate_permission_set_description" {
+  module {
+    source = "./modules/permission_sets"
+  }
+  variables {
+    permission_sets = [
+      {
+        name        = "dummy"
+        description = "This is only used for testing purpose"
+      }
+    ]
+  }
+  command = plan
+
+  assert {
+    condition     = aws_ssoadmin_permission_set.this[var.permission_sets[0].name].description == var.permission_sets[0].description
+    error_message = "Invalid permission set name"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Terraform AWS Organizations Permission-Sets Module`
	`2`	`+A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission Sets within AWS Organizations`