Merge pull request #10 from infraspecdev/feat/permission_sets

feat: Permission sets

Author: ShivaniBanke

examples/create-permission-set/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  aws_region = "us-east-1"
+}

examples/create-permission-set/main.tf

@@ -0,0 +1,5 @@
+module "permission_sets" {
+  source = "../../modules/permission_sets"
+
+  permission_sets = var.permission_sets
+}

examples/create-permission-set/outputs.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}

examples/create-permission-set/provider.tf

@@ -0,0 +1,28 @@
+variable "permission_sets" {
+  description = <<EOF
+  (Required)A map of permission set objects with key as the permission set name. Each object contains:
+  - name: The name of the permission set.
+  - description: A brief description of the permission set.
+  - session_duration: Optional session duration for the permission set (default is null).
+  - relay_state: Optional relay state for the permission set (default is null).
+  - tags: Optional map of tags to associate with the permission set.
+  - inline_policy: The inline policy content in JSON format.
+  - managed_policies: A list of ARNs of managed policies to attach to the permission set.
+  - customer_managed_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:
+      - name: The name of the customer-managed policy.
+      - path: The path of the customer-managed policy (default is "/").
+  EOF
+  type = map(object({
+    name             = string
+    description      = string
+    session_duration = optional(string, null)
+    relay_state      = optional(string, null)
+    tags             = optional(map(string))
+    inline_policy    = string
+    managed_policies = list(string)
+    customer_managed_policies = list(object({
+      name = string
+      path = optional(string, "/")
+    }))
+  }))
+}

examples/create-permission-set/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+  }
+}

examples/create-permission-set/versions.tf

@@ -0,0 +1,2 @@
+# Terraform AWS Organizations Permission-Sets Module
+A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission Sets within AWS Organizations

modules/permission_sets/.header.md

@@ -0,0 +1,39 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
+| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
+| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) |(Required) A map of permission set objects with permission set name as the key. Each object contains:<br>  - name: The name of the permission set.<br>  - description: A brief description of the permission set.<br>  - session\_duration: Optional session duration for the permission set (default is PT1H).<br>  - relay\_state: Optional relay state for the permission set (default is null).<br>  - tags: Optional map of tags to associate with the permission set.<br>  - inline\_policy: The inline policy content in JSON format.<br>  - managed\_policies: A list of ARNs of managed policies to attach to the permission set.<br>  - customer\_managed\_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:<br>      - name: The name of the customer-managed policy.<br>      - path: The path of the customer-managed policy (default is "/"). | <pre>map(object({<br>    name             = string<br>    description      = string<br>    session_duration = optional(string, null)<br>    relay_state      = optional(string, null)<br>    tags             = optional(map(string))<br>    inline_policy    = string       #  Inline policy <br>    managed_policies = list(string) # list of ARN's of managed policies<br>    customer_managed_policies = list(object({<br>      name = string<br>      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Key-value map of resource tags. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_permission_sets"></a> [permission\_sets](#output\_permission\_sets) | A map of the permission sets that were created. Each key is the name of the permission set, and the value contains the details of the created permission set. |

modules/permission_sets/README.md

@@ -0,0 +1 @@
+data "aws_ssoadmin_instances" "default" {}

modules/permission_sets/data.tf

@@ -0,0 +1,30 @@
+locals {
+  sso_instance_arn    = tolist(data.aws_ssoadmin_instances.default.arns)[0]
+  permission_set_map  = { for ps_name, ps in var.permission_sets : ps_name => ps }
+  inline_policies_map = { for ps_name, ps in var.permission_sets : ps_name => ps.inline_policy if ps.inline_policy != "" }
+  managed_policy_map  = { for ps_name, ps in var.permission_sets : ps_name => ps.managed_policies if length(ps.managed_policies) > 0 }
+  managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.managed_policy_map : [
+      for policy_arn in policy_list : {
+        ps_name    = ps_name
+        policy_arn = policy_arn
+      }
+    ]
+  ])
+  managed_policy_attachments_map = {
+    for policy in local.managed_policy_attachments : "${policy.ps_name}.${policy.policy_arn}" => policy
+  }
+  customer_managed_policy_map = { for ps_name, ps in var.permission_sets : ps_name => ps.customer_managed_policies if length(ps.customer_managed_policies) > 0 }
+  customer_managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.customer_managed_policy_map : [
+      for policy in policy_list : {
+        ps_name     = ps_name
+        policy_name = policy.name
+        policy_path = policy.path
+      }
+    ]
+  ])
+  customer_managed_policy_attachments_map = {
+    for policy in local.customer_managed_policy_attachments : "${policy.ps_name}.${policy.policy_path}${policy.policy_name}" => policy
+  }
+}