Merge pull request #34 from aws-ia/inlinepolicy

Inlinepolicy

.header.md

@@ -78,6 +78,28 @@ module "aws-iam-identity-center" {
       aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
       tags                 = { ManagedBy = "Terraform" }
     },
+    CustomPermissionAccess = {
+      description          = "Provides CustomPoweruser permissions.",
+      session_duration     = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
+      aws_managed_policies = [
+        "arn:aws:iam::aws:policy/ReadOnlyAccess",
+        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+      ]
+      inline_policy        = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
+
+      // Only either managed_policy_arn or customer_managed_policy_reference can be specified.
+      // Before using customer_managed_policy_reference, first deploy the policy to the account.
+      // Don't in-place managed_policy_arn to/from customer_managed_policy_reference, delete it once.
+      permissions_boundary = {
+        // managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+
+        customer_managed_policy_reference = {
+          name = "ExamplePermissionsBoundaryPolicy"
+          // path = "/"
+        }
+      }
+      tags                 = { ManagedBy = "Terraform" }
+    },
   }
 
   // Assign users/groups access to accounts with the specified permissions

README.md

@@ -79,6 +79,28 @@ module "aws-iam-identity-center" {
       aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
       tags                 = { ManagedBy = "Terraform" }
     },
+    CustomPermissionAccess = {
+      description          = "Provides CustomPoweruser permissions.",
+      session_duration     = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
+      aws_managed_policies = [
+        "arn:aws:iam::aws:policy/ReadOnlyAccess",
+        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+      ]
+      inline_policy        = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
+
+      // Only either managed_policy_arn or customer_managed_policy_reference can be specified.
+      // Before using customer_managed_policy_reference, first deploy the policy to the account.
+      // Don't in-place managed_policy_arn to/from customer_managed_policy_reference, delete it once.
+      permissions_boundary = {
+        // managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
+
+        customer_managed_policy_reference = {
+          name = "ExamplePermissionsBoundaryPolicy"
+          // path = "/"
+        }
+      }
+      tags                 = { ManagedBy = "Terraform" }
+    },
   }
 
   // Assign users/groups access to accounts with the specified permissions
@@ -139,10 +161,12 @@ No modules.
 | [aws_ssoadmin_customer_managed_policy_attachment.pset_customer_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
 | [aws_ssoadmin_managed_policy_attachment.pset_aws_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.pset_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
+| [aws_ssoadmin_permissions_boundary_attachment.pset_permissions_boundary_customer_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource |
 | [aws_identitystore_group.existing_sso_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
-| [aws_identitystore_group.identity_store_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_user.existing_sso_users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
-| [aws_identitystore_user.identity_store_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_ssoadmin_instances.sso_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 | [aws_ssoadmin_permission_set.existing_permission_sets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 

VERSION

@@ -1 +1 @@
-v0.0.2
+v0.0.3

data.tf

@@ -1,6 +1,9 @@
 # Fetch existing SSO Instance
 data "aws_ssoadmin_instances" "sso_instance" {}
 
+# Fetch existing AWS Organization
+data "aws_organizations_organization" "organization" {}
+
 
 # The local variable 'users_and_their_groups' is a map of values for relevant user information.
 # It contians a list of all users with the name of their group_assignments appended to the end of the string.
@@ -20,70 +23,42 @@ data "aws_ssoadmin_instances" "sso_instance" {}
 # user_name = "suchiha"
 #     }
 
-# - Fetch of SSO Groups to be used for group membership assignment -
+# - Fetch of SSO Groups (externally defined) to be used for group membership assignment -
 data "aws_identitystore_group" "existing_sso_groups" {
-  for_each          = local.users_and_their_groups
+  for_each          = toset(local.existing_sso_groups)
   identity_store_id = local.sso_instance_id
   alternate_identifier {
     unique_attribute {
       attribute_path  = "DisplayName"
-      attribute_value = each.value.group_name
+      attribute_value = each.value
     }
   }
-  // Prevents failure if data fetch is attempted before GROUPS are created
-  depends_on = [aws_identitystore_group.sso_groups]
 }
 
 
-# - Fetch of SSO Users to be used for group membership assignment -
+# - Fetch of SSO Users (externally defined) to be used for group membership assignment -
 data "aws_identitystore_user" "existing_sso_users" {
-  for_each          = local.users_and_their_groups
+  for_each          = toset(local.existing_sso_users)
   identity_store_id = local.sso_instance_id
 
   alternate_identifier {
     # Filter users by user_name (nuzumaki, suchiha, dovis, etc.)
     unique_attribute {
       attribute_path  = "UserName"
-      attribute_value = each.value.user_name
-    }
-  }
-  // Prevents failure if data fetch is attempted before USERS are created
-  depends_on = [aws_identitystore_user.sso_users]
-}
-
-
-# - Fetch of SSO Groups to be used for account assignments (for GROUPS) -
-data "aws_identitystore_group" "identity_store_group" {
-  for_each          = toset(local.account_assignments_for_groups)
-  identity_store_id = local.sso_instance_id
-
-  alternate_identifier {
-    unique_attribute {
-      attribute_path  = "DisplayName"
       attribute_value = each.value
     }
   }
-  // Prevents failure if data fetch is attempted before GROUPS are created
-  depends_on = [aws_identitystore_group.sso_groups]
 }
 
-
-# - Fetch of SSO Groups to be used for account assignments (for USERS) -
-data "aws_identitystore_user" "identity_store_user" {
-  for_each          = toset(local.account_assignments_for_users)
-  identity_store_id = local.sso_instance_id
-
-  alternate_identifier {
-    unique_attribute {
-      attribute_path  = "UserName"
-      attribute_value = each.value
-    }
-  }
-  // Prevents failure if data fetch is attempted before USERS are created
-  depends_on = [aws_identitystore_user.sso_users]
+# - Fetch of Permissions sets (externally defined) to be used for account assignment -
+data "aws_ssoadmin_permission_set" "existing_permission_sets" {
+  for_each     = toset(local.existing_permission_sets)
+  instance_arn = local.ssoadmin_instance_arn
+  name         = each.value
 }
 
 
+
 # The local variable 'principals_and_their_permission_sets' is a map of values for relevant user information.
 # It contians a list of all users with the name of their group_assignments appended to the end of the string.
 # This map is then fed into the 'aws_ssoadmin_permission_set' data source with the 'for_each'meta argument to
@@ -110,10 +85,6 @@ data "aws_identitystore_user" "identity_store_user" {
 # account_ids = "111111111111"
 #     }
 
-data "aws_ssoadmin_permission_set" "existing_permission_sets" {
-  for_each     = local.principals_and_their_account_assignments
-  instance_arn = local.ssoadmin_instance_arn
-  name         = each.value.permission_set
-  // Prevents failure if data fetch is attempted before Permission Sets are created
-  depends_on = [aws_ssoadmin_permission_set.pset]
-}
+
+
+

examples/create-users-and-groups/main.tf

@@ -24,14 +24,14 @@ module "aws-iam-identity-center" {
 
   // Create desired USERS in IAM Identity Center
   sso_users = {
-    NarutoUzumaki : {
+    nuzumaki : {
       group_membership = ["Admin", "Dev", "QA", "Audit"]
       user_name        = "nuzumaki"
       given_name       = "Naruto"
       family_name      = "Uzumaki"
       email            = "[email protected]"
     },
-    SasukeUchiha : {
+    suchiha : {
       group_membership = ["QA", "Audit"]
       user_name        = "suchiha"
       given_name       = "Sasuke"

examples/inline-policy/.header.md

@@ -0,0 +1 @@
+This directory contains examples of using the module to create users and groups and assign permissions with **Inline Policies**.

examples/inline-policy/README.md

@@ -0,0 +1,35 @@
+<!-- BEGIN_TF_DOCS -->
+This directory contains examples of using the module to create users and groups and assign permissions with **Inline Policies**.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-iam-identity-center"></a> [aws-iam-identity-center](#module\_aws-iam-identity-center) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.restrictAccessInlinePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_ssm_parameter.account1_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/inline-policy/locals.tf

@@ -0,0 +1,14 @@
+# Fetch Account Id from SSM Parameter Store
+data "aws_ssm_parameter" "account1_account_id" {
+  name = "tf-aws-iam-idc-module-testing-account1-account-id" // replace with your SSM Parameter Key
+}
+
+locals {
+  # Account IDs
+  account1_account_id = nonsensitive(data.aws_ssm_parameter.account1_account_id.value)
+  # account1_account_id = "111111111111"
+  # account2_account_id = "222222222222"
+  # account3_account_id = "333333333333"
+  # account4_account_id = "444444444444"
+
+}