Merge pull request #1 from gadgetry-io/develop

Initial Commit for Gadgetry's terraform-aws-sso-group-assignment module

README.md

@@ -1,2 +1,85 @@
-# terraform-aws-sso-account-assignment
-Terraform AWS SSO Account Assignment Module
+# terraform-aws-sso-group-assignment
+
+[Gadgetry's](https://gadgetry.io) Terraform AWS SSO Group Assignment Module
+
+This module is designed to be used with Gadgetry's [terraform-aws-sso-permission-set](https://github.com/gadgetry-io/terraform-aws-sso-permission-set) module. If you are using an SSO External Identity Provider (IdP) with SCIM enabled the `group_name` would be the groups you are importing from your IdP into AWS Single Sign-On (SSO).
+
+## Usage
+
+### Administrator
+
+**Provision AWSAdministrator Permission Set**
+
+    module "AWSAdministrator" {
+      source = ".github.com/gadgetry-io/aws/sso-permission-set"
+      version = "1.0.0"
+
+      name        = "AWSAdministrator"
+      description = "AWSAdministrator provides administrator access within an account, but no ability to manage users, roles, or orgs"
+
+      managed_policy_arns = [
+        "arn:aws:iam::aws:policy/AdministratorAccess",
+      ]
+    }
+
+**Provision ExampleAdministrator SSO Group for Dev, Test, and Prod Accounts**
+
+    module "ExampleAdministrator" {
+      source = ".github.com/gadgetry-io/aws/sso-group-assignment"
+      version = "1.0.0"
+
+      group_name = "ExampleAdministrator"
+
+      group_assignments = {
+        "Example_DEV" = module.AWSAdministrator.name
+        "Example_TST" = module.AWSAdministrator.name
+        "Example_PRD" = module.AWSAdministrator.name
+      }
+    }
+
+### Developer
+
+**Provision AWSDeveloper Permission Set**
+
+    module "AWSDeveloper" {
+      source = ".github.com/gadgetry-io/aws/sso-permission-set"
+      version = "1.0.0"
+
+      name        = "AWSDeveloper"
+      description = "AWSDeveloper provides PowerUser access to AWS services and resources, but does no allow management of users and groups."
+
+      managed_policy_arns = [
+        "arn:aws:iam::aws:policy/PowerUserAccess",
+      ]
+    }
+
+**Provision AWSSupport Permission Set**
+
+    module "AWSSupport" {
+      source = ".github.com/gadgetry-io/aws/sso-permission-set"
+      version = "1.0.0"
+
+      name        = "AWSSupport"
+      description = "AWSSupport grants permissions to troubleshoot and resolve issues in an AWS account. Also enables permissions to contact AWS support to create and manage cases in addition to read-only access to AWS services and resources."
+
+      managed_policy_arns = [
+        "arn:aws:iam::aws:policy/ReadOnlyAccess",
+        "arn:aws:iam::aws:policy/job-function/SupportUser",
+      ]
+    }
+
+**Provision ExampleDeveloper SSO Group for Dev, Test, and Prod Accounts** 
+
+    module "ExampleDeveloper" {
+      source = ".github.com/gadgetry-io/aws/sso-group-assignment"
+      version = "1.0.0"
+
+      group_name = "ExampleDeveloper"
+
+      group_assignments = {
+        "Example_DEV" = module.AWSDeveloper.name
+        "Example_TST" = module.AWSSupport.name
+        "Example_PRD" = module.AWSSupport.name
+      }
+    }
+

main.tf

@@ -0,0 +1,50 @@
+###############################################################################
+### SSO ADMIN ACCOUNT ASSIGNMENT
+###############################################################################
+
+# LOOKUP AWS ORGANIZATION
+data "aws_organizations_organization" "main" {}
+
+# LOOKUP AWS SSO PERMISSION SET ARNS
+data "aws_ssoadmin_permission_set" "main" {
+  for_each     = var.group_assignments
+  instance_arn = var.instance_arn
+  name         = each.value
+}
+
+# LOOKUP AWS SSO GROUP
+data "aws_identitystore_group" "main" {
+  identity_store_id = var.instance_arn
+
+  filter {
+    attribute_path  = "DisplayName"
+    attribute_value = var.group_name
+  }
+}
+
+# SSO GROUP ASSIGNMENT
+# - For a specific SSO group_name, loop through group_assignments map
+#   to provision a named Permission_Set for each group to the
+#   named AWS Account.
+# - Data Lookups are used to find the ids and arns required
+resource "aws_ssoadmin_account_assignment" "main" {
+  for_each = var.group_assignments
+
+  instance_arn       = var.instance_arn
+  permission_set_arn = data.aws_ssoadmin_permission_set.main[each.key].arn
+
+  principal_id   = data.aws_identitystore_group.main.group_id
+  principal_type = var.principal_type
+
+  target_id   = [for id, account in data.aws_organizations_organization.main.accounts : account.id if account.name == each.key][0]
+  target_type = var.target_type
+}
+
+#######################################
+# OUTPUTS
+#######################################
+
+output "id" {
+  description = "The identifier of the SSO Group Assignment i.e. principal_id, principal_type, target_id, target_type, permission_set_arn, instance_arn separated by commas (,)."
+  value       = aws_ssoadmin_account_assignment.id
+}

variables.tf

@@ -0,0 +1,42 @@
+################################################################################
+### SSO GROUP ASSIGNMENT
+################################################################################
+
+# SSO INSTANCE
+variable "instance_arn" {
+  description = "(Optional, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance. If not set via variable, module uses data lookup for SSO Admin Instance[0]."
+  type        = string
+  default     = ""
+}
+
+# GROUP NAME
+variable "group_name" {
+  description = "(Required, Forces new resource) The entity type for which the assignment will be created. Valid values Principal ID, uses AWS Identity Store Data Lookup by DisplayName."
+  type        = string
+}
+
+# PRINCIPAL TYPE (GROUP)
+variable "principal_type" {
+  description = "(Required, Forces new resource) The entity type for which the assignment will be created. Valid values: USER, GROUP. Defaults to GROUP."
+  type        = string
+  default     = "GROUP"
+}
+
+# TARGET ID (AWS_ACCOUNT_ID)
+variable "target_id" {
+  description = "(Required, Forces new resource) An AWS account identifier, typically a 10-12 digit string."
+  type        = string
+}
+
+# TARGET TYPE (AWS_ACCOUNT)
+variable "target_type" {
+  description = "(Optional, Forces new resource) The entity type for which the assignment will be created. Valid values: AWS_ACCOUNT"
+  type        = string
+  default     = "AWS_ACCOUNT"
+}
+
+# GROUP PERMISSION_SET ASSIGNMENTS
+variable "group_assignments" {
+  description = "(Required) Map of AWS Account Names and SSO Permission Sets" 
+  type        = map(string)
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.50.0"
+    }
+  }
+}