From 629c2cf13f255b7dbbccf6af968122f1c00f9907 Mon Sep 17 00:00:00 2001 From: Brian Hooper Date: Sun, 22 Aug 2021 12:55:34 -0500 Subject: [PATCH 1/2] Initial Commit of Gadgetry's terraform-aws-sso-group-assignment module --- README.md | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++-- main.tf | 50 ++++++++++++++++++++++++++++++ variables.tf | 42 +++++++++++++++++++++++++ versions.tf | 10 ++++++ 4 files changed, 187 insertions(+), 2 deletions(-) create mode 100644 main.tf create mode 100644 variables.tf create mode 100644 versions.tf diff --git a/README.md b/README.md index 416a9f0..eba519a 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,85 @@ -# terraform-aws-sso-account-assignment -Terraform AWS SSO Account Assignment Module +# terraform-aws-sso-group-assignment + +[Gadgetry's](https://gadgetry.io) Terraform AWS SSO Group Assignment Module + +This module is designed to be used with Gadgetry's [terraform-aws-sso-permission-set](https://github.com/gadgetry-io/terraform-aws-sso-permission-set) module. If you are using an SSO External Identity Provider (IdP) with SCIM enabled the `group_name` would be the groups you are importing from your dP into AWS Single Sign-On (SSO). + +## Usage + +### Administrator + +**Provision AWSAdministrator Permission Set** + + module "AWSAdministrator" { + source = ".github.com/gadgetry-io/aws/sso-permission-set" + version = "1.0.0" + + name = "AWSAdministrator" + description = "AWSAdministrator provides administrator access within an account, but no ability to manage users, roles, or orgs" + + managed_policy_arns = [ + "arn:aws:iam::aws:policy/AdministratorAccess", + ] + } + +**Provision ExampleAdministrator SSO Group for Dev, Test, and Prod Accounts** + + module "ExampleAdministrator" { + source = ".github.com/gadgetry-io/aws/sso-group-assignment" + version = "1.0.0" + + group_name = "ExampleAdministrator" + + group_assignments = { + "Example_DEV" = module.AWSAdministrator.name + "Example_TST" = module.AWSAdministrator.name + "Example_PRD" = module.AWSAdministrator.name + } + } + +### Developer + +**Provision AWSDeveloper Permission Set** + + module "AWSDeveloper" { + source = ".github.com/gadgetry-io/aws/sso-permission-set" + version = "1.0.0" + + name = "AWSDeveloper" + description = "AWSDeveloper provides PowerUser access to AWS services and resources, but does no allow management of users and groups." 
+ + managed_policy_arns = [ + "arn:aws:iam::aws:policy/PowerUserAccess", + ] + } + +**Provision AWSSupport Permission Set** + + module "AWSSupport" { + source = ".github.com/gadgetry-io/aws/sso-permission-set" + version = "1.0.0" + + name = "AWSSupport" + description = "AWSSupport grants permissions to troubleshoot and resolve issues in an AWS account. Also enables permissions to contact AWS support to create and manage cases in addition to read-only access to AWS services and resources." + + managed_policy_arns = [ + "arn:aws:iam::aws:policy/ReadOnlyAccess", + "arn:aws:iam::aws:policy/job-function/SupportUser", + ] + } + +**Provision ExampleDeveloper SSO Group for Dev, Test, and Prod Accounts** + + module "ExampleDeveloper" { + source = ".github.com/gadgetry-io/aws/sso-group-assignment" + version = "1.0.0" + + group_name = "ExampleDeveloper" + + group_assignments = { + "Example_DEV" = module.AWSDeveloper.name + "Example_TST" = module.AWSSupport.name + "Example_PRD" = module.AWSSupport.name + } + } + diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..0ff8e47 --- /dev/null +++ b/main.tf 
@@ -0,0 +1,50 @@
+###############################################################################
+### SSO ADMIN ACCOUNT ASSIGNMENT
+###############################################################################
+
+# LOOKUP AWS ORGANIZATION
+data "aws_organizations_organization" "main" {}
+
+# LOOKUP AWS SSO PERMISSION SET ARNS
+data "aws_ssoadmin_permission_set" "main" {
+ for_each = var.group_assignments
+ instance_arn = var.instance_arn
+ name = each.value
+}
+
+# LOOKUP AWS SSO GROUP
+data "aws_identitystore_group" "main" {
+ identity_store_id = var.instance_arn
+
+ filter {
+ attribute_path = "DisplayName"
+ attribute_value = var.group_name
+ }
+}
+
+# SSO GROUP ASSIGNMENT
+# - For a specific SSO group_name, loop through group_assignments map
+# to provision a named Permission_Set for each group to the
+# named AWS Account.
+# - Data Lookups are used to find the ids and arns required
+resource "aws_ssoadmin_account_assignment" "main" {
+ for_each = var.group_assignments
+
+ instance_arn = var.instance_arn
+ permission_set_arn = data.aws_ssoadmin_permission_set.main[each.key].arn
+
+ principal_id = data.aws_identitystore_group.main.group_id
+ principal_type = var.principal_type
+
+ target_id = [for id, account in data.aws_organizations_organization.main.accounts : account.id if account.name == each.key][0]
+ target_type = var.target_type
+}
+
+#######################################
+# OUTPUTS
+#######################################
+
+output "id" {
+ description = "The identifier of the SSO Group Assignment i.e. principal_id, principal_type, target_id, target_type, permission_set_arn, instance_arn separated by commas (,)."
+ value = aws_ssoadmin_account_assignment.id
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..126b3be
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,42 @@
+################################################################################
+### SSO GROUP ASSIGNMENT
+################################################################################
+
+# SSO INSTANCE
+variable "instance_arn" {
+ description = "(Optional, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance. If not set via variable, module uses data lookup for SSO Admin Instance[0]."
+ type = string
+ default = ""
+}
+
+# GROUP NAME
+variable "group_name" {
+ description = "(Required, Forces new resource) The entity type for which the assignment will be created. Valid values Principal ID, uses AWS Identity Store Data Lookup by DisplayName."
+ type = string
+}
+
+# PRINCIPAL TYPE (GROUP)
+variable "principal_type" {
+ description = "(Required, Forces new resource) The entity type for which the assignment will be created. Valid values: USER, GROUP. Defaults to GROUP."
+ type = string
+ default = "GROUP"
+}
+
+# TARGET ID (AWS_ACCOUNT_ID)
+variable "target_id" {
+ description = "(Required, Forces new resource) An AWS account identifier, typically a 10-12 digit string."
+ type = string
+}
+
+# TARGET TYPE (AWS_ACCOUNT)
+variable "target_type" {
+ description = "(Optional, Forces new resource) The entity type for which the assignment will be created. Valid values: AWS_ACCOUNT"
+ type = string
+ default = "AWS_ACCOUNT"
+}
+
+# GROUP PERMISSION_SET ASSIGNMENTS
+variable "group_assignments" {
+ description = "(Required) Map of AWS Account Names and SSO Permission Sets"
+ type = map(string)
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..ffb401c
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.50.0"
+ }
+ }
+}
From 0403c910d87103c6a3cf4197e835452a75c4c7c2 Mon Sep 17 00:00:00 2001
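Review bot: `variable "target_id"` is declared `(Required)` with no default, yet nothing in this patch's main.tf reads `var.target_id` — the target account is resolved from the `group_assignments` keys — so every caller is forced to supply a value that is silently ignored; drop the variable or give it a default and state that it is unused. The `instance_arn` description promises a data lookup for "SSO Admin Instance[0]" when left at its `""` default, but main.tf passes `var.instance_arn` straight into the data sources and the resource, so the documented default cannot work. The `group_name` description is copied from `principal_type` ("The entity type for which the assignment will be created") and should describe the group, e.g. `"(Required, Forces new resource) DisplayName of the Identity Store group to assign; resolved to a principal_id via data lookup."`. `principal_type` advertises `USER, GROUP`, but `principal_id` always comes from a group lookup, so a `USER` value would bind a group id as a user principal; the `validation` block below turns that into a plan-time error instead of a confusing API failure.
```hcl
variable "principal_type" {
  description = "(Optional, Forces new resource) Entity type of the principal. Only GROUP is supported: principal_id is resolved from an Identity Store group lookup by group_name."
  type        = string
  default     = "GROUP"

  validation {
    condition     = var.principal_type == "GROUP"
    error_message = "principal_type must be GROUP; this module resolves principal_id from an Identity Store group lookup."
  }
}
```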
From: Brian Hooper Date: Sun, 22 Aug 2021 12:59:54 -0500 Subject: [PATCH 2/2] Updating ReadMe.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eba519a..40e9a2b 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [Gadgetry's](https://gadgetry.io) Terraform AWS SSO Group Assignment Module -This module is designed to be used with Gadgetry's [terraform-aws-sso-permission-set](https://github.com/gadgetry-io/terraform-aws-sso-permission-set) module. If you are using an SSO External Identity Provider (IdP) with SCIM enabled the `group_name` would be the groups you are importing from your dP into AWS Single Sign-On (SSO). +This module is designed to be used with Gadgetry's [terraform-aws-sso-permission-set](https://github.com/gadgetry-io/terraform-aws-sso-permission-set) module. If you are using an SSO External Identity Provider (IdP) with SCIM enabled the `group_name` would be the groups you are importing from your IdP into AWS Single Sign-On (SSO). ## Usage