This module can be used to manage permission sets and assignments within AWS Identity Center. Permission sets can use both managed and customer managed policies to define permissions. Note that this module does not create the customer managed policies in the target accounts; they are referenced by name and are assumed to be provisioned in each target account by another process before the assignment is made.
The following example provisions a permission set with one AWS managed policy and one customer managed policy attached to it, and assigns the permission set to two groups, each across its own list of accounts.
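# Look up the Identity Center instance in the current account and region.
data "aws_ssoadmin_instances" "this" {}

locals {
  # Both values are taken from the same instance lookup: the instance ARN is
  # passed to the permission set module, and the identity store id is needed
  # by the group lookup below (the original example referenced
  # local.identity_store_id without ever defining it).
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}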
# Resolve every group display name in var.sso_groups to its identity store
# group, so the assignments below can reference each group by name.
data "aws_identitystore_group" "groups" {
  for_each          = toset(var.sso_groups)
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}
module "permissionset" {
  source  = "appvia/permissionset/aws"
  version = "0.1.1"

  name         = "MyPermissionSet"
  description  = "Permission to do something in the cloud"
  instance_arn = local.instance_arn
  tags         = var.tags

  # AWS managed policies attached to the permission set.
  managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]

  # Customer managed policies are referenced by name only; the policy itself
  # must already exist in every target account, this module does not create it.
  customer_managed_policy_references = [
    { name = "MyCustomerManagedPolicy" },
  ]

  # Each entry grants the permission set to one group across a list of accounts.
  # The display names used as keys here must be present in var.sso_groups,
  # since that list drives the group lookup above.
  assignments = [
    {
      principal_id = data.aws_identitystore_group.groups["Cloud Administrators"].group_id
      targets      = var.another_list_of_accounts_ids
    },
    {
      principal_id = data.aws_identitystore_group.groups["Cloud Solutions"].group_id
      targets      = var.list_of_accounts_ids
    },
  ]
}
Name | Version |
---|---|
terraform | >= 1.0 |
aws | ~> 5.0 |
Name | Version |
---|---|
aws | ~> 5.0 |
Name | Source | Version |
---|---|---|
assignments | ./modules/assignment | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| description | The description of this permission set to be created | string | n/a | yes |
| instance_arn | The arn of the instance to which the permission set is to be attached | string | n/a | yes |
| name | The name of this permission set to be created | string | n/a | yes |
| tags | The tags to be attached to the permission set | map(string) | n/a | yes |
| assignments | An optional list of assignments to be attached to the permission set | list(object({ | [] | no |
| customer_managed_boundary_policy_references | The list of customer managed boundary policy references to be attached to the permission set | list(object({ | [] | no |
| customer_managed_inline_policy | An optional inline policy to be attached to the permission set | string | null | no |
| customer_managed_policy_references | The list of customer managed policy references to be attached to the permission set | list(object({ | [] | no |
| managed_boundary_policy_arns | The list of managed boundary policy arns to be attached to the permission set | list(string) | [] | no |
| managed_policy_arns | The list of managed policy arns to be attached to the permission set | list(string) | [] | no |
| relay_state | The relay state of the permission set, used to redirect users to a specific page after login | string | null | no |
| session_duration | The duration of the session | string | "PT2H" | no |
Name | Description |
---|---|
permission_set_arn | The ARN of the permission set provisioned |