Skip to content

appvia/terraform-aws-permissionset

Repository files navigation

Github Actions

Terraform AWS Permission Set

This module can be used to manage permission sets and assignments within AWS Identity Center. Permission sets can use both managed and customer managed policies to define permissions. Note this module does not create the custom policies in the target accounts, it is assumed to be performed by another function.

Usage

The following example will provision a permission set with a managed policy and a customer managed policy attached to it, assigning the permission set to two groups.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

# Lookup all the sso groups
data "aws_identitystore_group" "groups" {
  for_each = toset(var.sso_groups)

  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}

module "permissionset" {
  source  = "appvia/permissionset/aws"
  version = "0.1.1"

  name                = "MyPermissionSet"
  description         = "Permission to do something in the cloud"
  instance_arn        = local.instance_arn
  tags                = var.tags

  # The managed policy arns to be attached to the permission set
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]

  # The customer managed policy references to be attached to the permission set
  customer_managed_policy_references = [
    {
      name = "MyCustomerManagedPolicy"
    }
  ]

  assignments = [
    {
      principal_id = data.aws_identitystore_group.groups["Cloud Administrators"].group_id
      targets      = var.another_list_of_accounts_ids
    },
    {
      principal_id = data.aws_identitystore_group.groups["Cloud Solutions"].group_id
      targets      = var.list_of_accounts_ids
    },
  ]
}

Requirements

Name Version
terraform >= 1.0
aws ~> 5.0

Providers

Name Version
aws ~> 5.0

Modules

Name Source Version
assignments ./modules/assignment n/a

Resources

Name Type
aws_ssoadmin_customer_managed_policy_attachment.customer resource
aws_ssoadmin_managed_policy_attachment.managed resource
aws_ssoadmin_permission_set.this resource
aws_ssoadmin_permission_set_inline_policy.customer resource
aws_ssoadmin_permissions_boundary_attachment.customer resource
aws_ssoadmin_permissions_boundary_attachment.managed resource

Inputs

Name Description Type Default Required
description The description of this permission set to be created string n/a yes
instance_arn The arn of the instance to which the permission set is to be attached string n/a yes
name The name of this permission set to be created string n/a yes
tags The tags to be attached to the permission set map(string) n/a yes
assignments An optional list of assignments to be attached to the permission set
list(object({
principal_id = string
principal_type = optional(string, "GROUP")
targets = list(string)
}))
[] no
customer_managed_boundary_policy_references The list of customer managed boundary policy references to be attached to the permission set
list(object({
name = string
path = optional(string, "/")
}))
[] no
customer_managed_inline_policy An optional inline policy to be attached to the permission set string null no
customer_managed_policy_references The list of customer managed policy references to be attached to the permission set
list(object({
name = string
path = optional(string, "/")
}))
[] no
managed_boundary_policy_arns The list of managed boundary policy arns to be attached to the permission set list(string) [] no
managed_policy_arns The list of managed policy arns to be attached to the permission set list(string) [] no
relay_state The relay state of the permission set, used to redirect users to a specific page after login string null no
session_duration The duration of the session string "PT2H" no

Outputs

Name Description
permission_set_arn The ARN of the permission set provisioned