NEW: AWS SSO module

2022-11-24 09:52:27 +08:00 · 2022-11-24 09:52:27 +08:00 · 8a16ee5dc1
commit 8a16ee5dc1
parent 597aa0736f
3 changed files with 54 additions and 0 deletions
--- a/modules/security_identity_compliance/sso/README.md
+++ b/modules/security_identity_compliance/sso/README.md
@ -0,0 +1,33 @@
+# SSO module
+
+## Root module example
+```
+module sso {
+  source = "../modules/sso"
+
+  for_each = { for item in local.items : item.name => item }
+
+  default-tags            = local.default-tags
+  pset-name               = each.value.name
+  pset-desc               = each.value.desc
+  pset-managed-policy-arn = each.value.mpolicy
+  pset-session-duration   = each.value.session
+
+}
+
+locals {
+  csv_data = <<-CSV
+    name,desc,mpolicy,session
+    ViewOnly,View only access,arn:aws:iam::aws:policy/job-function/ViewOnlyAccess,PT4H
+    ReadOnly,Read only access,arn:aws:iam::aws:policy/ReadOnlyAccess,PT4H
+    FullAccess,Full admin access,arn:aws:iam::aws:policy/AdministratorAccess,PT4H
+    NetworkAdmin,Network admin access,arn:aws:iam::aws:policy/job-function/NetworkAdministrator,PT4H
+    DatabaseAdmin,Database admin access,arn:aws:iam::aws:policy/job-function/DatabaseAdministrator,PT4H
+    BillingAdmin,Billing admin access,arn:aws:iam::aws:policy/job-function/Billing,PT4H
+    SecurityAudit,Security admin access,arn:aws:iam::aws:policy/SecurityAudit,PT4H
+    PowerUser,Full access excluding IAM,arn:aws:iam::aws:policy/PowerUserAccess,PT4H
+  CSV
+
+  items = csvdecode(local.csv_data)
+}
+```
--- a/modules/security_identity_compliance/sso/main.tf
+++ b/modules/security_identity_compliance/sso/main.tf
@ -0,0 +1,15 @@
+data "aws_ssoadmin_instances" "sso1" {}
+
+resource "aws_ssoadmin_permission_set" "pset" {
+  name             = var.pset-name
+  description      = var.pset-desc
+  instance_arn     = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  session_duration = var.pset-session-duration
+  tags = var.default-tags
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  managed_policy_arn = var.pset-managed-policy-arn
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+}
--- a/modules/security_identity_compliance/sso/variables.tf
+++ b/modules/security_identity_compliance/sso/variables.tf
@ -0,0 +1,6 @@
+variable pset-name {}
+variable pset-desc {}
+variable pset-session-duration {}
+variable default-tags {}
+variable pset-managed-policy-arn {}
+