NEW: new SSO modules

This commit is contained in:
xpk 2022-12-08 14:34:42 +08:00
parent 4d61d0943e
commit a79fe1f365
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
5 changed files with 52 additions and 2 deletions


@ -0,0 +1,3 @@
# Module sso-aws-id-store
This module creates aws sso user using aws's builtin identity store, and put the user in a group.
The group must be created in advance.


@ -0,0 +1,33 @@
data "aws_ssoadmin_instances" "sso1" {}
resource "aws_identitystore_user" "sso-user" {
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
display_name = "${var.firstName} ${var.lastName}"
user_name = var.username
nickname = var.username
emails {
primary = true
value = var.email
}
name {
family_name = var.lastName
given_name = var.firstName
}
}
data "aws_identitystore_group" "sso-group" {
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
alternate_identifier {
unique_attribute {
attribute_path = "DisplayName"
attribute_value = var.groupName
}
}
}
resource "aws_identitystore_group_membership" "sso-group-membership" {
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
group_id = data.aws_identitystore_group.sso-group.group_id
member_id = aws_identitystore_user.sso-user.user_id
}
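Review bot: The expression `tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]` is repeated on the `identity_store_id` line of all three blocks, which makes it easy for the three to drift apart when one is edited; a `locals { identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0] }` block with `identity_store_id = local.identity_store_id` at each site keeps them in step and gives one place to state the assumption that the first identity store returned is the intended one. The `aws_identitystore_group` lookup by `DisplayName` is what enforces the README's "group must be created in advance" rule, but nothing in this file says so; a comment above it, `# no default is created here: this lookup presumably errors at plan time if no group with this display name exists`, would make the failure mode visible to a reader of the module rather than only of the README.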


@ -0,0 +1,5 @@
variable username {}
variable firstName {}
variable lastName {}
variable email {}
variable groupName {}
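Review bot: All five variables are declared with empty bodies, so they accept a value of any type and carry no description of what the module expects; since these values become a user record and a group lookup in the identity store, pinning them with `type = string` and a one-line `description` (for example `variable "groupName" { type = string description = "DisplayName of an existing identity-store group the user is added to" }`) lets Terraform reject a wrong-typed value at plan time and documents the contract without reading main.tf. The same applies to the `inline-policy-json` variable added to the permission-set module's variables file at the end of this commit.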


@ -5,7 +5,7 @@ resource "aws_ssoadmin_permission_set" "pset" {
description = var.pset-desc
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
session_duration = var.pset-session-duration
tags = var.default-tags
tags = var.default-tags
}
resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
@ -14,3 +14,12 @@ resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
permission_set_arn = aws_ssoadmin_permission_set.pset.arn
}
# use inline policy for additional permissions. aws sso will populate this policy to target accounts
# automatically. customer managed policies, on the other hand, needs to be created manually in the target accounts.
resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
count = length(var.inline-policy-json) > 0 ? 1 : 0
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
permission_set_arn = aws_ssoadmin_permission_set.pset.arn
inline_policy = var.inline-policy-json
}
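Review bot: `count = length(var.inline-policy-json) > 0 ? 1 : 0` treats the inline policy as optional, but the `variable inline-policy-json {}` declaration added in this module's variables file has no default, so every existing caller that does not pass the new variable will now fail with a missing-required-variable error instead of simply getting no inline policy; `variable inline-policy-json { type = string default = "" }` makes the guard meaningful. Because `inline_policy` is passed straight through as a raw JSON document, a validation on the variable such as `condition = var.inline-policy-json == "" || can(jsondecode(var.inline-policy-json))` would reject a malformed policy at plan time rather than at the API call. The resource name `pset-inline-policy1` and the comment above it suggest further inline policies may follow; if only one is intended, the trailing `1` is worth dropping now.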


@ -3,4 +3,4 @@ variable pset-desc {}
variable pset-session-duration {}
variable default-tags {}
variable pset-managed-policy-arn {}
variable inline-policy-json {}