diff --git a/modules/security_identity_compliance/sso-aws-id-store/README.md b/modules/security_identity_compliance/sso-aws-id-store/README.md
new file mode 100644
index 0000000..f7cbd52
--- /dev/null
+++ b/modules/security_identity_compliance/sso-aws-id-store/README.md
@@ -0,0 +1,3 @@
+# Module sso-aws-id-store
+This module creates aws sso user using aws's builtin identity store, and put the user in a group.
+The group must be created in advance.
\ No newline at end of file
diff --git a/modules/security_identity_compliance/sso-aws-id-store/main.tf b/modules/security_identity_compliance/sso-aws-id-store/main.tf
new file mode 100644
index 0000000..998b9d1
--- /dev/null
+++ b/modules/security_identity_compliance/sso-aws-id-store/main.tf
@@ -0,0 +1,33 @@
+data "aws_ssoadmin_instances" "sso1" {}
+
+resource "aws_identitystore_user" "sso-user" {
+ identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+ display_name = "${var.firstName} ${var.lastName}"
+ user_name = var.username
+ nickname = var.username
+ emails {
+ primary = true
+ value = var.email
+ }
+
+ name {
+ family_name = var.lastName
+ given_name = var.firstName
+ }
+}
+
+data "aws_identitystore_group" "sso-group" {
+ identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+ alternate_identifier {
+ unique_attribute {
+ attribute_path = "DisplayName"
+ attribute_value = var.groupName
+ }
+ }
+}
+
+resource "aws_identitystore_group_membership" "sso-group-membership" {
+ identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+ group_id = data.aws_identitystore_group.sso-group.group_id
+ member_id = aws_identitystore_user.sso-user.user_id
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/sso-aws-id-store/variables.tf b/modules/security_identity_compliance/sso-aws-id-store/variables.tf
new file mode 100644
index 0000000..4285eef
--- /dev/null
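Review bot: The expression `tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]` is written out three times in sso-aws-id-store/main.tf (the user resource, the group data source and the membership resource); a single `locals { identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0] }` referenced as `local.identity_store_id` keeps the three in step if the lookup ever changes. The `data "aws_identitystore_group" "sso-group"` lookup by `DisplayName` will, as far as I can tell, error during plan/refresh when no matching group exists, which is the precondition the README states but is not visible in the code itself; a comment on the data source such as `# fails at plan time if var.groupName does not match an existing group's DisplayName; the group is managed outside this module` would make the dependency explicit to the next reader. `nickname = var.username` duplicates `user_name` with no comment on why the nickname attribute is set at all; either drop it or note the reason.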
+++ b/modules/security_identity_compliance/sso-aws-id-store/variables.tf
@@ -0,0 +1,5 @@
+variable username {}
+variable firstName {}
+variable lastName {}
+variable email {}
+variable groupName {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/sso-permissionsets/main.tf b/modules/security_identity_compliance/sso-permissionsets/main.tf
index b71bc24..764afc4 100644
--- a/modules/security_identity_compliance/sso-permissionsets/main.tf
+++ b/modules/security_identity_compliance/sso-permissionsets/main.tf
@@ -5,7 +5,7 @@ resource "aws_ssoadmin_permission_set" "pset" {
 description = var.pset-desc
 instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
 session_duration = var.pset-session-duration
- tags = var.default-tags
+ tags = var.default-tags
 }
 
 resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
@@ -14,3 +14,12 @@ resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
 permission_set_arn = aws_ssoadmin_permission_set.pset.arn
 }
 
+# use inline policy for additional permissions. aws sso will populate this policy to target accounts
+# automatically. customer managed policies, on the other hand, needs to be created manually in the target accounts.
+resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
+ count = length(var.inline-policy-json) > 0 ? 1 : 0
+ instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+ permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+ inline_policy = var.inline-policy-json
+}
+
diff --git a/modules/security_identity_compliance/sso-permissionsets/variables.tf b/modules/security_identity_compliance/sso-permissionsets/variables.tf
index f9b7be7..20cd66e 100644
--- a/modules/security_identity_compliance/sso-permissionsets/variables.tf
+++ b/modules/security_identity_compliance/sso-permissionsets/variables.tf
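Review bot: All five variables in sso-aws-id-store/variables.tf are declared as `variable username {}` style with no `type` and no `description`, so a caller can hand `username` or `email` a list or number and the mistake only surfaces when the identity store API rejects the user. Each should carry at least `type = string` and a one-line `description = "..."` stating what the value is used for (for `email`, the primary address set on the identity store user; for `groupName`, the DisplayName of the pre-existing group the user is added to). The same applies to `variable inline-policy-json {}` added in sso-permissionsets/variables.tf. If the repository's Terraform version supports variable validation, a `validation` block on `email` with a simple `can(regex(...))` condition would reject malformed addresses at plan time rather than at the API call.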
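Review bot: `count = length(var.inline-policy-json) > 0 ? 1 : 0` in the new `aws_ssoadmin_permission_set_inline_policy` resource only works as an opt-out when the caller passes an empty string; `inline-policy-json` has no default in variables.tf, and a caller that passes `null` would, as far as I can tell, make `length()` fail at plan rather than skip the resource. Guarding both cases, `count = var.inline-policy-json != null && var.inline-policy-json != "" ? 1 : 0`, makes the opt-out explicit. Because `inline_policy` is sent to the permission set verbatim and, as the comment above it says, is applied in every account the set is assigned to, the resource comment should also state that the document widens the permission set beyond `pset-managed-policy-arn` and is to be reviewed with the same care as a managed policy, e.g. `# NOTE: this document grants additional permissions in every account the permission set is assigned to; review it like a managed policy`. The whitespace-only `tags` change in the first hunk needs nothing further.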
@@ -3,4 +3,4 @@ variable pset-desc {}
 variable pset-session-duration {}
 variable default-tags {}
 variable pset-managed-policy-arn {}
-
+variable inline-policy-json {}
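Review bot: `variable inline-policy-json {}` is added without a `default`, so existing callers of sso-permissionsets that never wanted an inline policy now fail until they pass the new argument, even though the `count` in main.tf is written to skip the resource for an empty value. Declaring it as `default = ""` with `type = string` keeps the change backward-compatible and matches the opt-out the `count` expression expects. If the Terraform version in use supports variable validation, `condition = var.inline-policy-json == "" || can(jsondecode(var.inline-policy-json))` would reject a non-JSON document at plan time instead of at the SSO API, and a `description` should say that the value is a complete IAM policy document in JSON form.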