NEW: new SSO modules

modules/security_identity_compliance/sso-aws-id-store/README.md

@@ -0,0 +1,3 @@
+# Module sso-aws-id-store
+This module creates aws sso user using aws's builtin identity store, and put the user in a group. 
+The group must be created in advance.

modules/security_identity_compliance/sso-aws-id-store/main.tf

@@ -0,0 +1,33 @@
+data "aws_ssoadmin_instances" "sso1" {}
+
+resource "aws_identitystore_user" "sso-user" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  display_name      = "${var.firstName} ${var.lastName}"
+  user_name         = var.username
+  nickname          = var.username
+  emails {
+    primary = true
+    value   = var.email
+  }
+
+  name {
+    family_name = var.lastName
+    given_name  = var.firstName
+  }
+}
+
+data "aws_identitystore_group" "sso-group" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = var.groupName
+    }
+  }
+}
+
+resource "aws_identitystore_group_membership" "sso-group-membership" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
+  group_id          = data.aws_identitystore_group.sso-group.group_id
+  member_id         = aws_identitystore_user.sso-user.user_id
+}

modules/security_identity_compliance/sso-aws-id-store/variables.tf

@@ -0,0 +1,5 @@
+variable username {}
+variable firstName {}
+variable lastName {}
+variable email {}
+variable groupName {}

modules/security_identity_compliance/sso-permissionsets/main.tf

@@ -14,3 +14,12 @@ resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
   permission_set_arn = aws_ssoadmin_permission_set.pset.arn
 }
 
+# use inline policy for additional permissions. aws sso will populate this policy to target accounts
+# automatically. customer managed policies, on the other hand, needs to be created manually in the target accounts.
+resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
+  count              = length(var.inline-policy-json) > 0 ? 1 : 0
+  instance_arn       = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
+  inline_policy      = var.inline-policy-json
+}
+

modules/security_identity_compliance/sso-permissionsets/variables.tf

@@ -3,4 +3,4 @@ variable pset-desc {}
 variable pset-session-duration {}
 variable default-tags {}
 variable pset-managed-policy-arn {}
-
+variable inline-policy-json {}