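# IAM Identity Center (AWS SSO) permission set module.
#
# Builds one permission set from module variables, attaches an AWS/managed
# policy by ARN, and optionally attaches an inline policy. Everything granted
# here applies in every account the permission set is later assigned to, so
# the policy variables are the security boundary of this module — review
# var.pset-managed-policy-arn and var.inline-policy-json with that in mind.

# Identity Center instances in the current (management or delegated admin) account.
data "aws_ssoadmin_instances" "sso1" {}

locals {
  # There is at most one Identity Center instance per organization, so the
  # first (and only) ARN is the one every resource below must reference.
  # Hoisted here so the lookup is written once. If no instance exists this
  # indexing fails at plan time, which is the desired failure mode.
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
}

resource "aws_ssoadmin_permission_set" "pset" {
  name         = var.pset-name
  description  = var.pset-desc
  instance_arn = local.sso_instance_arn
  # Lifetime of the federated session issued to users of this permission set.
  # The provider expects an ISO 8601 duration (e.g. "PT1H") — confirm the
  # variable carries validation for that. Shorter durations reduce the window
  # in which a stolen session token remains usable.
  session_duration = var.pset-session-duration
  tags             = var.default-tags
}

# Attach an existing managed policy by ARN. NOTE(review): nothing here
# restricts which ARN is supplied; a broad policy such as AdministratorAccess
# will be granted in every assigned account, so the caller is responsible for
# least privilege.
resource "aws_ssoadmin_managed_policy_attachment" "psetatt" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = var.pset-managed-policy-arn
  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
}

# Use an inline policy for additional permissions. Identity Center provisions
# the inline policy into every target account automatically. Customer managed
# policies, by contrast, must already exist (same name and path) in each
# target account before they can be referenced, which is why this module
# favours the inline form.
#
# The resource is created only when a non-empty policy document is supplied.
# `try` guards the case where the variable is null, which `length()` alone
# would reject at plan time; null and "" both mean "no inline policy".
# Because of `count`, refer to this resource as
# aws_ssoadmin_permission_set_inline_policy.pset-inline-policy1[0].
resource "aws_ssoadmin_permission_set_inline_policy" "pset-inline-policy1" {
  count              = try(length(var.inline-policy-json), 0) > 0 ? 1 : 0
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
  inline_policy      = var.inline-policy-json
}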