forked from avlcloudtechnologies/terraform-aws-sso
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsso_resources.tf
51 lines (42 loc) · 2.2 KB
/
sso_resources.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
resource "aws_ssoadmin_permission_set" "this" {
for_each = var.permission_sets
name = each.key
# description = each.value.description
description = lookup(each.value, "description", null)
instance_arn = local.ssoadmin_instance_arn
relay_state = lookup(each.value, "relay_state", null)
session_duration = lookup(each.value, "session_duration", null)
tags = lookup(each.value, "tags", {})
}
resource "aws_ssoadmin_permissions_boundary_attachment" "this" {
for_each = {for key,permission_set in var.permission_sets: key => permission_set if permission_set.boundary_customer != null}
instance_arn = local.ssoadmin_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
permissions_boundary {
customer_managed_policy_reference {
name = each.value.boundary_customer
path = "/boundaries/"
}
}
}
resource "aws_ssoadmin_permission_set_inline_policy" "this" {
for_each = { for ps_name, ps_attrs in var.permission_sets : ps_name => ps_attrs if can(ps_attrs.inline_policy) && ps_attrs.inline_policy != null }
inline_policy = each.value.inline_policy
instance_arn = local.ssoadmin_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
}
resource "aws_ssoadmin_managed_policy_attachment" "this" {
for_each = { for ps in local.ps_policy_maps : "${ps.ps_name}.${ps.policy_arn}" => ps }
instance_arn = local.ssoadmin_instance_arn
managed_policy_arn = each.value.policy_arn
permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps_name].arn
}
resource "aws_ssoadmin_account_assignment" "this" {
for_each = { for assignment in local.account_assignments : "${assignment.principal_name}.${assignment.permission_set.name}.${assignment.account_id}" => assignment }
instance_arn = each.value.permission_set.instance_arn
permission_set_arn = each.value.permission_set.arn
principal_id = each.value.principal_type == "GROUP" ? data.aws_identitystore_group.this[each.value.principal_name].id : data.aws_identitystore_user.this[each.value.principal_name].id
principal_type = each.value.principal_type
target_id = each.value.account_id
target_type = "AWS_ACCOUNT"
}