diff --git a/modules/sso/main.tf b/modules/sso/main.tf
index fd60ac8..5ac6af4 100644
--- a/modules/sso/main.tf
+++ b/modules/sso/main.tf
@@ -4,9 +4,42 @@ resource "aws_ssoadmin_permission_set" "this" {
   name = each.value.name
   description = each.value.description
   instance_arn = local.sso_instance_arn
-  session_duration = try(each.value.session_duration, "PT12H")
+  session_duration = each.value.session_duration
 }
 
+# attaches permission boundaries
+resource "aws_ssoadmin_permissions_boundary_attachment" "this" {
+  for_each = {
+    for p in concat(var.managed_permission_sets, var.inline_permission_sets) :
+    p.name => p if p.permissions_boundary != null
+  }
+
+  instance_arn = local.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+
+  # the two dynamic blocks are enforced to be mutually exclusive
+  # sets customer_managed policy if not null
+  dynamic "permissions_boundary" {
+    for_each = each.value.permissions_boundary.customer_managed_policy_reference != null ? [each.value.permissions_boundary.customer_managed_policy_reference] : []
+    content {
+      dynamic "customer_managed_policy_reference" {
+        for_each = [permissions_boundary.value]
+        content {
+          name = customer_managed_policy_reference.value.name
+          path = customer_managed_policy_reference.value.path
+        }
+      }
+    }
+  }
+
+  # sets managed_policy_arn if not null
+  dynamic "permissions_boundary" {
+    for_each = each.value.permissions_boundary.managed_policy_arn != null ? [each.value.permissions_boundary.managed_policy_arn] : []
+    content {
+      managed_policy_arn = permissions_boundary.value
+    }
+  }
+}
 
 # attaches an AWS Managed IAM Policy to a permission set
 resource "aws_ssoadmin_managed_policy_attachment" "this" {
diff --git a/modules/sso/variables.tf b/modules/sso/variables.tf
index 0110acb..95fb21e 100644
--- a/modules/sso/variables.tf
+++ b/modules/sso/variables.tf
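Review bot: The `for_each` of the new aws_ssoadmin_permissions_boundary_attachment resource keys by `p.name` over the concatenation of both variable lists, so a permission set that appears in both `managed_permission_sets` and `inline_permission_sets` produces a duplicate-key error at plan time; if that overlap is meant to be impossible, a validation on the variables, or a key that also encodes which list the entry came from, would make the constraint explicit. The lookup `aws_ssoadmin_permission_set.this[each.key]` assumes the permission-set resource is keyed by `name` as well, and its `for_each` is outside the hunk, so that cannot be confirmed from here. The comment `# the two dynamic blocks are enforced to be mutually exclusive` should say where the enforcement lives, e.g. `# exactly one of managed_policy_arn / customer_managed_policy_reference is guaranteed by the variable validation in variables.tf; two permissions_boundary blocks would be rejected by the provider`. It is also worth a comment on the customer_managed_policy_reference branch that the boundary is resolved by name and path in each target account, so the policy presumably has to exist there before the permission set is provisioned.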
@@ -1,11 +1,58 @@
 variable "managed_permission_sets" {
-  type = list(any)
+  type = list(object({
+    name = string
+    description = string
+    attached_policies = list(string)
+    session_duration = optional(string, "PT12H")
+    permissions_boundary = optional(object({
+      managed_policy_arn = optional(string)
+      customer_managed_policy_reference = optional(object({
+        name = string
+        path = optional(string, "/")
+      }))
+    }))
+  }))
   description = "List of the required Permission Sets that contain AWS Managed Policies"
+
+  validation {
+    condition = alltrue([
+      for ps in var.managed_permission_sets :
+      ps.permissions_boundary == null ||
+      (
+        (try(ps.permissions_boundary.managed_policy_arn, null) != null) !=
+        (try(ps.permissions_boundary.customer_managed_policy_reference, null) != null)
+      )
+    ])
+    error_message = "When permissions_boundary is set, exactly one of managed_policy_arn or customer_managed_policy_reference must be provided."
+  }
 }
 
 variable "inline_permission_sets" {
-  type = list(any)
+  type = list(object({
+    name = string
+    description = string
+    inline_policy = string
+    session_duration = optional(string, "PT12H")
+    permissions_boundary = optional(object({
+      managed_policy_arn = optional(string)
+      customer_managed_policy_reference = optional(object({
+        name = string
+        path = optional(string, "/")
+      }))
+    }))
+  }))
   description = "List of the required Permission Sets that are comprised of inline IAM Policies"
+  validation {
+    condition = alltrue([
+      for ps in var.inline_permission_sets :
+      ps.permissions_boundary == null ||
+      (
+        (try(ps.permissions_boundary.managed_policy_arn, null) != null) !=
+        (try(ps.permissions_boundary.customer_managed_policy_reference, null) != null)
+      )
+    ])
+    error_message = "When permissions_boundary is set, exactly one of managed_policy_arn or customer_managed_policy_reference must be provided."
+  }
 }
 
 variable "sso_groups" {
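Review bot: `managed_policy_arn` is typed as a bare `optional(string)` in both variables, so a malformed ARN or a customer-managed policy ARN passed where an AWS managed one is expected is only rejected by the provider at apply time; a plan-time check in the same validation block, e.g. `ps.permissions_boundary == null || ps.permissions_boundary.managed_policy_arn == null || can(regex("^arn:aws[a-z-]*:iam::aws:policy/", ps.permissions_boundary.managed_policy_arn))`, would surface that earlier, and the same applies to `session_duration`, which the provider presumably bounds as an ISO-8601 duration. The `try(..., null)` wrappers in the exclusivity conditions are redundant now that `permissions_boundary` is a typed object whose unset optional attributes are already null, so `ps.permissions_boundary.managed_policy_arn != null` reads more directly. The nested object type and the validation block are duplicated verbatim between `managed_permission_sets` and `inline_permission_sets`; since a variable's type cannot reference a local, a comment such as `# keep in sync with inline_permission_sets` on each would at least keep the two from drifting. The descriptions of both variables still do not mention `session_duration` or `permissions_boundary`.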