harrison-ai · DavideNale · Feb 17, 2025 · Feb 18, 2025 · Feb 26, 2025 · Feb 26, 2025
@@ -7,6 +7,39 @@ resource "aws_ssoadmin_permission_set" "this" {
   session_duration = try(each.value.session_duration, "PT12H")
 }
 
+#  attaches permission boundaries
+resource "aws_ssoadmin_permissions_boundary_attachment" "this" {
+  for_each = {
+    for p in concat(var.managed_permission_sets, var.inline_permission_sets) :
+    p.name => p if p.permissions_boundary != null
+  }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+
+  #  the two dynamic blocks are enforced to be mutually exclusive
+  #  sets customer_managed policy if not null
+  dynamic "permissions_boundary" {
+    for_each = each.value.permissions_boundary.customer_managed_policy_reference != null ? [each.value.permissions_boundary.customer_managed_policy_reference] : []
+    content {
+      dynamic "customer_managed_policy_reference" {
+        for_each = [permissions_boundary.value]
+        content {
+          name = customer_managed_policy_reference.value.name
+          path = customer_managed_policy_reference.value.path
+        }
+      }
+    }
+  }
+
+  #  sets managed_policy_arn if not null
+  dynamic "permissions_boundary" {
+    for_each = each.value.permissions_boundary.managed_policy_arn != null ? [each.value.permissions_boundary.managed_policy_arn] : []
+    content {
+      managed_policy_arn = permissions_boundary.value
+    }
+  }
+}
 
 #  attaches an AWS Managed IAM Policy to a permission set
 resource "aws_ssoadmin_managed_policy_attachment" "this" {

@@ -1,11 +1,55 @@
 variable "managed_permission_sets" {
-  type        = list(any)
+  type = list(object({
+    name              = string
+    description       = string
+    attached_policies = list(string)
+    session_duration  = optional(string, "PT12H")
+    permissions_boundary = optional(object({
+      managed_policy_arn = optional(string)
+      customer_managed_policy_reference = optional(object({
+        name = string
+        path = optional(string, "/")
+      }))
+    }))
+  }))
   description = "List of the required Permission Sets that contain AWS Managed Policies"
+
+  validation {
+    condition = alltrue([
+      for ps in var.managed_permission_sets :
+      ps.permissions_boundary == null ||
+      (ps.permissions_boundary.managed_policy_arn != null) !=
+      (ps.permissions_boundary.customer_managed_policy_reference != null)
+    ])
+    error_message = "When permissions_boundary is set, exactly one of managed_policy_arn or customer_managed_policy_reference must be provided."
+  }
 }
 
 variable "inline_permission_sets" {
-  type        = list(any)
+  type = list(object({
+    name             = string
+    description      = string
+    inline_policy    = string
+    session_duration = optional(string)
-    session_duration = optional(string)
+    session_duration = optional(string, "PT12H")
-    session_duration = optional(string)
+    session_duration = optional(string, "PT12H")
+    permissions_boundary = optional(object({
+      managed_policy_arn = optional(string)
+      customer_managed_policy_reference = optional(object({
+        name = string
+        path = optional(string, "/")
+      }))
+    }))
+  }))
   description = "List of the required Permission Sets that are comprised of inline IAM Policies"
+
+  validation {
+    condition = alltrue([
+      for ps in var.inline_permission_sets :
+      ps.permissions_boundary == null ||
+      (ps.permissions_boundary.managed_policy_arn != null) !=
+      (ps.permissions_boundary.customer_managed_policy_reference != null)
+    ])
+    error_message = "When permissions_boundary is set, exactly one of managed_policy_arn or customer_managed_policy_reference must be provided."
+  }
 }
 
 variable "sso_groups" {