Terraform module to provision and assign permission sets for an AWS landing zone

thoughtbot/terraform-aws-iam-permission-sets

Terraform Modules AWS IAM Identity Center Permission Sets

This module is intended to run in the delegated identity administrator account for IAM Identity Center. This module can be used to provision and assign permission sets to groups and accounts. This allows permissions for an AWS landing zone to be managed via Terraform CI/CD in the Identity account.

Usage:

```hcl
module "permission_sets" {
  source = "github.com/thoughtbot/terraform-aws-iam-permission-sets?ref=VERSION"

  # Define your permission sets here. You can include managed policies as well
  # as an inline policy.
  permission_sets = [
    {
      description      = "Describe what your permission set allows"
      managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
      name             = "Example"
    }
  ]

  # For each group, assign a list of permission sets to each account.
  group_assignments = {
    "aws-admins@example.com.com" = {
      Identity   = ["Example"]
      Production = ["Example"]
      Sandbox    = ["Example"]
    }
  }

  # Because the identity account doesn't have access to list the accounts in the
  # AWS organization, any accounts to which you'd like to assign permission sets
  # must be explicitly listed here.
  account_ids = {
    Identity   = "123456789010"
    Production = "123456789010"
    Sandbox    = "123456789010"
  }

  # How long a user can assume a permission set without logging in again.
  default_session_duration = "PT8H"
}
```
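A fuller configuration, added here as an illustration and not taken from the module's own README, exercising the optional per-set inputs the module accepts (`session_duration`, `relay_state`, `inline_policy`) so that broad PowerUser access is only ever assigned in the Sandbox account while Production gets a narrowly scoped inline policy. Group names, account IDs, the region and the ECS/IAM ARNs are constructed placeholders.

```hcl
module "permission_sets" {
  source = "github.com/thoughtbot/terraform-aws-iam-permission-sets?ref=VERSION"
  permission_sets = [
    {
      # Broad access, but only ever assigned to the Sandbox account below, and
      # with a shorter session than the module-wide default.
      description      = "Power user access for experimentation"
      managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
      name             = "SandboxPowerUser"
      session_duration = "PT4H"
    },
    {
      # Read-only baseline; relay_state lands the user on CloudTrail after sign-in.
      description      = "Read-only access for security review"
      managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
      name             = "Auditor"
      relay_state      = "https://console.aws.amazon.com/cloudtrail/home"
    },
    {
      # Inline policy scoped to one ECS service; no AWS managed policy is narrow
      # enough for Production. Region and ARNs are constructed placeholders.
      description   = "Deploy the app ECS service in Production"
      name          = "AppDeployer"
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect   = "Allow"
            Action   = ["ecs:UpdateService", "ecs:DescribeServices"]
            Resource = "arn:aws:ecs:us-east-1:222222222222:service/app/*"
          },
          {
            # PassRole is limited to the one task role and only towards ECS tasks.
            Effect    = "Allow"
            Action    = "iam:PassRole"
            Resource  = "arn:aws:iam::222222222222:role/app-task-role"
            Condition = { StringEquals = { "iam:PassedToService" = "ecs-tasks.amazonaws.com" } }
          }
        ]
      })
    }
  ]
  group_assignments = {
    "developers@example.com" = { Sandbox = ["SandboxPowerUser"] }
    "security@example.com"   = { Identity = ["Auditor"], Production = ["Auditor"], Sandbox = ["Auditor"] }
    "deployers@example.com"  = { Production = ["AppDeployer"] }
  }
  account_ids              = { Identity = "111111111111", Production = "222222222222", Sandbox = "333333333333" }
  default_session_duration = "PT8H"
}
```

Because `account_ids` is an explicit list, a reviewer can see every account a group may reach from the diff alone; a permission set that is defined but never referenced in `group_assignments` is provisioned but grants nobody access.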

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_ssoadmin_account_assignment.groups | resource |
| aws_ssoadmin_customer_managed_policy_attachment.this | resource |
| aws_ssoadmin_managed_policy_attachment.this | resource |
| aws_ssoadmin_permission_set.this | resource |
| aws_ssoadmin_permission_set_inline_policy.this | resource |
| aws_identitystore_group.this | data source |
| aws_ssoadmin_instances.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_ids | Account ID for each account name referenced in an assignment | `map(string)` | n/a | yes |
| default_session_duration | Session duration for permission sets without an explicit value | `string` | n/a | yes |
| group_assignments | Permission sets to be assigned to each group and account | `map(map(list(string)))` | n/a | yes |
| permission_sets | Permission sets which should be defined by this module | `list(object({ description = string, inline_policy = optional(string), managed_policies = optional(list(string), []), customer_managed_policies = optional(list(string), []), name = string, relay_state = optional(string), session_duration = optional(string) }))` | n/a | yes |

Outputs

No outputs.
