This module is intended to run in the delegated identity administrator account for IAM Identity Center. It provisions permission sets and assigns them to groups and accounts, so that permissions for an AWS landing zone can be managed through Terraform CI/CD in the Identity account.
Usage:

```hcl
module "permission_sets" {
  source = "github.com/thoughtbot/terraform-aws-iam-permission-sets?ref=VERSION"

  # Define your permission sets here. You can include managed policies as well
  # as an inline policy.
  permission_sets = [
    {
      description      = "Describe what your permission set allows"
      managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
      name             = "Example"
    }
  ]

  # For each group, assign a list of permission sets to each account.
  group_assignments = {
    "aws-admins@example.com" = {
      Identity   = ["Example"]
      Production = ["Example"]
      Sandbox    = ["Example"]
    }
  }

  # Because the identity account doesn't have access to list the accounts in the
  # AWS organization, any accounts to which you'd like to assign permission sets
  # must be explicitly listed here.
  account_ids = {
    Identity   = "123456789010"
    Production = "123456789010"
    Sandbox    = "123456789010"
  }

  # How long a user can assume a permission set without logging in again.
  default_session_duration = "PT8H"
}
```
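A typo in `group_assignments` (a permission set name or account name that is never defined) only surfaces at `terraform apply`, and a mistyped account ID can grant access in the wrong account. The following pre-apply check is an added example, not part of the module: it reads the module's three inputs from a `.tfvars.json` document (the constructed sample below deliberately contains mistakes) and reports dangling references, malformed account IDs and a non-ISO-8601 session duration.

```python
"""Pre-apply consistency check for the module's inputs (added example, not module code)."""
import json
import re

# Constructed sample in .tfvars.json form, mirroring the Usage block but seeded with
# four mistakes: a 5-digit account id, a misspelled permission set, an account name
# that is not in account_ids, and a session duration that is not ISO 8601.
SAMPLE_TFVARS_JSON = json.dumps({
    "permission_sets": [{"name": "Example", "description": "PowerUser in all accounts",
                         "managed_policies": ["arn:aws:iam::aws:policy/PowerUserAccess"]}],
    "group_assignments": {
        "aws-admins@example.com": {"Identity": ["Example"], "Production": ["Example"]},
        "aws-devs@example.com": {"Sandbox": ["Exmaple"], "Staging": ["Example"]},
    },
    "account_ids": {"Identity": "123456789010", "Production": "123456789010", "Sandbox": "12345"},
    "default_session_duration": "8h",
})

# IAM Identity Center expects an ISO 8601 duration such as PT8H or PT1H30M.
DURATION_RE = re.compile(r"^PT(?=\d)(?:\d+H)?(?:\d+M)?$")


def validate(tfvars_json: str) -> list[str]:
    """Return a list of problems; an empty list means the inputs are consistent."""
    cfg = json.loads(tfvars_json)
    defined_sets = {ps["name"] for ps in cfg["permission_sets"]}
    accounts = cfg["account_ids"]
    problems = []
    # Every account id must be a 12-digit AWS account id.
    for account, account_id in accounts.items():
        if not re.fullmatch(r"\d{12}", account_id):
            problems.append(f"account {account}: id {account_id!r} is not a 12-digit AWS account id")
    # Every assignment must reference a listed account and a defined permission set.
    for group, per_account in cfg["group_assignments"].items():
        for account, sets in per_account.items():
            if account not in accounts:
                problems.append(f"group {group}: account {account!r} missing from account_ids")
            for ps in sets:
                if ps not in defined_sets:
                    problems.append(f"group {group}/{account}: permission set {ps!r} not defined")
    if not DURATION_RE.fullmatch(cfg.get("default_session_duration", "")):
        problems.append("default_session_duration must be an ISO 8601 duration such as PT8H")
    return problems


if __name__ == "__main__":
    for line in validate(SAMPLE_TFVARS_JSON):
        print(line)
```

Run it against your real `.tfvars.json` (for example `terraform.tfvars.json`) in CI before `terraform plan`, and fail the job if the returned list is not empty.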
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.4.0 |
| aws | ~> 5.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |

Modules:

No modules.

Resources:

| Name | Type |
|---|---|
| aws_ssoadmin_account_assignment.groups | resource |
| aws_ssoadmin_customer_managed_policy_attachment.this | resource |
| aws_ssoadmin_managed_policy_attachment.this | resource |
| aws_ssoadmin_permission_set.this | resource |
| aws_ssoadmin_permission_set_inline_policy.this | resource |
| aws_identitystore_group.this | data source |
| aws_ssoadmin_instances.this | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_ids | Account ID for each account name referenced in an assignment | map(string) | n/a | yes |
| default_session_duration | Session duration for permission sets without an explicit value | string | n/a | yes |
| group_assignments | Permission sets to be assigned to each group and account | map(map(list(string))) | n/a | yes |
| permission_sets | Permission sets which should be defined by this module | list(object({ | n/a | yes |

Outputs:

No outputs.