@SodaDev
Created November 17, 2022 22:36
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: SSO Account Setup
Parameters:
  InstanceARN:
    Type: String
    AllowedPattern: arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}
    Description: 'Enter AWS SSO InstanceARN. Ex: arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx'
    ConstraintDescription: AWS SSO InstanceARN - gather with aws sso-admin list-instances
  IdentityStoreId:
    Type: String
    Description: 'Enter AWS SSO IdentityStoreId. Ex: d-1234567890'
Resources:
  ### Permission sets ###
  # Two permission sets: read-only with a longer session, PowerUser with a short one,
  # so the broader role expires sooner.
  ReadOnlyPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceARN
      Name: IaaC-ReadOnlyAccess
      SessionDuration: PT4H
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
  PowerUserPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceARN
      Name: IaaC-PowerUserAccess
      SessionDuration: PT1H
      ManagedPolicies:
        - arn:aws:iam::aws:policy/PowerUserAccess
  ### Groups ###
  # Access is assigned to groups, never to individual users; users only get group memberships.
  DevopsGroup:
    Type: AWS::IdentityStore::Group
    Properties:
      DisplayName: devops
      IdentityStoreId: !Ref IdentityStoreId
  DevopsGroupAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceARN
      PermissionSetArn: !GetAtt PowerUserPermissionSet.PermissionSetArn
      PrincipalId: !GetAtt DevopsGroup.GroupId
      PrincipalType: GROUP
      TargetId: !Ref AWS::AccountId
      TargetType: AWS_ACCOUNT
  QaGroup:
    Type: AWS::IdentityStore::Group
    Properties:
      DisplayName: QAs
      IdentityStoreId: !Ref IdentityStoreId
  QaGroupAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceARN
      PermissionSetArn: !GetAtt ReadOnlyPermissionSet.PermissionSetArn
      PrincipalId: !GetAtt QaGroup.GroupId
      PrincipalType: GROUP
      TargetId: !Ref AWS::AccountId
      TargetType: AWS_ACCOUNT
  ### Users ###
  # Users are created through a custom resource backed by a Lambda function whose ARN
  # is exported by another stack as SsoUserFunction::Arn.
  DevopsUser:
    Type: Custom::IAMIdentityCenterUser
    Properties:
      ServiceToken:
        Fn::ImportValue: SsoUserFunction::Arn
      IdentityStoreId: !Ref IdentityStoreId
      UserName: "devops"
      DisplayName: "some devops user"
      Emails:
        - Value: cloudandsoda+iaac@gmail.com
          Primary: True
          Type: Official
      Name:
        GivenName: "Devops name"
        FamilyName: "Devops surname"
        MiddleName: "SomeMiddleName"
        HonorificPrefix: "Xyz."
        HonorificSuffix: "Q.W.E"
      NickName: "devops guru"
      ProfileUrl: https://some-portalcom/devops
      Addresses:
        - Primary: true
          Type: "Workshop"
          Country: "xx"
          StreetAddress: "AnotherStreet 21"
          Region: "AnotherRegion"
          PostalCode: "00-666"
          Locality: "AnotherLocality"
      PhoneNumbers:
        - Primary: true
          Type: "Mobile"
          Value: "+1 (800) 123-4567"
      UserType: "manager"
      Title: "Maestro"
      PreferredLanguage: "en-us"
      Locale: "en-en"
      Timezone: "GMT+2"
  DevopsUserMembership:
    Type: AWS::IdentityStore::GroupMembership
    Properties:
      IdentityStoreId: !Ref IdentityStoreId
      GroupId: !GetAtt DevopsGroup.GroupId
      MemberId:
        UserId: !GetAtt DevopsUser.UserId
  QaUser:
    Type: Custom::IAMIdentityCenterUser
    Properties:
      ServiceToken:
        Fn::ImportValue: SsoUserFunction::Arn
      IdentityStoreId: !Ref IdentityStoreId
      UserName: "qa"
      DisplayName: "some qa user"
      Emails:
        - Value: cloudandsoda+qa@gmail.com
          Primary: False
          Type: Work
      Name:
        GivenName: "QA name"
        FamilyName: "Qa surname"
        MiddleName: "SomeMiddleName"
        HonorificPrefix: "Xyz."
        HonorificSuffix: "Q.W.E"
      NickName: "devops guru"
      ProfileUrl: https://some-portalcom/qa
      Addresses:
        - Primary: true
          Type: "Home"
          Country: "xx"
          StreetAddress: "SomeStreet 12"
          Region: "SomeRegion"
          PostalCode: "00-000"
          Locality: "SomeLocality"
          Formatted: "SomeStreet 12, SomeRegion, 00-000 xx"
      PhoneNumbers:
        - Primary: false
          Type: "Office"
          Value: "123-456-789"
      UserType: "hard worker"
      Title: "Leader"
      PreferredLanguage: "en-us"
      Locale: "en-en"
      Timezone: "GMT+2"
  QaUserMembership:
    Type: AWS::IdentityStore::GroupMembership
    Properties:
      IdentityStoreId: !Ref IdentityStoreId
      GroupId: !GetAtt QaGroup.GroupId
      MemberId:
        UserId: !GetAtt QaUser.UserId
```
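The template only imports the ARN of the function behind `Custom::IAMIdentityCenterUser` (`SsoUserFunction::Arn`); the function itself is not part of the gist. Below is one assumed implementation of that Lambda, added here as an example and not the gist author's code. It maps the custom resource's `ResourceProperties` onto the Identity Store `CreateUser` API, deletes the user on stack deletion, and always posts a response to CloudFormation so a failure does not leave the stack waiting for its timeout. Two details a practitioner has to get right are shown: CloudFormation delivers scalar custom-resource property values as strings, so the template's `Primary: True` arrives as `"true"` and must be coerced back to a boolean before calling the API; and the function must reject property names the API does not accept rather than silently drop them. The names `build_user_kwargs`, `send_response` and the `SAMPLE_PROPERTIES` input (modelled on the QaUser above) are this example's own choices; the replace-on-update strategy is an assumption, not something the gist states.

```python
"""Assumed Lambda behind Custom::IAMIdentityCenterUser (example, not the gist's code)."""
import json
import urllib.request

# Sent by CloudFormation for its own plumbing; never forwarded to the API.
_CFN_ONLY = {"ServiceToken"}
# Keyword arguments accepted by identitystore CreateUser.
_CREATE_USER_KEYS = {
    "IdentityStoreId", "UserName", "Name", "DisplayName", "NickName", "ProfileUrl",
    "Emails", "Addresses", "PhoneNumbers", "UserType", "Title", "PreferredLanguage",
    "Locale", "Timezone",
}

# Constructed sample, shaped like the QaUser resource above after CloudFormation has
# stringified the scalar values (note "False"/"false" instead of booleans).
SAMPLE_PROPERTIES = {
    "ServiceToken": "arn:aws:lambda:eu-west-1:123456789012:function:SsoUserFunction",
    "IdentityStoreId": "d-1234567890",
    "UserName": "qa",
    "DisplayName": "some qa user",
    "Emails": [{"Value": "cloudandsoda+qa@gmail.com", "Primary": "False", "Type": "Work"}],
    "Name": {"GivenName": "QA name", "FamilyName": "Qa surname"},
    "PhoneNumbers": [{"Primary": "false", "Type": "Office", "Value": "123-456-789"}],
}


def _to_bool(value):
    """Coerce CloudFormation's stringified booleans ("true"/"False") back to bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def _coerce_primary(items):
    """Emails/Addresses/PhoneNumbers entries carry a Primary flag the API wants as bool."""
    fixed = []
    for item in items or []:
        item = dict(item)
        if "Primary" in item:
            item["Primary"] = _to_bool(item["Primary"])
        fixed.append(item)
    return fixed


def build_user_kwargs(props):
    """Turn ResourceProperties into create_user(**kwargs); unknown keys fail loudly."""
    unknown = set(props) - _CREATE_USER_KEYS - _CFN_ONLY
    if unknown:
        raise ValueError(f"unsupported properties: {sorted(unknown)}")
    kwargs = {k: v for k, v in props.items() if k in _CREATE_USER_KEYS}
    for key in ("Emails", "Addresses", "PhoneNumbers"):
        if key in kwargs:
            kwargs[key] = _coerce_primary(kwargs[key])
    return kwargs


def send_response(event, context, status, physical_id, data=None, reason=None):
    """Standard cfn-response: PUT the outcome to the pre-signed ResponseURL."""
    body = json.dumps({
        "Status": status,
        "Reason": reason or f"See log stream {getattr(context, 'log_stream_name', '')}",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context):
    import boto3  # imported lazily so build_user_kwargs is testable without the SDK
    client = boto3.client("identitystore")
    props = event["ResourceProperties"]
    request = event["RequestType"]
    physical_id = event.get("PhysicalResourceId") or event["LogicalResourceId"]
    try:
        if request == "Create":
            physical_id = client.create_user(**build_user_kwargs(props))["UserId"]
        elif request == "Update":
            # Assumption: users are replaced, not edited in place. Returning a new
            # UserId makes CloudFormation delete the old user in its cleanup phase.
            old = event.get("OldResourceProperties", {})
            if old.get("UserName") == props.get("UserName"):
                raise ValueError("in-place attribute updates are not supported; change UserName")
            physical_id = client.create_user(**build_user_kwargs(props))["UserId"]
        else:  # Delete must be idempotent, or a half-created stack can never be torn down
            try:
                client.delete_user(IdentityStoreId=props["IdentityStoreId"], UserId=physical_id)
            except client.exceptions.ResourceNotFoundException:
                pass
        send_response(event, context, "SUCCESS", physical_id, {"UserId": physical_id})
    except Exception as exc:  # report every failure, or the stack waits for its timeout
        send_response(event, context, "FAILED", physical_id, reason=str(exc))


if __name__ == "__main__":
    print(json.dumps(build_user_kwargs(SAMPLE_PROPERTIES), indent=2))
```

The `Data` returned on success is what makes `!GetAtt DevopsUser.UserId` in the template resolve. The function's execution role needs only `identitystore:CreateUser` and `identitystore:DeleteUser` on the identity store, nothing from the `sso` namespace; keep it that narrow, because whoever can update this stack can otherwise create arbitrary identities.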