Configuring AWS SSO: https://danquack.dev/blog/configuring-aws-sso/

data.tf

data "aws_ssoadmin_instances" "this" {}
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}

inline_policy.tf

data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

managed_policy.tf

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arn)
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

permission_set.tf

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # Set this duration to the time you desire
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

ssoadmin_account_assignment.tf

data "aws_organizations_organization" "this" {}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
}