@danquack

danquack/data.tf Secret

Created Feb 19, 2022
# Discovers the IAM Identity Center (AWS SSO) instance for the current account/region.
# Every consumer below takes element [0] of the returned `arns` / `identity_store_ids`
# sets, i.e. a single instance is assumed.
data "aws_ssoadmin_instances" "this" {
}
# Looks up the Identity Center group that will be granted the account assignments,
# matched on its display name (var.group_name).
data "aws_identitystore_group" "this" {
  # Identity store that backs the first (assumed only) Identity Center instance.
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # var.group_name must be the exact DisplayName of the group created in Identity
  # Center and must identify it uniquely.
  # NOTE(review): newer provider releases deprecate `filter` in favour of
  # `alternate_identifier` — confirm against the pinned provider version.
  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name
  }
}
# Read-only bucket policy, rendered to JSON for the permission set's inline policy.
# Only object reads are granted; listing the bucket would additionally require
# s3:ListBucket on the bucket ARN itself, which is not granted here.
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid    = "0"
    effect = "Allow" # the default, spelled out so the intent is explicit
    actions = ["s3:GetObject"]

    # Sample placeholder — replace with the bucket(s) this permission set may read.
    # Keep the trailing "/*": s3:GetObject applies to objects, not the bucket ARN.
    resources = ["arn:aws:s3:::sample-bucket/*"]
  }
}
# Attaches the rendered read policy as the permission set's inline policy.
resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
}
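# Attaches each AWS-managed policy listed in var.managed_policy_arn to the
# permission set. Despite the singular name the variable is a list of ARNs;
# toset() de-duplicates it and keys each attachment by ARN, so re-ordering the
# list does not recreate attachments.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each = toset(var.managed_policy_arn)

  # Taken from the permission set — as the inline-policy and account-assignment
  # resources do — instead of re-reading the instance data source, so every
  # attachment is tied to the same instance the permission set was created in.
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}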
# The permission set itself; its inline and managed policies are attached by the
# sibling resources in this file.
resource "aws_ssoadmin_permission_set" "this" {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  name         = var.policy_name
  description  = var.policy_description

  # ISO 8601 duration of a console/CLI session obtained through this set.
  # Twelve hours is generous for a read-only set; a shorter value bounds how long
  # a leaked session token stays usable.
  # NOTE(review): PT12H appears to be the service's upper bound — confirm.
  session_duration = "PT12H"
}
# Reads the AWS Organization so that every member account can be targeted below.
# NOTE(review): the `accounts` list is only populated when Terraform runs as the
# management account (or a delegated administrator) — confirm against the docs of
# the pinned provider version.
data "aws_organizations_organization" "this" {
}
# Grants the Identity Center group this permission set in every account the
# organization data source reports. Per the provider's documentation that list
# includes the management account, so the bucket-read access lands there too;
# narrow the for_each set if some accounts must stay out of scope.
resource "aws_ssoadmin_account_assignment" "this" {
  # One assignment per account ID; with toset() each.key is the account ID.
  for_each = toset(data.aws_organizations_organization.this.accounts[*].id)

  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn

  principal_type = "GROUP"
  principal_id   = data.aws_identitystore_group.this.group_id

  target_type = "AWS_ACCOUNT"
  # sensitive() only redacts the account ID from plan/apply output; it is still
  # stored in clear text in the state file, so protect the state backend accordingly.
  target_id = sensitive(each.key)
}