markilott/aws-cdk-sso-permission-set.js

## aws-cdk-sso-permission-set.js
// Create Permission Sets and Assign to Groups and Accounts
// Full code available here: https://github.com/markilott/aws-cdk-sso-permission-sets

// List of Accounts in the Organisation
const accountList = {
    master: '123456789',
    prod: '123456789',
    dev: '123456789',
};

// List of Groups in SSO
const groupList = {
    Developers: '9a67298558-5b31f15d-c107-4be6-a115-xxxxxxxxxxxx',
    ReadOnly: '9a67298558-8fb7193d-7b2f-4161-a372-xxxxxxxxxxxx',
};

// Example Inline Policy
const examplePolicy = {
    Version: '2012-10-17',
    Statement: [
        {
            Sid: 'ManageEc2',
            Effect: 'Allow',
            Action: [
                'ec2:RebootInstances',
                'ec2:StartInstances',
                'ec2:StopInstances',
            ],
            Resource: '*',
        },
        {
            Sid: 'AllowS3Objects',
            Effect: 'Allow',
            Action: [
                's3:PutObject',
                's3:GetObject',
            ],
            Resource: '*',
        },
    ],
};

// Permission Set Configuration
const permisssionSets = [
    {
        name: 'Example_Permission_Set1',
        description: 'For testing Permission set updates',
        sessionDuration: 2,
        accounts: [
            'prod',
            'master',
        ],
        groups: [
            'Developers',
            'ReadOnly',
        ],
        // List of AWS Managed Policy Arns
        managedPolicies: [
            'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
        ],
        // Custom Inline Policy JSON
        inlinePolicy: examplePolicy,
    },
    {
        name: 'Example_Permission_Set2',
        description: 'For testing Permission set updates',
        sessionDuration: 4,
        accounts: [
            'dev',
        ],
        groups: [
            'Developers',
        ],
        // List of AWS Managed Policy Arns
        managedPolicies: [],
        // Custom Inline Policy JSON
        inlinePolicy: examplePolicy,
    },
];

// CDK to create the Permission Sets
// Create and Assign Permission set for each configuration
permisssionSets.forEach((set) => {
    const {
        name, description, sessionDuration, accounts, groups, managedPolicies, inlinePolicy,
    } = set;

    // Create the Permission Set
    const permissionSet = new CfnPermissionSet(this, `${name}_Set`, {
        name,
        description,
        instanceArn,
        sessionDuration: moment.duration(sessionDuration, 'hours').toISOString(),
        inlinePolicy,
        managedPolicies,
    });

    // Assign to Accounts and Groups
    accounts.forEach((acc) => {
        const accNum = accountList[acc];
        groups.forEach((group) => {
            const groupId = groupList[group];
            new CfnAssignment(this, `${name}_${accNum}_${group}_Assignment`, {
                instanceArn,
                permissionSetArn: permissionSet.attrPermissionSetArn,
                principalId: groupId,
                principalType: 'GROUP',
                targetId: accNum,
                targetType: 'AWS_ACCOUNT',
            });
        });
    });
});
	// Create Permission Sets and Assign to Groups and Accounts
	// Full code available here: https://github.com/markilott/aws-cdk-sso-permission-sets

	// List of Accounts in the Organisation
	const accountList = {
	master: '123456789',
	prod: '123456789',
	dev: '123456789',
	};

	// List of Groups in SSO
	const groupList = {
	Developers: '9a67298558-5b31f15d-c107-4be6-a115-xxxxxxxxxxxx',
	ReadOnly: '9a67298558-8fb7193d-7b2f-4161-a372-xxxxxxxxxxxx',
	};

	// Example Inline Policy
	const examplePolicy = {
	Version: '2012-10-17',
	Statement: [
	{
	Sid: 'ManageEc2',
	Effect: 'Allow',
	Action: [
	'ec2:RebootInstances',
	'ec2:StartInstances',
	'ec2:StopInstances',
	],
	Resource: '*',
	},
	{
	Sid: 'AllowS3Objects',
	Effect: 'Allow',
	Action: [
	's3:PutObject',
	's3:GetObject',
	],
	Resource: '*',
	},
	],
	};

	// Permission Set Configuration
	const permisssionSets = [
	{
	name: 'Example_Permission_Set1',
	description: 'For testing Permission set updates',
	sessionDuration: 2,
	accounts: [
	'prod',
	'master',
	],
	groups: [
	'Developers',
	'ReadOnly',
	],
	// List of AWS Managed Policy Arns
	managedPolicies: [
	'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
	],
	// Custom Inline Policy JSON
	inlinePolicy: examplePolicy,
	},
	{
	name: 'Example_Permission_Set2',
	description: 'For testing Permission set updates',
	sessionDuration: 4,
	accounts: [
	'dev',
	],
	groups: [
	'Developers',
	],
	// List of AWS Managed Policy Arns
	managedPolicies: [],
	// Custom Inline Policy JSON
	inlinePolicy: examplePolicy,
	},
	];

	// CDK to create the Permission Sets
	// Create and Assign Permission set for each configuration
	permisssionSets.forEach((set) => {
	const {
	name, description, sessionDuration, accounts, groups, managedPolicies, inlinePolicy,
	} = set;

	// Create the Permission Set
	const permissionSet = new CfnPermissionSet(this, `${name}_Set`, {
	name,
	description,
	instanceArn,
	sessionDuration: moment.duration(sessionDuration, 'hours').toISOString(),
	inlinePolicy,
	managedPolicies,
	});

	// Assign to Accounts and Groups
	accounts.forEach((acc) => {
	const accNum = accountList[acc];
	groups.forEach((group) => {
	const groupId = groupList[group];
	new CfnAssignment(this, `${name}_${accNum}_${group}_Assignment`, {
	instanceArn,
	permissionSetArn: permissionSet.attrPermissionSetArn,
	principalId: groupId,
	principalType: 'GROUP',
	targetId: accNum,
	targetType: 'AWS_ACCOUNT',
	});
	});
	});
	});