AWS CDK SSO Permission Sets
// Create Permission Sets and Assign to Groups and Accounts | |
// Full code available here: https://github.com/markilott/aws-cdk-sso-permission-sets | |
// List of Accounts in the Organisation
// Keys are the short names referenced from each permission set's `accounts`
// list below; values are the AWS account IDs used as the CfnAssignment
// targetId. The three placeholder values here are identical — replace each
// with the real 12-digit account ID before deploying. Note that because the
// account ID is also part of the assignment construct id, two short names
// mapping to the same ID will collide when a set targets both of them.
const accountList = {
  master: '123456789',
  prod: '123456789',
  dev: '123456789',
};
// List of Groups in SSO
// Keys are the short names referenced from each permission set's `groups`
// list below; values are the SSO / IAM Identity Center group IDs used as the
// CfnAssignment principalId (principalType 'GROUP'). The trailing
// 'xxxxxxxxxxxx' segments are placeholders to be replaced with the real IDs.
const groupList = {
  Developers: '9a67298558-5b31f15d-c107-4be6-a115-xxxxxxxxxxxx',
  ReadOnly: '9a67298558-8fb7193d-7b2f-4161-a372-xxxxxxxxxxxx',
};
// Example Inline Policy
// Attached as the inline policy of both permission sets below, so it applies
// inside every account a set is assigned to (including `master`).
// NOTE(review): both statements use Resource '*'. That is every EC2 instance
// and every S3 object the account can reach, with no tag or ARN condition —
// acceptable for a test fixture, but scope the Resource (and ideally add
// conditions) before reusing this document for real access.
const examplePolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      // Lifecycle control (not launch/terminate) over all instances in the account
      Sid: 'ManageEc2',
      Effect: 'Allow',
      Action: [
        'ec2:RebootInstances',
        'ec2:StartInstances',
        'ec2:StopInstances',
      ],
      Resource: '*',
    },
    {
      // Read and write of objects in any bucket; PutObject on '*' also means
      // overwriting existing objects anywhere in the account
      Sid: 'AllowS3Objects',
      Effect: 'Allow',
      Action: [
        's3:PutObject',
        's3:GetObject',
      ],
      Resource: '*',
    },
  ],
};
// Permission Set Configuration
// One entry per permission set. Each set is created once and then assigned to
// every (account, group) combination listed, so a set with 2 accounts and
// 2 groups yields 4 assignments.
//   name            - permission set name; also used to build the CDK
//                     construct ids, so it must be unique within this list
//   description     - free text shown against the permission set
//   sessionDuration - session length in hours (converted to ISO-8601 below)
//   accounts        - keys of accountList the set is assigned in
//   groups          - keys of groupList that receive the set
//   managedPolicies - AWS managed policy ARNs attached to the set
//   inlinePolicy    - inline policy document attached to the set
const permisssionSets = [
  {
    name: 'Example_Permission_Set1',
    description: 'For testing Permission set updates',
    sessionDuration: 2,
    // NOTE(review): this set lands in prod and master and is granted to the
    // ReadOnly group as well as Developers, while its inline policy allows
    // EC2 start/stop/reboot and s3:PutObject on '*'. Fine for a test
    // fixture; do not copy this shape into a real configuration.
    accounts: [
      'prod',
      'master',
    ],
    groups: [
      'Developers',
      'ReadOnly',
    ],
    // List of AWS Managed Policy Arns
    managedPolicies: [
      'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
    ],
    // Custom Inline Policy JSON
    inlinePolicy: examplePolicy,
  },
  {
    name: 'Example_Permission_Set2',
    description: 'For testing Permission set updates',
    sessionDuration: 4,
    // dev only, Developers only — the narrower of the two examples
    accounts: [
      'dev',
    ],
    groups: [
      'Developers',
    ],
    // List of AWS Managed Policy Arns
    managedPolicies: [],
    // Custom Inline Policy JSON
    inlinePolicy: examplePolicy,
  },
];
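// CDK to create the Permission Sets
// Create and Assign Permission set for each configuration.
// For every entry in `permisssionSets` this creates one CfnPermissionSet and
// then one CfnAssignment per (account, group) pair. It relies on `this` (the
// enclosing construct), `instanceArn` (the SSO instance), `accountList`,
// `groupList`, `moment`, `CfnPermissionSet` and `CfnAssignment` all being in
// the surrounding scope.
permisssionSets.forEach((set) => {
  const {
    name, description, sessionDuration, accounts, groups, managedPolicies, inlinePolicy,
  } = set;

  // Validate at synth time rather than at deploy time. IAM Identity Center
  // only accepts permission-set session durations between 1 and 12 hours.
  if (!Number.isFinite(sessionDuration) || sessionDuration < 1 || sessionDuration > 12) {
    throw new Error(`Permission set ${name}: sessionDuration must be 1-12 hours, got ${sessionDuration}`);
  }

  // Create the Permission Set
  const permissionSet = new CfnPermissionSet(this, `${name}_Set`, {
    name,
    description,
    instanceArn,
    // CloudFormation wants an ISO-8601 duration string, e.g. 2 hours -> 'PT2H'
    sessionDuration: moment.duration(sessionDuration, 'hours').toISOString(),
    inlinePolicy,
    managedPolicies,
  });

  // Assign to Accounts and Groups.
  // A typo in `accounts` or `groups` would otherwise resolve to `undefined`
  // and surface later with a less clear error (missing targetId/principalId),
  // so resolve each short name up front and fail with the offending key.
  accounts.forEach((acc) => {
    const accNum = accountList[acc];
    if (accNum === undefined) {
      throw new Error(`Permission set ${name}: unknown account '${acc}' (not in accountList)`);
    }
    groups.forEach((group) => {
      const groupId = groupList[group];
      if (groupId === undefined) {
        throw new Error(`Permission set ${name}: unknown group '${group}' (not in groupList)`);
      }
      // Construct id embeds the account ID, so two short names resolving to
      // the same account within one set will collide here.
      new CfnAssignment(this, `${name}_${accNum}_${group}_Assignment`, {
        instanceArn,
        permissionSetArn: permissionSet.attrPermissionSetArn,
        principalId: groupId,
        principalType: 'GROUP',
        targetId: accNum,
        targetType: 'AWS_ACCOUNT',
      });
    });
  });
});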
}); |