main.tf
# One IAM Identity Center (identity store) user per entry in var.sso_user_configmap.
# The map key becomes the for_each key; each.value carries the user attributes.
resource "aws_identitystore_user" "aws_user" {
  for_each = var.sso_user_configmap

  # First identity store id; tolist() normalises a set to a list before indexing.
  identity_store_id = tolist(var.identity_store_ids)[0]

  user_name    = each.value.user_name
  display_name = each.value.display_name

  name {
    given_name  = each.value.given_name
    family_name = each.value.family_name
  }

  emails {
    value   = each.value.email
    primary = true
  }

  # Changes to name/emails made outside Terraform are deliberately not reconciled:
  # an e-mail address edited in the identity store will not be reverted by apply,
  # so such drift has to be reviewed out of band if the address is relied upon.
  lifecycle {
    ignore_changes = [name, emails]
  }
}
# One identity store group per entry in var.sso_groups_configmap, keyed by map key.
resource "aws_identitystore_group" "aws_group" {
  for_each = var.sso_groups_configmap

  # First identity store id; tolist() normalises a set to a list before indexing.
  identity_store_id = tolist(var.identity_store_ids)[0]

  description  = each.value.description
  display_name = each.value.display_name
}
# Group memberships, one per (group, user) pair in local.flattened_groups.
# The for_each key "<group_key>-<user_key>" must stay as-is: changing it would
# re-address every membership in state and force destroy/recreate.
# NOTE(review): keys that themselves contain "-" can collide ("a-b"+"c" vs
# "a"+"b-c"); Terraform rejects duplicate for_each keys at plan time, so this
# fails loudly rather than silently, but confirm the naming convention.
resource "aws_identitystore_group_membership" "aws_membership" {
  for_each = {
    for identity in local.flattened_groups :
    format("%s-%s", identity.group_key, identity.user_key) => identity
  }

  identity_store_id = tolist(var.identity_store_ids)[0]

  # Ids are read from the resources above, which also orders creation after them.
  group_id  = aws_identitystore_group.aws_group[each.value.group_key].group_id
  member_id = aws_identitystore_user.aws_user[each.value.user_key].user_id
}
# One permission set per entry in var.sso_permissionsets_configmap.
# session_duration is not set here, so the provider/API default applies.
# NOTE(review): other blocks in this file index this resource by permission-set
# name rather than by map key; that only resolves when each map key equals its
# entry's name — confirm the variable's shape, or index by key instead.
resource "aws_ssoadmin_permission_set" "permissionset" {
  for_each = var.sso_permissionsets_configmap

  instance_arn = tolist(var.ssoadmin_instance_arns)[0]
  name         = each.value.name
  description  = each.value.description
}
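# Inline policy for each permission set whose config supplies one.
# Entries with a null or empty inline_policy are filtered out, so no empty
# policy document is ever sent to the API.
# NOTE(review): the policy JSON is passed through verbatim; any validation of
# the document (e.g. can(jsondecode(...)) in the variable's validation block)
# has to live where var.sso_permissionsets_configmap is declared.
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
  for_each = {
    for k, v in var.sso_permissionsets_configmap :
    k => v if v.inline_policy != null && v.inline_policy != ""
  }

  instance_arn  = tolist(var.ssoadmin_instance_arns)[0]
  inline_policy = each.value.inline_policy

  # Index by the shared map key rather than each.value.name: both resources
  # iterate the same map, so each.key always exists in the permission set's
  # for_each, whereas a name that differs from its key would either fail to
  # plan or attach the policy to a different permission set.
  permission_set_arn = aws_ssoadmin_permission_set.permissionset[each.key].arn
}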
# AWS-managed policy attachments, one per (permission set name, policy ARN)
# pair from local.flattened_managed_policy_attachments.
# NOTE(review): the set of attachable ARNs is unconstrained here; any gate on
# which managed policies may be attached belongs in the variable's validation
# or the calling configuration.
resource "aws_ssoadmin_managed_policy_attachment" "managed_policy_attachment" {
  for_each = {
    for i in local.flattened_managed_policy_attachments :
    format("%s-%s", i.permission_set_name, i.managed_policy_arn) => i
  }

  instance_arn       = tolist(var.ssoadmin_instance_arns)[0]
  managed_policy_arn = each.value.managed_policy_arn
  permission_set_arn = aws_ssoadmin_permission_set.permissionset[each.value.permission_set_name].arn

  # Ordered after both account-assignment resources below — presumably so the
  # attachment is applied to permission sets that are already assigned; confirm
  # against the provider documentation for this resource.
  depends_on = [
    aws_ssoadmin_account_assignment.sso_account_user,
    aws_ssoadmin_account_assignment.sso_account_group,
  ]
}
# User account assignments: one per (account, username, permission set) triple
# from local.flatten_user_configurations.
# Principals and permission sets are resolved through data sources declared
# outside this block (data.aws_identitystore_user.aws_user and
# data.aws_ssoadmin_permission_set.aws_user_permissionset), not through the
# resources above.
# NOTE(review): if those lookups are meant to find users/permission sets created
# in the same apply, confirm the data sources are ordered after the resources.
resource "aws_ssoadmin_account_assignment" "sso_account_user" {
  for_each = {
    for config in local.flatten_user_configurations :
    format("%s.%s.%s", config.account, config.username, config.permissionset) => config
  }

  instance_arn = tolist(var.ssoadmin_instance_arns)[0]

  target_type = "AWS_ACCOUNT"
  target_id   = each.value.account

  principal_type = "USER"
  principal_id   = data.aws_identitystore_user.aws_user[format("%s.%s", each.value.account, each.value.username)].user_id

  permission_set_arn = data.aws_ssoadmin_permission_set.aws_user_permissionset[each.key].arn
}
# Group account assignments: one per (account, groupname, permission set) triple
# from local.flatten_group_configurations.
# Principals and permission sets are resolved through data sources declared
# outside this block (data.aws_identitystore_group.aws_group and
# data.aws_ssoadmin_permission_set.aws_group_permissionset), not through the
# resources above.
# NOTE(review): if those lookups are meant to find groups/permission sets created
# in the same apply, confirm the data sources are ordered after the resources.
resource "aws_ssoadmin_account_assignment" "sso_account_group" {
  for_each = {
    for config in local.flatten_group_configurations :
    format("%s.%s.%s", config.account, config.groupname, config.permissionset) => config
  }

  instance_arn = tolist(var.ssoadmin_instance_arns)[0]

  target_type = "AWS_ACCOUNT"
  target_id   = each.value.account

  principal_type = "GROUP"
  principal_id   = data.aws_identitystore_group.aws_group[format("%s.%s", each.value.account, each.value.groupname)].group_id

  permission_set_arn = data.aws_ssoadmin_permission_set.aws_group_permissionset[each.key].arn
}