Merge pull request #103 from answerdigital/sso-inline-policy

cmbuckley · web-flow · commit 757286dccb86 · 2024-01-29T13:04:50.000Z
SSO Permission Set support for inline IAM policies
diff --git a/modules/aws/sso_account_assignment/README.md b/modules/aws/sso_account_assignment/README.md
@@ -25,16 +25,17 @@ to be used with AWS IAM Identity Center.
 | [aws_ssoadmin_account_assignment.to_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
 | [aws_identitystore_group.by_display_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_ssoadmin_instances.identity_center](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_assignments"></a> [assignments](#input\_assignments) | List of assignments between group, account and permission set. The key of each object is the group<br>    name that will be assigned the permissions. Ideally the organisation will use an external identity<br>    provider and this group should be created via SCIM. To also create the groups, enable `create_groups`.<br><br>    • `account_ids`     - (Required) The AWS account IDs to apply the assignment.<br>    • `permission_sets` - (Required) The Permission Sets to be assigned to the group. These should<br>                                     be a subset of the Permission Sets created above. | <pre>map(list(object({<br>    account_ids     = list(string)<br>    permission_sets = list(string)<br>  })))</pre> | n/a | yes |
+| <a name="input_assignments"></a> [assignments](#input\_assignments) | List of assignments between group, account and Permission Set. The key of each object is the group<br>    name that will be assigned the permissions. Ideally the organisation will use an external identity<br>    provider and this group should be created via SCIM. To also create the groups, enable `create_groups`.<br><br>    • `account_ids`     - (Required) The AWS account IDs to apply the assignment.<br>    • `permission_sets` - (Required) The Permission Sets to be assigned to the group. These should<br>                                     be a subset of the Permission Sets created above. | <pre>map(list(object({<br>    account_ids     = list(string)<br>    permission_sets = list(string)<br>  })))</pre> | n/a | yes |
 | <a name="input_create_groups"></a> [create\_groups](#input\_create\_groups) | Whether the module should also create the groups. | `bool` | `false` | no |
-| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | List of permission sets for the organization.<br><br>    • `name`             - (Optional) The name of the Permission Set. The key will be used by default.<br>    • `description`      - (Optional) The description of the Permission Set.<br>    • `managed_policies` - (Required) A list of managed policy names. The prefix `arn:aws:iam::aws:policy/`<br>                                      will be prepended to create the full ARN. | <pre>map(object({<br>    name             = optional(string)<br>    description      = optional(string)<br>    managed_policies = list(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | List of Permission Sets for the organization. Each Permission Set must include AWS managed<br>    policies and/or an IAM inline policy.<br><br>    • `name`              - (Optional) The name of the Permission Set. The key will be used by default.<br>    • `description`       - (Optional) The description of the Permission Set.<br>    • `managed_policies`  - (Optional) A list of AWS-managed policy names. The prefix `arn:aws:iam::aws:policy/`<br>                                       will be prepended to create the full ARN.<br>    • `inline_policy`     - (Optional) An IAM inline policy to attach to the Permission Set. | <pre>map(object({<br>    name             = optional(string)<br>    description      = optional(string)<br>    managed_policies = optional(list(string), [])<br>    inline_policy    = optional(string, "")<br>  }))</pre> | n/a | yes |
 <!-- END_TF_DOCS -->
 
 # Example Usage
@@ -67,3 +68,28 @@ module "iam_example" {
   }
 }
 ```
+
+You can also provide inline IAM policies:
+
+```hcl
+data "aws_iam_policy_document" "example" {
+  statement {
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation",
+    ]
+
+    resources = ["arn:aws:s3:::*"]
+  }
+}
+
+module "iam_example" {
+  # ...
+
+  permission_sets = {
+    S3BucketAccess = {
+      inline_policy = data.aws_iam_policy_document.example.json
+    }
+  }
+}
+```
diff --git a/modules/aws/sso_account_assignment/locals.tf b/modules/aws/sso_account_assignment/locals.tf
@@ -12,6 +12,13 @@ locals {
     ]
   ])
 
+  inline_policies = [
+    for permission_set, options in var.permission_sets : {
+      permission_set = permission_set
+      inline_policy  = options.inline_policy
+    } if options.inline_policy != ""
+  ]
+
   account_assignments = flatten(flatten(flatten([
     for group, assignments in var.assignments : [
       for assignment in assignments : [
diff --git a/modules/aws/sso_account_assignment/main.tf b/modules/aws/sso_account_assignment/main.tf
@@ -22,6 +22,14 @@ resource "aws_ssoadmin_managed_policy_attachment" "this" {
   permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
 }
 
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+  for_each = { for p in local.inline_policies : p.permission_set => p }
+
+  inline_policy      = each.value.inline_policy
+  instance_arn       = local.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
+}
+
 resource "aws_ssoadmin_account_assignment" "to_group" {
   for_each = { for a in local.account_assignments : "${a.account_id}_${a.group}_${a.permission_set}" => a }
 
diff --git a/modules/aws/sso_account_assignment/variables.tf b/modules/aws/sso_account_assignment/variables.tf
@@ -1,25 +1,33 @@
 variable "permission_sets" {
   description = <<EOT
-    List of permission sets for the organization.
-    
-    • `name`             - (Optional) The name of the Permission Set. The key will be used by default.
-    • `description`      - (Optional) The description of the Permission Set.
-    • `managed_policies` - (Required) A list of managed policy names. The prefix `arn:aws:iam::aws:policy/`
-                                      will be prepended to create the full ARN.
+    List of Permission Sets for the organization. Each Permission Set must include AWS managed
+    policies and/or an IAM inline policy.
+
+    • `name`              - (Optional) The name of the Permission Set. The key will be used by default.
+    • `description`       - (Optional) The description of the Permission Set.
+    • `managed_policies`  - (Optional) A list of AWS-managed policy names. The prefix `arn:aws:iam::aws:policy/`
+                                       will be prepended to create the full ARN.
+    • `inline_policy`     - (Optional) An IAM inline policy to attach to the Permission Set.
   EOT
   type = map(object({
     name             = optional(string)
     description      = optional(string)
-    managed_policies = list(string)
+    managed_policies = optional(list(string), [])
+    inline_policy    = optional(string, "")
   }))
+
+  validation {
+    condition     = alltrue([for p, opts in var.permission_sets : (length(opts.managed_policies) > 0 || opts.inline_policy != "")])
+    error_message = "Permission Sets must specify at least one of managed_policies or inline_policy."
+  }
 }
 
 variable "assignments" {
   description = <<EOT
-    List of assignments between group, account and permission set. The key of each object is the group
+    List of assignments between group, account and Permission Set. The key of each object is the group
     name that will be assigned the permissions. Ideally the organisation will use an external identity
     provider and this group should be created via SCIM. To also create the groups, enable `create_groups`.
-    
+
     • `account_ids`     - (Required) The AWS account IDs to apply the assignment.
     • `permission_sets` - (Required) The Permission Sets to be assigned to the group. These should
                                      be a subset of the Permission Sets created above.
