feat: add TerraformAccess, RootAccess permission sets and account_map bypass (#53)

* feat: add TerraformAccess, RootAccess permission sets and idp_groups support

New features:
- Add TerraformPlanAccess permission set (read-only state and account access)
- Add TerraformApplyAccess permission set (read/write state and admin access)
- Add RootAccess permission set (centralized root access via sts:AssumeRoot)
- Add provider-root.tf for root account assignments via profile
- Add idp_groups variable to look up IdP-synced groups
- Add group_ids output combining manual and IdP groups
- Add account_map_enabled variable to toggle between remote state and static mapping
- Add account_map variable for static account ID mapping

Changes:
- Update main.tf to conditionally use account_map module or static variable
- Update main.tf to include new permission sets and idp_groups data source
- Update remote-state.tf with conditional bypass for account_map
- Update variables.tf with new variables
- Update outputs.tf with group_ids output

These changes support the account-map deprecation effort by enabling
profile-based authentication and static account mappings.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove duplicate root provider from providers.tf

The root provider with alias "root" is now defined in provider-root.tf
as a simple profile-based provider. Remove the duplicate definition and
iam_roles_root module from providers.tf to avoid conflict.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: move profile-based providers to mixins folder

Revert providers.tf to include the root provider using account-map and
move the profile-based providers to mixins/ for optional vendoring.

This allows the component to work with account-map out of the box while
still supporting profile-based authentication when using Atmos Auth by
vendoring the mixins.

Changes:
- Restore root provider and iam_roles_root module to src/providers.tf
- Delete src/provider-root.tf (profile-based version)
- Add mixins/providers.tf with profile-based default provider
- Add mixins/provider-root.tf with profile-based root provider
- Update .pre-commit-config.yaml to exclude mixins/ from tflint

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: add versions.tf to mixins for CI provider-pinning checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: remove unnecessary mixins/providers.tf

The main providers.tf is handled by the centralized mixin from
cloudposse-terraform-components/mixins. We only need component-specific
mixins for unique situations like aliased providers (provider-root.tf).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: simplify account_map lookup to always use module outputs

Since module.account_map.outputs provides values from either remote state
(when account_map_enabled is true) or from the static var.account_map
defaults (when bypassed), we can always reference module.account_map.outputs
directly without conditional logic.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: milldr

.pre-commit-config.yaml

@@ -26,9 +26,10 @@ repos:
     rev: v1.81.0
     hooks:
       - id: terraform_fmt
+        exclude: "mixins/"
       - id: terraform_docs
         args: ["--args=--lockfile=false"]
       - id: terraform_tflint
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
-        exclude: "context.tf$"
+        exclude: "(context.tf$|mixins/)"

mixins/.tflint.hcl

@@ -0,0 +1,5 @@
+# Disable tflint for mixins - these are partial terraform files
+# that are vendored into other components
+config {
+  disabled_by_default = true
+}

mixins/provider-root.tf

@@ -0,0 +1,20 @@
+# This mixin replaces the root provider in providers.tf to use
+# profile-based authentication instead of the account-map module.
+# Use this when deploying with Atmos Auth profiles.
+#
+# When using this mixin, you must also use a providers.tf mixin that
+# removes the root provider block and iam_roles_root module.
+
+variable "root_profile_name" {
+  type        = string
+  description = "The profile name to use for the root account"
+  default     = "core-root/terraform"
+}
+
+provider "aws" {
+  # The AWS provider to use to make changes in the root account
+  alias  = "root"
+  region = var.region
+
+  profile = var.root_profile_name
+}

mixins/versions.tf

@@ -0,0 +1,13 @@
+# This file exists to satisfy CI provider-pinning checks.
+# When vendored, the main component's versions.tf takes precedence.
+
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}

src/main.tf

@@ -1,6 +1,8 @@
 locals {
   enabled = module.this.enabled
 
+  # module.account_map.outputs provides values from either remote state (when enabled)
+  # or from the static var.account_map defaults (when bypassed)
   account_map  = module.account_map.outputs.full_account_map
   root_account = local.account_map[module.account_map.outputs.root_account_account_name]
 
@@ -73,6 +75,20 @@ resource "aws_identitystore_group" "manual" {
   identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
 }
 
+# Look up IdP-managed groups (synced from Google Workspace, Okta, etc.)
+data "aws_identitystore_group" "idp" {
+  for_each = toset(var.idp_groups)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = each.key
+    }
+  }
+}
+
 module "permission_sets" {
   source  = "cloudposse/sso/aws//modules/permission-sets"
   version = "1.2.0"
@@ -86,6 +102,9 @@ module "permission_sets" {
     local.identity_access_permission_sets,
     local.poweruser_access_permission_set,
     local.read_only_access_permission_set,
+    local.root_access_permission_set,
+    local.terraform_plan_access_permission_set,
+    local.terraform_apply_access_permission_set,
     local.terraform_update_access_permission_set,
   )
 

src/outputs.tf

@@ -9,6 +9,9 @@ output "sso_account_assignments" {
 }
 
 output "group_ids" {
-  value       = { for group_key, group_output in aws_identitystore_group.manual : group_key => group_output.group_id }
-  description = "Group IDs created for Identity Center"
+  value = merge(
+    { for group_key, group_output in aws_identitystore_group.manual : group_key => group_output.group_id },
+    { for group_key, group_output in data.aws_identitystore_group.idp : group_key => group_output.group_id }
+  )
+  description = "Group IDs for Identity Center (includes both manually created and IdP-synced groups)"
 }

src/policy-RootAccess.tf

@@ -0,0 +1,31 @@
+locals {
+  root_access_permission_set = [{
+    name             = "RootAccess",
+    description      = "Allow centralized root access to member accounts via sts:AssumeRoot",
+    relay_state      = "",
+    session_duration = var.session_duration,
+    tags             = {},
+    inline_policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [{
+        Sid      = "AssumeRootAccess"
+        Effect   = "Allow"
+        Action   = "sts:AssumeRoot"
+        Resource = "arn:${local.aws_partition}:iam::*:root"
+        Condition = {
+          StringEquals = {
+            "sts:TaskPolicyArn" = [
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMAuditRootUserCredentials",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMCreateRootUserPassword",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMDeleteRootUserCredentials",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/S3UnlockBucketPolicy",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/SQSUnlockQueuePolicy"
+            ]
+          }
+        }
+      }]
+    })
+    policy_attachments                  = []
+    customer_managed_policy_attachments = []
+  }]
+}

src/policy-TerraformAccess.tf

@@ -0,0 +1,135 @@
+# Shared variables for Terraform state backend access
+variable "tf_access_bucket_arn" {
+  type        = string
+  description = "The ARN of the S3 bucket for the Terraform state backend."
+  default     = ""
+}
+
+variable "tf_access_dynamodb_table_arn" {
+  type        = string
+  description = "The ARN of the DynamoDB table for the Terraform state backend."
+  default     = ""
+}
+
+variable "tf_access_role_arn" {
+  type        = string
+  description = "The ARN of the IAM role for accessing the Terraform state backend."
+  default     = ""
+}
+
+locals {
+  tf_access_enabled = module.this.enabled && var.tf_access_bucket_arn != "" && var.tf_access_role_arn != ""
+
+  # Terraform Plan Access permission set
+  terraform_plan_access_permission_set = local.tf_access_enabled ? [{
+    name                                = "TerraformPlanAccess",
+    description                         = "Allow read-only access to Terraform state for planning",
+    relay_state                         = "",
+    session_duration                    = var.session_duration,
+    tags                                = {},
+    inline_policy                       = one(data.aws_iam_policy_document.terraform_plan_access[*].json),
+    policy_attachments                  = ["arn:${local.aws_partition}:iam::aws:policy/ReadOnlyAccess"]
+    customer_managed_policy_attachments = []
+  }] : []
+
+  # Terraform Apply Access permission set
+  terraform_apply_access_permission_set = local.tf_access_enabled ? [{
+    name                                = "TerraformApplyAccess",
+    description                         = "Allow full access to Terraform state and account for applying changes",
+    relay_state                         = "",
+    session_duration                    = var.session_duration,
+    tags                                = {},
+    inline_policy                       = one(data.aws_iam_policy_document.terraform_apply_access[*].json),
+    policy_attachments                  = ["arn:${local.aws_partition}:iam::aws:policy/AdministratorAccess"]
+    customer_managed_policy_attachments = []
+  }] : []
+}
+
+# Terraform Plan Access - Read-only state access, read-only account access
+data "aws_iam_policy_document" "terraform_plan_access" {
+  count = local.tf_access_enabled ? 1 : 0
+
+  # Read-only access to Terraform state S3 bucket
+  statement {
+    sid    = "TerraformStateBackendS3BucketReadOnly"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+    ]
+    resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
+  }
+
+  # Allow assuming the Terraform state backend role (needed to read state)
+  statement {
+    sid    = "TerraformStateBackendAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+      "sts:SetSourceIdentity",
+    ]
+    resources = [var.tf_access_role_arn]
+  }
+
+  # Allow EC2 DescribeRegions - required by many Terraform modules for region validation
+  statement {
+    sid    = "EC2DescribeRegions"
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeRegions",
+    ]
+    resources = ["*"]
+  }
+}
+
+# Terraform Apply Access - Read/write state access, admin account access
+data "aws_iam_policy_document" "terraform_apply_access" {
+  count = local.tf_access_enabled ? 1 : 0
+
+  statement {
+    sid    = "TerraformStateBackendS3Bucket"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+    ]
+    resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
+  }
+
+  # Only add the DynamoDB table statement if the DynamoDB table ARN is set.
+  # You may not have created a DynamoDB table if you're using S3 state locking
+  dynamic "statement" {
+    for_each = (local.tf_access_enabled && var.tf_access_dynamodb_table_arn != "") ? [1] : []
+
+    content {
+      sid       = "TerraformStateBackendDynamoDbTable"
+      effect    = "Allow"
+      actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
+      resources = [var.tf_access_dynamodb_table_arn]
+    }
+  }
+
+  # Allow assuming the Terraform state backend role
+  statement {
+    sid    = "TerraformStateBackendAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+      "sts:SetSourceIdentity",
+    ]
+    resources = [var.tf_access_role_arn]
+  }
+
+  # Allow EC2 DescribeRegions - required by many Terraform modules for region validation
+  statement {
+    sid    = "EC2DescribeRegions"
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeRegions",
+    ]
+    resources = ["*"]
+  }
+}

src/providers.tf

@@ -1,3 +1,30 @@
+variable "account_map_enabled" {
+  type        = bool
+  description = <<-EOT
+    When true, uses the account-map component to look up account IDs dynamically.
+    When false, uses the static account_map variable instead. Set to false when
+    using Atmos Auth profiles and static account mappings.
+    EOT
+  default     = true
+}
+
+variable "account_map" {
+  type = object({
+    full_account_map           = map(string)
+    audit_account_account_name = optional(string, "")
+    root_account_account_name  = optional(string, "")
+  })
+  description = <<-EOT
+    Static account map used when account_map_enabled is false.
+    Provides account name to account ID mapping without requiring the account-map component.
+    EOT
+  default = {
+    full_account_map           = {}
+    audit_account_account_name = ""
+    root_account_account_name  = ""
+  }
+}
+
 # This component is unusual in that part of it must be deployed to the `root`
 # account. You have the option of where to deploy the remaining part, and
 # Cloud Posse recommends you deploy it also to the `root` account, however

src/remote-state.tf

@@ -1,12 +1,25 @@
+# Remote state lookup for the account-map component (or fallback to static mapping).
+#
+# When account_map_enabled is true:
+#   - Performs remote state lookup to retrieve account mappings from the account-map component
+#   - Uses global tenant/environment/stage from iam_roles module for the lookup
+#
+# When account_map_enabled is false:
+#   - Bypasses the remote state lookup (bypass = true)
+#   - Returns the static account_map variable as defaults instead
+#   - Allows the component to function without the account-map dependency
 module "account_map" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
   version = "1.8.0"
 
   component   = var.account_map_component_name
-  environment = module.iam_roles.global_environment_name
-  stage       = module.iam_roles.global_stage_name
-  tenant      = module.iam_roles.global_tenant_name
-  privileged  = var.privileged
+  tenant      = var.account_map_enabled ? module.iam_roles.global_tenant_name : null
+  environment = var.account_map_enabled ? module.iam_roles.global_environment_name : null
+  stage       = var.account_map_enabled ? module.iam_roles.global_stage_name : null
 
   context = module.this.context
+
+  # When account_map is disabled, bypass remote state and use the static account_map variable
+  bypass   = !var.account_map_enabled
+  defaults = var.account_map
 }