feat: add TerraformAccess, RootAccess permission sets and idp_groups support

New features:
- Add TerraformPlanAccess permission set (read-only state and account access)
- Add TerraformApplyAccess permission set (read/write state and admin access)
- Add RootAccess permission set (centralized root access via sts:AssumeRoot)
- Add provider-root.tf for root account assignments via profile
- Add idp_groups variable to look up IdP-synced groups
- Add group_ids output combining manual and IdP groups
- Add account_map_enabled variable to toggle between remote state and static mapping
- Add account_map variable for static account ID mapping

Changes:
- Update main.tf to conditionally use account_map module or static variable
- Update main.tf to include new permission sets and idp_groups data source
- Update remote-state.tf with conditional bypass for account_map
- Update variables.tf with new variables
- Update outputs.tf with group_ids output

These changes support the account-map deprecation effort by enabling
profile-based authentication and static account mappings.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: milldr

src/main.tf

@@ -1,8 +1,9 @@
 locals {
   enabled = module.this.enabled
 
-  account_map  = module.account_map.outputs.full_account_map
-  root_account = local.account_map[module.account_map.outputs.root_account_account_name]
+  # Use remote state outputs when account_map_enabled is true, otherwise use static variable
+  account_map  = var.account_map_enabled ? module.account_map.outputs.full_account_map : var.account_map.full_account_map
+  root_account = local.account_map[var.account_map_enabled ? module.account_map.outputs.root_account_account_name : var.account_map.root_account_account_name]
 
   account_assignments_groups = flatten([
     for account_key, account in var.account_assignments : [
@@ -73,6 +74,20 @@ resource "aws_identitystore_group" "manual" {
   identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
 }
 
+# Look up IdP-managed groups (synced from Google Workspace, Okta, etc.)
+data "aws_identitystore_group" "idp" {
+  for_each = toset(var.idp_groups)
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = each.key
+    }
+  }
+}
+
 module "permission_sets" {
   source  = "cloudposse/sso/aws//modules/permission-sets"
   version = "1.2.0"
@@ -86,6 +101,9 @@ module "permission_sets" {
     local.identity_access_permission_sets,
     local.poweruser_access_permission_set,
     local.read_only_access_permission_set,
+    local.root_access_permission_set,
+    local.terraform_plan_access_permission_set,
+    local.terraform_apply_access_permission_set,
     local.terraform_update_access_permission_set,
   )
 

src/outputs.tf

@@ -9,6 +9,9 @@ output "sso_account_assignments" {
 }
 
 output "group_ids" {
-  value       = { for group_key, group_output in aws_identitystore_group.manual : group_key => group_output.group_id }
-  description = "Group IDs created for Identity Center"
+  value = merge(
+    { for group_key, group_output in aws_identitystore_group.manual : group_key => group_output.group_id },
+    { for group_key, group_output in data.aws_identitystore_group.idp : group_key => group_output.group_id }
+  )
+  description = "Group IDs for Identity Center (includes both manually created and IdP-synced groups)"
 }

src/policy-RootAccess.tf

@@ -0,0 +1,31 @@
+locals {
+  root_access_permission_set = [{
+    name             = "RootAccess",
+    description      = "Allow centralized root access to member accounts via sts:AssumeRoot",
+    relay_state      = "",
+    session_duration = var.session_duration,
+    tags             = {},
+    inline_policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [{
+        Sid      = "AssumeRootAccess"
+        Effect   = "Allow"
+        Action   = "sts:AssumeRoot"
+        Resource = "arn:${local.aws_partition}:iam::*:root"
+        Condition = {
+          StringEquals = {
+            "sts:TaskPolicyArn" = [
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMAuditRootUserCredentials",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMCreateRootUserPassword",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/IAMDeleteRootUserCredentials",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/S3UnlockBucketPolicy",
+              "arn:${local.aws_partition}:iam::aws:policy/root-task/SQSUnlockQueuePolicy"
+            ]
+          }
+        }
+      }]
+    })
+    policy_attachments                  = []
+    customer_managed_policy_attachments = []
+  }]
+}

src/policy-TerraformAccess.tf

@@ -0,0 +1,135 @@
+# Shared variables for Terraform state backend access
+variable "tf_access_bucket_arn" {
+  type        = string
+  description = "The ARN of the S3 bucket for the Terraform state backend."
+  default     = ""
+}
+
+variable "tf_access_dynamodb_table_arn" {
+  type        = string
+  description = "The ARN of the DynamoDB table for the Terraform state backend."
+  default     = ""
+}
+
+variable "tf_access_role_arn" {
+  type        = string
+  description = "The ARN of the IAM role for accessing the Terraform state backend."
+  default     = ""
+}
+
+locals {
+  tf_access_enabled = module.this.enabled && var.tf_access_bucket_arn != "" && var.tf_access_role_arn != ""
+
+  # Terraform Plan Access permission set
+  terraform_plan_access_permission_set = local.tf_access_enabled ? [{
+    name                                = "TerraformPlanAccess",
+    description                         = "Allow read-only access to Terraform state for planning",
+    relay_state                         = "",
+    session_duration                    = var.session_duration,
+    tags                                = {},
+    inline_policy                       = one(data.aws_iam_policy_document.terraform_plan_access[*].json),
+    policy_attachments                  = ["arn:${local.aws_partition}:iam::aws:policy/ReadOnlyAccess"]
+    customer_managed_policy_attachments = []
+  }] : []
+
+  # Terraform Apply Access permission set
+  terraform_apply_access_permission_set = local.tf_access_enabled ? [{
+    name                                = "TerraformApplyAccess",
+    description                         = "Allow full access to Terraform state and account for applying changes",
+    relay_state                         = "",
+    session_duration                    = var.session_duration,
+    tags                                = {},
+    inline_policy                       = one(data.aws_iam_policy_document.terraform_apply_access[*].json),
+    policy_attachments                  = ["arn:${local.aws_partition}:iam::aws:policy/AdministratorAccess"]
+    customer_managed_policy_attachments = []
+  }] : []
+}
+
+# Terraform Plan Access - Read-only state access, read-only account access
+data "aws_iam_policy_document" "terraform_plan_access" {
+  count = local.tf_access_enabled ? 1 : 0
+
+  # Read-only access to Terraform state S3 bucket
+  statement {
+    sid    = "TerraformStateBackendS3BucketReadOnly"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+    ]
+    resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
+  }
+
+  # Allow assuming the Terraform state backend role (needed to read state)
+  statement {
+    sid    = "TerraformStateBackendAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+      "sts:SetSourceIdentity",
+    ]
+    resources = [var.tf_access_role_arn]
+  }
+
+  # Allow EC2 DescribeRegions - required by many Terraform modules for region validation
+  statement {
+    sid    = "EC2DescribeRegions"
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeRegions",
+    ]
+    resources = ["*"]
+  }
+}
+
+# Terraform Apply Access - Read/write state access, admin account access
+data "aws_iam_policy_document" "terraform_apply_access" {
+  count = local.tf_access_enabled ? 1 : 0
+
+  statement {
+    sid    = "TerraformStateBackendS3Bucket"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+    ]
+    resources = [var.tf_access_bucket_arn, "${var.tf_access_bucket_arn}/*"]
+  }
+
+  # Only add the DynamoDB table statement if the DynamoDB table ARN is set.
+  # You may not have created a DynamoDB table if you're using S3 state locking
+  dynamic "statement" {
+    for_each = (local.tf_access_enabled && var.tf_access_dynamodb_table_arn != "") ? [1] : []
+
+    content {
+      sid       = "TerraformStateBackendDynamoDbTable"
+      effect    = "Allow"
+      actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
+      resources = [var.tf_access_dynamodb_table_arn]
+    }
+  }
+
+  # Allow assuming the Terraform state backend role
+  statement {
+    sid    = "TerraformStateBackendAssumeRole"
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+      "sts:SetSourceIdentity",
+    ]
+    resources = [var.tf_access_role_arn]
+  }
+
+  # Allow EC2 DescribeRegions - required by many Terraform modules for region validation
+  statement {
+    sid    = "EC2DescribeRegions"
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeRegions",
+    ]
+    resources = ["*"]
+  }
+}

src/provider-root.tf

@@ -0,0 +1,13 @@
+variable "root_profile_name" {
+  type        = string
+  description = "The profile name to use for the root account"
+  default     = "core-root/terraform"
+}
+
+provider "aws" {
+  # The AWS provider to use to make changes in the root account
+  alias  = "root"
+  region = var.region
+
+  profile = var.root_profile_name
+}

src/providers.tf

@@ -1,3 +1,30 @@
+variable "account_map_enabled" {
+  type        = bool
+  description = <<-EOT
+    When true, uses the account-map component to look up account IDs dynamically.
+    When false, uses the static account_map variable instead. Set to false when
+    using Atmos Auth profiles and static account mappings.
+    EOT
+  default     = true
+}
+
+variable "account_map" {
+  type = object({
+    full_account_map           = map(string)
+    audit_account_account_name = optional(string, "")
+    root_account_account_name  = optional(string, "")
+  })
+  description = <<-EOT
+    Static account map used when account_map_enabled is false.
+    Provides account name to account ID mapping without requiring the account-map component.
+    EOT
+  default = {
+    full_account_map           = {}
+    audit_account_account_name = ""
+    root_account_account_name  = ""
+  }
+}
+
 # This component is unusual in that part of it must be deployed to the `root`
 # account. You have the option of where to deploy the remaining part, and
 # Cloud Posse recommends you deploy it also to the `root` account, however

src/remote-state.tf

@@ -1,12 +1,25 @@
+# Remote state lookup for the account-map component (or fallback to static mapping).
+#
+# When account_map_enabled is true:
+#   - Performs remote state lookup to retrieve account mappings from the account-map component
+#   - Uses global tenant/environment/stage from iam_roles module for the lookup
+#
+# When account_map_enabled is false:
+#   - Bypasses the remote state lookup (bypass = true)
+#   - Returns the static account_map variable as defaults instead
+#   - Allows the component to function without the account-map dependency
 module "account_map" {
   source  = "cloudposse/stack-config/yaml//modules/remote-state"
   version = "1.8.0"
 
   component   = var.account_map_component_name
-  environment = module.iam_roles.global_environment_name
-  stage       = module.iam_roles.global_stage_name
-  tenant      = module.iam_roles.global_tenant_name
-  privileged  = var.privileged
+  tenant      = var.account_map_enabled ? module.iam_roles.global_tenant_name : null
+  environment = var.account_map_enabled ? module.iam_roles.global_environment_name : null
+  stage       = var.account_map_enabled ? module.iam_roles.global_stage_name : null
 
   context = module.this.context
+
+  # When account_map is disabled, bypass remote state and use the static account_map variable
+  bypass   = !var.account_map_enabled
+  defaults = var.account_map
 }

src/variables.tf

@@ -77,3 +77,12 @@ variable "overridable_team_permission_set_name_pattern" {
   default     = "Identity%sTeamAccess"
 }
 
+variable "idp_groups" {
+  type        = list(string)
+  description = <<-EOT
+    List of IdP group names to look up and include in the group_ids output.
+    These groups are managed by your Identity Provider (e.g., Google Workspace, Okta)
+    and synced to AWS Identity Center. This allows referencing their IDs in other components.
+    EOT
+  default     = []
+}