Merge pull request #1 from trussworks/populate-module

Inaugural PR

.markdownlintrc

@@ -0,0 +1,9 @@
+{
+  "default": true,
+  "first-header-h1": false,
+  "first-line-h1": false,
+  "line_length": false,
+  "no-multiple-blanks": false,
+  "commands-show-output": false,
+  "no-inline-html": false
+}

.terraform-version

@@ -1 +1 @@
-1.4.5
+1.6.3

README.md

@@ -1,26 +1,86 @@
-# Truss Terraform Module template
+# Terraform AWS SSO Group
 
-This repository is meant to be a template repo we can just spin up new module
-repos from with our general format.
+This module provisions AWS IAM Identity Center (formerly AWS Single Sign-On) resources:
 
-## Creating a new Terraform Module
+- An Identity Store group and group memberships for each user that is specified (the module does not provision users for you)
+- A Permission Set with options for inline, AWS-managed, and customer-managed policy attachments to attach to the group
+- Account assignments provisioning the permission set in each specified account
 
-1. Clone this repo, renaming appropriately.
-1. Write your terraform code in the root dir.
+## Prerequisites
 
-## Actual readme below - Delete above here
-
-Please put a description of what this module does here
+- In order to use AWS IAM Identity Center, your account must be managed by AWS Organizations.
+- At the time of this writing (2023-11-09), you must manually click the Enable button in the AWS IAM Identity Center web console to create an instance in your account
 
 ## Usage
 
-### Put an example usage of the module here
-
 ```hcl
-module "example" {
-  source = "terraform/registry/path"
+data "aws_caller_identity" "current" {}
+
+data "aws_ssoadmin_instances" "this" {}
+
+variable "another_account_id" {
+  description = "ID of another account within the organization
+  type        = string
+  default     = "000000000000"
+}
 
-  <variables>
+variable "users" {
+  description = "users"
+  type        = map(map(string))
+  default = {
+    "John Doe" = {
+      username = "jdoe"
+      email    = "jdoe@example.com"
+    },
+    "John Smith" = {
+      username = "jsmith"
+      email    = "jsmith@example.com"
+    },
+    "Joe Bloggs" = {
+      username = "jbloggs"
+      email    = "jbloggs@example.com"
+    }
+  }
+}
+
+resource "aws_identitystore_user" "user" {
+  for_each = var.users
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+
+  display_name = each.key
+  user_name    = each.value["username"]
+
+  name {
+    given_name  = split(" ", each.key)[0]
+    family_name = split(" ", each.key)[1]
+  }
+
+  emails {
+    primary = true
+    value   = each.value["email"]
+  }
+}
+
+module "sso_group" {
+  source = "trussworks/sso-group/aws"
+  version = "~> 1.0"
+
+  group_name          = "group-name"
+  permission_set_name = "permission-set-name"
+
+  accounts = [
+    data.aws_caller_identity_current.account_id,
+    var.another_account_id
+  ]
+
+  users = [
+    for user in aws_identitystore_user.user : user.user_name => user.user_id
+  ]
+
+  policy_aws_managed = [
+    "arn:aws:iam::aws:policy/AdministratorAccess"
+  ]
 }
 ```
 
@@ -29,28 +89,54 @@ module "example" {
 
 | Name | Version |
 |------|---------|
-| terraform | >= 1.3.7 |
-| aws | ~> 4.52.0 |
+| terraform | ~> 1.6 |
+| aws | ~> 5.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| aws | ~> 5.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
+| [aws_identitystore_group_membership.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
+| [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
+| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
+| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| accounts | List of accounts in which the permission set is to be provisioned | `list(string)` | n/a | yes |
+| group\_description | Description of the user group | `string` | `"N/A"` | no |
+| group\_name | The display name of the group being created | `string` | n/a | yes |
+| permission\_set\_description | Description of the permission set | `string` | `"N/A"` | no |
+| permission\_set\_name | Name of the permission set | `string` | n/a | yes |
+| policy\_aws\_managed | List of ARNs of policies to attach to permission set | `list(string)` | `[]` | no |
+| policy\_customer\_managed\_name | Name of the policy to attach to permission set | `string` | `""` | no |
+| policy\_customer\_managed\_path | Path of the policy to attach to permission set | `string` | `"/"` | no |
+| policy\_inline | Inline policy in JSON format to attach to permission set | `string` | `""` | no |
+| users | List of users to add to group | `map(string)` | n/a | yes |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| group\_id | the ID of the identity store group |
+| permission\_set\_arn | the ARN of the permission set |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Developer Setup

main.tf

@@ -1 +1,71 @@
-# main.tf placeholder
+data "aws_caller_identity" "this" {}
+
+data "aws_ssoadmin_instances" "this" {}
+
+# Identity Store Group
+resource "aws_identitystore_group" "this" {
+  display_name      = var.group_name
+  description       = var.group_description
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
+
+# Permission set
+resource "aws_ssoadmin_permission_set" "this" {
+  name         = var.permission_set_name
+  description  = var.permission_set_description
+  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+}
+
+# AWS-managed policy attachments
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+  for_each = toset(var.policy_aws_managed)
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  managed_policy_arn = each.key
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+}
+
+# Customer-managed policy attachments
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+  count = var.policy_customer_managed_name != "" ? 1 : 0
+
+  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+  customer_managed_policy_reference {
+    name = var.policy_customer_managed_name
+    path = var.policy_customer_managed_path
+  }
+}
+
+# Inline policy attachments
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+  count = var.policy_inline != "" ? 1 : 0
+
+  inline_policy      = var.policy_inline
+  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+}
+
+# Attach Identity Store Users to Group
+resource "aws_identitystore_group_membership" "this" {
+  for_each = var.users
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.this.group_id
+  member_id         = each.value
+}
+
+# Assign Accounts in which the Group can use its permission set
+resource "aws_ssoadmin_account_assignment" "this" {
+  for_each = toset(var.accounts)
+
+  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+
+  principal_id   = aws_identitystore_group.this.group_id
+  principal_type = "GROUP"
+
+  target_id   = each.key
+  target_type = "AWS_ACCOUNT"
+}

outputs.tf

@@ -1 +1,10 @@
 # Outputs placeholder
+output "group_id" {
+  description = "the ID of the identity store group"
+  value       = aws_identitystore_group.this.group_id
+}
+
+output "permission_set_arn" {
+  description = "the ARN of the permission set"
+  value       = aws_ssoadmin_permission_set.this.arn
+}

variables.tf

@@ -1 +1,55 @@
-# Variables placeholder
+variable "accounts" {
+  description = "List of accounts in which the permission set is to be provisioned"
+  type        = list(string)
+}
+
+variable "group_description" {
+  description = "Description of the user group"
+  type        = string
+  default     = "N/A"
+}
+
+variable "group_name" {
+  description = "The display name of the group being created"
+  type        = string
+}
+
+variable "permission_set_description" {
+  description = "Description of the permission set"
+  type        = string
+  default     = "N/A"
+}
+
+variable "permission_set_name" {
+  description = "Name of the permission set"
+  type        = string
+}
+
+variable "policy_aws_managed" {
+  description = "List of ARNs of policies to attach to permission set"
+  type        = list(string)
+  default     = []
+}
+
+variable "policy_customer_managed_name" {
+  description = "Name of the policy to attach to permission set"
+  type        = string
+  default     = ""
+}
+
+variable "policy_customer_managed_path" {
+  description = "Path of the policy to attach to permission set"
+  type        = string
+  default     = "/"
+}
+
+variable "policy_inline" {
+  description = "Inline policy in JSON format to attach to permission set"
+  type        = string
+  default     = ""
+}
+
+variable "users" {
+  description = "List of users to add to group"
+  type        = map(string)
+}

versions.tf

@@ -1,14 +1,7 @@
 terraform {
-  required_version = ">= 1.3.7"
+  required_version = "~> 1.6"
 
   required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 4.63.0"
-    }
+    aws = "~> 5.0"
   }
 }
-
-provider "aws" {
-  region = "us-west-2"
-}