feat: Add support for Customer Managed policies (#8)

Author: aurimasmick

README.md

@@ -65,13 +65,13 @@ module "sso" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.23 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.27 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.30 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.27 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.30 |
 
 ## Modules
 
@@ -82,6 +82,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
 | [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
 | [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |

examples/complete/README.md

@@ -6,6 +6,7 @@ Before this example can be used, please ensure that the following pre-requisites
 - Enable AWS SSO. [Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html).
 - Create AWS SSO entities (Users and Groups). [Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html).
 - Ensure that Terraform is using a role with permissions required for AWS SSO management. [Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#requiredpermissionsconsole).
+- If using Customer Managed Policies in permission sets, please make sure that policy exists (pre-created) in target AWS account.
 
 ## Diagram
 ![Alt text](aws_sso_diagram.png?raw=true "Title")
@@ -16,19 +17,19 @@ Before this example can be used, please ensure that the following pre-requisites
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.23 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.27 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.30 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.27 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.30 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_sso"></a> [sso](#module\_sso) | avlcloudtechnologies/sso/aws | n/a |
+| <a name="module_sso"></a> [sso](#module\_sso) | avlcloudtechnologies/sso/aws |  |
 
 ## Resources
 

examples/complete/main.tf

@@ -5,10 +5,8 @@ provider "aws" {
 data "aws_organizations_organization" "this" {}
 
 locals {
-  all_accounts_names            = [for account in toset(data.aws_organizations_organization.this.accounts) : account.name]
-  all_accounts_map              = zipmap(local.all_accounts_names, tolist(toset(data.aws_organizations_organization.this.accounts)))
-  non_management_accounts_names = [for account in toset(data.aws_organizations_organization.this.non_master_accounts) : account.name]
-  non_management_accounts_map   = zipmap(local.non_management_accounts_names, tolist(toset(data.aws_organizations_organization.this.non_master_accounts)))
+  all_active_accounts_map            = { for account in toset(data.aws_organizations_organization.this.accounts) : account.name => account if account.status == "ACTIVE" }
+  non_management_active_accounts_map = { for account in toset(data.aws_organizations_organization.this.non_master_accounts) : account.name => account if account.status == "ACTIVE" }
 }
 
 module "sso" {
@@ -30,42 +28,44 @@ module "sso" {
     },
     EKSAdminAccess = {
       description = "Allow full EKS and read only access across all AWS resources.",
-      # Can use Managed Policies and Inline policies in the same permission set
+      # Can use Managed, Customer and Inline policies in the same permission set
       managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
       inline_policy    = data.aws_iam_policy_document.EKSAdmin.json
-      tags             = { "foo" = "bar" },
+      # NOTE! Customer Managed policies have to exist in all AWS accounts that this permission set will be assigned to.
+      customer_managed_policies = ["customer-managed-policy-foo"]
+      tags                      = { "foo" = "bar" },
     }
   }
   account_assignments = [
     {
       principal_name = "management"
       principal_type = "GROUP"
       permission_set = "AdministratorAccess"
-      account_ids    = [for account in local.all_accounts_map : account.id]
+      account_ids    = [for account in local.all_active_accounts_map : account.id]
     },
     {
       principal_name = "admins"
       principal_type = "GROUP"
       permission_set = "AdministratorAccess"
-      account_ids    = [for account in local.non_management_accounts_map : account.id]
+      account_ids    = [for account in local.non_management_active_accounts_map : account.id]
     },
     {
       principal_name = "bob"
       principal_type = "USER"
       permission_set = "PowerUserAccess"
-      account_ids    = [for account in local.non_management_accounts_map : account.id if contains(var.security_accounts, account.name)]
+      account_ids    = [for account in local.non_management_active_accounts_map : account.id if contains(var.security_accounts, account.name)]
     },
     {
       principal_name = "developers"
       principal_type = "GROUP"
       permission_set = "ViewOnlyAccess"
-      account_ids    = [for account in local.non_management_accounts_map : account.id if contains(var.developer_readonly_accounts, account.name)]
+      account_ids    = [for account in local.non_management_active_accounts_map : account.id if contains(var.developer_readonly_accounts, account.name)]
     },
     {
       principal_name = "developers"
       principal_type = "GROUP"
       permission_set = "EKSAdminAccess"
-      account_ids    = [for account in local.non_management_accounts_map : account.id if contains(var.developer_workload_accounts, account.name)]
+      account_ids    = [for account in local.non_management_active_accounts_map : account.id if contains(var.developer_workload_accounts, account.name)]
     },
   ]
 }

examples/complete/versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.27"
+      version = ">= 4.30"
     }
   }
 }

main.tf

@@ -1,6 +1,7 @@
 locals {
   ssoadmin_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
   managed_ps            = { for ps_name, ps_attrs in var.permission_sets : ps_name => ps_attrs if can(ps_attrs.managed_policies) }
+  customer_managed_ps   = { for ps_name, ps_attrs in var.permission_sets : ps_name => ps_attrs if can(ps_attrs.customer_managed_policies) }
   # create ps_name and managed policy maps list
   ps_policy_maps = flatten([
     for ps_name, ps_attrs in local.managed_ps : [
@@ -10,6 +11,15 @@ locals {
       } if can(ps_attrs.managed_policies)
     ]
   ])
+  # create ps_name and customer managed policy maps list
+  customer_ps_policy_maps = flatten([
+    for ps_name, ps_attrs in local.customer_managed_ps : [
+      for policy in ps_attrs.customer_managed_policies : {
+        ps_name     = ps_name
+        policy_name = policy
+      } if can(ps_attrs.customer_managed_policies)
+    ]
+  ])
   account_assignments = flatten([
     for assignment in var.account_assignments : [
       for account_id in assignment.account_ids : {
@@ -25,6 +35,7 @@ locals {
 }
 
 data "aws_ssoadmin_instances" "this" {}
+
 data "aws_identitystore_group" "this" {
   for_each          = toset(local.groups)
   identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
@@ -42,11 +53,11 @@ data "aws_identitystore_user" "this" {
     attribute_value = each.value
   }
 }
+
 resource "aws_ssoadmin_permission_set" "this" {
   for_each = var.permission_sets
 
-  name = each.key
-  # description      = each.value.description
+  name             = each.key
   description      = lookup(each.value, "description", null)
   instance_arn     = local.ssoadmin_instance_arn
   relay_state      = lookup(each.value, "relay_state", null)
@@ -69,6 +80,18 @@ resource "aws_ssoadmin_managed_policy_attachment" "this" {
   managed_policy_arn = each.value.policy_arn
   permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps_name].arn
 }
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+  for_each = { for ps in local.customer_ps_policy_maps : "${ps.ps_name}.${ps.policy_name}" => ps }
+
+  instance_arn       = local.ssoadmin_instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps_name].arn
+  customer_managed_policy_reference {
+    name = each.value.policy_name
+    path = "/"
+  }
+}
+
 resource "aws_ssoadmin_account_assignment" "this" {
   for_each = { for assignment in local.account_assignments : "${assignment.principal_name}.${assignment.permission_set.name}.${assignment.account_id}" => assignment }
 

versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.27"
+      version = ">= 4.30"
     }
   }
 }