From 706dfe9b02f2480fefdac73b898882e44ddd1fc2 Mon Sep 17 00:00:00 2001
From: Sylvia McLaughlin <85905333+sylviamclaughlin@users.noreply.github.com>
Date: Tue, 15 Oct 2024 11:25:24 -0700
Subject: [PATCH] Adding DTO to the AWS SSO groups (#314)

* Adding DTO for AWS SSO

* Formatting
---
 ...gital_transformation_office_assignments.tf | 28 +++++++++++++++++++
 .../digital_transformation_office_groups.tf | 14 ++++++++++
 .../org_account/iam_identity_center/locals.tf | 2 ++
 3 files changed, 44 insertions(+)
 create mode 100644 terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
 create mode 100644 terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf

diff --git a/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf b/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
new file mode 100644
index 00000000..39424050
--- /dev/null
+++ b/terragrunt/org_account/iam_identity_center/digital_transformation_office_assignments.tf
@@ -0,0 +1,28 @@
+#
+# Accounts: assign permissions
+#
+locals {
+ digital_transformation_office_production_permission_sets = [
+ {
+ group = aws_identitystore_group.digital_transformation_office_production_admin,
+ permission_set = data.aws_ssoadmin_permission_set.aws_administrator_access,
+ },
+ {
+ group = aws_identitystore_group.digital_transformation_office_production_read_only,
+ permission_set = data.aws_ssoadmin_permission_set.aws_read_only_access,
+ },
+ ]
+}
+
+resource "aws_ssoadmin_account_assignment" "digital_transformation_office_production" {
+ for_each = { for perm in local.digital_transformation_office_production_permission_sets : "${perm.group.display_name}-${perm.permission_set.name}" => perm }
+
+ instance_arn = local.sso_instance_arn
+ permission_set_arn = each.value.permission_set.arn
+
+ principal_id = each.value.group.group_id
+ principal_type = "GROUP"
+
+ target_id = local.digital_transformation_office_production_account_id
+ target_type = "AWS_ACCOUNT"
+}
\ No newline at end of file
diff --git a/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf b/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf
new file mode 100644
index 00000000..f59eddbb
--- /dev/null
+++ b/terragrunt/org_account/iam_identity_center/digital_transformation_office_groups.tf
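Review bot: The first entry of `digital_transformation_office_production_permission_sets` binds `data.aws_ssoadmin_permission_set.aws_administrator_access` to the production account, i.e. standing full-admin access for everyone in the `…-Production-Admin` group, and nothing in this hunk records the controls that are meant to bound it (group membership is not managed here, and the permission set's session duration, MFA posture and any boundary policy live in the data source outside this file). I would add a header comment above the `locals` block so the next reader does not treat this as a routine assignment, e.g. `# NOTE(security): the Admin entry grants AdministratorAccess on the production account; membership of that group is managed outside this module and must be kept minimal — prefer a scoped permission set or a break-glass process over standing admin.` The `for_each` key built from `display_name` and the permission set `name` is fine since both are known at plan time, but renaming either group later will replace the assignment, which is worth a one-line comment too. The file also ends with `\ No newline at end of file` despite the "Formatting" commit; add the trailing newline.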
@@ -0,0 +1,14 @@
+#
+# Production
+#
+resource "aws_identitystore_group" "digital_transformation_office_production_admin" {
+ display_name = "DigitalTransformationOffice-Production-Admin"
+ description = "Grants members administrator access to the Digital Transformation Office Production account."
+ identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "digital_transformation_office_production_read_only" {
+ display_name = "DigitalTransformationOffice-Production-ReadOnly"
+ description = "Grants members read-only access to the Digital Transformation Office Production account."
+ identity_store_id = local.sso_identity_store_id
+}
\ No newline at end of file
diff --git a/terragrunt/org_account/iam_identity_center/locals.tf b/terragrunt/org_account/iam_identity_center/locals.tf
index 30be39d7..b1a327bc 100644
--- a/terragrunt/org_account/iam_identity_center/locals.tf
+++ b/terragrunt/org_account/iam_identity_center/locals.tf
@@ -13,6 +13,8 @@ locals {
 digital_credentials_dev_account_id = "767397971970"
+ digital_transformation_office_production_account_id = "730335533085"
+
 forms_production_account_id = "957818836222"
 forms_staging_account_id = "687401027353"
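Review bot: The `description` on both groups says the group "Grants members … access", but nothing in this file grants anything — the entitlement comes from the `aws_ssoadmin_account_assignment` in the sibling assignments file, and no `aws_identitystore_group_membership` is defined here, so who ends up in `DigitalTransformationOffice-Production-Admin` is decided outside this module (presumably via the identity source or another stack — worth confirming and documenting). I would make that explicit in the file header, e.g. `# Groups only: account assignments live in digital_transformation_office_assignments.tf; membership is managed outside this module.` The descriptions could then state what actually happens, e.g. `"Members receive administrator access to the Digital Transformation Office Production account via an IAM Identity Center assignment."`. The file also lacks a trailing newline.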