feat: add IAM Identity Center module

Add a module that can manage the IAM Identity Center groups,
permission sets and account assignments.

This PR includes the GitHub workflow changes and the GC Articles group
and account assignments.

.github/workflows/tf-apply.yml

@@ -64,6 +64,11 @@ jobs:
             account: 659087519042
             role: cds-aws-lz-apply
 
+          - account_folder: org_account
+            module: iam_identity_center
+            account: 659087519042
+            role: cds-aws-lz-apply            
+
           - account_folder: log_archive
             module: main
             account: 274536870005

.github/workflows/tf-plan.yml

@@ -56,6 +56,11 @@ jobs:
             account: 659087519042
             role: cds-aws-lz-plan
 
+          - account_folder: org_account
+            module: iam_identity_center
+            account: 659087519042
+            role: cds-aws-lz-plan            
+
           - account_folder: log_archive
             module: main
             account: 274536870005

terragrunt/org_account/iam_identity_center/data.tf

@@ -0,0 +1,17 @@
+#
+# AWS default permission sets
+#
+data "aws_ssoadmin_permission_set" "aws_administrator_access" {
+  instance_arn = local.sso_instance_arn
+  name         = "AWSAdministratorAccess"
+}
+
+data "aws_ssoadmin_permission_set" "aws_read_only_access" {
+  instance_arn = local.sso_instance_arn
+  name         = "AWSReadOnlyAccess"
+}
+
+data "aws_ssoadmin_permission_set" "billing" {
+  instance_arn = local.sso_instance_arn
+  name         = "Billing"
+}

terragrunt/org_account/iam_identity_center/locals.tf

@@ -0,0 +1,5 @@
+locals {
+  sso_identity_store_id = "d-9d67173bdd"
+  sso_instance_id       = "ssoins-8824c710b5ddb452"
+  sso_instance_arn      = "arn:aws:sso:::instance/${local.sso_instance_id}"
+}

terragrunt/org_account/iam_identity_center/platform_articles.tf

@@ -0,0 +1,112 @@
+#
+# Groups
+#
+resource "aws_identitystore_group" "articles_devs" {
+  display_name      = "GCArticlesDevs"
+  description       = "Grants members access to the GC Articles accounts."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_vpn" {
+  display_name      = "GCArticlesVPN"
+  description       = "Grants members access to the GC Articles VPN."
+  identity_store_id = local.sso_identity_store_id
+}
+
+#
+# Accounts: assign groups and permission sets
+#
+locals {
+  articles_permission_set_arns = [
+    {
+      name = "AWSAdministratorAccess",
+      arn  = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+    },
+    {
+      name = "AWSReadOnlyAccess",
+      arn  = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+    },
+  ]
+}
+
+resource "aws_ssoadmin_account_assignment" "articles_devs_staging" {
+  for_each = { for perm in local.articles_permission_set_arns : perm.name => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.arn
+
+  principal_id   = aws_identitystore_group.articles_devs.group_id
+  principal_type = "GROUP"
+
+  target_id   = "729164266357"
+  target_type = "AWS_ACCOUNT"
+}
+
+resource "aws_ssoadmin_account_assignment" "articles_devs_production" {
+  for_each = { for perm in local.articles_permission_set_arns : perm.name => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.arn
+
+  principal_id   = aws_identitystore_group.articles_devs.group_id
+  principal_type = "GROUP"
+
+  target_id   = "472286471787"
+  target_type = "AWS_ACCOUNT"
+}
+
+resource "aws_ssoadmin_account_assignment" "articles_devs_platform_list_manager" {
+  for_each = { for perm in local.articles_permission_set_arns : perm.name => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.arn
+
+  principal_id   = aws_identitystore_group.articles_devs.group_id
+  principal_type = "GROUP"
+
+  target_id   = "762579868088"
+  target_type = "AWS_ACCOUNT"
+}
+
+#
+# Terraform state imports: remove after merge to `main`
+#
+import {
+  to = aws_identitystore_group.articles_devs
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb"
+}
+
+import {
+  to = aws_identitystore_group.articls_vpn
+  id = "dccd4518-30d1-7014-0e65-d503dc3c4b75"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_staging["AWSAdministratorAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,729164266357,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_administrator_access},${local.sso_instance_arn}"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_staging["AWSReadOnlyAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,729164266357,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_read_only_access},${local.sso_instance_arn}"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_production["AWSAdministratorAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,472286471787,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_administrator_access},${local.sso_instance_arn}"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_production["AWSReadOnlyAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,472286471787,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_read_only_access},${local.sso_instance_arn}"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_platform_list_manager["AWSAdministratorAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,762579868088,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_administrator_access},${local.sso_instance_arn}"
+}
+
+import {
+  to = aws_ssoadmin_account_assignment.articles_devs_platform_list_manager["AWSReadOnlyAccess"]
+  id = "2c2df578-9041-7052-74b1-a2d362f212bb,GROUP,762579868088,AWS_ACCOUNT,${data.aws_ssoadmin_permission_set.aws_read_only_access},${local.sso_instance_arn}"
+}

terragrunt/org_account/iam_identity_center/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}