feat: add IAM Identity Center module (#249)

Add a module that can manage the IAM Identity Center groups,
permission sets and account assignments.

This includes the GitHub workflow changes and the GC Articles
target state group and account assignments.

.github/workflows/tf-apply.yml

@@ -64,6 +64,11 @@ jobs:
             account: 659087519042
             role: cds-aws-lz-apply
 
+          - account_folder: org_account
+            module: iam_identity_center
+            account: 659087519042
+            role: cds-aws-lz-apply            
+
           - account_folder: log_archive
             module: main
             account: 274536870005

.github/workflows/tf-plan.yml

@@ -56,6 +56,11 @@ jobs:
             account: 659087519042
             role: cds-aws-lz-plan
 
+          - account_folder: org_account
+            module: iam_identity_center
+            account: 659087519042
+            role: cds-aws-lz-plan            
+
           - account_folder: log_archive
             module: main
             account: 274536870005

terragrunt/org_account/iam_identity_center/data.tf

@@ -0,0 +1,17 @@
+#
+# AWS default permission sets
+#
+data "aws_ssoadmin_permission_set" "aws_administrator_access" {
+  instance_arn = local.sso_instance_arn
+  name         = "AWSAdministratorAccess"
+}
+
+data "aws_ssoadmin_permission_set" "aws_read_only_access" {
+  instance_arn = local.sso_instance_arn
+  name         = "AWSReadOnlyAccess"
+}
+
+data "aws_ssoadmin_permission_set" "billing" {
+  instance_arn = local.sso_instance_arn
+  name         = "Billing"
+}

terragrunt/org_account/iam_identity_center/locals.tf

@@ -0,0 +1,5 @@
+locals {
+  sso_identity_store_id = "d-9d67173bdd"
+  sso_instance_id       = "ssoins-8824c710b5ddb452"
+  sso_instance_arn      = "arn:aws:sso:::instance/${local.sso_instance_id}"
+}

terragrunt/org_account/iam_identity_center/platform_articles.tf

@@ -0,0 +1,92 @@
+#
+# Groups
+#
+resource "aws_identitystore_group" "articles_production_access_vpc_clientvpn" {
+  display_name      = "Articles-Production-Access-VPC-ClientVPN"
+  description       = "Grants members access to the GC Articles Production Client VPN."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_production_admin" {
+  display_name      = "Articles-Production-Admin"
+  description       = "Grants members administrator access to the GC Articles Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_production_read_only" {
+  display_name      = "Articles-Production-ReadOnly"
+  description       = "Grants members read-only access to the GC Articles Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_access_vpc_clientvpn" {
+  display_name      = "Articles-Staging-Access-VPC-ClientVPN"
+  description       = "Grants members access to the GC Articles Staging Client VPN."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_admin" {
+  display_name      = "Articles-Staging-Admin"
+  description       = "Grants members administrator access to the GC Articles Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_read_only" {
+  display_name      = "Articles-Staging-ReadOnly"
+  description       = "Grants members read-only access to the GC Articles Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+#
+# Accounts: assign groups and permission sets
+#
+locals {
+  articles_permission_set_arns = [
+    # GCArticles-Production
+    {
+      group              = aws_identitystore_group.articles_production_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id          = "472286471787"
+    },
+    {
+      group              = aws_identitystore_group.articles_production_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id          = "472286471787"
+    },
+    # GCArticles-Staging       
+    {
+      group              = aws_identitystore_group.articles_staging_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id          = "729164266357"
+    },
+    {
+      group              = aws_identitystore_group.articles_staging_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id          = "729164266357"
+    },
+    # PlatformListManager-Production
+    {
+      group              = aws_identitystore_group.articles_production_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id          = "762579868088"
+    },
+    {
+      group              = aws_identitystore_group.articles_production_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id          = "762579868088"
+    },
+  ]
+}
+
+resource "aws_ssoadmin_account_assignment" "articles" {
+  for_each = { for perm in local.articles_permission_set_arns : "${perm.group.display_name}-${perm.target_id}" => perm }
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = each.value.permission_set_arn
+
+  principal_id   = each.value.group.group_id
+  principal_type = "GROUP"
+
+  target_id   = each.value.target_id
+  target_type = "AWS_ACCOUNT"
+}

terragrunt/org_account/iam_identity_center/terragrunt.hcl

@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}