diff --git a/.github/workflows/tf-apply.yml b/.github/workflows/tf-apply.yml
index f0522959..80f7da6d 100644
--- a/.github/workflows/tf-apply.yml
+++ b/.github/workflows/tf-apply.yml
@@ -64,6 +64,11 @@ jobs:
           account: 659087519042
           role: cds-aws-lz-apply
+        - account_folder: org_account
+          module: iam_identity_center
+          account: 659087519042
+          role: cds-aws-lz-apply
+
         - account_folder: log_archive
           module: main
           account: 274536870005
diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
index 706c8023..b34c48d6 100644
--- a/.github/workflows/tf-plan.yml
+++ b/.github/workflows/tf-plan.yml
@@ -56,6 +56,11 @@ jobs:
           account: 659087519042
           role: cds-aws-lz-plan
+        - account_folder: org_account
+          module: iam_identity_center
+          account: 659087519042
+          role: cds-aws-lz-plan
+
         - account_folder: log_archive
           module: main
           account: 274536870005
diff --git a/terragrunt/org_account/iam_identity_center/data.tf b/terragrunt/org_account/iam_identity_center/data.tf
new file mode 100644
index 00000000..533da665
--- /dev/null
+++ b/terragrunt/org_account/iam_identity_center/data.tf
@@ -0,0 +1,17 @@
+#
+# AWS default permission sets
+#
+data "aws_ssoadmin_permission_set" "aws_administrator_access" {
+  instance_arn = local.sso_instance_arn
+  name = "AWSAdministratorAccess"
+}
+
+data "aws_ssoadmin_permission_set" "aws_read_only_access" {
+  instance_arn = local.sso_instance_arn
+  name = "AWSReadOnlyAccess"
+}
+
+data "aws_ssoadmin_permission_set" "billing" {
+  instance_arn = local.sso_instance_arn
+  name = "Billing"
+}
diff --git a/terragrunt/org_account/iam_identity_center/locals.tf b/terragrunt/org_account/iam_identity_center/locals.tf
new file mode 100644
index 00000000..4f6cc6c9
--- /dev/null
+++ b/terragrunt/org_account/iam_identity_center/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  sso_identity_store_id = "d-9d67173bdd"
+  sso_instance_id = "ssoins-8824c710b5ddb452"
+  sso_instance_arn = "arn:aws:sso:::instance/${local.sso_instance_id}"
+}
\ No newline at end of file
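Review bot: Adding `iam_identity_center` to the apply matrix turns `cds-aws-lz-apply` in 659087519042 into a role that can grant AWSAdministratorAccess to member accounts, because the module it now runs creates Identity Center groups and account assignments; that is a materially higher privilege than the other org_account entries and deserves an explicit gate. The role's policy and the job's trigger are not visible in this hunk, so confirm that the apply job runs only from the protected branch behind an environment approval, and that the role is scoped to the `sso:*Assignment*`, `sso:DescribePermissionSet`/`ListPermissionSets` and `identitystore:*Group*` actions it actually needs rather than a broad admin policy. A one-line comment on the new matrix entry, e.g. `# creates account assignments granting AdministratorAccess org-wide; keep behind environment approval`, would make the sensitivity obvious to whoever edits this matrix next.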
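Review bot: `data.aws_ssoadmin_permission_set.billing` is not referenced by any file in this diff (the whole module is new, so there is no other consumer), yet it is a hard dependency: `terraform plan` fails if no permission set named `Billing` exists on the instance. Either drop the block until an assignment uses it, or leave a comment explaining that it is reserved for a planned assignment. The header comment would also help a reader if it stated the contract, e.g. `# Looked up by name only; these permission sets are created and managed outside this module and must exist before plan.`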
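Review bot: `sso_identity_store_id` and `sso_instance_id` are hard-coded literals, so if the Identity Center instance is ever recreated the IDs go stale and every plan fails with not-found errors instead of following the live instance, and the values carry no comment saying which org/instance they pin. The management account can discover both from `data "aws_ssoadmin_instances"`, which removes the drift; if pinning to this exact instance is deliberate (a reasonable guard against applying into the wrong org), keep the literals but compare them to the looked-up values in a precondition so a mismatch fails the plan loudly, and say so in a comment. `locals.tf` is also missing its trailing newline, which `terraform fmt` would add.
```hcl
data "aws_ssoadmin_instances" "main" {}

locals {
  sso_instance_arn      = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  sso_identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
  # Retained for compatibility; nothing in this module reads the bare ID.
  sso_instance_id = element(split("/", local.sso_instance_arn), 1)
}
```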
diff --git a/terragrunt/org_account/iam_identity_center/platform_articles.tf b/terragrunt/org_account/iam_identity_center/platform_articles.tf
new file mode 100644
index 00000000..e6ce145f
--- /dev/null
+++ b/terragrunt/org_account/iam_identity_center/platform_articles.tf
@@ -0,0 +1,92 @@
+#
+# Groups
+#
+resource "aws_identitystore_group" "articles_production_access_vpc_clientvpn" {
+  display_name = "Articles-Production-Access-VPC-ClientVPN"
+  description = "Grants members access to the GC Articles Production Client VPN."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_production_admin" {
+  display_name = "Articles-Production-Admin"
+  description = "Grants members administrator access to the GC Articles Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_production_read_only" {
+  display_name = "Articles-Production-ReadOnly"
+  description = "Grants members read-only access to the GC Articles Production account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_access_vpc_clientvpn" {
+  display_name = "Articles-Staging-Access-VPC-ClientVPN"
+  description = "Grants members access to the GC Articles Staging Client VPN."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_admin" {
+  display_name = "Articles-Staging-Admin"
+  description = "Grants members administrator access to the GC Articles Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+resource "aws_identitystore_group" "articles_staging_read_only" {
+  display_name = "Articles-Staging-ReadOnly"
+  description = "Grants members read-only access to the GC Articles Staging account."
+  identity_store_id = local.sso_identity_store_id
+}
+
+#
+# Accounts: assign groups and permission sets
+#
+locals {
+  articles_permission_set_arns = [
+    # GCArticles-Production
+    {
+      group = aws_identitystore_group.articles_production_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id = "472286471787"
+    },
+    {
+      group = aws_identitystore_group.articles_production_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id = "472286471787"
+    },
+    # GCArticles-Staging
+    {
+      group = aws_identitystore_group.articles_staging_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id = "729164266357"
+    },
+    {
+      group = aws_identitystore_group.articles_staging_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id = "729164266357"
+    },
+    # PlatformListManager-Production
+    {
+      group = aws_identitystore_group.articles_production_admin,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_administrator_access.arn,
+      target_id = "762579868088"
+    },
+    {
+      group = aws_identitystore_group.articles_production_read_only,
+      permission_set_arn = data.aws_ssoadmin_permission_set.aws_read_only_access.arn,
+      target_id = "762579868088"
+    },
+  ]
+}
+
+resource "aws_ssoadmin_account_assignment" "articles" {
+  for_each = { for perm in local.articles_permission_set_arns : "${perm.group.display_name}-${perm.target_id}" => perm }
+
+  instance_arn = local.sso_instance_arn
+  permission_set_arn = each.value.permission_set_arn
+
+  principal_id = each.value.group.group_id
+  principal_type = "GROUP"
+
+  target_id = each.value.target_id
+  target_type = "AWS_ACCOUNT"
+}
diff --git a/terragrunt/org_account/iam_identity_center/terragrunt.hcl b/terragrunt/org_account/iam_identity_center/terragrunt.hcl
new file mode 100644
index 00000000..e68b7cf1
--- /dev/null
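Review bot: Membership of these groups is not managed anywhere in this module (no `aws_identitystore_group_membership` resources), so who holds `Articles-Production-Admin` — and with it AWSAdministratorAccess in 472286471787 and 762579868088 — is decided outside code review unless it is managed in a file not shown here. Consider declaring memberships in Terraform, or at least adding a comment to the Groups header naming where membership is governed, e.g. `# Membership is managed in <place>; changes there grant the access below without a PR.` Reusing the single production admin and read-only groups for both GCArticles-Production and PlatformListManager-Production also deserves an explicit comment that one membership is meant to confer admin in two accounts, since the group names and descriptions only mention Articles. Replacing the bare account-ID strings in `articles_permission_set_arns` with a named map such as `articles_accounts = { production = "472286471787", staging = "729164266357", list_manager_production = "762579868088" }` would make the assignment table self-documenting and keep the IDs in one place.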
+++ b/terragrunt/org_account/iam_identity_center/terragrunt.hcl
@@ -0,0 +1,3 @@
+include {
+  path = find_in_parent_folders()
+}
\ No newline at end of file