Add module code

andresb39 · andresb39 · commit 0452d23e1ded · 2023-02-07T20:51:01.000-05:00
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,81 @@
+name: Run Pre-Commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions: read-all
+
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v2
+        name: Setup Python
+      - run: |
+          pip3 install --no-cache-dir pre-commit
+          pip3 install --no-cache-dir checkov
+          curl -L "$(curl -s https://api.github.com/repos/terraform-docs/terraform-docs/releases/latest | grep -o -E -m 1 "https://.+?-linux-amd64.tar.gz")" > terraform-docs.tgz && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs && sudo mv terraform-docs /usr/bin/
+          curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E -m 1 "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && sudo mv terrascan /usr/bin/ && terrascan init
+          curl -L "$(curl -s https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
+          curl -L "$(curl -s https://api.github.com/repos/aquasecurity/tfsec/releases/latest | grep -o -E -m 1 "https://.+?tfsec-linux-amd64")" > tfsec && chmod +x tfsec && sudo mv tfsec /usr/bin/
+          sudo apt install -y jq && \
+          curl -L "$(curl -s https://api.github.com/repos/minamijoyo/tfupdate/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > tfupdate.tar.gz && tar -xzf tfupdate.tar.gz tfupdate && rm tfupdate.tar.gz && sudo mv tfupdate /usr/bin/
+          curl -L "$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > hcledit.tar.gz && tar -xzf hcledit.tar.gz hcledit && rm hcledit.tar.gz && sudo mv hcledit /usr/bin/
+        name: Install prerequisites
+      - uses: pre-commit/action@v2.0.3
+        name: Run pre-commit
+        with:
+          extra_args: --all-files
+  checkov:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: run checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: .
+          soft_fail: true
+          framework: terraform
+
+  terraform:
+    needs: checkov
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install Terraform
+        env:
+          TERRAFORM_VERSION: "1.1.7"
+        run: |
+            tf_version=$TERRAFORM_VERSION
+            wget https://releases.hashicorp.com/terraform/"$tf_version"/terraform_"$tf_version"_linux_amd64.zip
+            unzip terraform_"$tf_version"_linux_amd64.zip
+            sudo mv terraform /usr/local/bin/
+
+      - name: Terraform Format
+        run: terraform fmt
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan and validate
+        run: |
+          terraform plan -var target_id=["111111111111"]  -var display_name="AWSAccountFactory" -var group_name="AWSAccountFactory" -var description="AWSAccountFactory" -var description_identity="AWSAccountFactory" -out tfplan
+          terraform show -json tfplan | jq '.' > tfplan.json
+          docker run --volume "${{ github.workspace }}:/tf" -w /tf bridgecrew/checkov -f tfplan.json --soft-fail
diff --git a/.gitignore b/.gitignore
@@ -1,9 +1,10 @@
 # Local .terraform directories
 **/.terraform/*
-
+.idea
 # .tfstate files
 *.tfstate
 *.tfstate.*
+*.lock.*
 
 # Crash log files
 crash.log
@@ -27,3 +28,5 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+.terraform.lock.hcl
+TFDOC.md
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,62 @@
+  repos:
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v2.39.1
+    hooks:
+      - id: commitizen
+        stages:
+          - commit-msg
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+        args:
+          - --args=-json
+      - id: terraform_docs
+        args:
+          - --hook-config=--path-to-file=./TFDOC.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+          - --hook-config=--add-to-exiting-file=true      # Boolean. true or false
+          - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+      - id: terraform_tflint
+        args:
+          - --args=--enable-rule=terraform_documented_variables
+      - id: terraform_checkov
+        args:
+          - --args=--quiet
+          - --args=--compact
+      - id: terraform_tfsec
+        args:
+          - >
+            --args=--format json
+            --no-color
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0  # Use the ref you want to point at
+    hooks:
+      - id: check-merge-conflict
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: mixed-line-ending
+        args: ['--fix=auto']
+      - id: check-json
+      - id: check-yaml
+
+  #With bridgecrew
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: '2.2.299' # change to tag or sha
+    hooks:
+      - id: checkov
+        verbose: true
+        args: [
+          "-d", ".",
+          "--skip-check", "CKV2_GHA_1",
+        ]
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
diff --git a/README.md b/README.md
@@ -1,2 +1,56 @@
-# terraform-aws-sso-permissions-set
-Terraform module for AWS SSO Permissions Set
+[![Run Pre-Commit](https://github.com/andresb39/aws_sso_permission_set/actions/workflows/pre-commit.yaml/badge.svg?branch=main)](https://github.com/andresb39/aws_sso_permission_set/actions/workflows/pre-commit.yaml)
+# Amazon SSO Permission set
+
+This module create identity groups and attachment policies inlines/managed and associated this groups with the accounts
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.50.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.50.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_identitystore_group.identitystore_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
+| [aws_ssoadmin_account_assignment.account_assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [aws_ssoadmin_managed_policy_attachment.sso_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
+| [aws_ssoadmin_permission_set.sso_permission_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.sso_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_identitystore_group.identitystore_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_ssoadmin_instances.sso](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_description"></a> [description](#input\_description) | Permissions set group description | `string` | `""` | no |
+| <a name="input_description_identity"></a> [description\_identity](#input\_description\_identity) | (Optional) A string containing the description of the group. | `string` | `""` | no |
+| <a name="input_display_name"></a> [display\_name](#input\_display\_name) | (Optional) A string containing the name of the group. This value is commonly displayed when the group is referenced | `string` | `""` | no |
+| <a name="input_group_name"></a> [group\_name](#input\_group\_name) | Group name | `string` | `""` | no |
+| <a name="input_inline_policy"></a> [inline\_policy](#input\_inline\_policy) | Inline policies JSON to attach to SSO Permissions Set | `string` | `""` | no |
+| <a name="input_policy_attachment"></a> [policy\_attachment](#input\_policy\_attachment) | ARN of the policy attachment | `list(string)` | `[]` | no |
+| <a name="input_session_duration"></a> [session\_duration](#input\_session\_duration) | The length of time that the application user sessions are valid in the ISO-8601 standard. Default: PT1H | `string` | `"PT2H"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_target_id"></a> [target\_id](#input\_target\_id) | (Required, Forces new resource) An AWS account identifier, typically a 10-12 digit string. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_group_id"></a> [group\_id](#output\_group\_id) | Group ID |
+<!-- END_TF_DOCS -->
diff --git a/data.tf b/data.tf
@@ -0,0 +1,12 @@
+data "aws_ssoadmin_instances" "sso" {}
+
+data "aws_identitystore_group" "identitystore_group" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = var.display_name
+    }
+  }
+  depends_on = [aws_ssoadmin_permission_set.sso_permission_set]
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,35 @@
+resource "aws_ssoadmin_permission_set" "sso_permission_set" {
+  name             = var.group_name
+  instance_arn     = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
+  description      = var.description
+  session_duration = var.session_duration
+  tags             = var.tags
+}
+resource "aws_ssoadmin_managed_policy_attachment" "sso_policy_attachment" {
+  count              = length(var.policy_attachment)
+  instance_arn       = aws_ssoadmin_permission_set.sso_permission_set.instance_arn
+  managed_policy_arn = var.policy_attachment[count.index]
+  permission_set_arn = aws_ssoadmin_permission_set.sso_permission_set.arn
+}
+resource "aws_ssoadmin_permission_set_inline_policy" "sso_inline_policy" {
+  count              = length(var.inline_policy) > 0 ? 1 : 0
+  inline_policy      = var.inline_policy
+  instance_arn       = aws_ssoadmin_permission_set.sso_permission_set.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.sso_permission_set.arn
+}
+
+resource "aws_identitystore_group" "identitystore_group" {
+  display_name      = var.display_name
+  description       = var.description_identity
+  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
+}
+
+resource "aws_ssoadmin_account_assignment" "account_assignment" {
+  for_each           = length(var.target_id) > 0 ? toset(var.target_id) : []
+  instance_arn       = aws_ssoadmin_permission_set.sso_permission_set.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.sso_permission_set.arn
+  principal_id       = data.aws_identitystore_group.identitystore_group.group_id
+  principal_type     = "GROUP"
+  target_id          = each.value
+  target_type        = "AWS_ACCOUNT"
+}
diff --git a/output.tf b/output.tf
@@ -0,0 +1,4 @@
+output "group_id" {
+  value       = data.aws_identitystore_group.identitystore_group.group_id
+  description = "Group ID"
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,9 @@
+provider "aws" {
+  region = "us-east-1"
+}
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = ">= 4.50.0"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,55 @@
+variable "group_name" {
+  description = "Group name"
+  type        = string
+  default     = ""
+}
+
+variable "description" {
+  description = "Permissions set group description"
+  type        = string
+  default     = ""
+}
+
+variable "session_duration" {
+  description = "The length of time that the application user sessions are valid in the ISO-8601 standard. Default: PT1H"
+  type        = string
+  default     = "PT2H"
+}
+
+variable "policy_attachment" {
+  description = "ARN of the policy attachment"
+  type        = list(string)
+  default     = []
+}
+
+variable "inline_policy" {
+  description = "Inline policies JSON to attach to SSO Permissions Set"
+  type        = string
+  default     = ""
+}
+
+#=== Identity Groups ===#
+variable "display_name" {
+  description = "(Optional) A string containing the name of the group. This value is commonly displayed when the group is referenced"
+  type        = string
+  default     = ""
+}
+
+variable "description_identity" {
+  description = "(Optional) A string containing the description of the group."
+  type        = string
+  default     = ""
+}
+
+#=== Account assignment ===#
+variable "target_id" {
+  description = "(Required, Forces new resource) An AWS account identifier, typically a 10-12 digit string."
+  type        = list(string)
+}
+
+// Tags
+variable "tags" {
+  description = "A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+}
