diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..e282a8e
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,32 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# Override for Makefile
+[{Makefile,makefile,GNUmakefile}]
+indent_style = tab
+indent_size = 4
+
+[Makefile.*]
+indent_style = tab
+indent_size = 4
+
+[{*.yaml,*.yml,*.md}]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = tab
+indent_size = 2
+
+[*.{tf,tfvars,tpl,variant}]
+indent_style = space
+indent_size = 2
+
+[*.json]
+insert_final_newline = false
diff --git a/.github/renovate.json b/.github/renovate.json
index 47cf066..2921be4 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -3,4 +3,4 @@
 "extends": [
 "config:base"
 ]
-}
+}
\ No newline at end of file
diff --git a/.github/settings.yml b/.github/settings.yml
index 73f8de6..b010cdb 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -5,3 +5,4 @@ repository:
 description: This component is responsible for creating AWS SSO Permission Sets and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts
 homepage: https://cloudposse.com/accelerate
 topics: terraform, terraform-component
+
diff --git a/README.md b/README.md
index e169917..a0ab41a 100644
--- a/README.md
+++ b/README.md
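Review bot: The `[*.json]` section at the end of the new .editorconfig sets `insert_final_newline = false`, overriding the `[*]` default declared above it, and this appears to be what strips the trailing newline from .github/renovate.json in the next hunk (`\ No newline at end of file`). A file without a final newline is not a POSIX text file and causes churn with formatters, `jq`, and linters that re-add it, so unless a specific consumer needs it, drop that override and let JSON files follow the global rule. Separately, `[Makefile.*]` repeats exactly the settings of `[{Makefile,makefile,GNUmakefile}]`; the two sections can be merged into one glob, `[{Makefile,makefile,GNUmakefile,Makefile.*}]`.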
@@ -125,51 +125,51 @@ format("Identity%sTeamAccess", replace(title(role), "-", "")) ### Defining a new permission set 1. Give the permission set a name, capitalized, in CamelCase, e.g. `AuditManager`. We will use `NAME` as a placeholder - for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. + for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. 2. Create a file in the `aws-sso` directory with the name `policy-NAME.tf`. 3. In that file, create a policy as follows: - ```hcl - data "aws_iam_policy_document" "TerraformUpdateAccess" { - # Define the custom policy here - } - - locals { - NAME_permission_set = { # e.g. audit_manager_permission_set - name = "NAME", # e.g. AuditManager - description = "", - relay_state = "", - session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles - tags = {}, - inline_policy = data.aws_iam_policy_document.NAME.json, - policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess - customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach - } - } - ``` + ```hcl + data "aws_iam_policy_document" "TerraformUpdateAccess" { + # Define the custom policy here + } + + locals { + NAME_permission_set = { # e.g. audit_manager_permission_set + name = "NAME", # e.g. AuditManager + description = "", + relay_state = "", + session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles + tags = {}, + inline_policy = data.aws_iam_policy_document.NAME.json, + policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess + customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach + } + } + ``` 4. Create a file named `additional-permission-sets-list_override.tf` in the `aws-sso` directory (if it does not already - exist). 
This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), - meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals - defined in other files. Having your code in this separate override file makes it possible for the component to - provide a placeholder local variable so that it works without customization, while allowing you to customize the - component and still update it without losing your customizations. + exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), + meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals + defined in other files. Having your code in this separate override file makes it possible for the component to + provide a placeholder local variable so that it works without customization, while allowing you to customize the + component and still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_permission_sets` as follows: - ```hcl - locals { - overridable_additional_permission_sets = [ - local.NAME_permission_set, - ] - } - ``` + ```hcl + locals { + overridable_additional_permission_sets = [ + local.NAME_permission_set, + ] + } + ``` - If you have multiple custom policies, add each one to the list. + If you have multiple custom policies, add each one to the list. 6. With that done, the new permission set will be created when the changes are applied. You can then use it just like - the others. + the others. 7. If you want the permission set to be able to use Terraform, enable access to the Terraform state read/write (default) - role in `tfstate-backend`. + role in `tfstate-backend`. #### Example diff --git a/README.yaml b/README.yaml index 75f059b..566f02c 100644 --- a/README.yaml +++ b/README.yaml 
@@ -101,51 +101,51 @@ description: |- ### Defining a new permission set 1. Give the permission set a name, capitalized, in CamelCase, e.g. `AuditManager`. We will use `NAME` as a placeholder - for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. + for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. 2. Create a file in the `aws-sso` directory with the name `policy-NAME.tf`. 3. In that file, create a policy as follows: - ```hcl - data "aws_iam_policy_document" "TerraformUpdateAccess" { - # Define the custom policy here - } - - locals { - NAME_permission_set = { # e.g. audit_manager_permission_set - name = "NAME", # e.g. AuditManager - description = "", - relay_state = "", - session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles - tags = {}, - inline_policy = data.aws_iam_policy_document.NAME.json, - policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess - customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach - } - } - ``` + ```hcl + data "aws_iam_policy_document" "TerraformUpdateAccess" { + # Define the custom policy here + } + + locals { + NAME_permission_set = { # e.g. audit_manager_permission_set + name = "NAME", # e.g. AuditManager + description = "", + relay_state = "", + session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles + tags = {}, + inline_policy = data.aws_iam_policy_document.NAME.json, + policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess + customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach + } + } + ``` 4. Create a file named `additional-permission-sets-list_override.tf` in the `aws-sso` directory (if it does not already - exist). 
This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), - meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals - defined in other files. Having your code in this separate override file makes it possible for the component to - provide a placeholder local variable so that it works without customization, while allowing you to customize the - component and still update it without losing your customizations. + exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), + meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals + defined in other files. Having your code in this separate override file makes it possible for the component to + provide a placeholder local variable so that it works without customization, while allowing you to customize the + component and still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_permission_sets` as follows: - ```hcl - locals { - overridable_additional_permission_sets = [ - local.NAME_permission_set, - ] - } - ``` + ```hcl + locals { + overridable_additional_permission_sets = [ + local.NAME_permission_set, + ] + } + ``` - If you have multiple custom policies, add each one to the list. + If you have multiple custom policies, add each one to the list. 6. With that done, the new permission set will be created when the changes are applied. You can then use it just like - the others. + the others. 7. If you want the permission set to be able to use Terraform, enable access to the Terraform state read/write (default) - role in `tfstate-backend`. + role in `tfstate-backend`. #### Example diff --git a/docs/.gitkeep b/docs/.gitkeep index e69de29..8b13789 100644 --- a/docs/.gitkeep +++ b/docs/.gitkeep @@ -0,0 +1 @@ + 
diff --git a/src/README.md b/src/README.md index fccd986..88d8d0b 100644 --- a/src/README.md +++ b/src/README.md 
@@ -106,51 +106,51 @@ format("Identity%sTeamAccess", replace(title(role), "-", "")) ### Defining a new permission set 1. Give the permission set a name, capitalized, in CamelCase, e.g. `AuditManager`. We will use `NAME` as a placeholder - for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. + for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. 2. Create a file in the `aws-sso` directory with the name `policy-NAME.tf`. 3. In that file, create a policy as follows: - ```hcl - data "aws_iam_policy_document" "TerraformUpdateAccess" { - # Define the custom policy here - } - - locals { - NAME_permission_set = { # e.g. audit_manager_permission_set - name = "NAME", # e.g. AuditManager - description = "", - relay_state = "", - session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles - tags = {}, - inline_policy = data.aws_iam_policy_document.NAME.json, - policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess - customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach - } - } - ``` + ```hcl + data "aws_iam_policy_document" "TerraformUpdateAccess" { + # Define the custom policy here + } + + locals { + NAME_permission_set = { # e.g. audit_manager_permission_set + name = "NAME", # e.g. AuditManager + description = "", + relay_state = "", + session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles + tags = {}, + inline_policy = data.aws_iam_policy_document.NAME.json, + policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess + customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach + } + } + ``` 4. Create a file named `additional-permission-sets-list_override.tf` in the `aws-sso` directory (if it does not already - exist). 
This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), - meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals - defined in other files. Having your code in this separate override file makes it possible for the component to - provide a placeholder local variable so that it works without customization, while allowing you to customize the - component and still update it without losing your customizations. + exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), + meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals + defined in other files. Having your code in this separate override file makes it possible for the component to + provide a placeholder local variable so that it works without customization, while allowing you to customize the + component and still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_permission_sets` as follows: - ```hcl - locals { - overridable_additional_permission_sets = [ - local.NAME_permission_set, - ] - } - ``` + ```hcl + locals { + overridable_additional_permission_sets = [ + local.NAME_permission_set, + ] + } + ``` - If you have multiple custom policies, add each one to the list. + If you have multiple custom policies, add each one to the list. 6. With that done, the new permission set will be created when the changes are applied. You can then use it just like - the others. + the others. 7. If you want the permission set to be able to use Terraform, enable access to the Terraform state read/write (default) - role in `tfstate-backend`. + role in `tfstate-backend`. #### Example diff --git a/src/context.tf b/src/context.tf index 5e0ef88..e7dd3ea 100644 --- a/src/context.tf +++ b/src/context.tf 
@@ -264,8 +264,8 @@ variable "descriptor_formats" { Describe additional descriptors to be output in the `descriptors` output map. Map of maps. Keys are names of descriptors. Values are maps of the form `{ - format = string - labels = list(string) + format = string + labels = list(string) }` (Type is `any` so the map values can later be enhanced to provide additional options.) `format` is a Terraform format string to be passed to the `format()` function. diff --git a/src/policy-Identity-role-TeamAccess.tf b/src/policy-Identity-role-TeamAccess.tf index 371b293..26d21d7 100644 --- a/src/policy-Identity-role-TeamAccess.tf +++ b/src/policy-Identity-role-TeamAccess.tf @@ -19,9 +19,9 @@ data "aws_iam_policy_document" "assume_aws_team" { resources = ["*"] /* For future reference, this tag-based restriction also works, based on - the fact that we always tag our IAM roles with the "Name" tag. - This could be used to control access based on some other tag, like "Category", - so is left here as an example. + the fact that we always tag our IAM roles with the "Name" tag. + This could be used to control access based on some other tag, like "Category", + so is left here as an example. condition { test = "ForAllValues:StringEquals"