Merge pull request #50 from dtappert/add-instance-access-control-attr…

…ibutes

Add instance access control attributes

README.md

@@ -262,6 +262,7 @@ No modules.
 | [aws_ssoadmin_application_assignment.sso_apps_users_assignments](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_application_assignment) | resource |
 | [aws_ssoadmin_application_assignment_configuration.sso_apps_assignments_configs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_application_assignment_configuration) | resource |
 | [aws_ssoadmin_customer_managed_policy_attachment.pset_customer_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
+| [aws_ssoadmin_instance_access_control_attributes.sso_access_control_attributes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_instance_access_control_attributes) | resource |
 | [aws_ssoadmin_managed_policy_attachment.pset_aws_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
 | [aws_ssoadmin_permission_set_inline_policy.pset_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
@@ -286,6 +287,7 @@ No modules.
 | <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Permission Sets that you wish to create in IAM Identity Center. This variable is a map of maps containing Permission Set names as keys. See permission\_sets description in README for information about map values. | `any` | `{}` | no |
 | <a name="input_sso_applications"></a> [sso\_applications](#input\_sso\_applications) | List of applications to be created in IAM Identity Center | <pre>map(object({<br>    name                     = string<br>    application_provider_arn = string<br>    description              = optional(string)<br>    portal_options = optional(object({<br>      sign_in_options = optional(object({<br>        application_url = optional(string)<br>        origin          = string<br>      }))<br>      visibility = optional(string)<br>    }))<br>    status              = string # acceptable values are "ENABLED" or "DISABLED"<br>    client_token        = optional(string)<br>    tags                = optional(map(string))<br>    assignment_required = bool # Resource: aws_ssoadmin_application_assignment_configuration<br>    assignments_access_scope = optional(<br>      list(object({<br>        authorized_targets = optional(list(string)) # List of application names<br>        scope              = string<br>      }))<br>    )                                          # Resource: aws_ssoadmin_application_access_scope<br>    group_assignments = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for groups<br>    user_assignments  = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for users<br>  }))</pre> | `{}` | no |
 | <a name="input_sso_groups"></a> [sso\_groups](#input\_sso\_groups) | Names of the groups you wish to create in IAM Identity Center. | <pre>map(object({<br>    group_name        = string<br>    group_description = optional(string, null)<br>  }))</pre> | `{}` | no |
+| <a name="input_sso_instance_access_control_attributes"></a> [sso\_instance\_access\_control\_attributes](#input\_sso\_instance\_access\_control\_attributes) | List of attributes for access control. This is used to create the enable and use attributes for access control. | <pre>list(object({<br>    attribute_name = string<br>    source = set(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_sso_users"></a> [sso\_users](#input\_sso\_users) | Names of the users you wish to create in IAM Identity Center. | <pre>map(object({<br>    display_name     = optional(string)<br>    user_name        = string<br>    group_membership = list(string)<br>    # Name<br>    given_name       = string<br>    middle_name      = optional(string, null)<br>    family_name      = string<br>    name_formatted   = optional(string)<br>    honorific_prefix = optional(string, null)<br>    honorific_suffix = optional(string, null)<br>    # Email<br>    email            = string<br>    email_type       = optional(string, null)<br>    is_primary_email = optional(bool, true)<br>    # Phone Number<br>    phone_number            = optional(string, null)<br>    phone_number_type       = optional(string, null)<br>    is_primary_phone_number = optional(bool, true)<br>    # Address<br>    country            = optional(string, " ")<br>    locality           = optional(string, " ")<br>    address_formatted  = optional(string)<br>    postal_code        = optional(string, " ")<br>    is_primary_address = optional(bool, true)<br>    region             = optional(string, " ")<br>    street_address     = optional(string, " ")<br>    address_type       = optional(string, null)<br>    # Additional<br>    user_type          = optional(string, null)<br>    title              = optional(string, null)<br>    locale             = optional(string, null)<br>    nickname           = optional(string, null)<br>    preferred_language = optional(string, null)<br>    profile_url        = optional(string, null)<br>    timezone           = optional(string, null)<br>  }))</pre> | `{}` | no |
 
 ## Outputs

VERSION

@@ -1,3 +1,3 @@
-v1.0.1
+v1.0.2
 
 

examples/inline-policy/main.tf

@@ -52,7 +52,7 @@ module "aws-iam-identity-center" {
 
   existing_sso_groups = {
     AWSControlTowerAdmins : {
-      group_name = "AWSControlTowerAdmins"
+      group_name = "AWSControlTowerAdmins" # this must be the name of a sso group that already exists in your AWS account
     }
   }
 
@@ -85,7 +85,7 @@ module "aws-iam-identity-center" {
 
   existing_permission_sets = {
     AWSAdministratorAccess : {
-      permission_set_name = "AWSAdministratorAccess"
+      permission_set_name = "AWSAdministratorAccess" # this must be the name of a permission set that already exists in your AWS account
     },
   }
 

examples/instance-access-control-attributes/.header.md

@@ -0,0 +1,14 @@
+This directory contains examples of using the module to **create** instance access control attributes.
+
+```hcl
+  sso_instance_access_control_attributes = [
+    {
+      attribute_name = "FirstName"
+      source = ["$${path:name.givenName}"]
+    },
+    {
+      attribute_name = "LastName"
+      source = ["$${path:name.familyName}"]
+    }
+  ]
+```

examples/instance-access-control-attributes/README.md

@@ -0,0 +1,46 @@
+<!-- BEGIN_TF_DOCS -->
+This directory contains examples of using the module to **create** instance access control attributes.
+
+```hcl
+  sso_instance_access_control_attributes = [
+    {
+      attribute_name = "FirstName"
+      source = ["$${path:name.givenName}"]
+    },
+    {
+      attribute_name = "LastName"
+      source = ["$${path:name.familyName}"]
+    }
+  ]
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-iam-identity-center"></a> [aws-iam-identity-center](#module\_aws-iam-identity-center) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssm_parameter.account1_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/instance-access-control-attributes/locals.tf

@@ -0,0 +1,14 @@
+# Fetch Account Id from SSM Parameter Store
+data "aws_ssm_parameter" "account1_account_id" {
+  name = "tf-aws-iam-idc-module-testing-account1-account-id" // replace with your SSM Parameter Key
+}
+
+locals {
+  # Account IDs
+  account1_account_id = nonsensitive(data.aws_ssm_parameter.account1_account_id.value)
+  # account1_account_id = "111111111111"
+  # account2_account_id = "222222222222"
+  # account3_account_id = "333333333333"
+  # account4_account_id = "444444444444"
+
+}

examples/instance-access-control-attributes/main.tf

@@ -0,0 +1,15 @@
+module "aws-iam-identity-center" {
+    source = "../.." // local example
+
+  //Create desired access control attributes
+  sso_instance_access_control_attributes = [
+    { 
+      attribute_name = "FirstName"
+      source = ["$${path:name.givenName}"]
+    },
+    {
+      attribute_name = "LastName"
+      source = ["$${path:name.familyName}"]
+    }
+  ]
+}

main.tf

@@ -318,3 +318,17 @@ resource "aws_ssoadmin_application_assignment" "sso_apps_users_assignments" {
   principal_type  = each.value.principal_type
 }
 
+# SSO Instance Access Control Attributes
+resource  "aws_ssoadmin_instance_access_control_attributes" "sso_access_control_attributes" {
+  count = length(var.sso_instance_access_control_attributes) <= 0 ? 0 : 1
+  instance_arn = local.ssoadmin_instance_arn
+  dynamic "attribute" {
+    for_each = var.sso_instance_access_control_attributes
+    content {
+      key   = attribute.key
+      value {
+        source = attribute.value.source
+      }
+    }
+  }
+}

tests/01_mandatory.tftest.hcl

@@ -10,4 +10,4 @@ run "e2e_test" {
   module {
     source = "./examples/create-users-and-groups"
   }
-}
+}

tests/07_instance_access_control_attributes.tftest.hcl

@@ -0,0 +1,13 @@
+run "unit_test" {
+  command = plan
+  module {
+    source = "./examples/instance-access-control-attributes"
+  }
+}
+
+run "e2e_test" {
+  command = apply
+  module {
+    source = "./examples/instance-access-control-attributes"
+  }
+}

variables.tf

@@ -145,3 +145,30 @@ variable "sso_applications" {
     error_message = "The application_provider_arn field is mandatory for all applications."
   }
 }
+
+#Access Control Attributes
+variable "sso_instance_access_control_attributes" {
+  description = "List of attributes for access control. This is used to create the enable and use attributes for access control."
+  type = list(object({
+    attribute_name = string
+    source = set(string)
+  }))
+  default = []
+  validation {
+    condition = alltrue([
+      for attr in var.sso_instance_access_control_attributes :
+      attr.attribute_name != null &&
+      attr.attribute_name != ""
+    ])
+    error_message = "The attribute_name field is mandatory for all attributes."
+  }
+  validation {
+    condition = alltrue([
+      for attr in var.sso_instance_access_control_attributes :
+      attr.source != null &&
+      length(attr.source) > 0 &&  # checks if the set is not empty
+      alltrue([for s in attr.source : s != ""]) # checks no empty strings in set
+    ])
+    error_message = "The attribute source is mandatory and must contain non-empty strings."
+  }
+}