From 838f833ee4a06413a177a518567ac9b7c5b1ae52 Mon Sep 17 00:00:00 2001
From: Zachary Hill
Date: Sat, 30 Dec 2023 12:05:31 -0500
Subject: [PATCH] initial configuration of permission set and policies

---
 .../identity_center/permission_set/main.tf | 39 +++++++++++++++++++
 .../permission_set/variables.tf | 24 ++++++++++++
 modules/module_template/main.tf | 25 ++++++++++++
 3 files changed, 88 insertions(+)

diff --git a/modules/aws/identity_center/permission_set/main.tf b/modules/aws/identity_center/permission_set/main.tf
index da6618db..03329300 100644
--- a/modules/aws/identity_center/permission_set/main.tf
+++ b/modules/aws/identity_center/permission_set/main.tf
@@ -1,3 +1,6 @@
+###########################
+# Provider Configuration
+###########################
 terraform {
   required_version = ">= 1.0.0"
   required_providers {
@@ -8,8 +11,20 @@ terraform {
   }
 }
 
+###########################
+# Data Sources
+###########################
+
 data "aws_ssoadmin_instances" "this" {}
 
+###########################
+# Locals
+###########################
+
+###########################
+# Permission Set
+###########################
+
 resource "aws_ssoadmin_permission_set" "this" {
   name        = var.name
   description = var.description
@@ -18,3 +33,27 @@ resource "aws_ssoadmin_permission_set" "this" {
   session_duration = var.session_duration
   tags             = merge(var.tags, { "Name" = var.name })
 }
+
+resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
+  count              = var.customer_managed_iam_policy_name != null ? 1 : 0
+  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+  customer_managed_policy_reference {
+    name = var.customer_managed_iam_policy_name
+    path = var.customer_managed_iam_policy_path
+  }
+}
+
+resource "aws_ssoadmin_managed_policy_attachment" "this" {
+  count              = var.managed_policy_arn != null ? 1 : 0
+  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+  managed_policy_arn = var.managed_policy_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+}
+
+resource "aws_ssoadmin_permission_set_inline_policy" "this" {
+  count              = var.inline_policy != null ? 1 : 0
+  inline_policy      = var.inline_policy
+  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.this.arn
+}
diff --git a/modules/aws/identity_center/permission_set/variables.tf b/modules/aws/identity_center/permission_set/variables.tf
index 17966e28..e96e60a4 100644
--- a/modules/aws/identity_center/permission_set/variables.tf
+++ b/modules/aws/identity_center/permission_set/variables.tf
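Review bot: `var.inline_policy` flows straight into `aws_ssoadmin_permission_set_inline_policy` and `var.managed_policy_arn` straight into `aws_ssoadmin_managed_policy_attachment` with no input validation, so a malformed JSON document, or an account-scoped policy ARN handed to an attachment type that (per the SSO Admin API) only accepts AWS managed policies, is discovered only at apply time against IAM Identity Center rather than at plan. Those checks belong on the variables, but the customer-managed attachment here also deserves a why-comment, because Identity Center resolves the reference by name and path inside each target account at assignment time and the account assignment fails if the policy is absent there: `# The policy must already exist with this exact name/path in every account the permission set is assigned to.` Each of the three attachments is a `count`-gated single-string input, so one module instance can attach at most one managed and one customer-managed policy; if callers need several, turning `managed_policy_arn` into a set driven by `for_each` would avoid a second permission set per policy.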
@@ -1,9 +1,33 @@
+variable "customer_managed_iam_policy_name" {
+  description = "(Optional) The name of the customer managed IAM policy to attach to a Permission Set. If this is set, the module will utilize a customer_managed_policy_attachment."
+  type        = string
+  default     = null
+}
+
+variable "customer_managed_iam_policy_path" {
+  description = "(Optional) The path of the customer managed IAM policy to attach to a Permission Set."
+  type        = string
+  default     = "/"
+}
+
 variable "description" {
   description = "(Optional) The description of the permission set."
   type        = string
   default     = null
 }
 
+variable "inline_policy" {
+  description = "(Optional) The IAM inline policy to attach to a Permission Set. If this is set, the module will utilize an inline_policy."
+  type        = string
+  default     = null
+}
+
+variable "managed_policy_arn" {
+  description = "(Optional) The ARN of the IAM managed policy to attach to a Permission Set. If this is set, the module will utilize a managed_policy_attachment."
+  type        = string
+  default     = null
+}
+
 variable "name" {
   description = "(Required) The name of the permission set."
   type        = string
diff --git a/modules/module_template/main.tf b/modules/module_template/main.tf
index e69de29b..ccf9fedc 100755
--- a/modules/module_template/main.tf
+++ b/modules/module_template/main.tf
@@ -0,0 +1,25 @@
+###########################
+# Provider Configuration
+###########################
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0.0"
+    }
+  }
+}
+
+###########################
+# Data Sources
+###########################
+
+
+###########################
+# Locals
+###########################
+
+###########################
+# Module Configuration
+###########################
\ No newline at end of file
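Review bot: The new `inline_policy` and `managed_policy_arn` variables accept any string, so a non-JSON inline document or a customer/account-scoped ARN passed to the AWS-managed attachment is rejected only by the SSO Admin API at apply time, after the permission set itself has already been created. Both can be caught at plan with `validation` blocks (supported since the `>= 1.0.0` floor this module declares): `can(jsondecode(...))` for the inline document and a regex pinning the `arn:<partition>:iam::aws:policy/` shape for the managed ARN, with `== null` short-circuiting the optional case. It would also help callers to extend the `customer_managed_iam_policy_name` description with the operational prerequisite, e.g. `... The policy must already exist with this name and path in every account the permission set is assigned to.`
```hcl
variable "inline_policy" {
  # … unchanged: description / type / default …

  validation {
    condition     = var.inline_policy == null || can(jsondecode(var.inline_policy))
    error_message = "inline_policy must be a valid JSON IAM policy document."
  }
}

variable "managed_policy_arn" {
  # … unchanged: description / type / default …

  validation {
    condition     = var.managed_policy_arn == null || can(regex("^arn:aws[a-zA-Z-]*:iam::aws:policy/", var.managed_policy_arn))
    error_message = "managed_policy_arn must be an AWS managed policy ARN (arn:<partition>:iam::aws:policy/...); use customer_managed_iam_policy_name for customer managed policies."
  }
}
```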