diff --git a/README.md b/README.md index 8f1e1fc..1fd492d 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # AWS Organization and SSO terraform module [![Terraform CI](https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/actions/workflows/main.yml?branch=main) -![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/chris-qa-org/terraform-aws-organzation-and-sso) +[![GitHub release](https://img.shields.io/github/release/chris-qa-org/terraform-aws-organzation-and-sso.svg)](https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/releases/) This module creates and manages [AWS Organizations][1], [Organization units][2], [Accounts][3], [SSO Permission sets][5] and group/user assignments. @@ -14,8 +14,8 @@ This module creates and manages [AWS Organizations][1], [Organization units][2], ```hcl module "aws_organizations_and_sso" { - source = "github.com/chris-qa-org/terraform-aws-organzation-and-sso" - version = "0.4.1" + source = "chris-qa-org/organzation-and-sso/aws" + version = "1.0.0" sso_permission_sets = { "admin" = { diff --git a/examples/accounts-and-permission-assignments/README.md b/examples/accounts-and-permission-assignments/README.md new file mode 100644 index 0000000..b3eca14 --- /dev/null +++ b/examples/accounts-and-permission-assignments/README.md 
@@ -0,0 +1,59 @@
+# Accounts and permission assignments example
+
+SSO permission sets can be defined with the `sso_permission_sets` parameter. The `managed_policies` items should be the name of the policy within AWS (The last part of the AWS)
+The permission sets can then be assigned to users or groups in an account with `user_assignments` or `group_assigmnets`.
+
+```
+module "aws_organizations_and_sso" {
+ source = "chris-qa-org/organzation-and-sso/aws"
+ version = "1.0.0"
+
+ region = "eu-west-2"
+
+ sso_permission_sets = {
+ "AdministratorAccess" = {
+ description = "Administrator Access",
+ session_duration = "PT2H",
+ managed_policies = [
+ "AdministratorAccess"
+ ]
+ }
+ "Billing" = {
+ description = "Billing access",
+ session_duration = "PT4H",
+ managed_policies = [
+ "job-function/Billing"
+ ]
+ }
+ }
+
+ organization_config = {
+ units = {
+ "my-org-unit" = {
+ accounts = {
+ "my-account-name" = {
+ email = "me@example.com"
+ iam_user_access_to_billing = "ALLOW"
+ group_assignments = {
+ "Admins" = {
+ permission_sets = [
+ "AdministratorAccess"
+ ]
+ }
+ },
+ user_assignments = {
+ "Alex" = {
+ permission_sets = [
+ "Billing"
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+ feature_set = "ALL",
+ enabled_policy_types = []
+ }
+}
+```
diff --git a/examples/accounts-and-permission-assignments/main.tf b/examples/accounts-and-permission-assignments/main.tf
new file mode 100644
index 0000000..10ae755
--- /dev/null
+++ b/examples/accounts-and-permission-assignments/main.tf
@@ -0,0 +1,52 @@
+module "aws_organizations_and_sso" {
+ source = "chris-qa-org/organzation-and-sso/aws"
+ version = "1.0.0"
+
+ region = "eu-west-2"
+
+ sso_permission_sets = {
+ "AdministratorAccess" = {
+ description = "Administrator Access",
+ session_duration = "PT2H",
+ managed_policies = [
+ "AdministratorAccess"
+ ]
+ }
+ "Billing" = {
+ description = "Billing access",
+ session_duration = "PT4H",
+ managed_policies = [
+ "job-function/Billing"
+ ]
+ }
+ }
+
+ organization_config = {
+ units = {
+ "my-org-unit" = {
+ accounts = {
+ "my-account-name" = {
+ email = "me@example.com"
+ iam_user_access_to_billing = "ALLOW"
+ group_assignments = {
+ "Admins" = {
+ permission_sets = [
+ "AdministratorAccess"
+ ]
+ }
+ },
+ user_assignments = {
+ "Alex" = {
+ permission_sets = [
+ "Billing"
+ ]
+ }
+ }
+ }
+ }
+ }
+ },
+ feature_set = "ALL",
+ enabled_policy_types = []
+ }
+}
diff --git a/examples/existing-account-import/README.md b/examples/existing-account-import/README.md
new file mode 100644
index 0000000..926a1c0
--- /dev/null
+++ b/examples/existing-account-import/README.md
@@ -0,0 +1,28 @@
+# Existing account example
+
+If an AWS account has been imported, the `iam_user_access_to_billing` setting must be set to "NULL" (`string`)
+This is because it can only be set during account creation
+
+```
+module "aws_organizations_and_sso" {
+ source = "chris-qa-org/organzation-and-sso/aws"
+ version = "1.0.0"
+
+ region = "eu-west-2"
+
+ organization_config = {
+ units = {
+ "my-org-unit" = {
+ accounts = {
+ "my-account-name" = {
+ email = "me@example.com"
+ iam_user_access_to_billing = "NULL"
+ }
+ }
+ }
+ },
+ feature_set = "ALL",
+ enabled_policy_types = []
+ }
+}
+```
diff --git a/examples/existing-account-import/main.tf b/examples/existing-account-import/main.tf
new file mode 100644
index 0000000..664b103
--- /dev/null
+++ b/examples/existing-account-import/main.tf
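Review bot: The example assigns the `Admins` group the `AdministratorAccess` permission set while `enabled_policy_types = []` leaves no policy type (and so no service control policy) enabled on the organization, and `iam_user_access_to_billing = "ALLOW"` additionally exposes billing to IAM principals in the member account, so anyone copying this example gets an unconstrained admin path with nothing in the file saying so. The module's handling of these values is not visible in this hunk (presumably passed through to the organization and account resources — confirm), so I would at least annotate the choices where they are made: `enabled_policy_types = [] # no SCPs enabled: nothing at the org level limits the AdministratorAccess assignment below` and `iam_user_access_to_billing = "ALLOW" # IAM principals in the member account can view billing; prefer "DENY" unless required`. The `"Admins"` and `"Alex"` keys under `group_assignments` and `user_assignments` are resolved by name in the identity store, and the example should state which attribute (user name vs. display name) the module matches on, which I cannot tell from this hunk.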
@@ -0,0 +1,21 @@
+module "aws_organizations_and_sso" {
+ source = "chris-qa-org/organzation-and-sso/aws"
+ version = "1.0.0"
+
+ region = "eu-west-2"
+
+ organization_config = {
+ units = {
+ "my-org-unit" = {
+ accounts = {
+ "my-account-name" = {
+ email = "me@example.com"
+ iam_user_access_to_billing = "NULL"
+ }
+ }
+ }
+ },
+ feature_set = "ALL",
+ enabled_policy_types = []
+ }
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..f0f9d5b
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,8 @@
+# https://github.com/chris-qa-org/terraform-aws-organzation-and-sso
+#
+# main terraform files:
+# org.tf: AWS Organizaion resources
+# sso.tf: AWS Single Sign On resources
+# locals.tf: local values
+# variables.tf: Input variables
+# outputs.tf: Output values
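Review bot: `iam_user_access_to_billing = "NULL"` is a string sentinel rather than HCL `null`, and nothing in this main.tf says why it is required, so someone adapting the example is likely to "correct" it to `null` or `"DENY"` and get an unexpected diff on an imported account. The README added in the same commit explains that the value can only be chosen at account creation, but the .tf file should carry that itself, e.g. `iam_user_access_to_billing = "NULL" # module sentinel for imported accounts: AWS only accepts this setting at account creation`. How the module maps `"NULL"` onto the underlying account resource is not visible here, so the exact wording should be checked against variables.tf.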
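Review bot: `# org.tf: AWS Organizaion resources` has a typo and should read `# org.tf: AWS Organization resources`. The header otherwise only lists file names, so a one-line statement of the module's scope would make it a useful entry point, e.g. `# Creates the AWS Organization, its organizational units and accounts, and IAM Identity Center (formerly AWS SSO) permission sets and assignments`, which is the scope the README in this commit describes. The `sso.tf` line could use the same current service name, since "Single Sign On" is the former one.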