Add support for multiple SSO Permission Set assignments

.github/workflows/terraform.yml

@@ -74,4 +74,4 @@ jobs:
       - name: Check out code
         uses: actions/checkout@master
       - name: Terraform security scan
-        uses: triat/terraform-security-scan@v2.0.2
+        uses: triat/terraform-security-scan@v2.2.3

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 0.10.0 (2021-05-27)
+
+ENHANCEMENTS
+
+- Add support for multiple SSO Permission Set assignments ([#106](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/pull/106))
+
 ## 0.9.1 (2021-05-11)
 
 ENHANCEMENTS

README.md

@@ -290,7 +290,7 @@ module "landing_zone" {
 | aws\_required\_tags | AWS Required tags settings | <pre>map(list(object({<br>    name   = string<br>    values = list(string)<br>  })))</pre> | `null` | no |
 | aws\_security\_hub\_product\_arns | A list of the ARNs of the products you want to import into Security Hub | `list(string)` | `[]` | no |
 | aws\_security\_hub\_sns\_subscription | Subscription options for the LandingZone-SecurityHubFindings SNS topic | <pre>map(object({<br>    endpoint = string<br>    protocol = string<br>  }))</pre> | `{}` | no |
-| aws\_sso\_permission\_sets | Map of AWS SSO Permission Sets with the AWS Accounts and the names of the AWS SSO Groups that should be granted access to each account | <pre>map(object({<br>    accounts         = map(list(string))<br>    inline_policy    = string<br>    session_duration = string<br>  }))</pre> | `{}` | no |
+| aws\_sso\_permission\_sets | Map of AWS SSO Permission Sets with the AWS Accounts and the names of the AWS SSO Groups that should be granted access to each account | <pre>map(object({<br>    assignments      = list(map(list(string)))<br>    inline_policy    = string<br>    session_duration = string<br>  }))</pre> | `{}` | no |
 | datadog | Datadog integration options for the core accounts | <pre>object({<br>    api_key               = string<br>    enable_integration    = bool<br>    install_log_forwarder = bool<br>    site_url              = string<br>  })</pre> | `null` | no |
 | kms\_key\_policy | A valid KMS key policy JSON document | `string` | `""` | no |
 | monitor\_iam\_activity | Whether IAM activity should be monitored | `bool` | `true` | no |

UPGRADING.md

@@ -1,3 +1,9 @@
+# Upgrading to 0.10.x
+
+Version `0.10.x` adds the possibility of assigning the same SSO Permission Set to different groups of accounts and SSO Groups. For example, the permission set `Administrator` can be assigned to group A for account 123 and for group B for account 456.
+
+This required changing the variable `aws_sso_permission_sets` where the `accounts` attribute was renamed to `assignments` and changed to a list.
+
 # Upgrading to 0.9.x
 
 Removal of the local AVM module. Modify the source to the new [MCAF Account Vending Machine (AVM) module](https://github.com/schubergphilis/terraform-aws-mcaf-avm).

locals.tf

@@ -19,12 +19,14 @@ locals {
   )
   aws_sso_account_assignment = flatten([
     for permission_set_name, permission_set in var.aws_sso_permission_sets : [
-      for aws_account_id, sso_groups in permission_set.accounts : [
-        for sso_group in sso_groups : {
-          aws_account_id      = aws_account_id
-          permission_set_name = permission_set_name
-          sso_group           = sso_group
-        }
+      for assignment in permission_set.assignments : [
+        for aws_account_id, sso_groups in assignment : [
+          for sso_group in sso_groups : {
+            aws_account_id      = aws_account_id
+            permission_set_name = permission_set_name
+            sso_group           = sso_group
+          }
+        ]
       ]
     ]
   ])

variables.tf

@@ -114,7 +114,7 @@ variable "aws_security_hub_sns_subscription" {
 
 variable "aws_sso_permission_sets" {
   type = map(object({
-    accounts         = map(list(string))
+    assignments      = list(map(list(string)))
     inline_policy    = string
     session_duration = string
   }))