add admin permissionset to every account
agjmills committed Aug 20, 2024
1 parent 43acaf1 commit 58d3c08
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion sso.tf
Expand Up @@ -7,7 +7,7 @@ resource "aws_identitystore_group" "administrators" {
}

resource "aws_identitystore_user" "alexm" {
identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

display_name = "Alex Mills"
user_name = "alexm"
Expand Down Expand Up @@ -37,4 +37,15 @@ resource "aws_ssoadmin_managed_policy_attachment" "administrator_managed_policy_
instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
permission_set_arn = aws_ssoadmin_permission_set.admin_permissionset.arn
}

resource "aws_ssoadmin_account_assignment" "admin_role_assignment" {
for_each = { for account in data.aws_organizations_organization.org.accounts : account.id => account }

instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
principal_id = aws_identitystore_group.administrators.group_id
principal_type = "GROUP"
target_type = "AWS_ACCOUNT"
target_id = each.key
permission_set_arn = aws_ssoadmin_permission_set.admin_permissionset.arn
}
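Review bot: The `for_each` on `aws_ssoadmin_account_assignment.admin_role_assignment` iterates `data.aws_organizations_organization.org.accounts`, which lists every account in the organization, including the management account and any suspended ones. The `administrators` group therefore gets the `AdministratorAccess` permission set on all of them, and on every account created later, without a further change being reviewed. If the management account is not meant to be covered, iterate `non_master_accounts` instead, and in either case filter out non-active accounts, e.g. `for_each = { for account in data.aws_organizations_organization.org.accounts : account.id => account if account.status == "ACTIVE" }`. Membership of `aws_identitystore_group.administrators` becomes the only control on organization-wide admin access, so a comment above the resource should say so, for example `# Grants AdministratorAccess in every org account to the administrators group; review group membership changes accordingly`. The `data "aws_organizations_organization" "org"` block is not visible in these hunks and is presumably declared elsewhere.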
