From 58d3c08a9cc5eddb295ea1a31d2c95b2c3ccc3ab Mon Sep 17 00:00:00 2001
From: Alex Mills
Date: Tue, 20 Aug 2024 09:51:35 +0000
Subject: [PATCH] add admin permissionset to every account

---
 sso.tf | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sso.tf b/sso.tf
index f2a0b44..1086206 100644
--- a/sso.tf
+++ b/sso.tf
@@ -7,7 +7,7 @@ resource "aws_identitystore_group" "administrators" {
 }
 
 resource "aws_identitystore_user" "alexm" {
- identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+ identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
 display_name = "Alex Mills"
 user_name = "alexm"
 
@@ -37,4 +37,15 @@ resource "aws_ssoadmin_managed_policy_attachment" "administrator_managed_policy_
 instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
 managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
 permission_set_arn = aws_ssoadmin_permission_set.admin_permissionset.arn
+}
+
+resource "aws_ssoadmin_account_assignment" "admin_role_assignment" {
+ for_each = { for account in data.aws_organizations_organization.org.accounts : account.id => account }
+
+ instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+ principal_id = aws_identitystore_group.administrators.group_id
+ principal_type = "GROUP"
+ target_type = "AWS_ACCOUNT"
+ target_id = each.key
+ permission_set_arn = aws_ssoadmin_permission_set.admin_permissionset.arn
 }
\ No newline at end of file
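Review bot: The `for_each` in the new `aws_ssoadmin_account_assignment` grants the AdministratorAccess permission set to the `administrators` group in every account returned by `data.aws_organizations_organization.org.accounts`, which includes the organization's management account as well as any suspended or closing accounts. Unless management-account admin for this group is intended, iterate over `non_master_accounts` and filter on status, e.g. `for_each = { for account in data.aws_organizations_organization.org.non_master_accounts : account.id => account if account.status == "ACTIVE" }`, and assign the management account explicitly if it is needed. The `data.aws_organizations_organization.org` source is not in this diff, so I am assuming it is declared elsewhere in the module. A short comment above the resource stating the intended scope, such as `# Org-wide admin: every active member account; management account excluded`, would make the blast radius obvious to the next reader. The file also ends without a trailing newline, which `terraform fmt` would fix.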