File tree Expand file tree Collapse file tree 4 files changed +160
-0
lines changed
accounts-and-permission-assignments Expand file tree Collapse file tree 4 files changed +160
-0
lines changed Original file line number Diff line number Diff line change 1+ # Accounts and permission assignments example
2+
3+ SSO permission sets can be defined with the ` sso_permission_sets ` parameter. The ` managed_policies ` items should be the name of the policy within AWS (The last part of the AWS)
4+ The permission sets can then be assigned to users or groups in an account with ` user_assignments ` or ` group_assigmnets ` .
5+
6+ ```
7+ module "aws_organizations_and_sso" {
8+ source = "github.com/chris-qa-org/terraform-aws-organzation-and-sso"
9+ version = "0.4.1"
10+
11+ region = "eu-west-2"
12+
13+ sso_permission_sets = {
14+ "AdministratorAccess" = {
15+ description = "Administrator Access",
16+ session_duration = "PT2H",
17+ managed_policies = [
18+ "AdministratorAccess"
19+ ]
20+ }
21+ "Billing" = {
22+ description = "Billing access",
23+ session_duration = "PT4H",
24+ managed_policies = [
25+ "job-function/Billing"
26+ ]
27+ }
28+ }
29+
30+ organization_config = {
31+ units = {
32+ "my-org-unit" = {
33+ accounts = {
34+ "my-account-name" = {
35+ 36+ iam_user_access_to_billing = "ALLOW"
37+ group_assignments = {
38+ "Admins" = {
39+ permission_sets = [
40+ "AdministratorAccess"
41+ ]
42+ }
43+ },
44+ user_assignments = {
45+ "Alex" = {
46+ permission_sets = [
47+ "Billing"
48+ ]
49+ }
50+ }
51+ }
52+ }
53+ }
54+ },
55+ feature_set = "ALL",
56+ enabled_policy_types = []
57+ }
58+ }
59+ ```
Original file line number Diff line number Diff line change 1+ module "aws_organizations_and_sso" {
2+ source = " github.com/chris-qa-org/terraform-aws-organzation-and-sso"
3+ version = " 0.4.1"
4+
5+ region = " eu-west-2"
6+
7+ sso_permission_sets =
8+ " AdministratorAccess" = {
9+ description = " Administrator Access"
10+ session_duration = " PT2H"
11+ managed_policies = [
12+ " AdministratorAccess"
13+ ]
14+ }
15+ " Billing" = {
16+ description = " Billing access"
17+ session_duration = " PT4H"
18+ managed_policies = [
19+ " job-function/Billing"
20+ ]
21+ }
22+ }
23+
24+ organization_config =
25+ units = {
26+ " my-org-unit" = {
27+ accounts = {
28+ " my-account-name" = {
29+ 30+ iam_user_access_to_billing = " ALLOW"
31+ group_assignments = {
32+ " Admins" = {
33+ permission_sets = [
34+ " AdministratorAccess"
35+ ]
36+ }
37+ },
38+ user_assignments = {
39+ " Alex" = {
40+ permission_sets = [
41+ " Billing"
42+ ]
43+ }
44+ }
45+ }
46+ }
47+ }
48+ },
49+ feature_set = " ALL"
50+ enabled_policy_types = []
51+ }
52+ }
Original file line number Diff line number Diff line change 1+ # Existing account example
2+
3+ If an AWS account has been imported, the ` iam_user_access_to_billing ` setting must be set to "NULL" (` string ` )
4+ This is because it can only be set during account creation
5+
6+ ```
7+ module "aws_organizations_and_sso" {
8+ source = "github.com/chris-qa-org/terraform-aws-organzation-and-sso"
9+ version = "0.4.1"
10+
11+ region = "eu-west-2"
12+
13+ organization_config = {
14+ units = {
15+ "my-org-unit" = {
16+ accounts = {
17+ "my-account-name" = {
18+ 19+ iam_user_access_to_billing = "NULL"
20+ }
21+ }
22+ }
23+ },
24+ feature_set = "ALL",
25+ enabled_policy_types = []
26+ }
27+ }
28+ ```
Original file line number Diff line number Diff line change 1+ module "aws_organizations_and_sso" {
2+ source = " github.com/chris-qa-org/terraform-aws-organzation-and-sso"
3+ version = " 0.4.1"
4+
5+ region = " eu-west-2"
6+
7+ organization_config =
8+ units = {
9+ " my-org-unit" = {
10+ accounts = {
11+ " my-account-name" = {
12+ 13+ iam_user_access_to_billing = " NULL"
14+ }
15+ }
16+ }
17+ },
18+ feature_set = " ALL"
19+ enabled_policy_types = []
20+ }
21+ }
You can’t perform that action at this time.
0 commit comments