initial implementation (#1)

Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>

.gitignore

@@ -6,6 +6,7 @@
 *.tfstate.*
 .terraform
 .terraform.tfstate.lock.info
+.terraform.lock.hcl
 
 **/.idea
 **/*.iml

README.yaml

@@ -5,7 +5,7 @@
 #
 
 # Name of this project
-name: terraform-example-module
+name: terraform-aws-sso
 
 # Logo for this project
 #logo: docs/logo.png
@@ -20,13 +20,13 @@ copyrights:
     year: "2020"
 
 # Canonical GitHub repo
-github_repo: cloudposse/terraform-example-module
+github_repo: cloudposse/terraform-aws-sso
 
 # Badges to display
 badges:
   - name: "Latest Release"
-    image: "https://img.shields.io/github/release/cloudposse/terraform-example-module.svg"
-    url: "https://github.com/cloudposse/terraform-example-module/releases/latest"
+    image: "https://img.shields.io/github/release/cloudposse/terraform-aws-sso.svg"
+    url: "https://github.com/cloudposse/terraform-aws-sso/releases/latest"
   - name: "Slack Community"
     image: "https://slack.cloudposse.com/badge.svg"
     url: "https://slack.cloudposse.com"
@@ -37,48 +37,67 @@ badges:
 # List any related terraform modules that this module may be used with or that this module depends on.
 related:
   - name: "terraform-null-label"
-    description: "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention."
+    description:
+      "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to
+      implement a strict naming convention."
     url: "https://github.com/cloudposse/terraform-null-label"
 
 # List any resources helpful for someone to get started. For example, link to the hashicorp documentation or AWS documentation.
 references:
   - name: "Terraform Standard Module Structure"
-    description: "HashiCorp's standard module structure is a file and directory layout we recommend for reusable modules distributed in separate repositories."
+    description:
+      "HashiCorp's standard module structure is a file and directory layout we recommend for reusable modules
+      distributed in separate repositories."
     url: "https://www.terraform.io/docs/modules/index.html#standard-module-structure"
   - name: "Terraform Module Requirements"
-    description: "HashiCorp's guidance on all the requirements for publishing a module. Meeting the requirements for publishing a module is extremely easy."
+    description:
+      "HashiCorp's guidance on all the requirements for publishing a module. Meeting the requirements for publishing a
+      module is extremely easy."
     url: "https://www.terraform.io/docs/registry/modules/publish.html#requirements"
   - name: "Terraform `random_integer` Resource"
-    description: "The resource random_integer generates random values from a given range, described by the min and max attributes of a given resource."
+    description:
+      "The resource random_integer generates random values from a given range, described by the min and max attributes
+      of a given resource."
     url: "https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer"
   - name: "Terraform Version Pinning"
-    description: "The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your configuration"
+    description:
+      "The required_version setting can be used to constrain which versions of the Terraform CLI can be used with your
+      configuration"
     url: "https://www.terraform.io/docs/configuration/terraform.html#specifying-a-required-terraform-version"
 
 # Short description of this project
 description: |-
-  This is `terraform-example-module` project provides all the scaffolding for a typical well-built Cloud Posse module. It's a template repository you can
-  use when creating new repositories.
+  This module configures [AWS Single Sign-On (SSO)](https://aws.amazon.com/single-sign-on/). AWS SSO makes it easy to 
+  centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on 
+  access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage access and 
+  user permissions to all of your accounts in AWS Organizations centrally. AWS SSO configures and maintains all the 
+  necessary permissions for your accounts automatically, without requiring any additional setup in the individual 
+  accounts. You can assign user permissions based on common job functions and customize these permissions to meet your 
+  specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as 
+  Salesforce, Box, and Microsoft 365.
+
+  With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your 
+  existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory 
+  (Azure AD). AWS SSO allows you to select user attributes, such as cost center, title, or locale, from your identity 
+  source, and then use them for attribute-based access control in AWS.
 
 # Introduction to the project
 #introduction: |-
 #  This is an introduction.
 
 # How to use this module. Should be an easy example to copy and paste.
 usage: |-
-  Here's how to invoke this example module in your projects
+  This module contains two sub-modules that can be used in conjunction to provision AWS SSO Permission Sets and to 
+  assign AWS SSO Users and Groups to Permissions Sets in accounts.
 
-  ```hcl
-  module "example" {
-    source = "https://github.com/cloudposse/terraform-example-module.git?ref=master"
-    example = "Hello world!"
-  }
-  ```
+  - [modules/account-assignments](/modules/account-assignments) - a module for assigning users and groups to permission 
+  sets in particular accounts
+  - [modules/permission-sets](/modules/permission-sets) - a module for provisioning AWS SSO permission sets
 
 # Example usage
 examples: |-
-  Here is an example of using this module:
-  - [`examples/complete`](https://github.com/cloudposse/terraform-example-module/) - complete example of using this module
+  Here is a full example of using these modules to provision permission sets and assign them to accounts:
+  - [`examples/complete`](/examples/complete) - complete example of using these modules
 
 # How to get started quickly
 #quickstart: |-
@@ -91,5 +110,5 @@ include:
 
 # Contributors to this project
 contributors:
-  - name: "Erik Osterman"
-    github: "osterman"
+  - name: "Matt Calhoun"
+    github: "mcalhoun"

docs/terraform.md

@@ -1,43 +1,18 @@
 <!-- markdownlint-disable -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.12.0, < 0.14.0 |
-| local | ~> 1.2 |
-| random | ~> 2.2 |
+No requirements.
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| random | ~> 2.2 |
+No provider.
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
-| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
-| context | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | <pre>object({<br>    enabled             = bool<br>    namespace           = string<br>    environment         = string<br>    stage               = string<br>    name                = string<br>    delimiter           = string<br>    attributes          = list(string)<br>    tags                = map(string)<br>    additional_tag_map  = map(string)<br>    regex_replace_chars = string<br>    label_order         = list(string)<br>    id_length_limit     = number<br>  })</pre> | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_order": [],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
-| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
-| enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
-| environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| example | Example variable | `string` | `"hello world"` | no |
-| id\_length\_limit | Limit `id` to this many characters.<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
-| label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
-| name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
-| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
-| regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
-| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
-| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+No input.
 
 ## Outputs
 
-| Name | Description |
-|------|-------------|
-| example | Example output |
-| id | ID of the created example |
-| random | Stable random number for this example |
+No output.
 
 <!-- markdownlint-restore -->

examples/complete/context.tf

@@ -19,7 +19,8 @@
 #
 
 module "this" {
-  source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2"
+  source  = "cloudposse/label/null"
+  version = "0.24.1" # requires Terraform >= 0.13.0
 
   enabled             = var.enabled
   namespace           = var.namespace
@@ -33,27 +34,16 @@ module "this" {
   label_order         = var.label_order
   regex_replace_chars = var.regex_replace_chars
   id_length_limit     = var.id_length_limit
+  label_key_case      = var.label_key_case
+  label_value_case    = var.label_value_case
 
   context = var.context
 }
 
 # Copy contents of cloudposse/terraform-null-label/variables.tf here
 
 variable "context" {
-  type = object({
-    enabled             = bool
-    namespace           = string
-    environment         = string
-    stage               = string
-    name                = string
-    delimiter           = string
-    attributes          = list(string)
-    tags                = map(string)
-    additional_tag_map  = map(string)
-    regex_replace_chars = string
-    label_order         = list(string)
-    id_length_limit     = number
-  })
+  type = any
   default = {
     enabled             = true
     namespace           = null
@@ -67,6 +57,8 @@ variable "context" {
     regex_replace_chars = null
     label_order         = []
     id_length_limit     = null
+    label_key_case      = null
+    label_value_case    = null
   }
   description = <<-EOT
     Single object for setting entire context at once.
@@ -75,6 +67,16 @@ variable "context" {
     Individual variable settings (non-null) override settings in context object,
     except for attributes, tags, and additional_tag_map, which are merged.
   EOT
+
+  validation {
+    condition     = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
+    error_message = "Allowed values: `lower`, `title`, `upper`."
+  }
+
+  validation {
+    condition     = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
+    error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+  }
 }
 
 variable "enabled" {
@@ -157,11 +159,44 @@ variable "id_length_limit" {
   type        = number
   default     = null
   description = <<-EOT
-    Limit `id` to this many characters.
+    Limit `id` to this many characters (minimum 6).
     Set to `0` for unlimited length.
     Set to `null` for default, which is `0`.
     Does not affect `id_full`.
   EOT
+  validation {
+    condition     = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
+    error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
+  }
+}
+
+variable "label_key_case" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
+    Possible values: `lower`, `title`, `upper`.
+    Default value: `title`.
+  EOT
+
+  validation {
+    condition     = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
+    error_message = "Allowed values: `lower`, `title`, `upper`."
+  }
 }
 
+variable "label_value_case" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    The letter case of output label values (also used in `tags` and `id`).
+    Possible values: `lower`, `title`, `upper` and `none` (no transformation).
+    Default value: `lower`.
+  EOT
+
+  validation {
+    condition     = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
+    error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+  }
+}
 #### End of copy of cloudposse/terraform-null-label/variables.tf

examples/complete/fixtures.tfvars

@@ -0,0 +1,4 @@
+enabled   = true
+namespace = "eg"
+name      = "aws-sso"
+stage     = "test"

examples/complete/main.tf

@@ -1,7 +1,66 @@
-module "example" {
-  source = "../.."
+module "permission_sets" {
+  source = "../../modules/permission-sets"
 
-  example = var.example
+  permission_sets = [
+    {
+      name               = "AdministratorAccess",
+      description        = "Allow Full Access to the account",
+      relay_state        = "",
+      session_duration   = "",
+      tags               = {},
+      inline_policy      = "",
+      policy_attachments = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+    },
+    {
+      name               = "S3AdministratorAccess",
+      description        = "Allow Full S3 Admininstrator access to the account",
+      relay_state        = "",
+      session_duration   = "",
+      tags               = {},
+      inline_policy      = data.aws_iam_policy_document.S3Access.json,
+      policy_attachments = []
+    }
+  ]
+  context = module.this.context
+}
 
+module "sso_account_assignments" {
+  source = "../../modules/account-assignments"
+
+  account_assignments = [
+    {
+      account            = "111111111111", // Represents the "production" account
+      permission_set_arn = module.permission_sets.permission_sets["AdministratorAccess"].arn,
+      principal_type     = "GROUP",
+      principal_name     = "Administrators"
+    },
+    {
+      account            = "111111111111",
+      permission_set_arn = module.permission_sets.permission_sets["S3AdministratorAccess"].arn,
+      principal_type     = "GROUP",
+      principal_name     = "S3Adminstrators"
+    },
+    {
+      account            = "222222222222", // Represents the "Sandbox" account
+      permission_set_arn = module.permission_sets.permission_sets["AdministratorAccess"].arn,
+      principal_type     = "GROUP",
+      principal_name     = "Developers"
+    },
+  ]
   context = module.this.context
 }
+
+#-----------------------------------------------------------------------------------------------------------------------
+# CREATE SOME IAM POLCIES TO ATTACH AS INLINE
+#-----------------------------------------------------------------------------------------------------------------------
+data "aws_iam_policy_document" "S3Access" {
+  statement {
+    sid = "1"
+
+    actions = ["*"]
+
+    resources = [
+      "arn:aws:s3:::*",
+    ]
+  }
+}

examples/complete/outputs.tf

@@ -1,14 +0,0 @@
-output "id" {
-  description = "ID of the created example"
-  value       = module.example.id
-}
-
-output "example" {
-  description = "Output \"example\" from example module"
-  value       = module.example.example
-}
-
-output "random" {
-  description = "Output \"random\" from example module"
-  value       = module.example.random
-}

examples/complete/variables.tf

@@ -1,4 +0,0 @@
-variable "example" {
-  type        = string
-  description = "The value which will be passed to the example module"
-}

examples/complete/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12.0, < 0.14"
+  required_version = ">= 0.13.0"
 
   required_providers {
     local = "~> 1.2"