diff --git a/README.md b/README.md index 6217b68..2372049 100644 --- a/README.md +++ b/README.md @@ -262,6 +262,7 @@ No modules. | [aws_ssoadmin_application_assignment.sso_apps_users_assignments](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_application_assignment) | resource | | [aws_ssoadmin_application_assignment_configuration.sso_apps_assignments_configs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_application_assignment_configuration) | resource | | [aws_ssoadmin_customer_managed_policy_attachment.pset_customer_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource | +| [aws_ssoadmin_instance_access_control_attributes.sso_access_control_attributes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_instance_access_control_attributes) | resource | | [aws_ssoadmin_managed_policy_attachment.pset_aws_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource | | [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource | | [aws_ssoadmin_permission_set_inline_policy.pset_inline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource | @@ -286,6 +287,7 @@ No modules. | [permission\_sets](#input\_permission\_sets) | Permission Sets that you wish to create in IAM Identity Center. This variable is a map of maps containing Permission Set names as keys. See permission\_sets description in README for information about map values. | `any` | `{}` | no | | [sso\_applications](#input\_sso\_applications) | List of applications to be created in IAM Identity Center |
map(object({| `{}` | no | | [sso\_groups](#input\_sso\_groups) | Names of the groups you wish to create in IAM Identity Center. |
name = string
application_provider_arn = string
description = optional(string)
portal_options = optional(object({
sign_in_options = optional(object({
application_url = optional(string)
origin = string
}))
visibility = optional(string)
}))
status = string # acceptable values are "ENABLED" or "DISABLED"
client_token = optional(string)
tags = optional(map(string))
assignment_required = bool # Resource: aws_ssoadmin_application_assignment_configuration
assignments_access_scope = optional(
list(object({
authorized_targets = optional(list(string)) # List of application names
scope = string
}))
) # Resource: aws_ssoadmin_application_access_scope
group_assignments = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for groups
user_assignments = optional(list(string)) # Resource aws_ssoadmin_application_assignment, keeping it separated for users
}))
map(object({| `{}` | no | +| [sso\_instance\_access\_control\_attributes](#input\_sso\_instance\_access\_control\_attributes) | List of attributes for access control. This is used to create the enable and use attributes for access control. |
group_name = string
group_description = optional(string, null)
}))
list(object({| `[]` | no | | [sso\_users](#input\_sso\_users) | Names of the users you wish to create in IAM Identity Center. |
attribute_name = string
source = set(string)
}))
map(object({| `{}` | no | ## Outputs
diff --git a/VERSION b/VERSION
index 95cf410..97e1eac 100644
--- a/VERSION
+++ b/VERSION
@@ -1,3 +1,3 @@
-v1.0.1
+v1.0.2
diff --git a/examples/inline-policy/main.tf b/examples/inline-policy/main.tf
index 54da76e..206602c 100644
--- a/examples/inline-policy/main.tf
+++ b/examples/inline-policy/main.tf
@@ -52,7 +52,7 @@ module "aws-iam-identity-center" {
 existing_sso_groups = {
 AWSControlTowerAdmins : {
- group_name = "AWSControlTowerAdmins"
+ group_name = "AWSControlTowerAdmins" # this must be the name of a sso group that already exists in your AWS account
 }
 }
@@ -85,7 +85,7 @@ module "aws-iam-identity-center" {
 existing_permission_sets = {
 AWSAdministratorAccess : {
- permission_set_name = "AWSAdministratorAccess"
+ permission_set_name = "AWSAdministratorAccess" # this must be the name of a permission set that already exists in your AWS account
 },
 }
diff --git a/examples/instance-access-control-attributes/.header.md b/examples/instance-access-control-attributes/.header.md
new file mode 100644
index 0000000..a804d19
--- /dev/null
+++ b/examples/instance-access-control-attributes/.header.md
@@ -0,0 +1,14 @@
+This directory contains examples of using the module to **create** instance access control attributes.
+
+```hcl
+ sso_instance_access_control_attributes = [
+ {
+ attribute_name = "FirstName"
+ source = ["$${path:name.givenName}"]
+ },
+ {
+ attribute_name = "LastName"
+ source = ["$${path:name.familyName}"]
+ }
+ ]
+```
diff --git a/examples/instance-access-control-attributes/README.md b/examples/instance-access-control-attributes/README.md
new file mode 100644
index 0000000..fc07e5c
--- /dev/null
+++ b/examples/instance-access-control-attributes/README.md 
@@ -0,0 +1,46 @@
+
+This directory contains examples of using the module to **create** instance access control attributes.
+
+```hcl
+ sso_instance_access_control_attributes = [
+ {
+ attribute_name = "FirstName"
+ source = ["$${path:name.givenName}"]
+ },
+ {
+ attribute_name = "LastName"
+ source = ["$${path:name.familyName}"]
+ }
+ ]
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aws-iam-identity-center](#module\_aws-iam-identity-center) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssm_parameter.account1_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/examples/instance-access-control-attributes/locals.tf b/examples/instance-access-control-attributes/locals.tf
new file mode 100644
index 0000000..28f6391
--- /dev/null
+++ b/examples/instance-access-control-attributes/locals.tf
@@ -0,0 +1,14 @@
+# Fetch Account Id from SSM Parameter Store
+data "aws_ssm_parameter" "account1_account_id" {
+ name = "tf-aws-iam-idc-module-testing-account1-account-id" // replace with your SSM Parameter Key
+}
+
+locals {
+ # Account IDs
+ account1_account_id = nonsensitive(data.aws_ssm_parameter.account1_account_id.value)
+ # account1_account_id = "111111111111"
+ # account2_account_id = "222222222222"
+ # account3_account_id = "333333333333"
+ # account4_account_id = "444444444444"
+
+}
\ No newline at end of file
diff --git a/examples/instance-access-control-attributes/main.tf b/examples/instance-access-control-attributes/main.tf
new file mode 100644
index 0000000..cb36249
--- /dev/null
+++ b/examples/instance-access-control-attributes/main.tf 
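Review bot: The `data "aws_ssm_parameter" "account1_account_id"` lookup and `local.account1_account_id` in locals.tf are not referenced anywhere in this example's main.tf, so the example fails to plan for anyone who has not pre-created a parameter with that exact name while gaining nothing from it. Either drop locals.tf from this example or reference the local; if it stays, the `// replace with your SSM Parameter Key` comment should state that the parameter must exist before `terraform plan` runs. The `nonsensitive()` unwrap is acceptable for an account ID but should stay confined to non-secret values; a comment such as `# account IDs are not secrets; unwrap so they can appear in plan output` would make that intent explicit for the next person who copies this pattern.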
@@ -0,0 +1,15 @@
+module "aws-iam-identity-center" {
+ source = "../.." // local example
+
+ //Create desired access control attributes
+ sso_instance_access_control_attributes = [
+ {
+ attribute_name = "FirstName"
+ source = ["$${path:name.givenName}"]
+ },
+ {
+ attribute_name = "LastName"
+ source = ["$${path:name.familyName}"]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index ad2641c..9fa2617 100644
--- a/main.tf
+++ b/main.tf
@@ -318,3 +318,17 @@ resource "aws_ssoadmin_application_assignment" "sso_apps_users_assignments" {
 principal_type = each.value.principal_type
 }
+# SSO Instance Access Control Attributes
+resource "aws_ssoadmin_instance_access_control_attributes" "sso_access_control_attributes" {
+ count = length(var.sso_instance_access_control_attributes) <= 0 ? 0 : 1
+ instance_arn = local.ssoadmin_instance_arn
+ dynamic "attribute" {
+ for_each = var.sso_instance_access_control_attributes
+ content {
+ key = attribute.key
+ value {
+ source = attribute.value.source
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/01_mandatory.tftest.hcl b/tests/01_mandatory.tftest.hcl
index 6cbe0fb..9961135 100644
--- a/tests/01_mandatory.tftest.hcl
+++ b/tests/01_mandatory.tftest.hcl
@@ -10,4 +10,4 @@ run "e2e_test" {
 module {
 source = "./examples/create-users-and-groups"
 }
-}
+}
\ No newline at end of file
diff --git a/tests/07_instance_access_control_attributes.tftest.hcl b/tests/07_instance_access_control_attributes.tftest.hcl
new file mode 100644
index 0000000..6b197c7
--- /dev/null
+++ b/tests/07_instance_access_control_attributes.tftest.hcl
@@ -0,0 +1,13 @@
+run "unit_test" {
+ command = plan
+ module {
+ source = "./examples/instance-access-control-attributes"
+ }
+}
+
+run "e2e_test" {
+ command = apply
+ module {
+ source = "./examples/instance-access-control-attributes"
+ }
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 395a424..5fa4a95 100644
--- a/variables.tf
+++ b/variables.tf
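Review bot: `key = attribute.key` inside the `dynamic "attribute"` block of the new `aws_ssoadmin_instance_access_control_attributes` resource in main.tf sets each attribute's key to the list position ("0", "1", …) rather than the configured name, because `for_each` over a list exposes the index as the iterator's key; the `attribute_name` field that variables.tf goes to the trouble of validating is never read here. The line should be `key = attribute.value.attribute_name`. This is worth fixing before release because ABAC permission-set policies condition on the attribute key, so a mis-keyed attribute silently never matches, and the apply-based `e2e_test` in tests/07 would still pass since the API accepts "0" as a key name. Two smaller points: this resource defines the instance-wide attribute set, so it presumably replaces attributes configured outside the module — a comment on the resource saying so would save a surprise — and `length(...) <= 0 ? 0 : 1` reads more directly as `length(var.sso_instance_access_control_attributes) > 0 ? 1 : 0`.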
@@ -145,3 +145,30 @@ variable "sso_applications" {
 error_message = "The application_provider_arn field is mandatory for all applications."
 }
 }
+
+#Access Control Attributes
+variable "sso_instance_access_control_attributes" {
+ description = "List of attributes for access control. This is used to create the enable and use attributes for access control."
+ type = list(object({
+ attribute_name = string
+ source = set(string)
+ }))
+ default = []
+ validation {
+ condition = alltrue([
+ for attr in var.sso_instance_access_control_attributes :
+ attr.attribute_name != null &&
+ attr.attribute_name != ""
+ ])
+ error_message = "The attribute_name field is mandatory for all attributes."
+ }
+ validation {
+ condition = alltrue([
+ for attr in var.sso_instance_access_control_attributes :
+ attr.source != null &&
+ length(attr.source) > 0 && # checks if the set is not empty
+ alltrue([for s in attr.source : s != ""]) # checks no empty strings in set
+ ])
+ error_message = "The attribute source is mandatory and must contain non-empty strings."
+ }
+}
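Review bot: The two validation blocks on `sso_instance_access_control_attributes` check each entry on its own but never that `attribute_name` values are unique across the list; two entries with the same name would be sent as duplicate attribute keys and, I expect, fail at apply rather than at plan. A third validation block with `condition = length(distinct([for attr in var.sso_instance_access_control_attributes : attr.attribute_name])) == length(var.sso_instance_access_control_attributes)` and `error_message = "attribute_name values must be unique."` would surface that at plan time. The description sentence "This is used to create the enable and use attributes for access control." is hard to parse; something like "Attributes (a key plus one or more identity-store source paths) to enable for attribute-based access control on the IAM Identity Center instance." states what the variable configures.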
display_name = optional(string)
user_name = string
group_membership = list(string)
# Name
given_name = string
middle_name = optional(string, null)
family_name = string
name_formatted = optional(string)
honorific_prefix = optional(string, null)
honorific_suffix = optional(string, null)
email = string
email_type = optional(string, null)
is_primary_email = optional(bool, true)
# Phone Number
phone_number = optional(string, null)
phone_number_type = optional(string, null)
is_primary_phone_number = optional(bool, true)
# Address
country = optional(string, " ")
locality = optional(string, " ")
address_formatted = optional(string)
postal_code = optional(string, " ")
is_primary_address = optional(bool, true)
region = optional(string, " ")
street_address = optional(string, " ")
address_type = optional(string, null)
# Additional
user_type = optional(string, null)
title = optional(string, null)
locale = optional(string, null)
nickname = optional(string, null)
preferred_language = optional(string, null)
profile_url = optional(string, null)
timezone = optional(string, null)
}))