• Provision AWS SSO permission sets using CDK (typescript) (CDK)
    • 2022-08-23 ◦ GitHub - markilott/aws-cdk-sso-permission-sets: AWS SSO Permission Sets with CDK

      In CDK there are no Level 2 constructs for SSO Permission Sets, but we can use the L1 CloudFormation constructs to:

      • Create/Modify/Delete
      • Assign to Users or Groups
      • Provision to Accounts
      
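          // Create Permission Sets and Assign to Groups and Accounts
          // Full code available here: https://github.com/markilott/aws-cdk-sso-permission-sets
          //
          // This fragment runs inside a CDK construct: `this`, `instanceArn`,
          // `CfnPermissionSet`, `CfnAssignment` and `moment` come from the enclosing file.

          // List of Accounts in the Organisation, keyed by the short name used in the
          // Permission Set configuration below. The IDs here are placeholders; real IDs
          // must be distinct, because the account ID is also part of each assignment's
          // construct ID and duplicate construct IDs fail at synth time.
          const accountList = {
              master: '123456789',
              prod: '123456789',
              dev: '123456789',
          };

          // List of Groups in SSO, keyed by group display name. The IDs here are placeholders.
          const groupList = {
              Developers: '9a67298558-5b31f15d-c107-4be6-a115-xxxxxxxxxxxx',
              ReadOnly: '9a67298558-8fb7193d-7b2f-4161-a372-xxxxxxxxxxxx',
          };

          // Example Inline Policy. `Resource: '*'` keeps the sample short; a real
          // Permission Set should scope each statement to the ARNs it actually needs.
          const examplePolicy = {
              Version: '2012-10-17',
              Statement: [
                  {
                      Sid: 'ManageEc2',
                      Effect: 'Allow',
                      Action: [
                          'ec2:RebootInstances',
                          'ec2:StartInstances',
                          'ec2:StopInstances',
                      ],
                      Resource: '*',
                  },
                  {
                      Sid: 'AllowS3Objects',
                      Effect: 'Allow',
                      Action: [
                          's3:PutObject',
                          's3:GetObject',
                      ],
                      Resource: '*',
                  },
              ],
          };

          // Permission Set Configuration
          // accounts/groups reference keys of accountList/groupList; sessionDuration is in hours.
          const permissionSets = [
              {
                  name: 'Example_Permission_Set1',
                  description: 'For testing Permission set updates',
                  sessionDuration: 2,
                  accounts: [
                      'prod',
                      'master',
                  ],
                  groups: [
                      'Developers',
                      'ReadOnly',
                  ],
                  // List of AWS Managed Policy Arns
                  managedPolicies: [
                      'arn:aws:iam::aws:policy/job-function/ViewOnlyAccess',
                  ],
                  // Custom Inline Policy JSON
                  inlinePolicy: examplePolicy,
              },
              {
                  name: 'Example_Permission_Set2',
                  description: 'For testing Permission set updates',
                  sessionDuration: 4,
                  accounts: [
                      'dev',
                  ],
                  groups: [
                      'Developers',
                  ],
                  // List of AWS Managed Policy Arns
                  managedPolicies: [],
                  // Custom Inline Policy JSON
                  inlinePolicy: examplePolicy,
              },
          ];

          // Resolve a short name to its ID, failing at synth time if the name is not
          // configured. Without this check a typo in `accounts` or `groups` would
          // silently produce a CfnAssignment with an undefined principal or target.
          const lookupId = (map, key, kind) => {
              if (!Object.prototype.hasOwnProperty.call(map, key)) {
                  throw new Error(`Unknown ${kind} '${key}' in Permission Set configuration`);
              }
              return map[key];
          };

          // CDK to create the Permission Sets
          // Create and Assign Permission set for each configuration
          for (const set of permissionSets) {
              const {
                  name, description, sessionDuration, accounts, groups, managedPolicies, inlinePolicy,
              } = set;

              // Create the Permission Set. CloudFormation expects sessionDuration as an
              // ISO 8601 duration string, so the hour count is converted via moment (2 -> PT2H).
              const permissionSet = new CfnPermissionSet(this, `${name}_Set`, {
                  name,
                  description,
                  instanceArn,
                  sessionDuration: moment.duration(sessionDuration, 'hours').toISOString(),
                  inlinePolicy,
                  managedPolicies,
              });

              // Assign to Accounts and Groups: one CfnAssignment per (account, group) pair.
              // The construct ID embeds set name, account ID and group so each pair is unique.
              for (const acc of accounts) {
                  const accNum = lookupId(accountList, acc, 'account');
                  for (const group of groups) {
                      const groupId = lookupId(groupList, group, 'group');
                      new CfnAssignment(this, `${name}_${accNum}_${group}_Assignment`, {
                          instanceArn,
                          permissionSetArn: permissionSet.attrPermissionSetArn,
                          principalId: groupId,
                          principalType: 'GROUP',
                          targetId: accNum,
                          targetType: 'AWS_ACCOUNT',
                      });
                  }
              }
          }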