chore: initial

README.md

@@ -1,2 +1,11 @@
-# tf-template
-Template repository for Terraform modules
+# terraform-aws-k8s-addons-aws-sso
+
+Maps IAM Identity Center Permission Sets to Kubernetes cluster roles.
+
+## AWS Setup
+The following permission sets are used and needs to be created (when using AWS Control Tower these Permission Sets
+are created automatically):
+* AWSReadOnlyAccess (simplest is to use the predefined managed policy `ViewOnlyAccess`)
+* AWSAdministratorAccess (simplest is to use the predefined managed policy `AdministratorAccess`)
+
+and assign them to the AWS Account.

main.tf

@@ -0,0 +1,16 @@
+data "aws_iam_roles" "admin" {
+  name_regex  = "AWSReservedSSO_AWSAdministratorAccess_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_iam_roles" "read_only" {
+  name_regex  = "AWSReservedSSO_AWSReadOnlyAccess_.*"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_caller_identity" "current" {}
+
+locals {
+  admin     = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${tolist(data.aws_iam_roles.admin.names)[0]}"
+  read_only = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${tolist(data.aws_iam_roles.read_only.names)[0]}"
+}

outputs.tf

@@ -0,0 +1,14 @@
+output "iam_role_mappings" {
+  value = {
+    (local.admin) : "system:masters"
+    (local.read_only) : "read-only"
+  }
+}
+
+output "addon" {
+  value = {
+    name : "rbac-sso"
+    version : "0.0.1"
+    content : file("${path.module}/rbac.yaml")
+  }
+}

rbac.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-only
+subjects:
+  - kind: Group
+    name: read-only
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io