From 4cdae2f7b220d3b768ff19d3a3e57d4418d340cf Mon Sep 17 00:00:00 2001
From: Peter Svensson
Date: Thu, 10 Nov 2022 15:31:35 +0100
Subject: [PATCH] chore: initial

---
 README.md | 13 +++++++++++--
 main.tf | 16 ++++++++++++++++
 outputs.tf | 14 ++++++++++++++
 rbac.yaml | 12 ++++++++++++
 4 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 main.tf
 create mode 100644 outputs.tf
 create mode 100644 rbac.yaml

diff --git a/README.md b/README.md
index 8e826c1..b4d36ec 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,11 @@
-# tf-template
-Template repository for Terraform modules
+# terraform-aws-k8s-addons-aws-sso
+
+Maps IAM Identity Center Permission Sets to Kubernetes cluster roles.
+
+## AWS Setup
+The following permission sets are used and needs to be created (when using AWS Control Tower these Permission Sets
+are created automatically):
+* AWSReadOnlyAccess (simplest is to use the predefined managed policy `ViewOnlyAccess`)
+* AWSAdministratorAccess (simplest is to use the predefined managed policy `AdministratorAccess`)
+
+and assign them to the AWS Account.
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..a1bfa94
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,16 @@
+data "aws_iam_roles" "admin" {
+ name_regex = "AWSReservedSSO_AWSAdministratorAccess_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_iam_roles" "read_only" {
+ name_regex = "AWSReservedSSO_AWSReadOnlyAccess_.*"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
+data "aws_caller_identity" "current" {}
+
+locals {
+ admin = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${tolist(data.aws_iam_roles.admin.names)[0]}"
+ read_only = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${tolist(data.aws_iam_roles.read_only.names)[0]}"
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..3daafb8
--- /dev/null
+++ b/outputs.tf
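Review bot: `tolist(data.aws_iam_roles.admin.names)[0]` in the `locals` block silently picks an arbitrary role when more than one name matches, and the unanchored `name_regex` `AWSReservedSSO_AWSAdministratorAccess_.*` also matches the role of a permission set named e.g. `AWSAdministratorAccess_Custom`, so the `system:masters` mapping built from this local in outputs.tf could be granted to the wrong role; when nothing matches, the plan dies with an opaque "Invalid index" error instead of naming the missing permission set. I would anchor the regex to the role-name shape (`^AWSReservedSSO_<PermissionSet>_[0-9a-f]+$` — the suffix is a hex hash in the accounts I have seen; confirm for yours) and replace the `[0]` indexing with `one()`, which fails the plan unless exactly one role matched (needs Terraform ≥ 0.15; no `required_version` is visible in this commit). The `arn:aws:` partition is also hard-coded and breaks in the GovCloud/China partitions; `data "aws_partition"` would fix that if the module is meant to run there. I take rebuilding the ARN from the bare name (dropping the `/aws-reserved/...` path) as deliberate for an aws-auth consumer and have kept it.
```hcl
data "aws_iam_roles" "admin" {
  # Anchored: a permission set whose name merely starts with the expected one must not match.
  name_regex  = "^AWSReservedSSO_AWSAdministratorAccess_[0-9a-f]+$"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

# … unchanged: read_only data source (anchor its name_regex the same way), aws_caller_identity …

locals {
  # one() fails the plan unless exactly one role matched, instead of silently taking an arbitrary element.
  admin     = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${one(data.aws_iam_roles.admin.names)}"
  read_only = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${one(data.aws_iam_roles.read_only.names)}"
}
```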
@@ -0,0 +1,14 @@
+output "iam_role_mappings" {
+ value = {
+ (local.admin) : "system:masters"
+ (local.read_only) : "read-only"
+ }
+}
+
+output "addon" {
+ value = {
+ name : "rbac-sso"
+ version : "0.0.1"
+ content : file("${path.module}/rbac.yaml")
+ }
+}
diff --git a/rbac.yaml b/rbac.yaml
new file mode 100644
index 0000000..9e94816
--- /dev/null
+++ b/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-only
+subjects:
+ - kind: Group
+ name: read-only
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: rbac.authorization.k8s.io
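Review bot: Mapping the administrator role to `system:masters` in `iam_role_mappings` hands it a group that bypasses RBAC entirely and cannot be restricted or revoked by any ClusterRoleBinding, which is a poor fit for an SSO permission set that every account administrator receives. I would map it to a dedicated group instead, e.g. `(local.admin) : "cluster-admin-sso"`, bind that group to the built-in `cluster-admin` ClusterRole in rbac.yaml, and reserve `system:masters` for the cluster-creator identity as the break-glass path; that keeps admin access auditable and lets a later commit narrow it without touching the IAM mapping. The group name `"read-only"` is also repeated verbatim as the subject in rbac.yaml, so renaming it in one file silently breaks the other; a shared local such as `read_only_group = "read-only"` used by both (rendering the YAML with `templatefile` rather than `file`) would make the coupling explicit. Whether this output feeds aws-auth or EKS access entries is not visible here; the `system:masters` concern applies either way.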
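Review bot: The binding grants the `read-only` group the `view` ClusterRole cluster-wide, and nothing in the file says what that covers: `view` is an aggregated role that any CRD carrying the `rbac.authorization.k8s.io/aggregate-to-view` label extends, and it includes reading ConfigMaps in every namespace (including `kube-system`, so the aws-auth mapping itself) and pod logs, which routinely leak credentials; only Secrets are excluded. I would record that intent in a comment above `roleRef`, e.g. `# view is aggregated and cluster-wide: read access to ConfigMaps and pod logs in all namespaces, Secrets excluded; use namespaced RoleBindings if read-only users must not see kube-system.` A second comment on `subjects[].name` noting that it must stay byte-identical to the `"read-only"` group string in outputs.tf would save the next maintainer a silent breakage.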