feat: pass policy document to sso permission set

Author: rehanvdm

API.md

@@ -60,10 +60,14 @@ The example below assigns the `AdministratorAccess` permission set (created by
         // Create a custom permission sets from inline policies
         {
           name: 's3-only-access',
-          inlinePolicyStatement: new iam.PolicyStatement({
-            actions: ['s3:*'],
-            resources: ['*'],
-          })
+          inlinePolicyDocument: new iam.PolicyDocument({
+            statements: [
+              new iam.PolicyStatement({
+                actions: ['s3:GetObject'],
+                resources: ['arn:aws:s3:::mybucket/*'],
+              })
+            ]
+          }),
         }
       ],
       accessGroups: [
@@ -87,6 +91,7 @@ The example below assigns the `AdministratorAccess` permission set (created by
     ```python
     import aws_cdk as cdk
     import aws_data_landing_zone as dlz
+    from aws_cdk.aws_iam import (PolicyDocument, Effect, PolicyStatement)
 
     app = cdk.App()
     dlz.DataLandingZone(app,
@@ -108,16 +113,21 @@ The example below assigns the `AdministratorAccess` permission set (created by
                 *Defaults.iam_identity_center_permission_sets(),
                 # Create custom permission sets from managed policies
                 {
-                  name: 'power-user-permission-set',
-                  managed_policy_arns: ['arn:aws:iam::aws:policy/PowerUserAccess']
+                    name: 'power-user-permission-set',
+                    managed_policy_arns: ['arn:aws:iam::aws:policy/PowerUserAccess']
                 },
                 # Create a custom permission sets from inline policies
                 {
-                  name: 's3-only-access',
-                  inline_policy_statement: {
-                    actions: ['s3:*'],
-                    resources: ['*'],
-                  }
+                    name: 's3-only-access',
+                    inline_policy_document: PolicyDocument(
+                        statements=[
+                            PolicyStatement(
+                                effect=Effect.ALLOW,
+                                actions=["s3:*"],
+                                resources=["*"]
+                            )
+                        ]
+                    )
                 }
             ],
             "access_groups": [

docs/src/content/docs/components/identity/iam-identity-center.mdx

@@ -18254,7 +18254,7 @@ const iamIdentityCenterPermissionSetProps: IamIdentityCenterPermissionSetProps =
 | --- | --- | --- |
 | <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.name">name</a></code> | <code>string</code> | *No description.* |
 | <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.description">description</a></code> | <code>string</code> | *No description.* |
-| <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.inlinePolicyStatement">inlinePolicyStatement</a></code> | <code>aws-cdk-lib.aws_iam.PolicyStatement</code> | *No description.* |
+| <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.inlinePolicyDocument">inlinePolicyDocument</a></code> | <code>aws-cdk-lib.aws_iam.PolicyDocument</code> | *No description.* |
 | <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.managedPolicyArns">managedPolicyArns</a></code> | <code>string[]</code> | *No description.* |
 | <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.permissionsBoundary">permissionsBoundary</a></code> | <code>aws-cdk-lib.IResolvable \| aws-cdk-lib.aws_sso.CfnPermissionSet.PermissionsBoundaryProperty</code> | *No description.* |
 | <code><a href="#aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.sessionDuration">sessionDuration</a></code> | <code>aws-cdk-lib.Duration</code> | *No description.* |
@@ -18281,13 +18281,13 @@ public readonly description: string;
 
 ---
 
-##### `inlinePolicyStatement`<sup>Optional</sup> <a name="inlinePolicyStatement" id="aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.inlinePolicyStatement"></a>
+##### `inlinePolicyDocument`<sup>Optional</sup> <a name="inlinePolicyDocument" id="aws-data-landing-zone.IamIdentityCenterPermissionSetProps.property.inlinePolicyDocument"></a>
 
 ```typescript
-public readonly inlinePolicyStatement: PolicyStatement;
+public readonly inlinePolicyDocument: PolicyDocument;
 ```
 
-- *Type:* aws-cdk-lib.aws_iam.PolicyStatement
+- *Type:* aws-cdk-lib.aws_iam.PolicyDocument
 
 ---
 

docs/src/content/docs/reference/api.md

@@ -15,7 +15,7 @@ import { DlzStack } from '../dlz-stack/index';
 export interface IamIdentityCenterPermissionSetProps {
   readonly name: string;
   readonly description?: string;
-  readonly inlinePolicyStatement?: iam.PolicyStatement;
+  readonly inlinePolicyDocument?: iam.PolicyDocument;
   readonly managedPolicyArns?: string[];
   readonly permissionsBoundary?: cdk.IResolvable | CfnPermissionSet.PermissionsBoundaryProperty;
   readonly sessionDuration?: cdk.Duration;
@@ -95,7 +95,7 @@ export class IamIdentityCenter {
           instanceArn: iamIdentityCenter.arn,
           name: permissionSetConf.name,
           description: permissionSetConf.description,
-          inlinePolicy: permissionSetConf.inlinePolicyStatement ? permissionSetConf.inlinePolicyStatement?.toJSON() : undefined,
+          inlinePolicy: permissionSetConf.inlinePolicyDocument ? permissionSetConf.inlinePolicyDocument.toJSON() : undefined,
           managedPolicies: permissionSetConf.managedPolicyArns,
           permissionsBoundary: permissionSetConf.permissionsBoundary,
           sessionDuration: permissionSetConf.sessionDuration ? durationToIso8601(permissionSetConf.sessionDuration) : undefined,

src/constructs/iam-identity-center/iam-identity-center.ts

@@ -652,9 +652,13 @@ const configBase: DataLandingZoneProps = {
       {
         name: 'inline-permission-set-read-only-s3',
         description: 'Limited get object permission',
-        inlinePolicyStatement: new iam.PolicyStatement({
-          actions: ['s3:GetObject'],
-          resources: ['arn:aws:s3:::mybucket/*'],
+        inlinePolicyDocument: new iam.PolicyDocument({
+          statements: [
+            new iam.PolicyStatement({
+              actions: ['s3:GetObject'],
+              resources: ['arn:aws:s3:::mybucket/*'],
+            }),
+          ],
         }),
       },
     ],

test/__snapshots__/build.test.ts.snap

@@ -119,9 +119,13 @@ describe('Permission sets', () => {
         {
           name: 'inline-permission-set-read-only-s3',
           description: 'Limited get object permission',
-          inlinePolicyStatement: new iam.PolicyStatement({
-            actions: ['s3:GetObject'],
-            resources: ['arn:aws:s3:::mybucket/*'],
+          inlinePolicyDocument: new iam.PolicyDocument({
+            statements: [
+              new iam.PolicyStatement({
+                actions: ['s3:GetObject'],
+                resources: ['arn:aws:s3:::mybucket/*'],
+              }),
+            ],
           }),
         },
       ],
@@ -139,9 +143,14 @@ describe('Permission sets', () => {
       Description: 'Limited get object permission',
       InstanceArn: 'arn:aws:sso:::instance/sso-instance-id',
       InlinePolicy: {
-        Action: 's3:GetObject',
-        Effect: 'Allow',
-        Resource: 'arn:aws:s3:::mybucket/*',
+        Statement: [
+          {
+            Action: 's3:GetObject',
+            Effect: 'Allow',
+            Resource: 'arn:aws:s3:::mybucket/*',
+          },
+        ],
+        Version: '2012-10-17',
       },
     });
   });