add group-assignment starter

terraform-modules · Sep 8, 2023 · 38ad44b · 38ad44b
1 parent ed66766
commit 38ad44b
Show file tree

Hide file tree

Showing 19 changed files with 1,789 additions and 1 deletion.
diff --git a/group-assignment/README.md b/group-assignment/README.md
@@ -0,0 +1,61 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_ldap"></a> [ldap](#provider\_ldap) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
+| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_organizations_organizational_unit_descendant_accounts.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
+| [aws_organizations_organizational_unit_descendant_accounts.ou](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [ldap_object.users](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/data-sources/object) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_description"></a> [description](#input\_description) | Permission set description | `string` | `null` | no |
+| <a name="input_identity_store_id"></a> [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Permission set name | `string` | n/a | yes |
+| <a name="input_org_account_ids"></a> [org\_account\_ids](#input\_org\_account\_ids) | List of AWS Account ID to which to associate with this group | `list(string)` | `[]` | no |
+| <a name="input_org_account_names"></a> [org\_account\_names](#input\_org\_account\_names) | List of AWS Account aliases to which to associate with this group (note it use the commercial side alias for GovCloud) | `list(string)` | `[]` | no |
+| <a name="input_org_all"></a> [org\_all](#input\_org\_all) | Flag indicating to associate this group to all ACTIVE accounts in the organization | `bool` | `false` | no |
+| <a name="input_organizational_unit_hierarchy"></a> [organizational\_unit\_hierarchy](#input\_organizational\_unit\_hierarchy) | n/a | `map()` | `{}` | no |
+| <a name="input_organizational_unit_ids"></a> [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | List of AWS Organizational Unit names to assocate with this group | `list(string)` | `[]` | no |
+| <a name="input_organizational_unit_names"></a> [organizational\_unit\_names](#input\_organizational\_unit\_names) | List of AWS Organizational Unit names to assocate with this group | `list(string)` | `[]` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_permissionset_arn"></a> [permissionset\_arn](#input\_permissionset\_arn) | AWS SSO/IDC Permission set ARN | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| <a name="input_users"></a> [users](#input\_users) | List of Census usernames to assign to the group | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_availability_zone_ids"></a> [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list |
+| <a name="output_availability_zone_names"></a> [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list |
+| <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list |
+| <a name="output_results"></a> [results](#output\_results) | n/a |
diff --git a/group-assignment/accounts.tf b/group-assignment/accounts.tf
@@ -0,0 +1,23 @@
+locals {
+  active_accounts_map = { for account in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts : account.name => account if account.status == "ACTIVE" }
+  active_accounts     = { for k, v in local.active_accounts_map : k => v.id }
+
+  _id_1 = ! var.org_all && length(var.org_account_names) > 0 ? [for k in var.org_account_names : lookup(local.active_accounts, k, null)] : []
+  _id_2 = ! var.org_all && length(var.org_account_ids) > 0 ? [for k in var.org_account_ids : k if contains(values(local.active_accounts), k)] : []
+
+  organizational_unit_hierarchy = length(var.organizational_unit_hierarchy) > 0 ? { for k, v in var.organizational_unit_hierarchy : k => v.self_id } : {}
+
+  _ou_1 = ! var.org_all && length(var.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k, v in var.organizational_unit_names : lookup(local.organizational_unit_hierarchy, k, null)] : []
+  _ou_2 = ! var.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k in var.organizational_unit_ids : k if contains(values(local.organizational_unit_hierarchy, k))] : []
+
+  organizational_units = distinct(compact(concat(local._ou_1, local._ou_2)))
+
+  _id_3 = flatten([for k, v in data.aws_organizations_organizational_unit_descendant_accounts.accounts.ou : [for accounts in v : account.id if account.status == "ACTIVE"]])
+
+  account_ids = distinct(compact(concat(local._id_1, local._id_2, local._id_3)))
+}
+
+data "aws_organizations_organizational_unit_descendant_accounts" "ou" {
+  for_each  = toset(local.organizational_units)
+  parent_id = each.key
+}
diff --git a/group-assignment/availabilty_zones.tf b/group-assignment/availabilty_zones.tf
@@ -0,0 +1 @@
+../common/availabilty_zones.tf
diff --git a/group-assignment/data.org.tf b/group-assignment/data.org.tf
@@ -0,0 +1,14 @@
+data "aws_organizations_organization" "org" {}
+
+data "aws_organizations_organizational_unit_descendant_accounts" "accounts" {
+  parent_id = data.aws_organizations_organization.org.roots[0].id
+}
+
+## data "aws_organizations_organizational_units" "ou" {
+##   parent_id = data.aws_organizations_organization.org.roots[0].id
+## }
+## 
+## data "aws_organizations_organizational_unit_child_accounts" "accounts" {
+##   parent_id = data.aws_organizations_organization.org.roots[0].id
+## }
+##