update

terraform-modules · Sep 8, 2023 · 3ca4941 · 3ca4941
1 parent 615bea2
commit 3ca4941
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 211 deletions.
diff --git a/group-assignment/README.md b/group-assignment/README.md
@@ -21,9 +21,10 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_identitystore_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
+| [aws_identitystore_group_membership.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
+| [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
-| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
-| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
 | [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
@@ -40,6 +41,7 @@ No modules.
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_description"></a> [description](#input\_description) | Permission set description | `string` | `null` | no |
 | <a name="input_identity_store_id"></a> [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
+| <a name="input_instance_arn"></a> [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Permission set name | `string` | n/a | yes |
 | <a name="input_org_account_ids"></a> [org\_account\_ids](#input\_org\_account\_ids) | List of AWS Account ID to which to associate with this group | `list(string)` | `[]` | no |
 | <a name="input_org_account_names"></a> [org\_account\_names](#input\_org\_account\_names) | List of AWS Account aliases to which to associate with this group (note it use the commercial side alias for GovCloud) | `list(string)` | `[]` | no |
@@ -57,8 +59,5 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_availability_zone_ids"></a> [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list |
-| <a name="output_availability_zone_names"></a> [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list |
-| <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list |
 | <a name="output_results"></a> [results](#output\_results) | n/a |
 | <a name="output_users"></a> [users](#output\_users) | n/a |
diff --git a/group-assignment/availabilty_zones.tf b/group-assignment/availabilty_zones.tf
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
@@ -2,67 +2,25 @@ locals {
   description = coalesce(var.description, var.name)
 }
 
-## resource "aws_identitystore_group" "group" {
-##   identity_store_id = var.identity_store_id
-## 
-##   display_name = var.name
-##   description  = local.description
-## }
-## 
-## resource "aws_identitystore_group_membership" "group" {
-##   for_each          = { for ug in local.user_groups : ug.label => ug }
-##   identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-## 
-##   group_id  = aws_identitystore_group.groups[each.value.group].group_id
-##   member_id = try(data.aws_identitystore_user.users[each.value.member].id, null)
-## }
-## 
-## resource "aws_ssoadmin_account_assignment" "inf-operations-t2" {
-##   for_each = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? { for a in local.org_accounts : a.id => a if a.status == "ACTIVE" && (contains(local.groups["inf-operations-t2"].account_ids, a.id) || contains(local.groups["inf-operations-t2"].account_ids, "ALL")) } : {}
-## 
-##   instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
-##   #  permission_set_arn = aws_ssoadmin_permission_set.pset.arn
-##   permission_set_arn = module.inf-operations-t2.permissionset_arn
-## 
-##   principal_id   = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? aws_identitystore_group.groups["inf-operations-t2"].group_id : null
-##   principal_type = "GROUP"
-## 
-##   target_id   = each.value.id
-##   target_type = "AWS_ACCOUNT"
-## }
-## 
-## ## @@@
-## ## 
-## ## 
-## ## groups:
-## ##   - inf-operations-t2:
-## ##       description: "INF Operations T2"
-## ##       display_name: "inf-operations-t2"
-## ##       permissionset_name: "inf-operations-t2"
-## ##       enabled: true
-## ##       members:
-## ##         - agbo0001
-## ##         - akapo001
-## ##         - bell0402
-## ##         - clark464
-## ##         - donog303
-## ##         - harpe341
-## ##         - horva001
-## ##         - illia300
-## ##         - krug0002
-## ##         - maure006
-## ##         - neal0328
-## ##         - pinkn005
-## ##         - quatt008
-## ##         - raybi001
-## ##         - regis004
-## ##         - rodri499
-## ##         - rolli307
-## ##         - smith934
-## ##         - tabro001
-## ##         - washi378
-## ##         - wood0360
-## ##         - wycli001
-## ##         - zunig011
-## ##       account_ids:
-## ##         - ALL
+resource "aws_identitystore_group" "group" {
+  identity_store_id = var.identity_store_id
+  display_name      = var.name
+  description       = local.description
+}
+
+resource "aws_identitystore_group_membership" "group" {
+  for_each          = data.aws_identitystore_user.users
+  identity_store_id = var.identity_store_id
+  group_id          = aws_identitystore_group.group.group_id
+  member_id         = each.value.id
+}
+
+resource "aws_ssoadmin_account_assignment" "accounts" {
+  for_each           = toset(local.account_ids)
+  instance_arn       = var.instance_arn
+  permission_set_arn = var.permissionset_arn
+  principal_id       = aws_identitystore_group.group.group_id
+  principal_type     = "GROUP"
+  target_id          = each.value
+  target_type        = "AWS_ACCOUNT"
+}
diff --git a/group-assignment/main.tf.x b/group-assignment/main.tf.x
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
@@ -14,13 +14,13 @@ data "ldap_object" "users" {
 }
 
 data "aws_identitystore_user" "users" {
-  for_each          = local.ldap_user_attributes
+  for_each          = { for k, v in local.ldap_user_attributes : k => try(v.mail, null) if can(v.mail) }
   identity_store_id = var.identity_store_id
 
   alternate_identifier {
     unique_attribute {
       attribute_path  = "UserName"
-      attribute_value = each.value.mail
+      attribute_value = each.value
     }
   }
 }
diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
@@ -14,6 +14,11 @@ variable "identity_store_id" {
   type        = string
 }
 
+variable "instance_arn" {
+  description = "AWS SSO/IDC Instance ARN"
+  type        = string
+}
+
 variable "permissionset_arn" {
   description = "AWS SSO/IDC Permission set ARN"
   type        = string

diff --git a/permissionset/availabilty_zones.tf b/permissionset/availabilty_zones.tf