diff --git a/group-assignment/README.md b/group-assignment/README.md
index f2706d2..6311215 100644
--- a/group-assignment/README.md
+++ b/group-assignment/README.md
@@ -21,9 +21,10 @@ No modules.
| Name | Type |
|------|------|
+| [aws_identitystore_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
+| [aws_identitystore_group_membership.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
+| [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
-| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
-| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
@@ -40,6 +41,7 @@ No modules.
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| [description](#input\_description) | Permission set description | `string` | `null` | no |
| [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
+| [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |
| [name](#input\_name) | Permission set name | `string` | n/a | yes |
| [org\_account\_ids](#input\_org\_account\_ids) | List of AWS Account ID to which to associate with this group | `list(string)` | `[]` | no |
| [org\_account\_names](#input\_org\_account\_names) | List of AWS Account aliases to which to associate with this group (note it use the commercial side alias for GovCloud) | `list(string)` | `[]` | no |
@@ -57,8 +59,5 @@ No modules.
| Name | Description |
|------|-------------|
-| [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list |
-| [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list |
-| [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list |
| [results](#output\_results) | n/a |
| [users](#output\_users) | n/a |
diff --git a/group-assignment/availabilty_zones.tf b/group-assignment/availabilty_zones.tf
deleted file mode 120000
index 00a240c..0000000
--- a/group-assignment/availabilty_zones.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/availabilty_zones.tf
\ No newline at end of file
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 1ccf752..ebd113c 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -2,67 +2,25 @@ locals {
description = coalesce(var.description, var.name)
}
-## resource "aws_identitystore_group" "group" {
-## identity_store_id = var.identity_store_id
-##
-## display_name = var.name
-## description = local.description
-## }
-##
-## resource "aws_identitystore_group_membership" "group" {
-## for_each = { for ug in local.user_groups : ug.label => ug }
-## identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-##
-## group_id = aws_identitystore_group.groups[each.value.group].group_id
-## member_id = try(data.aws_identitystore_user.users[each.value.member].id, null)
-## }
-##
-## resource "aws_ssoadmin_account_assignment" "inf-operations-t2" {
-## for_each = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? { for a in local.org_accounts : a.id => a if a.status == "ACTIVE" && (contains(local.groups["inf-operations-t2"].account_ids, a.id) || contains(local.groups["inf-operations-t2"].account_ids, "ALL")) } : {}
-##
-## instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
-## # permission_set_arn = aws_ssoadmin_permission_set.pset.arn
-## permission_set_arn = module.inf-operations-t2.permissionset_arn
-##
-## principal_id = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? aws_identitystore_group.groups["inf-operations-t2"].group_id : null
-## principal_type = "GROUP"
-##
-## target_id = each.value.id
-## target_type = "AWS_ACCOUNT"
-## }
-##
-## ## @@@
-## ##
-## ##
-## ## groups:
-## ## - inf-operations-t2:
-## ## description: "INF Operations T2"
-## ## display_name: "inf-operations-t2"
-## ## permissionset_name: "inf-operations-t2"
-## ## enabled: true
-## ## members:
-## ## - agbo0001
-## ## - akapo001
-## ## - bell0402
-## ## - clark464
-## ## - donog303
-## ## - harpe341
-## ## - horva001
-## ## - illia300
-## ## - krug0002
-## ## - maure006
-## ## - neal0328
-## ## - pinkn005
-## ## - quatt008
-## ## - raybi001
-## ## - regis004
-## ## - rodri499
-## ## - rolli307
-## ## - smith934
-## ## - tabro001
-## ## - washi378
-## ## - wood0360
-## ## - wycli001
-## ## - zunig011
-## ## account_ids:
-## ## - ALL
+resource "aws_identitystore_group" "group" {
+ identity_store_id = var.identity_store_id
+ display_name = var.name
+ description = local.description
+}
+
+resource "aws_identitystore_group_membership" "group" {
+ for_each = data.aws_identitystore_user.users
+ identity_store_id = var.identity_store_id
+ group_id = aws_identitystore_group.group.group_id
+ member_id = each.value.id
+}
+
+resource "aws_ssoadmin_account_assignment" "accounts" {
+ for_each = toset(local.account_ids)
+ instance_arn = var.instance_arn
+ permission_set_arn = var.permissionset_arn
+ principal_id = aws_identitystore_group.group.group_id
+ principal_type = "GROUP"
+ target_id = each.value
+ target_type = "AWS_ACCOUNT"
+}
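Review bot: `local.account_ids`, which `aws_ssoadmin_account_assignment.accounts` iterates, is not declared in this hunk — the `locals` block at the top of the hunk only defines `description` — so unless it is declared in another file of the module (the README's `org_account_ids` / `org_account_names` inputs suggest it may be derived there) the module will not plan. The implementation this replaces filtered assignments to accounts whose status was `ACTIVE` and recognised an `ALL` sentinel; the new resource fans `var.permissionset_arn` out to every entry of the list as-is, which is acceptable if the caller curates the list but should be stated, e.g. `# One account assignment per id in local.account_ids; the list is used unfiltered, so the caller controls the blast radius of this permission set.` None of the three new resources carries a comment, and the group → membership → account-assignment chain is the access-granting core of the module; a one-line header on each (membership: `# Every user resolved in users.tf becomes a member of the group`) would let a reviewer see at a glance who is granted what.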
diff --git a/group-assignment/main.tf.x b/group-assignment/main.tf.x
deleted file mode 100644
index 65ec89e..0000000
--- a/group-assignment/main.tf.x
+++ /dev/null
@@ -1,138 +0,0 @@
-locals {
- description = coalesce(var.description, var.name)
-}
-
-resource "aws_identitystore_group" "group" {
- identity_store_id = var.identity_store_id
-
- display_name = var.name
- description = local.description
-}
-
-data "aws_identitystore_user" "users" {
- for_each = var.users
- identity_store_id = var.identity_store_id
-
- alternate_identifier {
- unique_attribute {
- attribute_path = "UserName"
- attribute_value = each.value.mail
- }
- }
-}
-
-resource "aws_identitystore_group_membership" "group" {
- for_each = { for ug in local.user_groups : ug.label => ug }
- identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-
- group_id = aws_identitystore_group.groups[each.value.group].group_id
- member_id = try(data.aws_identitystore_user.users[each.value.member].id, null)
-}
-
-resource "aws_ssoadmin_account_assignment" "inf-operations-t2" {
- for_each = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? { for a in local.org_accounts : a.id => a if a.status == "ACTIVE" && ( contains(local.groups["inf-operations-t2"].account_ids, a.id) || contains(local.groups["inf-operations-t2"].account_ids,"ALL") )} : {}
-
- instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
-# permission_set_arn = aws_ssoadmin_permission_set.pset.arn
- permission_set_arn = module.inf-operations-t2.permissionset_arn
-
- principal_id = lookup(local.groups, "inf-operations-t2", null) != null && lookup(local.groups["inf-operations-t2"], "enabled", true) ? aws_identitystore_group.groups["inf-operations-t2"].group_id : null
- principal_type = "GROUP"
-
- target_id = each.value.id
- target_type = "AWS_ACCOUNT"
-}
-
-@@@
-locals {
- user_base_dn = "ou=People,o=U.S. Census Bureau,c=US"
- data = yamldecode(file("groups.yml"))
- # _users = { for u in local.data["users"] : keys(u)[0] => values(u)[0] }
- # users = { for k, v in local._users : k => v if lookup(v, "enabled", true) }
- _groups = { for g in local.data["groups"] : keys(g)[0] => values(g)[0] }
- groups = { for k, v in local._groups : k => v if lookup(v, "enabled", true) }
- user_groups = flatten([for g, v in local.groups : [for m in v.members : { label = format("%v:%v", g, m), group = g, member = m }]])
- users = distinct([for ug in local.user_groups : ug.member])
- ldap_user_attributes = { for k, v in data.ldap_object.users : k => { for kk, vv in v.attributes_json : kk => jsondecode(vv)[0] } }
-}
-
-resource "aws_identitystore_group" "groups" {
- # for_each = { for k, v in local.groups : k => v if lookup(v, "enabled", true) }
- for_each = local.groups
- identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-
- description = each.value.description
- display_name = each.value.display_name
-}
-
-resource "aws_identitystore_group_membership" "membership" {
- for_each = { for ug in local.user_groups : ug.label => ug }
- identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-
- group_id = aws_identitystore_group.groups[each.value.group].group_id
- member_id = try(data.aws_identitystore_user.users[each.value.member].id, null)
-}
-
-data "ldap_object" "users" {
- for_each = toset(local.users)
- provider = ldap.bocas
-
- base_dn = local.user_base_dn
- search_values = { cn = each.key }
- select_attributes = ["cn", "dn", "givenName", "sn", "generationQualifier", "initials", "telephoneNumber", "mail", "departmentNumber", "fullName", "employeeType", "manager"]
-}
-
-data "aws_identitystore_user" "users" {
- for_each = local.ldap_user_attributes
- identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
-
- alternate_identifier {
- unique_attribute {
- attribute_path = "UserName"
- attribute_value = each.value.mail
- }
- }
-}
-
-# this has to be done after creation of the permissionset
-data "aws_ssoadmin_permission_set" "pset" {
- for_each = {for k,v in local.groups: k => v if try(v.permissionset_name,null) != null }
- instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
- name = each.value.permissionset_name
-}
-
-@@@
-
-
-groups:
- - inf-operations-t2:
- description: "INF Operations T2"
- display_name: "inf-operations-t2"
- permissionset_name: "inf-operations-t2"
- enabled: true
- members:
- - agbo0001
- - akapo001
- - bell0402
- - clark464
- - donog303
- - harpe341
- - horva001
- - illia300
- - krug0002
- - maure006
- - neal0328
- - pinkn005
- - quatt008
- - raybi001
- - regis004
- - rodri499
- - rolli307
- - smith934
- - tabro001
- - washi378
- - wood0360
- - wycli001
- - zunig011
- account_ids:
- - ALL
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
index 3eacc6e..4da51d7 100644
--- a/group-assignment/users.tf
+++ b/group-assignment/users.tf
@@ -14,13 +14,13 @@ data "ldap_object" "users" {
}
data "aws_identitystore_user" "users" {
- for_each = local.ldap_user_attributes
+ for_each = { for k, v in local.ldap_user_attributes : k => try(v.mail, null) if can(v.mail) }
identity_store_id = var.identity_store_id
alternate_identifier {
unique_attribute {
attribute_path = "UserName"
- attribute_value = each.value.mail
+ attribute_value = each.value
}
}
}
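Review bot: The `try(v.mail, null)` in the new `for_each` is redundant once the `if can(v.mail)` filter is applied — any key that survives the filter has a readable `v.mail`, so `for_each = { for k, v in local.ldap_user_attributes : k => v.mail if can(v.mail) }` expresses the same thing. The consequence worth documenting is that users whose LDAP record has no mail attribute are now silently dropped from this map, and since `aws_identitystore_group_membership.group` in main.tf iterates this data source, they are silently left out of the group with no plan-time signal; a comment such as `# Users without a mail attribute cannot be matched to an Identity Store UserName and are skipped rather than failing the plan` makes that fail-closed choice explicit. Note also that `can(v.mail)` is true when the attribute is present but null, which would pass `attribute_value = null` to the lookup — if the LDAP decoding upstream can produce that, `if try(v.mail, null) != null` covers both cases. `local.ldap_user_attributes` and the `ldap_object` data source are defined outside this hunk.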
diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
index 81cb8f5..2a9df21 100644
--- a/group-assignment/variables.tf
+++ b/group-assignment/variables.tf
@@ -14,6 +14,11 @@ variable "identity_store_id" {
type = string
}
+variable "instance_arn" {
+ description = "AWS SSO/IDC Instance ARN"
+ type = string
+}
+
variable "permissionset_arn" {
description = "AWS SSO/IDC Permission set ARN"
type = string
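Review bot: `instance_arn` accepts any string, yet it is passed straight into `aws_ssoadmin_account_assignment.accounts` in main.tf, so a `validation` block checking the IAM Identity Center instance ARN shape would turn a mis-pasted value into a plan-time error instead of an apply-time failure. The sibling `identity_store_id` variable above (its block starts outside the hunk) has no validation either, so this is a style consistency point rather than a defect in the new lines; the partition wildcard in the pattern below keeps the GovCloud partition (`aws-us-gov`) working, which the README says this module supports.

```hcl
variable "instance_arn" {
  # … unchanged: description, type …

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:sso:::instance/", var.instance_arn))
    error_message = "instance_arn must be an IAM Identity Center instance ARN (arn:<partition>:sso:::instance/...)."
  }
}
```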
diff --git a/permissionset/availabilty_zones.tf b/permissionset/availabilty_zones.tf
deleted file mode 120000
index 00a240c..0000000
--- a/permissionset/availabilty_zones.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/availabilty_zones.tf
\ No newline at end of file