- add ability to grab description, permissionset_name from settings

- find permissionset if arn not found
terraform-modules · Sep 21, 2023 · 5c24c40 · 5c24c40
1 parent 317faf9
commit 5c24c40
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,3 +3,7 @@
 * 1.0.0 -- 2023-09-08
   - initial creation
 
+* 1.0.1 -- 2023-09-21
+  - add ability to grab description, permissionset_name from settings
+  - find permissionset if arn not found
+
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.0"
+  _module_version = "1.0.1"
 }
diff --git a/group-assignment/README.md b/group-assignment/README.md
@@ -31,6 +31,7 @@ No modules.
 | [aws_organizations_organizational_unit_descendant_accounts.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
 | [aws_organizations_organizational_unit_descendant_accounts.ou](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_ssoadmin_permission_set.pset](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 | [ldap_object.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/data-sources/object) | data source |
 
 ## Inputs
@@ -50,7 +51,8 @@ No modules.
 | <a name="input_organizational_unit_ids"></a> [organizational\_unit\_ids](#input\_organizational\_unit\_ids) | List of AWS Organizational Unit names to assocate with this group | `list(string)` | `[]` | no |
 | <a name="input_organizational_unit_names"></a> [organizational\_unit\_names](#input\_organizational\_unit\_names) | List of AWS Organizational Unit names to assocate with this group | `list(string)` | `[]` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| <a name="input_permissionset_arn"></a> [permissionset\_arn](#input\_permissionset\_arn) | AWS SSO/IDC Permission set ARN | `string` | n/a | yes |
+| <a name="input_permissionset_arn"></a> [permissionset\_arn](#input\_permissionset\_arn) | AWS SSO/IDC Permission set ARN | `string` | `null` | no |
+| <a name="input_permissionset_name"></a> [permissionset\_name](#input\_permissionset\_name) | AWS SSO/IDC Permission set name to find the permission set if ARN not set | `string` | `null` | no |
 | <a name="input_settings_file"></a> [settings\_file](#input\_settings\_file) | File name and path to YAML with users(list), account\_ids(list), org\_ous(list), and all(bool). See sample.yml in code. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_users"></a> [users](#input\_users) | List of Census usernames to assign to the group | `list(string)` | `[]` | no |

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
@@ -1,10 +1,13 @@
 locals {
-  description = coalesce(var.description, var.name)
+  name               = coalesce(var.name, try(local.settings.group, null))
+  description        = coalesce(var.description, try(local.settings.description, null), local.name)
+  permissionset_name = coalesce(var.permissionset_name, local.name)
+  permissionset_arn  = coalesce(var.permissionset_arn, try(data.aws_sso_admin_permission_set.pset[0].arn, null))
 }
 
 resource "aws_identitystore_group" "group" {
   identity_store_id = var.identity_store_id
-  display_name      = var.name
+  display_name      = local.name
   description       = local.description
 }
 
@@ -16,11 +19,26 @@ resource "aws_identitystore_group_membership" "group" {
 }
 
 resource "aws_ssoadmin_account_assignment" "accounts" {
-  for_each           = toset(local.account_ids)
-  instance_arn       = var.instance_arn
-  permission_set_arn = var.permissionset_arn
+  for_each     = toset(local.account_ids)
+  instance_arn = var.instance_arn
+  #  permission_set_arn = var.permissionset_arn
+  permission_set_arn = local.permissionset_arn
   principal_id       = aws_identitystore_group.group.group_id
   principal_type     = "GROUP"
   target_id          = each.value
   target_type        = "AWS_ACCOUNT"
+
+  lifecycle {
+    precondition {
+      condition     = local.permissionset_arn != null
+      error_message = "The permissionset ARN is missing or not found from the permissionset_name."
+    }
+  }
+}
+
+data "aws_ssoadmin_permission_set" "pset" {
+  count        = var.permissionset_arn == null && local.permissionset_name != null ? 1 : 0
+  instance_arn = var.instance_arn
+  name         = local.permissionset_name
 }
+
diff --git a/group-assignment/sample.yml b/group-assignment/sample.yml
@@ -1,4 +1,6 @@
 group: NAME
+description: string
+permissionset_name: string
 all: true
 account_names: []
 account_ids: []

diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
@@ -22,6 +22,13 @@ variable "instance_arn" {
 variable "permissionset_arn" {
   description = "AWS SSO/IDC Permission set ARN"
   type        = string
+  default     = null
+}
+
+variable "permissionset_name" {
+  description = "AWS SSO/IDC Permission set name to find the permission set if ARN not set"
+  type        = string
+  default     = null
 }
 
 variable "users" {