* 1.2.1 -- 2024-04-24

  - group-assignment
    - variable create_ldap_members to add users to ldap group (if created)

CHANGELOG.md

@@ -29,7 +29,11 @@
       * 1-20 => p-sso-{permissionsetname}-p{number}
 
 * 1.2.0 -- 2024-03-08
-  - add ldap creation for group-assignmen
+  - add ldap creation for group-assignment
     - variable create_ldap_group
     - variable ldap_base_ou
     - variable ldap_sso_name
+
+* 1.2.1 -- 2024-04-24
+  - group-assignment
+    - variable create_ldap_members to add users to ldap group (if created)

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.2.0"
+  _module_version = "1.2.1"
 }

group-assignment/README.md

@@ -26,6 +26,7 @@ No modules.
 | [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
 | [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
+| [ldap_object_attributes.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
@@ -42,6 +43,7 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_create_ldap_group"></a> [create\_ldap\_group](#input\_create\_ldap\_group) | Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,... | `bool` | `false` | no |
+| <a name="input_create_ldap_members"></a> [create\_ldap\_members](#input\_create\_ldap\_members) | Flag to add the users to the respective LDAP group for the SSO group | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | Permission set description | `string` | `null` | no |
 | <a name="input_identity_store_id"></a> [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
 | <a name="input_instance_arn"></a> [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |

group-assignment/main.tf

@@ -105,6 +105,17 @@ resource "ldap_object_attributes" "group" {
   ]
 }
 
+# add user to group (if create groand add user to group enabled)
+resource "ldap_object_attributes" "users" {
+  provider = ldap
+  for_each = var.create_ldap_group && var.create_ldap_members ? data.ldap_object.users : {}
+
+  dn = local.ldap_dn
+  attributes = [
+    { member = each.value.dn },
+  ]
+}
+
 ## gov.census.tco:CPASS_APP=CSVD_CSVD IC lab
 ## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/CSVD IC lab/Users
 ## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers

group-assignment/variables.tf

@@ -94,6 +94,12 @@ variable "create_ldap_group" {
   default     = false
 }
 
+variable "create_ldap_members" {
+  description = "Flag to add the users to the respective LDAP group for the SSO group"
+  type        = bool
+  default     = false
+}
+
 variable "ldap_base_ou" {
   description = "LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere."
   type        = string