diff --git a/CHANGELOG.md b/CHANGELOG.md
index a754c43..58da126 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,7 +29,11 @@
* 1-20 => p-sso-{permissionsetname}-p{number}
* 1.2.0 -- 2024-03-08
- - add ldap creation for group-assignmen
+ - add ldap creation for group-assignment
- variable create_ldap_group
- variable ldap_base_ou
- variable ldap_sso_name
+
+* 1.2.1 -- 2024-04-24
+ - group-assignment
+ - variable create_ldap_members to add users to ldap group (if created)
diff --git a/common/version.tf b/common/version.tf
index 1ee6619..54b3493 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.2.0"
+ _module_version = "1.2.1"
}
diff --git a/group-assignment/README.md b/group-assignment/README.md
index d14b957..cc4296d 100644
--- a/group-assignment/README.md
+++ b/group-assignment/README.md
@@ -26,6 +26,7 @@ No modules.
| [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
| [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
| [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
+| [ldap_object_attributes.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
@@ -42,6 +43,7 @@ No modules.
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| [create\_ldap\_group](#input\_create\_ldap\_group) | Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,... | `bool` | `false` | no |
+| [create\_ldap\_members](#input\_create\_ldap\_members) | Flag to add the users to the respective LDAP group for the SSO group | `bool` | `false` | no |
| [description](#input\_description) | Permission set description | `string` | `null` | no |
| [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
| [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index ab4c9b9..089dfc1 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -105,6 +105,17 @@ resource "ldap_object_attributes" "group" {
]
}
+# add user to group (if create groand add user to group enabled)
+resource "ldap_object_attributes" "users" {
+ provider = ldap
+ for_each = var.create_ldap_group && var.create_ldap_members ? data.ldap_object.users : {}
+
+ dn = local.ldap_dn
+ attributes = [
+ { member = each.value.dn },
+ ]
+}
+
## gov.census.tco:CPASS_APP=CSVD_CSVD IC lab
## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/CSVD IC lab/Users
## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers
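Review bot: The new `ldap_object_attributes.users` resource writes `member` values to `local.ldap_dn` but declares no dependency on `ldap_object.group`, so on a first apply with `create_ldap_group = true` the membership writes can be scheduled before the group object exists unless `local.ldap_dn` happens to be derived from that resource (the local is defined outside this hunk, so I cannot confirm); adding `depends_on = [ldap_object.group]` inside the block makes the ordering explicit. Two caveats worth stating in the comment: the `for_each` guard means `create_ldap_members = true` is a silent no-op when `create_ldap_group` is false, and if the provider's `object_attributes` resource only manages the values it sets, members added to the group out of band are neither detected nor removed, so this does not enforce the SSO group's membership, it only adds to it. The comment on the first added line is also garbled (`if create groand add user to group enabled`); suggest `# add each SSO user as a member of the LDAP group (only when both create_ldap_group and create_ldap_members are set); members added outside Terraform are not removed`.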
diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
index e306348..26ae530 100644
--- a/group-assignment/variables.tf
+++ b/group-assignment/variables.tf
@@ -94,6 +94,12 @@ variable "create_ldap_group" {
default = false
}
+variable "create_ldap_members" {
+ description = "Flag to add the users to the respective LDAP group for the SSO group"
+ type = bool
+ default = false
+}
+
variable "ldap_base_ou" {
description = "LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere."
type = string
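Review bot: The description of `create_ldap_members` does not mention that the flag only takes effect together with `create_ldap_group`, which is how main.tf gates it, so a caller setting just this flag gets no members and no error. Suggest `description = "Flag to add the SSO group's users as members of the respective LDAP group. Has no effect unless create_ldap_group is also true."` so the dependency is visible in the generated README as well.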