group-assignment: add and ldap_group field to the yaml settings file

terraform-modules · Aug 30, 2024 · ba92692 · ba92692
1 parent d066987
commit ba92692
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,3 +41,7 @@
 * 1.2.2 -- 2024-04-26
   - group-assignment
     - add depends_on so group gets created before adding users
+
+* 1.3.0 -- 2024-08-29
+  - group-assignment
+    - add ldap_group option to the settings to be used for EDL u- groups
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.2.2"
+  _module_version = "1.3.0"
 }
diff --git a/group-assignment/README.md b/group-assignment/README.md
@@ -34,6 +34,7 @@ No modules.
 | [aws_organizations_organizational_unit_descendant_accounts.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
 | [aws_organizations_organizational_unit_descendant_accounts.ou](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organizational_unit_descendant_accounts) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [ldap_object.ldap_groups](https://registry.terraform.io/providers/trevex/ldap/latest/docs/data-sources/object) | data source |
 | [ldap_object.users](https://registry.terraform.io/providers/trevex/ldap/latest/docs/data-sources/object) | data source |
 
 ## Inputs

diff --git a/group-assignment/users.tf b/group-assignment/users.tf
@@ -1,8 +1,10 @@
 locals {
-  user_base_dn         = "ou=People,o=U.S. Census Bureau,c=US"
-  ldap_user_attributes = { for k, v in data.ldap_object.users : k => { for kk, vv in v.attributes_json : kk => jsondecode(vv)[0] } }
-  users                = length(local.settings) > 0 ? try(local.settings.users, []) : var.users
-  user_mapping         = length(local.settings) > 0 ? try(local.settings.user_mapping, {}) : {}
+  user_base_dn           = "ou=People,o=U.S. Census Bureau,c=US"
+  ldap_user_attributes   = { for k, v in data.ldap_object.users : k => { for kk, vv in v.attributes_json : kk => jsondecode(vv)[0] } }
+  users_from_settings    = length(local.settings) > 0 ? try(local.settings.users, []) : var.users
+  users_from_ldap_groups = [for u in local.ldap_groups_members : u]
+  users                  = distinct(compact(concat(local.users_from_ldap_groups, local.users_from_settings)))
+  user_mapping           = length(local.settings) > 0 ? try(local.settings.user_mapping, {}) : {}
 }
 
 data "ldap_object" "users" {
@@ -25,3 +27,19 @@ data "aws_identitystore_user" "users" {
     }
   }
 }
+
+## ldap groups
+
+locals {
+  ldap_groups_base_dn = "o=U.S. Census Bureau,c=US"
+  ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if ! startswith(m, "p-")]]))
+}
+
+data "ldap_object" "ldap_groups" {
+  count    = try(local.settings.ldap_group, null) != null ? 1 : 0
+  provider = ldap
+
+  base_dn           = local.ldap_groups_base_dn
+  search_values     = { cn = try(local.settings.ldap_group, null) != null ? local.settings.ldap_group : null }
+  select_attributes = ["cn", "dn", "memberUid"]
+}