From 97d7caa8205277e75ae86a0702d551304551edd6 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 13:18:47 -0500
Subject: [PATCH 01/10] add ldap

---
 group-assignment/README.md | 4 +++
 group-assignment/main.tf | 63 +++++++++++++++++++++++++++++++++++
 group-assignment/variables.tf | 23 +++++++++++++
 3 files changed, 90 insertions(+)

diff --git a/group-assignment/README.md b/group-assignment/README.md
index c44d42a..995fd64 100644
--- a/group-assignment/README.md
+++ b/group-assignment/README.md
@@ -24,6 +24,7 @@ No modules.
 | [aws_identitystore_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
 | [aws_identitystore_group_membership.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
 | [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
@@ -39,9 +40,12 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [create\_ldap\_group](#input\_create\_ldap\_group) | Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,... | `bool` | `false` | no |
 | [description](#input\_description) | Permission set description | `string` | `null` | no |
 | [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
 | [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |
+| [ldap\_base\_ou](#input\_ldap\_base\_ou) | LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere. | `string` | `"ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US"` | no |
+| [ldap\_sso\_name](#input\_ldap\_sso\_name) | One of the available AWS Organziation labels: ent-ew, ent-gov, lab-gov | `string` | `null` | no |
 | [name](#input\_name) | Permission set name | `string` | `null` | no |
 | [org\_account\_ids](#input\_org\_account\_ids) | List of AWS Account ID to which to associate with this group | `list(string)` | `[]` | no |
 | [org\_account\_names](#input\_org\_account\_names) | List of AWS Account aliases to which to associate with this group (note it use the commercial side alias for GovCloud) | `list(string)` | `[]` | no |
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 87512d4..3100ce0 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -56,3 +56,66 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 # }
 # }
 # }
+
+locals {
+ ldap_access_dn = format("cn=%v,%v", local.name, var.ldap_sso_name, var.ldap_sso_base)
+ ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_namevar.ldap_sso_base)
+}
+
+resource "ldap_object" "group" {
+ provider = ldap
+ count = var.create_ldap_group ? 1 : 0
+ dn = local.ldap_dn
+ object_classes = [
+ "top",
+ "bocGroup",
+ "groupOfNames",
+ "nestedGroupAux",
+ ]
+ attributes = [
+ { description = var.create_ldap_group ? format("sso-instance=%v group=%v", var.ldap_sso_name, local.name) : "" },
+ { cn = var.create_ldap_group ? local.name : "" },
+ { ou = var.ldap_sso_name },
+ { groupMembership = local.ldap_access_dn },
+ { bocApplicationData = format("gov.census.tco:CPASS_APP=CSVD_AWS SSO %v", var.ldap_sso_name) },
+ { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/AWS SSO %v/Users", var.ldap_sso_name) },
+ { bocApplicationData = format("gov.census.tco:CPASS_ApprovalGroup=CSVD AWS SSO %v Approvers", var.ldap_sso_name) },
+ # { bocApplicationData = format("gov.census.csvd:account_alias=%v", local.account_alias) },
+ # { bocApplicationData = format("gov.census.csvd:tf_module_name=%v", "aws-iam-role") },
+ # { bocApplicationData = format("gov.census.csvd:tf_module_version=%v", local._module_version) },
+ ]
+ lifecycle {
+ ignore_changes = [object_classes, attributes]
+
+ precondition {
+ condition = var.ldap_sso_name != null
+ error_message = "ldap_sso_name must not be null. Please select one of the available values for the variable."
+ }
+ }
+}
+
+## gov.census.tco:CPASS_APP=CSVD_CSVD IC lab
+## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/CSVD IC lab/Users
+## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers
+##
+## gov.census.tco:CPASS_APP=CSVD_AWS SSO lab-gov
+## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/AWS SSO lab-gov/Users
+## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD AWS SSO lab-gov Approvers
+##
+
+
+## dn: cn=inf-admin-t4, ou=lab-gov, ou=SSO, ou=AWS, ou=Cloud, ou=Application, o= U.S. Census Bureau, c=US
+## groupMembership: cn=OktaGroupsControlGroup,ou=Groups,ou=PeopleGroups,o=Census
+## groupMembership: cn=lab-gov,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bure au,c=US
+## owner: cn=murra341adm,ou=Admins,ou=Administration,o=U.S. Census Bureau,c=US
+## equivalentToMe: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
+## objectClass: groupOfNames
+## objectClass: Top
+## objectClass: ndsLoginProperties
+## objectClass: nestedGroupAux
+## objectClass: bocGroup
+## DirXML-Associations: cn=census-doc-dev.okta-gov,cn=DriverSet2,ou=IDM,o=Census #1#00gd2pwomiPnbFvAi0j6
+## ACL: 2#entry#[Root]#member
+## cn: inf-admin-t4
+## member: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
+##
diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
index 6f50219..074ee65 100644
--- a/group-assignment/variables.tf
+++ b/group-assignment/variables.tf
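Review bot: The commented-out record at the end of the hunk (`## dn: cn=inf-admin-t4 …` through `## member: …`) is a verbatim directory export carrying person DNs (`cn=badra001`, `cn=murra341adm`), an `ACL` value and a `DirXML-Associations` driver association id, none of which is needed to explain the attribute layout and none of which belongs in a committed source file; replace it with a schematic example using placeholder names or drop it and keep only the three `bocApplicationData` key shapes above it. Separately, `ignore_changes = [object_classes, attributes]` means that once the group exists Terraform never reconciles its `groupMembership` or other attributes with the configuration, so out-of-band edits to this access-control object are accepted without a diff; if that is intentional, say so next to the lifecycle block, e.g. `# attributes are maintained out of band after creation; Terraform only guarantees the object exists`. The `var.create_ldap_group ? … : ""` conditionals on `description` and `cn` are redundant, since `count` already gates the whole resource on the same flag.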
@@ -87,3 +87,26 @@ variable "organizational_unit_hierarchy" {
 ## "self_id" = "ou-9go7-zw77fgic"
 ## }
 ## }
+
+variable "create_ldap_group" {
+ description = "Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,..."
+ type = bool
+ default = false
+}
+
+variable "ldap_base_ou" {
+ description = "LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere."
+ type = string
+ default = "ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US"
+}
+
+variable "ldap_sso_name" {
+ description = "One of the available AWS Organziation labels: ent-ew, ent-gov, lab-gov"
+ type = string
+ default = null
+
+ validation {
+ condition = var.ldap_sso_name == null || contains(["ent-ew", "ent-gov", "lab-gov"], var.ldap_sso_name)
+ error_message = "ldap_sso_name must be one of: ent-ew, ent-gov, lab-gov."
+ }
+}

From 5bddc8b257a3e0f3b31c2895d7a430796c686189 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 13:23:46 -0500
Subject: [PATCH 02/10] fix

---
 group-assignment/main.tf | 2 +-
 group-assignment/variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 3100ce0..2309363 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -59,7 +59,7 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 
 locals {
 ldap_access_dn = format("cn=%v,%v", local.name, var.ldap_sso_name, var.ldap_sso_base)
- ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_namevar.ldap_sso_base)
+ ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_name, var.ldap_sso_base)
 }
 
 resource "ldap_object" "group" {
diff --git a/group-assignment/variables.tf b/group-assignment/variables.tf
index 074ee65..e306348 100644
--- a/group-assignment/variables.tf
+++ b/group-assignment/variables.tf
@@ -106,7 +106,7 @@ variable "ldap_sso_name" {
 default = null
 
 validation {
- condition = var.ldap_sso_name == null || contains(["ent-ew", "ent-gov", "lab-gov"], var.ldap_sso_name)
+ condition = var.ldap_sso_name == null || try(contains(["ent-ew", "ent-gov", "lab-gov"], var.ldap_sso_name), false)
 error_message = "ldap_sso_name must be one of: ent-ew, ent-gov, lab-gov."
 }
 }

From 1bc94c610417306ef20b9b069672e4149b4b89dd Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 13:25:50 -0500
Subject: [PATCH 03/10] fix

---
 group-assignment/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 2309363..0f593b0 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -58,8 +58,8 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 # }
 
 locals {
- ldap_access_dn = format("cn=%v,%v", local.name, var.ldap_sso_name, var.ldap_sso_base)
- ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_name, var.ldap_sso_base)
+ ldap_access_dn = format("cn=%v,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
+ ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
 }
 
 resource "ldap_object" "group" {

From a89e78bf12909ff9eadb02e61b214d667447a757 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 13:40:14 -0500
Subject: [PATCH 04/10] add to group

---
 group-assignment/README.md | 1 +
 group-assignment/main.tf | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/group-assignment/README.md b/group-assignment/README.md
index 995fd64..d14b957 100644
--- a/group-assignment/README.md
+++ b/group-assignment/README.md
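Review bot: The `try()` wrapper added to the `condition` has no comment saying why it is there, and the next maintainer will read it as redundant with the `== null` check and remove it. Presumably it is needed because HCL evaluates both operands of `||`, so `contains()` still runs when `var.ldap_sso_name` is null; add `# try(): both sides of || are evaluated, so contains() must not fail on null` above the condition. Note that the validation deliberately accepts null and relies on the precondition in main.tf to reject it only when `create_ldap_group` is true — that coupling is worth a sentence in the variable description.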
@@ -25,6 +25,7 @@ No modules.
 | [aws_identitystore_group_membership.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
 | [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
+| [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 0f593b0..7745b3f 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -94,6 +94,17 @@ resource "ldap_object" "group" {
 }
 }
 
+# add object to access group
+resource "ldap_object_attributes" "group" {
+ provider = ldap
+ count = var.create_ldap_group ? 1 : 0
+
+ dn = local.ldap_access_dn
+ attributes = [
+ { groupMember = local.ldap_dn },
+ ]
+}
+
 ## gov.census.tco:CPASS_APP=CSVD_CSVD IC lab
 ## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/CSVD IC lab/Users
 ## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers
@@ -119,3 +130,5 @@ resource "ldap_object" "group" {
 ## cn: inf-admin-t4
 ## member: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
 ##
+
+

From ce53bc2b54011dd5586e94ddd0646655e78c610d Mon Sep 17 00:00:00 2001
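Review bot: `ldap_object_attributes.group` writes the new group's DN into an attribute called `groupMember` on the access group, while the sample record kept further down in the same file stores membership as `member:` (the `groupOfNames` attribute) and the reverse link on the group object is `groupMembership`; verify the attribute name against the directory schema, because a wrong or non-existent attribute is either rejected at apply time or becomes a value that whatever consumes the access group never reads. If `member` is the right attribute, the line becomes `{ member = local.ldap_dn },`. The resource also mutates an object the module does not own (`local.ldap_access_dn`) without saying so; `# adds this group to the pre-existing per-organization access group, which is not managed here` above the resource would make that explicit.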
From: badra001
Date: Thu, 29 Feb 2024 13:43:43 -0500
Subject: [PATCH 05/10] fix

---
 group-assignment/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 7745b3f..8d09b18 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -58,7 +58,7 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 # }
 
 locals {
- ldap_access_dn = format("cn=%v,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
+ ldap_access_dn = format("cn=%v,%v", var.ldap_sso_name, var.ldap_base_ou)
 ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
 }
 

From a7fb235964164153cb8ea836154edca0d2d27bad Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 13:47:03 -0500
Subject: [PATCH 06/10] fix

---
 group-assignment/main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 8d09b18..48ba9fc 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -59,7 +59,7 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 
 locals {
 ldap_access_dn = format("cn=%v,%v", var.ldap_sso_name, var.ldap_base_ou)
- ldap_dn = format("cn=%v,ou=SSO,%v,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
+ ldap_dn = format("cn=%v,ou=%v,ou=SSO,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
 }
 
 resource "ldap_object" "group" {
@@ -131,4 +131,3 @@ resource "ldap_object_attributes" "group" {
 ## member: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
 ##
 
-

From 89db6a304d6feb427d739a40dfb19c515740f1a7 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 29 Feb 2024 14:48:47 -0500
Subject: [PATCH 07/10] change to _Approvers

---
 group-assignment/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 48ba9fc..0a479af 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
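Review bot: After this change `local.ldap_dn` is `cn=<name>,ou=<ldap_sso_name>,ou=SSO,<ldap_base_ou>`, but the `create_ldap_group` description in variables.tf and the README still advertise `cn={groupname},ou=SSO,...`, and the `ldap_base_ou` description says only the base OU is assumed to exist while the intermediate `ou=<ldap_sso_name>,ou=SSO` container must now exist as well, since the provider presumably does not create parent entries. Update the description to `"Create the LDAP group cn={name},ou={ldap_sso_name},ou=SSO,{ldap_base_ou} for the SSO group; that parent OU must already exist"` and regenerate the README row. The `{ ou = var.ldap_sso_name }` attribute on the object now matches its parent RDN, which looks like the intent and is worth a one-line comment so nobody "fixes" it later.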
@@ -79,7 +79,7 @@ resource "ldap_object" "group" {
 { groupMembership = local.ldap_access_dn },
 { bocApplicationData = format("gov.census.tco:CPASS_APP=CSVD_AWS SSO %v", var.ldap_sso_name) },
 { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/AWS SSO %v/Users", var.ldap_sso_name) },
- { bocApplicationData = format("gov.census.tco:CPASS_ApprovalGroup=CSVD AWS SSO %v Approvers", var.ldap_sso_name) },
+ { bocApplicationData = format("gov.census.tco:CPASS_ApprovalGroup=CSVD AWS SSO %v_Approvers", var.ldap_sso_name) },
 # { bocApplicationData = format("gov.census.csvd:account_alias=%v", local.account_alias) },
 # { bocApplicationData = format("gov.census.csvd:tf_module_name=%v", "aws-iam-role") },
 # { bocApplicationData = format("gov.census.csvd:tf_module_version=%v", local._module_version) },

From b5f8db9b0fffc41a848288831f3a41f393670a12 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 1 Mar 2024 09:54:44 -0500
Subject: [PATCH 08/10] make group attribute use dn from object

---
 group-assignment/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 0a479af..9967951 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -101,7 +101,7 @@ resource "ldap_object_attributes" "group" {
 
 dn = local.ldap_access_dn
 attributes = [
- { groupMember = local.ldap_dn },
+ { groupMember = ldap_object.group.dn },
 ]
 }
 

From 385b4d0e9006127ab6ecabbcfb5e443a9ec9c0c1 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 1 Mar 2024 12:43:42 -0500
Subject: [PATCH 09/10] fix

---
 group-assignment/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index 9967951..ab4c9b9 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
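Review bot: The new value `CSVD AWS SSO %v_Approvers` still disagrees with the reference examples kept in the comment block below the resource, which write the approval group as `CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers` and `cn=CSVD AWS SSO lab-gov Approvers`: this commit fixes the underscore but not the `cn=` prefix, and the second example keeps the old ` Approvers` spelling. Confirm with the consumer of `bocApplicationData` whether the `cn=` prefix is required, and either update or delete the stale example line so the comment stops contradicting the code. The enclosing `ldap_object.group` resource starts and ends outside the hunk.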
@@ -101,7 +101,7 @@ resource "ldap_object_attributes" "group" {
 
 dn = local.ldap_access_dn
 attributes = [
- { groupMember = ldap_object.group.dn },
+ { groupMember = try(ldap_object.group[0].dn, "") },
 ]
 }
 

From 3a98b5735eeb5fd29a02a75f8d61a9da68226ed1 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 8 Mar 2024 13:37:32 -0500
Subject: [PATCH 10/10] * 1.2.0 -- 2024-03-08

 - add ldap creation for group-assignmen
 - variable create_ldap_group
 - variable ldap_base_ou
 - variable ldap_sso_name
---
 CHANGELOG.md | 6 ++++++
 common/version.tf | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b607d0..a754c43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,3 +27,9 @@
 - add auto_policy_count for generating policies of the form:
 * 0 => p-sso-{permissionsetname}
 * 1-20 => p-sso-{permissionsetname}-p{number}
+
+* 1.2.0 -- 2024-03-08
+ - add ldap creation for group-assignmen
+ - variable create_ldap_group
+ - variable ldap_base_ou
+ - variable ldap_sso_name
diff --git a/common/version.tf b/common/version.tf
index 9c489cd..1ee6619 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.1.0"
+ _module_version = "1.2.0"
 }
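Review bot: `try(ldap_object.group[0].dn, "")` turns a failed reference into a silent write of an empty string as the access group's `groupMember` value, which is the wrong failure mode for an access-control membership — a plan error is preferable to a member value that no entry matches or that the server rejects at apply time. Both resources are gated by the same `count = var.create_ldap_group ? 1 : 0`, so the instance exists whenever this expression is evaluated and the index alone is enough: `{ groupMember = ldap_object.group[0].dn },`. If the `try()` was added to get past a specific plan-time error, record that error in a comment instead of masking it. The enclosing resource starts outside the hunk.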