enable ldap group creation in group-assignment

CHANGELOG.md

@@ -27,3 +27,9 @@
     - add auto_policy_count for generating policies of the form:
       * 0 => p-sso-{permissionsetname}
       * 1-20 => p-sso-{permissionsetname}-p{number}
+
+* 1.2.0 -- 2024-03-08
+  - add ldap creation for group-assignmen
+    - variable create_ldap_group
+    - variable ldap_base_ou
+    - variable ldap_sso_name

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.1.0"
+  _module_version = "1.2.0"
 }

group-assignment/README.md

@@ -24,6 +24,8 @@ No modules.
 | [aws_identitystore_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
 | [aws_identitystore_group_membership.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
 | [aws_ssoadmin_account_assignment.accounts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [ldap_object.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource |
+| [ldap_object_attributes.group](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object_attributes) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
@@ -39,9 +41,12 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_create_ldap_group"></a> [create\_ldap\_group](#input\_create\_ldap\_group) | Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,... | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | Permission set description | `string` | `null` | no |
 | <a name="input_identity_store_id"></a> [identity\_store\_id](#input\_identity\_store\_id) | AWS SSO/IDC Instance ID | `string` | n/a | yes |
 | <a name="input_instance_arn"></a> [instance\_arn](#input\_instance\_arn) | AWS SSO/IDC Instance ARN | `string` | n/a | yes |
+| <a name="input_ldap_base_ou"></a> [ldap\_base\_ou](#input\_ldap\_base\_ou) | LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere. | `string` | `"ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US"` | no |
+| <a name="input_ldap_sso_name"></a> [ldap\_sso\_name](#input\_ldap\_sso\_name) | One of the available AWS Organziation labels: ent-ew, ent-gov, lab-gov | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Permission set name | `string` | `null` | no |
 | <a name="input_org_account_ids"></a> [org\_account\_ids](#input\_org\_account\_ids) | List of AWS Account ID to which to associate with this group | `list(string)` | `[]` | no |
 | <a name="input_org_account_names"></a> [org\_account\_names](#input\_org\_account\_names) | List of AWS Account aliases to which to associate with this group (note it use the commercial side alias for GovCloud) | `list(string)` | `[]` | no |

group-assignment/main.tf

@@ -56,3 +56,78 @@ resource "aws_ssoadmin_account_assignment" "accounts" {
 #     }
 #   }
 # }
+
+locals {
+  ldap_access_dn = format("cn=%v,%v", var.ldap_sso_name, var.ldap_base_ou)
+  ldap_dn        = format("cn=%v,ou=%v,ou=SSO,%v", local.name, var.ldap_sso_name, var.ldap_base_ou)
+}
+
+resource "ldap_object" "group" {
+  provider = ldap
+  count    = var.create_ldap_group ? 1 : 0
+  dn       = local.ldap_dn
+  object_classes = [
+    "top",
+    "bocGroup",
+    "groupOfNames",
+    "nestedGroupAux",
+  ]
+  attributes = [
+    { description = var.create_ldap_group ? format("sso-instance=%v group=%v", var.ldap_sso_name, local.name) : "" },
+    { cn = var.create_ldap_group ? local.name : "" },
+    { ou = var.ldap_sso_name },
+    { groupMembership = local.ldap_access_dn },
+    { bocApplicationData = format("gov.census.tco:CPASS_APP=CSVD_AWS SSO %v", var.ldap_sso_name) },
+    { bocApplicationData = format("gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/AWS SSO %v/Users", var.ldap_sso_name) },
+    { bocApplicationData = format("gov.census.tco:CPASS_ApprovalGroup=CSVD AWS SSO %v_Approvers", var.ldap_sso_name) },
+    #    { bocApplicationData = format("gov.census.csvd:account_alias=%v", local.account_alias) },
+    #    { bocApplicationData = format("gov.census.csvd:tf_module_name=%v", "aws-iam-role") },
+    #    { bocApplicationData = format("gov.census.csvd:tf_module_version=%v", local._module_version) },
+  ]
+  lifecycle {
+    ignore_changes = [object_classes, attributes]
+
+    precondition {
+      condition     = var.ldap_sso_name != null
+      error_message = "ldap_sso_name must not be null.  Please select one of the available values for the variable."
+    }
+  }
+}
+
+# add object to access group
+resource "ldap_object_attributes" "group" {
+  provider = ldap
+  count    = var.create_ldap_group ? 1 : 0
+
+  dn = local.ldap_access_dn
+  attributes = [
+    { groupMember = try(ldap_object.group[0].dn, "") },
+  ]
+}
+
+## gov.census.tco:CPASS_APP=CSVD_CSVD IC lab
+## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/CSVD IC lab/Users
+## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD IC lab_Approvers
+## 
+## gov.census.tco:CPASS_APP=CSVD_AWS SSO lab-gov
+## gov.census.tco:CPASS_FullPath=Administration/AdminUI/Production Group Support/CSVD/AWS SSO lab-gov/Users
+## gov.census.tco:CPASS_ApprovalGroup=cn=CSVD AWS SSO lab-gov Approvers
+## 
+
+
+## dn: cn=inf-admin-t4, ou=lab-gov, ou=SSO, ou=AWS, ou=Cloud, ou=Application, o= U.S. Census Bureau, c=US
+## groupMembership: cn=OktaGroupsControlGroup,ou=Groups,ou=PeopleGroups,o=Census
+## groupMembership: cn=lab-gov,ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bure au,c=US
+## owner: cn=murra341adm,ou=Admins,ou=Administration,o=U.S. Census Bureau,c=US
+## equivalentToMe: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
+## objectClass: groupOfNames
+## objectClass: Top
+## objectClass: ndsLoginProperties
+## objectClass: nestedGroupAux
+## objectClass: bocGroup
+## DirXML-Associations: cn=census-doc-dev.okta-gov,cn=DriverSet2,ou=IDM,o=Census #1#00gd2pwomiPnbFvAi0j6
+## ACL: 2#entry#[Root]#member
+## cn: inf-admin-t4
+## member: cn=badra001,ou=People,o=U.S. Census Bureau,c=US
+## 
+

group-assignment/variables.tf

@@ -87,3 +87,26 @@ variable "organizational_unit_hierarchy" {
 ##     "self_id" = "ou-9go7-zw77fgic"
 ##   }
 ## }
+
+variable "create_ldap_group" {
+  description = "Flag to create the respective LDAP group for the SSO group with name cn={groupname},ou=SSO,..."
+  type        = bool
+  default     = false
+}
+
+variable "ldap_base_ou" {
+  description = "LDAP Base OU used for access group and SSO groups. This assumed to exist and is created elsewhere."
+  type        = string
+  default     = "ou=AWS,ou=Cloud,ou=Application,o=U.S. Census Bureau,c=US"
+}
+
+variable "ldap_sso_name" {
+  description = "One of the available AWS Organziation labels: ent-ew, ent-gov, lab-gov"
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.ldap_sso_name == null || try(contains(["ent-ew", "ent-gov", "lab-gov"], var.ldap_sso_name), false)
+    error_message = "ldap_sso_name must be one of: ent-ew, ent-gov, lab-gov."
+  }
+}