test adding groups and memberships (#8)

* test adding groups and memberships * fix syntax * add back in data block * fix syntax * add group changes * remove duplicate resource group * test chatgpt code * try and fix group assocation * bad
zachrundle · Aug 22, 2024 · 517aa7c · 517aa7c
1 parent 8285246
commit 517aa7c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/modules/iam_identity_users/main.tf b/modules/iam_identity_users/main.tf
@@ -1,11 +1,17 @@
+# Fetching SSO Instance
 data "aws_ssoadmin_instances" "this" {}
 
+# Create SSO Groups
+resource "aws_identitystore_group" "this" {
+  for_each          = { for group_name in var.groups : group_name => group_name }
+  display_name      = each.value
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
 
+# Create SSO Users
 resource "aws_identitystore_user" "this" {
   for_each = var.users
-
   identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
-
   display_name = format("%s %s", each.value.first_name, each.value.last_name)
   user_name    = format("%s%s", substr(lower(each.value.first_name), 0, 1), lower(each.value.last_name))
 
@@ -17,4 +23,12 @@ resource "aws_identitystore_user" "this" {
   emails {
     value = join("@", [format("%s.%s", lower(each.value.first_name), lower(each.value.last_name)), var.email_domain])
   }
+}
+
+# Assign Users to Groups
+resource "aws_identitystore_group_membership" "this" {
+  for_each =  var.users
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.this[each.value.group].id
+  member_id         = aws_identitystore_user.this[each.key].id
 }
diff --git a/modules/iam_identity_users/variables.tf b/modules/iam_identity_users/variables.tf
@@ -3,11 +3,18 @@ variable "users" {
   type = map(object({
     first_name = string
     last_name  = string
+    groups     = set(string) # Set of group names the user belongs to
   }))
 }
 
 variable "email_domain" {
   description = "Domain used for user email accounts"
   type        = string
   default     = "example.com"
+}
+
+variable "groups" {
+  description = "List of IAM identity center groups to create"
+  type        = set(string)
+  default     = []
 }
diff --git a/users.tf b/users.tf
@@ -1,13 +1,17 @@
 module "users" {
   source = "./modules/iam_identity_users"
+  groups = ["administrators", "developers", "qa", "networking"]
+
   users = {
     "Zach Rundle" = {
       first_name = "Zach"
       last_name  = "Rundle"
+      groups     = ["administrators"]
     },
     "Maverick Dog" = {
       first_name = "Maverick"
       last_name  = "Dog"
+      groups     = ["developers", "qa"]
     },
   }
-}
+}