From c5e6cb5a68e22de5fe65151e3e9dbbe49a99eb85 Mon Sep 17 00:00:00 2001 From: cybershady Date: Mon, 26 Aug 2024 21:54:43 -0600 Subject: [PATCH 1/9] combine iam identity modules --- modules/iam_identity_center/main.tf | 46 ++++++++++++++++++++++++ modules/iam_identity_center/variables.tf | 22 ++++++++++++ modules/iam_identity_users/main.tf | 34 ------------------ modules/iam_identity_users/variables.tf | 21 ----------- 4 files changed, 68 insertions(+), 55 deletions(-) delete mode 100644 modules/iam_identity_users/main.tf delete mode 100644 modules/iam_identity_users/variables.tf
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index 7f9d385..ccf8dcd 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
@@ -64,3 +64,49 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
 path = coalesce(each.value.policy_path, "/")
 }
 }
+
+# Fetching SSO Instance
+data "aws_ssoadmin_instances" "this" {}
+
+# Create SSO Groups
+resource "aws_identitystore_group" "this" {
+ for_each = { for group_name in var.groups : group_name => group_name }
+ display_name = each.value
+ identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
+
+# Create SSO Users
+resource "aws_identitystore_user" "this" {
+ for_each = var.users
+ identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+ display_name = format("%s %s", each.value.first_name, each.value.last_name)
+ user_name = format("%s%s", substr(lower(each.value.first_name), 0, 1), lower(each.value.last_name))
+
+ name {
+ given_name = each.value.first_name
+ family_name = each.value.last_name
+ }
+
+ emails {
+ value = join("@", [format("%s.%s", lower(each.value.first_name), lower(each.value.last_name)), var.email_domain])
+ }
+}
+
+# Assign Users to Groups
+resource "aws_identitystore_group_membership" "this" {
+ for_each = var.users
+ identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+ group_id = aws_identitystore_group.this[each.value.groups].group_id
+ member_id = aws_identitystore_user.this[each.key].user_id
+}
+
+resource "aws_ssoadmin_account_assignment" "this" {
+ instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+ permission_set_arn = data.aws_ssoadmin_permission_set.example.arn
+
+ principal_id = data.aws_identitystore_group.this.group_id
+ principal_type = "GROUP"
+
+ target_id = "123456789012"
+ target_type = "AWS_ACCOUNT"
+}
diff --git a/modules/iam_identity_center/variables.tf b/modules/iam_identity_center/variables.tf
index 92540ac..a7ab3b3 100644
--- a/modules/iam_identity_center/variables.tf
+++ b/modules/iam_identity_center/variables.tf
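Review bot: `user_name` on `aws_identitystore_user.this` is derived as first initial plus lowercased last name while the resource is keyed by the caller's display-name key, so two entries such as "Zach Rundle" and "Zoe Rundle" yield the same `user_name` (and, via the same derivation, the same `emails.value`); the plan passes and the collision presumably only surfaces when the Identity Store API rejects the second user. Make the derived names an explicit invariant with a precondition on the resource (requires a Terraform release with custom conditions), or make `user_name` an attribute of `var.users`. The `aws_ssoadmin_account_assignment` block at the end of the hunk also hard-codes `target_id = "123456789012"` and references `example`-named data sources this module does not declare; later patches in the series rework that block, so the precondition is the point to take from this one.
```hcl
resource "aws_identitystore_user" "this" {
  # … unchanged: for_each, identity_store_id, display_name, user_name, name, emails …

  lifecycle {
    precondition {
      # derived user_name must be unique across var.users; otherwise two map keys
      # collapse onto one Identity Store user_name
      condition     = length(distinct([for u in var.users : lower(format("%s%s", substr(u.first_name, 0, 1), u.last_name))])) == length(var.users)
      error_message = "Derived user_name values collide; make first-initial+last-name unique or set user_name explicitly."
    }
  }
}
```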
@@ -14,4 +14,26 @@ variable "permission_sets" {
 }))
 default = []
+}
+
+variable "users" {
+ description = "Map of user identifiers to user details including their team."
+ type = map(object({
+ first_name = string
+ last_name = string
+ # TODO: add support in case a user needs to belong to multiple groups
+ groups = string
+ }))
+}
+
+variable "email_domain" {
+ description = "Domain used for user email accounts"
+ type = string
+ default = "example.com"
+}
+
+variable "groups" {
+ description = "List of IAM identity center groups to create"
+ type = set(string)
+ default = []
 }
\ No newline at end of file
diff --git a/modules/iam_identity_users/main.tf b/modules/iam_identity_users/main.tf
deleted file mode 100644
index 8356ecd..0000000
--- a/modules/iam_identity_users/main.tf
+++ /dev/null
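Review bot: `variable "email_domain"` defaults to `"example.com"`, so a caller that forgets to set it gets every Identity Store user created with an address under a domain the organisation does not control, and nothing in the plan flags it. A placeholder default hides a configuration mistake that is awkward to undo once user records exist; drop the `default = "example.com"` line so the caller must supply the domain, the same way `users` already has no default. The `# TODO` about multi-group membership sits inside the `type` expression where it is easy to miss; a one-line comment above `variable "users"` reads better.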
@@ -1,34 +0,0 @@
-# Fetching SSO Instance
-data "aws_ssoadmin_instances" "this" {}
-
-# Create SSO Groups
-resource "aws_identitystore_group" "this" {
- for_each = { for group_name in var.groups : group_name => group_name }
- display_name = each.value
- identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
-}
-
-# Create SSO Users
-resource "aws_identitystore_user" "this" {
- for_each = var.users
- identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
- display_name = format("%s %s", each.value.first_name, each.value.last_name)
- user_name = format("%s%s", substr(lower(each.value.first_name), 0, 1), lower(each.value.last_name))
-
- name {
- given_name = each.value.first_name
- family_name = each.value.last_name
- }
-
- emails {
- value = join("@", [format("%s.%s", lower(each.value.first_name), lower(each.value.last_name)), var.email_domain])
- }
-}
-
-# Assign Users to Groups
-resource "aws_identitystore_group_membership" "this" {
- for_each = var.users
- identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
- group_id = aws_identitystore_group.this[each.value.groups].group_id
- member_id = aws_identitystore_user.this[each.key].user_id
-}
\ No newline at end of file
diff --git a/modules/iam_identity_users/variables.tf b/modules/iam_identity_users/variables.tf
deleted file mode 100644
index 0936e95..0000000
--- a/modules/iam_identity_users/variables.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-variable "users" {
- description = "Map of user identifiers to user details including their team."
- type = map(object({
- first_name = string
- last_name = string
- # TODO: add support in case a user needs to belong to multiple groups
- groups = string
- }))
-}
-
-variable "email_domain" {
- description = "Domain used for user email accounts"
- type = string
- default = "example.com"
-}
-
-variable "groups" {
- description = "List of IAM identity center groups to create"
- type = set(string)
- default = []
-}
\ No newline at end of file
From 3e39380b955f369da5b5324ce56a6c858cde7645 Mon Sep 17 00:00:00 2001 From: cybershady Date: Mon, 26 Aug 2024 21:57:22 -0600 Subject: [PATCH 2/9] Fix main.tf --- main.tf | 14 ++++++++++++++ modules/iam_identity_center/main.tf | 6 ------ users.tf | 17 ----------------- 3 files changed, 14 insertions(+), 23 deletions(-) delete mode 100644 users.tf
diff --git a/main.tf b/main.tf
index ff829ce..9941ae6 100644
--- a/main.tf
+++ b/main.tf
@@ -28,4 +28,18 @@ module "permission_sets" {
 policy_attachments = ["arn:aws:iam::aws:policy/AdministratorAccess"]
 customer_managed_policy_attachments = []
 }]
+ groups = ["administrators", "developers", "networking"]
+
+ users = {
+ "Zach Rundle" = {
+ first_name = "Zach"
+ last_name = "Rundle"
+ groups = "administrators"
+ },
+ "Maverick Dog" = {
+ first_name = "Maverick"
+ last_name = "Dog"
+ groups = "developers"
+ },
+ }
 }
\ No newline at end of file
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index ccf8dcd..336048d 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
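Review bot: The module instance that now receives `groups` and `users` is still named `permission_sets`, so the user and group definitions that were previously discoverable in `users.tf` are now attached to a name that says nothing about identities. Rename the instance after the module it sources, `module "iam_identity_center" {`, or keep the identity inputs in a separately named `.tf` file next to it; the `module "permission_sets"` block begins before this hunk.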
@@ -65,17 +65,12 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
 }
 }
-# Fetching SSO Instance
-data "aws_ssoadmin_instances" "this" {}
-
-# Create SSO Groups
 resource "aws_identitystore_group" "this" {
 for_each = { for group_name in var.groups : group_name => group_name }
 display_name = each.value
 identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
 }
-# Create SSO Users
 resource "aws_identitystore_user" "this" {
 for_each = var.users
 identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
@@ -92,7 +87,6 @@ resource "aws_identitystore_user" "this" {
 }
 }
-# Assign Users to Groups
 resource "aws_identitystore_group_membership" "this" {
 for_each = var.users
 identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
diff --git a/users.tf b/users.tf
deleted file mode 100644
index d22db6a..0000000
--- a/users.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-module "users" {
- source = "./modules/iam_identity_users"
- groups = ["administrators", "developers", "networking"]
-
- users = {
- "Zach Rundle" = {
- first_name = "Zach"
- last_name = "Rundle"
- groups = "administrators"
- },
- "Maverick Dog" = {
- first_name = "Maverick"
- last_name = "Dog"
- groups = "developers"
- },
- }
-}
From 55db31fc28d18e28ae52b70b58a61fae0b81c39a Mon Sep 17 00:00:00 2001 From: cybershady Date: Mon, 26 Aug 2024 21:59:01 -0600 Subject: [PATCH 3/9] comment out assignment temporarily --- modules/iam_identity_center/main.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index 336048d..96a6dff 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
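Review bot: The section comments `# Create SSO Groups` and `# Create SSO Users` are removed together with the duplicate `data "aws_ssoadmin_instances" "this"`, although only the data source was the problem, and the second hunk (`@@ -92,7 +87,6`) drops `# Assign Users to Groups` the same way. Keep the three comments: now that the account-assignment resource lives in the same file, a reader needs to see where group creation ends and membership and privilege assignment begin. Each of the three resources starts or ends outside its hunk.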
@@ -94,13 +94,13 @@ resource "aws_identitystore_group_membership" "this" {
 member_id = aws_identitystore_user.this[each.key].user_id
 }
-resource "aws_ssoadmin_account_assignment" "this" {
- instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
- permission_set_arn = data.aws_ssoadmin_permission_set.example.arn
+# resource "aws_ssoadmin_account_assignment" "this" {
+# instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+# permission_set_arn = data.aws_ssoadmin_permission_set.this.arn
- principal_id = data.aws_identitystore_group.this.group_id
- principal_type = "GROUP"
+# principal_id = data.aws_identitystore_group.this.group_id
+# principal_type = "GROUP"
- target_id = "123456789012"
- target_type = "AWS_ACCOUNT"
-}
+# target_id = "123456789012"
+# target_type = "AWS_ACCOUNT"
+# }
From cb0623257b2d8e0958f50e691e7ca37fe871c55c Mon Sep 17 00:00:00 2001 From: cybershady Date: Tue, 27 Aug 2024 22:00:48 -0600 Subject: [PATCH 4/9] add in account assignment --- modules/iam_identity_center/main.tf | 16 ++++++++-------- modules/iam_identity_center/variables.tf | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index 96a6dff..6c955e9 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
@@ -94,13 +94,13 @@ resource "aws_identitystore_group_membership" "this" {
 member_id = aws_identitystore_user.this[each.key].user_id
 }
-# resource "aws_ssoadmin_account_assignment" "this" {
-# instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-# permission_set_arn = data.aws_ssoadmin_permission_set.this.arn
+resource "aws_ssoadmin_account_assignment" "this" {
+ instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+ permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
-# principal_id = data.aws_identitystore_group.this.group_id
-# principal_type = "GROUP"
+ principal_id = data.aws_identitystore_group.this.group_id
+ principal_type = "GROUP"
-# target_id = "123456789012"
-# target_type = "AWS_ACCOUNT"
-# }
+ target_id = var.aws_account
+ target_type = "AWS_ACCOUNT"
+}
diff --git a/modules/iam_identity_center/variables.tf b/modules/iam_identity_center/variables.tf
index a7ab3b3..47df04e 100644
--- a/modules/iam_identity_center/variables.tf
+++ b/modules/iam_identity_center/variables.tf
@@ -36,4 +36,8 @@ variable "groups" {
 description = "List of IAM identity center groups to create"
 type = set(string)
 default = []
+}
+
+variable "aws_account" {
+ description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
 }
\ No newline at end of file
From 0b5f06318df5a0f4d8174168db508557673442c3 Mon Sep 17 00:00:00 2001 From: Zach Rundle <55340176+zachrundle@users.noreply.github.com> Date: Tue, 27 Aug 2024 22:04:52 -0600 Subject: [PATCH 5/9] Update variables.tf --- modules/iam_identity_center/variables.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/modules/iam_identity_center/variables.tf b/modules/iam_identity_center/variables.tf
index e799f14..4080ba0 100644
--- a/modules/iam_identity_center/variables.tf
+++ b/modules/iam_identity_center/variables.tf
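Review bot: `aws_ssoadmin_account_assignment.this` has no `for_each` or `count` (the `resource` line is immediately followed by `instance_arn`), so `each.value.policy_set` on the `permission_set_arn` line is not valid, and `policy_set` is not an attribute of any object this module declares — `var.users` objects carry `first_name`, `last_name` and `groups`. Patches 8 and 9 (the two `@@ -98,7 +98,7` hunks) edit `principal_id` inside the same block and inherit the problem; the last one adds a second `each.value` reference. This resource is the module's actual privilege grant (group → permission set → account), so the group-to-permission-set mapping should be an explicit input iterated with `for_each` rather than read off a field that does not exist; the sketch below uses a constructed variable name and assumes `aws_ssoadmin_permission_set.this` is a `for_each` resource keyed by permission-set name, which this series does not show.
```hcl
resource "aws_ssoadmin_account_assignment" "this" {
  # PLACEHOLDER: var.group_permission_sets is a constructed name — declare it in
  # variables.tf as map(string), group name => permission set key
  for_each = var.group_permission_sets

  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value].arn

  principal_id   = aws_identitystore_group.this[each.key].group_id
  principal_type = "GROUP"

  # … unchanged: target_id / target_type …
}
```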
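Review bot: `variable "aws_account"` in the variables.tf hunk declares neither a `type` nor a validation, so a workspace value that is not a 12-digit account id is accepted at plan time and only fails when the account assignment is applied; having no `default` is right, since this value decides which account the permission set is granted in. Pin it with `type = string` and a `validation` block whose condition is `can(regex("^[0-9]{12}$", var.aws_account))`.
```hcl
variable "aws_account" {
  description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account))
    error_message = "aws_account must be a 12-digit AWS account id."
  }
}
```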
@@ -39,3 +39,4 @@ variable "groups" {
 variable "aws_account" {
 description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
+}
From fa670f90e4efa5645bf0bde58a884e46fb7ea3a2 Mon Sep 17 00:00:00 2001 From: Zach Rundle <55340176+zachrundle@users.noreply.github.com> Date: Tue, 27 Aug 2024 22:06:28 -0600 Subject: [PATCH 6/9] Update variables.tf --- modules/iam_identity_center/variables.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/modules/iam_identity_center/variables.tf b/modules/iam_identity_center/variables.tf
index 4080ba0..269140c 100644
--- a/modules/iam_identity_center/variables.tf
+++ b/modules/iam_identity_center/variables.tf
@@ -36,6 +36,7 @@ variable "groups" {
 description = "List of IAM identity center groups to create"
 type = set(string)
 default = []
+}
 variable "aws_account" {
 description = "Account number to create aws resources in. This variable should be defined in the terraform cloud workspace settings"
From 5be0c715d0a9e1583f0d2a6b43b38a1ff132129d Mon Sep 17 00:00:00 2001 From: cybershady Date: Tue, 27 Aug 2024 22:07:43 -0600 Subject: [PATCH 7/9] add in aws_account var --- main.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index 9941ae6..3482932 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,7 @@ module "eks" {
 module "permission_sets" {
 source = "./modules/iam_identity_center"
+ aws_account = var.aws_account
 permission_sets = [ {
From eacef5b634f292b5cb920d435e0f5374549b264c Mon Sep 17 00:00:00 2001 From: cybershady Date: Tue, 27 Aug 2024 22:09:08 -0600 Subject: [PATCH 8/9] remove data prefix --- modules/iam_identity_center/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index 6c955e9..d9f15e3 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
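Review bot: `aws_account = var.aws_account` in the main.tf hunk assumes the root module declares a `variable "aws_account"`, but nothing in this series adds one; either it already exists in a file not shown here or validation fails on an undeclared variable, which is worth confirming before merge. If it is declared at the root, the 12-digit format check belongs there as well, so that a wrong workspace value is rejected before the module instance is evaluated. The `module "permission_sets"` block continues past the end of the hunk.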
@@ -98,7 +98,7 @@ resource "aws_ssoadmin_account_assignment" "this" {
 instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
 permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
- principal_id = data.aws_identitystore_group.this.group_id
+ principal_id = aws_identitystore_group.this.group_id
 principal_type = "GROUP"
 target_id = var.aws_account
From c867833667aaf4246eae9854f7a271a09d1e8bb4 Mon Sep 17 00:00:00 2001 From: cybershady Date: Tue, 27 Aug 2024 22:10:38 -0600 Subject: [PATCH 9/9] add each.value --- modules/iam_identity_center/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/iam_identity_center/main.tf b/modules/iam_identity_center/main.tf
index d9f15e3..ed29c62 100644
--- a/modules/iam_identity_center/main.tf
+++ b/modules/iam_identity_center/main.tf
@@ -98,7 +98,7 @@ resource "aws_ssoadmin_account_assignment" "this" {
 instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
 permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
- principal_id = aws_identitystore_group.this.group_id
+ principal_id = aws_identitystore_group.this[each.value.groups].group_id
 principal_type = "GROUP"
 target_id = var.aws_account