From b2bcade5d2720f0c9a34dbd2274f7b8b46f6e1dc Mon Sep 17 00:00:00 2001
From: Mufaddal Shakir
Date: Mon, 29 Jul 2024 17:13:14 +0530
Subject: [PATCH] Revert "chore: Update account id assignment using data source"

---
 modules/account_users_and_groups_assignments/README.md | 3 +--
 modules/account_users_and_groups_assignments/data.tf | 2 --
 modules/account_users_and_groups_assignments/locals.tf | 7 +------
 modules/account_users_and_groups_assignments/variables.tf | 8 ++++----
 4 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/modules/account_users_and_groups_assignments/README.md b/modules/account_users_and_groups_assignments/README.md
index fded8e8..c3808a9 100644
--- a/modules/account_users_and_groups_assignments/README.md
+++ b/modules/account_users_and_groups_assignments/README.md
@@ -31,7 +31,6 @@ No modules.
 | [null_resource.sso_user_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_identitystore_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_user.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
-| [aws_organizations_organization.o](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_ssoadmin_instances.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 | [aws_ssoadmin_permission_set.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 
@@ -39,7 +38,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
- account\_name: The AWS account where the permissions will be applied.
- permission\_sets: List of permission-set to be assigned to the specified principals.
- principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .
- principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. |
list(object({
account_name = string
permission_sets = list(string)
principal_names = list(string)
principal_type = string
}))
| n/a | yes |
+| [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
- account\_id: The AWS account ID where the permissions will be applied.
- permission\_sets: List of permission-set to be assigned to the specified principals.
- principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .
- principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. |
list(object({
account_id = string
permission_sets = list(string)
principal_names = list(string)
principal_type = string
}))
| n/a | yes |
 | [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
 | [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
 | [identitystore\_user\_depends\_on](#input\_identitystore\_user\_depends\_on) | A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
diff --git a/modules/account_users_and_groups_assignments/data.tf b/modules/account_users_and_groups_assignments/data.tf
index c895923..afaaa50 100644
--- a/modules/account_users_and_groups_assignments/data.tf
+++ b/modules/account_users_and_groups_assignments/data.tf
@@ -1,5 +1,3 @@
-data "aws_organizations_organization" "o" {}
-
 resource "null_resource" "sso_group_dependency" {
 triggers = {
 dependency_id = join(",", var.identitystore_group_depends_on)
diff --git a/modules/account_users_and_groups_assignments/locals.tf b/modules/account_users_and_groups_assignments/locals.tf
index 5e93541..ee49328 100644
--- a/modules/account_users_and_groups_assignments/locals.tf
+++ b/modules/account_users_and_groups_assignments/locals.tf
@@ -1,16 +1,11 @@
 locals {
-
- account_map = {
- for account in data.aws_organizations_organization.o.accounts : account.name => account.id
- }
-
 target_type = "AWS_ACCOUNT"
 
 flatten_account_group_permission = flatten([
 for acc_assignment in var.account_assignments : [
 for ps_name in acc_assignment.permission_sets : [
 for pr_name in acc_assignment.principal_names : {
- acc_id = account_map[acc_assignment.account_name]
+ acc_id = acc_assignment.account_id
 principal_name = pr_name
 ps_name = ps_name
 principal_type = acc_assignment.principal_type
diff --git a/modules/account_users_and_groups_assignments/variables.tf b/modules/account_users_and_groups_assignments/variables.tf
index 30faea3..e688c59 100644
--- a/modules/account_users_and_groups_assignments/variables.tf
+++ b/modules/account_users_and_groups_assignments/variables.tf
@@ -1,21 +1,21 @@
 variable "account_assignments" {
 description = < 0])
- error_message = "Account name cannot be empty"
+ condition = alltrue([for a in var.account_assignments : can(regex("^\\d{12}$", a.account_id))])
+ error_message = "Each account_id must be a valid 12-digit number."
 }
 validation {
 condition = alltrue([for a in var.account_assignments : length(a.permission_sets) > 0])
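Review bot: In the locals.tf hunk, `acc_id = acc_assignment.account_id` now hands the caller-supplied id straight to the assignment, so the plan-time guarantee the removed `account_map` lookup gave (the target had to be an account in the organization) is gone; the `^\\d{12}$` validation added in variables.tf only constrains the shape, and a well-formed but wrong id would presumably surface only at apply time, or, if it happens to be another account in the organization, grant the permission set there. Since accepting ids directly is the intent of the revert, that contract should be stated where callers read it: in the `account_id` line of the variable description, e.g. `account_id: 12-digit AWS account ID; this module does not verify that the account belongs to the organization`. The locals block, and the variables.tf hunk, continue past the end of what is shown here.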