Merge pull request #9 from infraspecdev/feat/account_permissions_assignment

ShivaniBanke · web-flow · commit 3df107b5e473 · 2024-07-16T12:00:06.000+05:30
feat: Account Users and Groups Assignment
diff --git a/examples/assign-users-and-groups-to-account/locals.tf b/examples/assign-users-and-groups-to-account/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  aws_region = "us-east-1"
+}
diff --git a/examples/assign-users-and-groups-to-account/main.tf b/examples/assign-users-and-groups-to-account/main.tf
@@ -0,0 +1,5 @@
+module "account_perimissions_assignment" {
+  source = "../../modules/account_users_and_groups_assignments"
+
+  account_assignments = var.account_assignments
+}
diff --git a/examples/assign-users-and-groups-to-account/outputs.tf b/examples/assign-users-and-groups-to-account/outputs.tf
diff --git a/examples/assign-users-and-groups-to-account/provider.tf b/examples/assign-users-and-groups-to-account/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}
diff --git a/examples/assign-users-and-groups-to-account/variables.tf b/examples/assign-users-and-groups-to-account/variables.tf
@@ -0,0 +1,15 @@
+variable "account_assignments" {
+  description = <<EOF
+  A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
+  - account_id: The AWS account ID where the permissions will be applied.
+  - permission_sets: List of permission-set to be assigned to the specified principals.
+  - principal_names: An identifier for an object in AWS SSO, such as the names of groups or users .
+   -principal_type: The entity type for which the assignment will be created. Valid values: USER, GROUP.
+    EOF
+  type = list(object({
+    account_id      = string
+    permission_sets = list(string)
+    principal_names = list(string)
+    principal_type  = string
+  }))
+}
diff --git a/examples/assign-users-and-groups-to-account/version.tf b/examples/assign-users-and-groups-to-account/version.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+  }
+}
diff --git a/modules/account_users_and_groups_assignments/.header.md b/modules/account_users_and_groups_assignments/.header.md
@@ -0,0 +1,2 @@
+# Terraform AWS Account Users and Groups Assignments Module
+A Terraform module for assigning users and groups to AWS accounts.
diff --git a/modules/account_users_and_groups_assignments/README.md b/modules/account_users_and_groups_assignments/README.md
@@ -0,0 +1,49 @@
+# Terraform AWS Organization Account Permissions Assignment Module
+A Terraform module for associating permissions to AWS accounts.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [null_resource.sso_group_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.sso_permission_set_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.sso_user_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_identitystore_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_identitystore_user.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_ssoadmin_instances.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+| [aws_ssoadmin_permission_set.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_id: The AWS account ID where the permissions will be applied.<br>  - permission\_sets: List of permission-set to be assigned to the specified principals.<br>  - principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .<br>  - principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. | <pre>list(object({<br>    account_id      = string<br>    permission_sets = list(string)<br>    principal_names = list(string)<br>    principal_type  = string<br>  }))</pre> | n/a | yes |
+| <a name="input_identitystore_group_depends_on"></a> [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_identitystore_permission_set_depends_on"></a> [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_identitystore_user_depends_on"></a> [identitystore\_user\_depends\_on](#input\_identitystore\_user\_depends\_on) | A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_assignments"></a> [assignments](#output\_assignments) | The account assignment resources created for AWS SSO. Each resource includes details about the account, permission set, principal, and the status of the assignments. |
diff --git a/modules/account_users_and_groups_assignments/data.tf b/modules/account_users_and_groups_assignments/data.tf
@@ -0,0 +1,59 @@
+resource "null_resource" "sso_group_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_group_depends_on)
+  }
+}
+
+resource "null_resource" "sso_user_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_user_depends_on)
+  }
+}
+
+data "aws_identitystore_group" "default" {
+  for_each = local.group_list
+
+  identity_store_id = local.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = each.key
+    }
+  }
+
+  depends_on = [null_resource.sso_group_dependency]
+}
+
+data "aws_identitystore_user" "default" {
+  for_each = local.user_list
+
+  identity_store_id = local.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "UserName"
+      attribute_value = each.key
+    }
+  }
+
+  depends_on = [null_resource.sso_user_dependency]
+}
+
+data "aws_ssoadmin_instances" "default" {
+
+}
+
+resource "null_resource" "sso_permission_set_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_permission_set_depends_on)
+  }
+}
+
+data "aws_ssoadmin_permission_set" "default" {
+  for_each = local.permission_set_list
+
+  instance_arn = local.sso_instance_arn
+  name         = each.value
+  depends_on   = [null_resource.sso_permission_set_dependency]
+}
diff --git a/modules/account_users_and_groups_assignments/locals.tf b/modules/account_users_and_groups_assignments/locals.tf
@@ -0,0 +1,41 @@
+
+locals {
+  flatten_account_group_permission = flatten([
+    for acc_assignment in var.account_assignments : [
+      for ps_name in acc_assignment.permission_sets : [
+        for pr_name in acc_assignment.principal_names : {
+          acc_id         = acc_assignment.account_id
+          principal_name = pr_name
+          ps_name        = ps_name
+          principal_type = acc_assignment.principal_type
+        }
+      ]
+    ]
+  ])
+  assignment_map = {
+    for a in local.flatten_account_group_permission :
+    format("%v-%v-%v-%v", a.acc_id, substr(a.principal_type, 0, 1), a.principal_name, a.ps_name) => a
+  }
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.default.identity_store_ids)[0]
+  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.default.arns)[0]
+
+  group_list = toset(flatten([for a in var.account_assignments : [
+    for pr_name in a.principal_names : [
+    pr_name] if a.principal_type == "GROUP"
+    ]
+  ]))
+
+  user_list = toset(flatten([for a in var.account_assignments : [
+    for pr_name in a.principal_names : [
+    pr_name] if a.principal_type == "USER"
+    ]
+  ]))
+
+  permission_set_list = toset(flatten([for a in var.account_assignments : [
+    [for ps_name in a.permission_sets : ps_name
+    ]
+    ]
+  ]))
+  # permission_set_list = toset(local.all_permission_sets)
+}
diff --git a/modules/account_users_and_groups_assignments/main.tf b/modules/account_users_and_groups_assignments/main.tf
@@ -0,0 +1,14 @@
+locals {
+  target_type = "AWS_ACCOUNT"
+}
+
+resource "aws_ssoadmin_account_assignment" "this" {
+  for_each = local.assignment_map
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = data.aws_ssoadmin_permission_set.default[each.value.ps_name].arn
+  principal_id       = each.value.principal_type == "GROUP" ? data.aws_identitystore_group.default[each.value.principal_name].group_id : data.aws_identitystore_user.default[each.value.principal_name].user_id
+  principal_type     = each.value.principal_type
+  target_id          = each.value.acc_id
+  target_type        = local.target_type
+}
diff --git a/modules/account_users_and_groups_assignments/outputs.tf b/modules/account_users_and_groups_assignments/outputs.tf
@@ -0,0 +1,4 @@
+output "assignments" {
+  description = "The account assignment resources created for AWS SSO. Each resource includes details about the account, permission set, principal, and the status of the assignments."
+  value       = aws_ssoadmin_account_assignment.this
+}
diff --git a/modules/account_users_and_groups_assignments/variables.tf b/modules/account_users_and_groups_assignments/variables.tf
@@ -0,0 +1,51 @@
+variable "account_assignments" {
+  description = <<EOF
+  A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
+  - account_id: The AWS account ID where the permissions will be applied.
+  - permission_sets: List of permission-set to be assigned to the specified principals.
+  - principal_names: An identifier for an object in AWS SSO, such as the names of groups or users .
+  - principal_type:The entity type for which the assignment will be created. Valid values: USER, GROUP.
+    EOF
+  type = list(object({
+    account_id      = string
+    permission_sets = list(string)
+    principal_names = list(string)
+    principal_type  = string
+  }))
+
+  validation {
+    condition     = alltrue([for a in var.account_assignments : can(regex("^\\d{12}$", a.account_id))])
+    error_message = "Each account_id must be a valid 12-digit number."
+  }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : length(a.permission_sets) > 0])
+    error_message = "Permission sets cannot be empty."
+  }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : length(a.principal_names) > 0])
+    error_message = "Principal names cannot be empty."
+  }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : contains(["USER", "GROUP"], a.principal_type)])
+    error_message = "Principal type must be either 'USER' or 'GROUP'."
+  }
+
+}
+
+variable "identitystore_group_depends_on" {
+  description = "A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_user_depends_on" {
+  description = "A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_permission_set_depends_on" {
+  description = "A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/account_users_and_groups_assignments/versions.tf b/modules/account_users_and_groups_assignments/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2.2"
+    }
+  }
+}
diff --git a/tests/account_permission_assignment_unit-tests.tftest.hcl b/tests/account_permission_assignment_unit-tests.tftest.hcl
@@ -0,0 +1,109 @@
+run "validate_account_id_for_non_digits_value" {
+  command = plan
+
+  variables {
+    account_assignments = [{
+      account_id      = "dummyId"
+      permission_sets = [""]
+      principal_names = [""]
+      principal_type  = "GROUP"
+      }
+    ]
+  }
+
+  module {
+    source = "./modules/account_users_and_groups_assignments"
+  }
+
+  expect_failures = [
+    var.account_assignments.this[0].account_id
+  ]
+}
+
+run "validate_account_id_digits" {
+  command = plan
+
+  variables {
+    account_assignments = [{
+      account_id      = "dummyId"
+      permission_sets = [""]
+      principal_names = [""]
+      principal_type  = "GROUP"
+      }
+    ]
+  }
+
+  module {
+    source = "./modules/account_users_and_groups_assignments"
+  }
+
+  expect_failures = [
+    var.account_assignments.this[0].account_id
+  ]
+}
+
+run "validate_empty_permission_sets_list" {
+  command = plan
+
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = []
+      principal_names = [""]
+      principal_type  = "GROUP"
+      }
+    ]
+  }
+
+  module {
+    source = "./modules/account_users_and_groups_assignments"
+  }
+
+  expect_failures = [
+    var.account_assignments.this[0].permission_sets
+  ]
+}
+
+run "validate_empty_principal_list" {
+  command = plan
+
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = [""]
+      principal_names = []
+      principal_type  = "GROUP"
+      }
+    ]
+  }
+
+  module {
+    source = "./modules/account_users_and_groups_assignments"
+  }
+
+  expect_failures = [
+    var.account_assignments.this[0].principal_names
+  ]
+}
+
+run "validate_principal_type" {
+  command = plan
+
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = [""]
+      principal_names = [""]
+      principal_type  = ""
+      }
+    ]
+  }
+
+  module {
+    source = "./modules/account_users_and_groups_assignments"
+  }
+
+  expect_failures = [
+    var.account_assignments.this[0].principal_type
+  ]
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ aws_region = "us-east-1"`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+provider "aws" {`
	`2`	`+ region = local.aws_region`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Terraform AWS Account Users and Groups Assignments Module`
	`2`	`+A Terraform module for assigning users and groups to AWS accounts.`