chore : refactor the sub module

ShivaniBanke · ShivaniBanke · commit 47ef68737bd8 · 2024-07-14T09:03:58.000+05:30
diff --git a/examples/create-permission-set/locals.tf b/examples/create-permission-set/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  aws_region = "us-east-1"
+}
diff --git a/examples/create-permission-set/main.tf b/examples/create-permission-set/main.tf
@@ -0,0 +1,5 @@
+module "permission_sets" {
+  source = "../../modules/permission_sets"
+
+  permission_sets = var.permission_sets
+}
diff --git a/examples/create-permission-set/outputs.tf b/examples/create-permission-set/outputs.tf
diff --git a/examples/create-permission-set/provider.tf b/examples/create-permission-set/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}
diff --git a/examples/create-permission-set/variables.tf b/examples/create-permission-set/variables.tf
@@ -0,0 +1,34 @@
+variable "permission_sets" {
+  description = <<EOF
+  (Required)A map of permission set objects with key as the permission set name. Each object contains:
+  - name: The name of the permission set.
+  - description: A brief description of the permission set.
+  - session_duration: Optional session duration for the permission set (default is null).
+  - relay_state: Optional relay state for the permission set (default is null).
+  - tags: Optional map of tags to associate with the permission set.
+  - inline_policy: The inline policy content in JSON format.
+  - managed_policies: A list of ARNs of managed policies to attach to the permission set.
+  - customer_managed_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:
+      - name: The name of the customer-managed policy.
+      - path: The path of the customer-managed policy (default is "/").
+  EOF
+  type = map(object({
+    name             = string
+    description      = string
+    session_duration = optional(string, null)
+    relay_state      = optional(string, null)
+    tags             = optional(map(string))
+    inline_policy    = string
+    managed_policies = list(string)
+    customer_managed_policies = list(object({
+      name = string
+      path = optional(string, "/")
+    }))
+  }))
+}
+
+variable "tags" {
+  description = "(Optional) Key-value map of resource tags."
+  type        = map(string)
+  default     = null
+}
diff --git a/modules/permission_sets/README.md b/modules/permission_sets/README.md
@@ -1,6 +1,3 @@
-# Terraform AWS Organizations Permission-Sets Module
-A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission Sets within AWS Organizations
-
 ## Requirements
 
 | Name | Version |
@@ -12,7 +9,7 @@ A Terraform module for creating and managing AWS SSO (Single Sign-On) Permission
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.57.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
 
 ## Modules
 
@@ -32,7 +29,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br>    name             = string<br>    description      = string<br>    session_duration = optional(string, "PT1H")<br>    tags             = optional(map(string), null)<br>    inline_policy    = optional(string, null)     # Inline policy in JSON format <br>    managed_policies = optional(list(string), []) # list of ARN's of managed policies<br>    customer_managed_policies = optional(list(object({<br>      name = string<br>      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.<br>    })), [])<br>  }))</pre> | `[]` | no |
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) |(Required) A map of permission set objects with permission set name as the key. Each object contains:<br>  - name: The name of the permission set.<br>  - description: A brief description of the permission set.<br>  - session\_duration: Optional session duration for the permission set (default is PT1H).<br>  - relay\_state: Optional relay state for the permission set (default is null).<br>  - tags: Optional map of tags to associate with the permission set.<br>  - inline\_policy: The inline policy content in JSON format.<br>  - managed\_policies: A list of ARNs of managed policies to attach to the permission set.<br>  - customer\_managed\_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:<br>      - name: The name of the customer-managed policy.<br>      - path: The path of the customer-managed policy (default is "/"). | <pre>map(object({<br>    name             = string<br>    description      = string<br>    session_duration = optional(string, null)<br>    relay_state      = optional(string, null)<br>    tags             = optional(map(string))<br>    inline_policy    = string       #  Inline policy <br>    managed_policies = list(string) # list of ARN's of managed policies<br>    customer_managed_policies = list(object({<br>      name = string<br>      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.<br>    }))<br>  }))</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Key-value map of resource tags. | `map(string)` | `null` | no |
 
 ## Outputs
diff --git a/modules/permission_sets/data.tf b/modules/permission_sets/data.tf
@@ -0,0 +1 @@
+data "aws_ssoadmin_instances" "default" {}
diff --git a/modules/permission_sets/locals.tf b/modules/permission_sets/locals.tf
@@ -0,0 +1,30 @@
+locals {
+  sso_instance_arn    = tolist(data.aws_ssoadmin_instances.default.arns)[0]
+  permission_set_map  = { for ps_name, ps in var.permission_sets : ps_name => ps }
+  inline_policies_map = { for ps_name, ps in var.permission_sets : ps_name => ps.inline_policy if ps.inline_policy != "" }
+  managed_policy_map  = { for ps_name, ps in var.permission_sets : ps_name => ps.managed_policies if length(ps.managed_policies) > 0 }
+  managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.managed_policy_map : [
+      for policy_arn in policy_list : {
+        ps_name    = ps_name
+        policy_arn = policy_arn
+      }
+    ]
+  ])
+  managed_policy_attachments_map = {
+    for policy in local.managed_policy_attachments : "${policy.ps_name}.${policy.policy_arn}" => policy
+  }
+  customer_managed_policy_map = { for ps_name, ps in var.permission_sets : ps_name => ps.customer_managed_policies if length(ps.customer_managed_policies) > 0 }
+  customer_managed_policy_attachments = flatten([
+    for ps_name, policy_list in local.customer_managed_policy_map : [
+      for policy in policy_list : {
+        ps_name     = ps_name
+        policy_name = policy.name
+        policy_path = policy.path
+      }
+    ]
+  ])
+  customer_managed_policy_attachments_map = {
+    for policy in local.customer_managed_policy_attachments : "${policy.ps_name}.${policy.policy_path}${policy.policy_name}" => policy
+  }
+}
diff --git a/modules/permission_sets/main.tf b/modules/permission_sets/main.tf
@@ -1,37 +1,3 @@
-locals {
-  sso_instance_arn    = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-  permission_set_map  = { for ps in var.permission_sets : ps.name => ps }
-  inline_policies_map = { for ps in var.permission_sets : ps.name => ps.inline_policy if ps.inline_policy != null }
-  managed_policy_map  = { for ps in var.permission_sets : ps.name => ps.managed_policies if length(ps.managed_policies) > 0 }
-  managed_policy_attachments = flatten([
-    for ps_name, policy_list in local.managed_policy_map : [
-      for policy_arn in policy_list : {
-        permission_set = ps_name
-        policy_arn     = policy_arn
-      }
-    ]
-  ])
-  managed_policy_attachments_map = {
-    for policy in local.managed_policy_attachments : "${policy.permission_set}.${policy.policy_arn}" => policy
-  }
-  customer_managed_policy_map = { for ps in var.permission_sets : ps.name => ps.customer_managed_policies if length(ps.customer_managed_policies) > 0 }
-  customer_managed_policy_attachments = flatten([
-    for ps_name, policy_list in local.customer_managed_policy_map : [
-      for policy in policy_list : {
-        permission_set = ps_name
-        policy_name    = policy.name
-        policy_path    = policy.path
-      }
-    ]
-  ])
-  customer_managed_policy_attachments_map = {
-    for policy in local.customer_managed_policy_attachments : "${policy.permission_set}.${policy.policy_path}${policy.policy_name}" => policy
-  }
-}
-
-data "aws_ssoadmin_instances" "this" {}
-
-# CREATE THE PERMISSION SETS
 resource "aws_ssoadmin_permission_set" "this" {
   for_each = local.permission_set_map
 
@@ -42,34 +8,37 @@ resource "aws_ssoadmin_permission_set" "this" {
   tags             = merge(each.value.tags, var.tags)
 }
 
-# ATTACH INLINE POLICIES
 resource "aws_ssoadmin_permission_set_inline_policy" "this" {
   for_each = local.inline_policies_map
 
   inline_policy      = each.value
   instance_arn       = local.sso_instance_arn
   permission_set_arn = aws_ssoadmin_permission_set.this[each.key].arn
-  depends_on         = [aws_ssoadmin_permission_set_inline_policy.this]
+
+  #Ensures that this resource waits for the specified permission set to be created or updated before proceeding.
+  depends_on = [aws_ssoadmin_permission_set.this]
 }
 
-# ATTACH MANAGED POLICIES
 resource "aws_ssoadmin_managed_policy_attachment" "this" {
   for_each = local.managed_policy_attachments_map
 
   instance_arn       = local.sso_instance_arn
   managed_policy_arn = each.value.policy_arn
-  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
-  depends_on         = [aws_ssoadmin_permission_set_inline_policy.this]
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps_name].arn
+
+  #Ensures that this resource waits for the specified permission set to be created or updated before proceeding.
+  depends_on = [aws_ssoadmin_permission_set.this]
 }
 
-# ATTACH CUSTOMER MANAGED POLICIES
 resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
   for_each           = local.customer_managed_policy_attachments_map
   instance_arn       = local.sso_instance_arn
-  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.policy_set].arn
+  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps_name].arn
   customer_managed_policy_reference {
     name = each.value.policy_name
     path = each.value.policy_path
   }
-  depends_on = [aws_ssoadmin_permission_set_inline_policy.this]
+
+  #Ensures that this resource waits for the specified permission set to be created or updated before proceeding.
+  depends_on = [aws_ssoadmin_permission_set.this]
 }
diff --git a/modules/permission_sets/md b/modules/permission_sets/md
@@ -0,0 +1,39 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |
+| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
+| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
+| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | A map of permission set objects with permission set name as the key. Each object contains:<br>  - name: The name of the permission set.<br>  - description: A brief description of the permission set.<br>  - session\_duration: Optional session duration for the permission set (default is PT1H).<br>  - relay\_state: Optional relay state for the permission set (default is null).<br>  - tags: Optional map of tags to associate with the permission set.<br>  - inline\_policy: The inline policy content in JSON format.<br>  - managed\_policies: A list of ARNs of managed policies to attach to the permission set.<br>  - customer\_managed\_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:<br>      - name: The name of the customer-managed policy.<br>      - path: The path of the customer-managed policy (default is "/"). | <pre>map(object({<br>    name             = string<br>    description      = string<br>    session_duration = optional(string, null)<br>    relay_state      = optional(string, null)<br>    tags             = optional(map(string))<br>    inline_policy    = string       #  Inline policy <br>    managed_policies = list(string) # list of ARN's of managed policies<br>    customer_managed_policies = list(object({<br>      name = string<br>      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Key-value map of resource tags. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_permission_sets"></a> [permission\_sets](#output\_permission\_sets) | A map of the permission sets that were created. Each key is the name of the permission set, and the value contains the details of the created permission set. |
diff --git a/modules/permission_sets/variables.tf b/modules/permission_sets/variables.tf
@@ -1,17 +1,48 @@
 variable "permission_sets" {
-  type = list(object({
+  description = <<EOF
+  (Required)A map of permission set objects with permission set name as the key. Each object contains:
+  - name: The name of the permission set.
+  - description: A brief description of the permission set.
+  - session_duration: Optional session duration for the permission set (default is PT1H).
+  - relay_state: Optional relay state for the permission set (default is null).
+  - tags: Optional map of tags to associate with the permission set.
+  - inline_policy: The inline policy content in JSON format.
+  - managed_policies: A list of ARNs of managed policies to attach to the permission set.
+  - customer_managed_policies: A list of customer-managed policies to attach to the permission set. Each policy includes:
+      - name: The name of the customer-managed policy.
+      - path: The path of the customer-managed policy (default is "/").
+  EOF
+  type = map(object({
     name             = string
     description      = string
-    session_duration = optional(string, "PT1H")
-    tags             = optional(map(string), null)
-    inline_policy    = optional(string, null)     # Inline policy in JSON format
-    managed_policies = optional(list(string), []) # list of ARN's of managed policies
-    customer_managed_policies = optional(list(object({
+    session_duration = optional(string, null)
+    relay_state      = optional(string, null)
+    tags             = optional(map(string))
+    inline_policy    = string
+    managed_policies = list(string)
+    customer_managed_policies = list(object({
       name = string
-      path = optional(string, "/") # list of customer-managed policies with their names and paths to be attached to each.
-    })), [])
+      path = optional(string, "/")
+    }))
   }))
-  default = []
+
+  validation {
+    condition     = alltrue([for ps in var.permission_sets : (ps.inline_policy != null)])
+    error_message = "Inline policy cannot be null"
+  }
+  validation {
+    condition     = alltrue([for ps in var.permission_sets : can(jsondecode(ps.inline_policy)) if ps.inline_policy != ""])
+    error_message = "Inline policy must be a valid JSON string."
+  }
+  validation {
+    condition     = alltrue([for ps in var.permission_sets : (ps.managed_policies != null)])
+    error_message = "Managed policies cannot be null"
+  }
+  validation {
+    condition     = alltrue([for ps in var.permission_sets : (ps.customer_managed_policies != null)])
+    error_message = "Customer managed policies cannot be null "
+  }
+
 }
 
 variable "tags" {
diff --git a/tests/permission_sets_unit-tests.tftest.hcl b/tests/permission_sets_unit-tests.tftest.hcl

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ aws_region = "us-east-1"`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+provider "aws" {`
	`2`	`+ region = local.aws_region`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+data "aws_ssoadmin_instances" "default" {}`