Add account_permission_assignment sub module

Author: ShivaniBanke

modules/account_permissions_assignment/data.tf

@@ -0,0 +1,40 @@
+resource "null_resource" "sso_group_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_group_depends_on)
+  }
+}
+
+data "aws_identitystore_group" "this" {
+  for_each          = local.group_list
+  identity_store_id = local.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = each.key
+    }
+  }
+
+  depends_on = [null_resource.sso_group_dependency]
+}
+
+data "aws_ssoadmin_instances" "this" {
+
+}
+
+resource "null_resource" "sso_permission_set_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_permission_set_depends_on)
+  }
+}
+
+data "aws_ssoadmin_permission_set" "this" {
+  for_each = local.permission_set_list
+
+  instance_arn = local.sso_instance_arn
+  name         = each.value
+  depends_on   = [null_resource.sso_permission_set_dependency]
+}
+
+
+

modules/account_permissions_assignment/locals.tf

@@ -0,0 +1,15 @@
+
+locals {
+  assignment_map = {
+    for a in var.account_assignments :
+    format("%v-%v-%v-%v", a.account_id, substr(a.principal_type, 0, 1), a.principal_name, a.permission_set_name) => a
+  }
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+
+  group_list          = toset([for mapping in var.account_assignments : mapping.principal_name])
+  permission_set_list = toset([for mapping in var.account_assignments : mapping.permission_set_name])
+
+}
+

modules/account_permissions_assignment/main.tf

@@ -0,0 +1,13 @@
+locals {
+  target_type = "AWS_ACCOUNT"
+}
+resource "aws_ssoadmin_account_assignment" "this" {
+  for_each = local.assignment_map
+
+  instance_arn       = local.sso_instance_arn
+  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.permission_set_name].arn
+  principal_id       = data.aws_identitystore_group.this[each.value.principal_name].group_id
+  principal_type     = each.value.principal_type
+  target_id          = each.value.account_id
+  target_type        = local.target_type
+}

modules/account_permissions_assignment/outputs.tf

@@ -0,0 +1,3 @@
+output "assignments" {
+  value = aws_ssoadmin_account_assignment.this
+}

modules/account_permissions_assignment/provider.tf

@@ -0,0 +1,4 @@
+
+provider "aws" {
+  region = "us-east-1"
+}

modules/account_permissions_assignment/variables.tf

@@ -0,0 +1,38 @@
+variable "account_assignments" {
+  description = <<EOF
+  A list of objects representing permission assignments for AWS accounts. Each object contains the following attributes:
+  - account_id: The AWS account ID where the permissions will be applied.
+  - permission_set_name: The name of the permission set to be used.
+  - permission_set_arn: The Amazon Resource Name (ARN) of the permission set.
+  - principal_name: An identifier for an object in AWS SSO, such as the name of an SSO group.
+  - principal_type: The type of entity for which the assignment will be created. Should be set to 'GROUP' only. Defaults to 'GROUP'."
+  EOF
+  type = list(object({
+    account_id          = string
+    permission_set_name = string
+    principal_name      = string
+    principal_type      = optional(string, "GROUP")
+  }))
+  default = [{
+    account_id          = "471112575944"
+    permission_set_name = "Core_Dev"
+    principal_name      = "Read_Only"
+  }]
+
+  validation {
+    condition     = alltrue([for a in var.account_assignments : (a.principal_type == "GROUP")])
+    error_message = "Principal type should be 'GROUP' only"
+  }
+}
+
+variable "identitystore_group_depends_on" {
+  description = "A list of parameters to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_permission_set_depends_on" {
+  description = "A list of parameters to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}

modules/account_permissions_assignment/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2.2"
+    }
+  }
+}