chore: Refactor the module

Author: ShivaniBanke

modules/account_permissions_assignment/.header.md

@@ -0,0 +1,2 @@
+# Terraform AWS Organization Account Permissions Assignment Module
+A Terraform module for associating permissions to AWS accounts.

modules/account_permissions_assignment/README.md

@@ -0,0 +1,43 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.57.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [null_resource.sso_group_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.sso_permission_set_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_id: The AWS account ID where the permissions will be applied.<br>  - permission\_sets: List of permission-set names to be assigned.<br>  - principal\_name: An identifier for an object in AWS SSO, such as the name of an SSO group. | <pre>list(object({<br>    account_id      = string<br>    permission_sets = list(string)<br>    principal_name  = string<br>  }))</pre> | `[]` | no |
+| <a name="input_identitystore_group_depends_on"></a> [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_identitystore_permission_set_depends_on"></a> [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_assignments"></a> [assignments](#output\_assignments) | The account assignment resources created for AWS SSO. Each resource includes details about the account, permission set, principal, and the status of the assignment. |

modules/account_permissions_assignment/data.tf

@@ -5,7 +5,8 @@ resource "null_resource" "sso_group_dependency" {
 }
 
 data "aws_identitystore_group" "this" {
-  for_each          = local.group_list
+  for_each = local.group_list
+
   identity_store_id = local.identity_store_id
 
   alternate_identifier {

modules/account_permissions_assignment/locals.tf

@@ -1,15 +1,28 @@
 
 locals {
+  flatten_account_group_permission = flatten([
+    for acc_assignment in var.account_assignments : [
+      for ps_name in acc_assignment.permission_sets : {
+        acc_id         = acc_assignment.account_id
+        principal_name = acc_assignment.principal_name
+        ps_name        = ps_name
+      }
+    ]
+  ])
   assignment_map = {
-    for a in var.account_assignments :
-    format("%v-%v-%v-%v", a.account_id, substr(a.principal_type, 0, 1), a.principal_name, a.permission_set_name) => a
+    for a in local.flatten_account_group_permission :
+    format("%v-%v-%v", a.acc_id, a.principal_name, a.ps_name) => a
   }
 
   identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
   sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
 
-  group_list          = toset([for mapping in var.account_assignments : mapping.principal_name])
-  permission_set_list = toset([for mapping in var.account_assignments : mapping.permission_set_name])
-
+  group_list = toset([for mapping in var.account_assignments : mapping.principal_name])
+  all_permission_sets = flatten([for mapping in var.account_assignments : [
+    [for ps_name in mapping.permission_sets : ps_name
+    ]
+    ]
+  ])
+  permission_set_list = toset(local.all_permission_sets)
 }
 

modules/account_permissions_assignment/main.tf

@@ -1,13 +1,15 @@
 locals {
-  target_type = "AWS_ACCOUNT"
+  target_type    = "AWS_ACCOUNT"
+  principal_type = "GROUP"
 }
+
 resource "aws_ssoadmin_account_assignment" "this" {
   for_each = local.assignment_map
 
   instance_arn       = local.sso_instance_arn
-  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.permission_set_name].arn
+  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.ps_name].arn
   principal_id       = data.aws_identitystore_group.this[each.value.principal_name].group_id
-  principal_type     = each.value.principal_type
-  target_id          = each.value.account_id
+  principal_type     = local.principal_type
+  target_id          = each.value.acc_id
   target_type        = local.target_type
 }

modules/account_permissions_assignment/outputs.tf

@@ -1,3 +1,4 @@
 output "assignments" {
-  value = aws_ssoadmin_account_assignment.this
+  description = "The account assignment resources created for AWS SSO. Each resource includes details about the account, permission set, principal, and the status of the assignment."
+  value       = aws_ssoadmin_account_assignment.this
 }

modules/account_permissions_assignment/variables.tf

@@ -1,28 +1,26 @@
 variable "account_assignments" {
   description = <<EOF
-  A list of objects representing permission assignments for AWS accounts. Each object contains the following attributes:
+  A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
   - account_id: The AWS account ID where the permissions will be applied.
-  - permission_set_name: The name of the permission set to be used.
-  - permission_set_arn: The Amazon Resource Name (ARN) of the permission set.
+  - permission_sets: List of permission-set names to be assigned.
   - principal_name: An identifier for an object in AWS SSO, such as the name of an SSO group.
-  - principal_type: The type of entity for which the assignment will be created. Should be set to 'GROUP' only. Defaults to 'GROUP'."
-  EOF
+    EOF
   type = list(object({
-    account_id          = string
-    permission_set_name = string
-    principal_name      = string
-    principal_type      = optional(string, "GROUP")
+    account_id      = string
+    permission_sets = list(string)
+    principal_name  = string
   }))
-  default = [{
-    account_id          = "471112575944"
-    permission_set_name = "Core_Dev"
-    principal_name      = "Read_Only"
-  }]
+  default = []
 
   validation {
-    condition     = alltrue([for a in var.account_assignments : (a.principal_type == "GROUP")])
+    condition     = alltrue([for a in var.account_assignments : can(regex("^\\d{12}$", a.account_id))])
     error_message = "Principal type should be 'GROUP' only"
   }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : length(a.permission_sets) > 0])
+    error_message = "Permission sets cannot be empty."
+  }
+
 }
 
 variable "identitystore_group_depends_on" {
@@ -35,4 +33,4 @@ variable "identitystore_permission_set_depends_on" {
   description = "A list of parameters to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
   type        = list(string)
   default     = []
-}
+}

tests/account_permission_assignment_unit-tests.tftest.hcl

@@ -0,0 +1,53 @@
+run "validate_account_id_for_non_digits_value" {
+  variables {
+    account_assignments = [{
+      account_id      = "dummyId"
+      permission_sets = [""]
+      principal_name  = ""
+      }
+    ]
+  }
+  module {
+    source = "./modules/account_permissions_assignment"
+  }
+  command = plan
+  expect_failures = [
+    var.account_assignments.this[0].account_id
+  ]
+}
+
+run "validate_account_id_digits" {
+  variables {
+    account_assignments = [{
+      account_id      = "dummyId"
+      permission_sets = [""]
+      principal_name  = ""
+      }
+    ]
+  }
+  module {
+    source = "./modules/account_permissions_assignment"
+  }
+  command = plan
+  expect_failures = [
+    var.account_assignments.this[0].account_id
+  ]
+}
+
+run "validate_empty_permission_sets_list" {
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = []
+      principal_name  = ""
+      }
+    ]
+  }
+  module {
+    source = "./modules/account_permissions_assignment"
+  }
+  command = plan
+  expect_failures = [
+    var.account_assignments.this[0].permission_sets
+  ]
+}