Merge pull request #8 from infraspecdev/sso_groups

feat: SSO groups

Author: ShivaniBanke

examples/create-sso-group-and-assign-users/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  aws_region = "us-east-1"
+}

examples/create-sso-group-and-assign-users/main.tf

@@ -0,0 +1,6 @@
+module "sso_groups" {
+  source = "../../modules/sso_groups/"
+
+  sso_groups      = var.sso_groups
+  user_groups_map = var.user_groups_map
+}

examples/create-sso-group-and-assign-users/outputs.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}

examples/create-sso-group-and-assign-users/provider.tf

@@ -0,0 +1,19 @@
+variable "sso_groups" {
+  description = <<EOF
+  (Recquired)A map of objects defining AWS SSO groups to be created. Each object contains:
+  - group_name: The name of the SSO group.
+  - group_description: A description for the SSO group.
+  EOF
+  type = map(object(
+    {
+      group_name        = string
+      group_description = string
+    }
+  ))
+}
+
+variable "user_groups_map" {
+  type        = map(list(string))
+  description = "(Optional)Mapping of users to their respective sso groups within the Organisation. For example map of `user=[sso_groups]"
+  default     = {}
+}

examples/create-sso-group-and-assign-users/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+  }
+}

examples/create-sso-group-and-assign-users/version.tf

@@ -0,0 +1,2 @@
+# Terraform AWS Organizations SSO Groups module
+A Terraform module for creating sso groups and attaching users to the groups within the organisation.

modules/sso_groups/.header.md

@@ -0,0 +1,38 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
+| [aws_identitystore_group_membership.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
+| [aws_identitystore_user.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_ssoadmin_instances.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_sso_groups"></a> [sso\_groups](#input\_sso\_groups) | A map of objects defining AWS SSO groups to be created. Each object contains:<br>  - group\_name: The name of the SSO group.<br>  - group\_description: A description for the SSO group. | <pre>map(object(<br>    {<br>      group_name        = string<br>      group_description = string<br>    }<br>  ))</pre> | n/a | yes |
+| <a name="input_user_groups_mapping"></a> [user\_groups\_mapping](#input\_user\_groups\_mapping) | Mapping of users to their respective sso groups within the Organisation. For example map of `user=[sso_groups]` | `map(list(string))` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_sso_group_ids"></a> [sso\_group\_ids](#output\_sso\_group\_ids) | A map of SSO groups IDs created by this module |

modules/sso_groups/README.md

@@ -0,0 +1,17 @@
+# Fetch existing SSO Instance
+data "aws_ssoadmin_instances" "default" {}
+
+# - Fetch of SSO Users to be used for group membership assignment -
+data "aws_identitystore_user" "default" {
+  for_each = local.users_and_their_groups
+
+  identity_store_id = local.sso_instance_id
+
+  alternate_identifier {
+    # Filter users by user_name (nuzumaki, suchiha, dovis, etc.)
+    unique_attribute {
+      attribute_path  = "UserName"
+      attribute_value = each.value.user_name
+    }
+  }
+}

modules/sso_groups/data.tf

@@ -0,0 +1,19 @@
+# - Users and Groups
+locals {
+  # Create a new local variable by flattening the complex type given in the variable "sso_users"
+  flatten_user_data = flatten([
+    for this_user in keys(var.user_groups_map) : [
+      for group in var.user_groups_map[this_user] : {
+        user_name  = this_user
+        group_name = group
+      }
+    ]
+  ])
+
+  users_and_their_groups = {
+    for s in local.flatten_user_data : format("%s_%s", s.user_name, s.group_name) => s
+  }
+
+  # - Fetch SSO Instance ARN and SSO Instance ID -
+  sso_instance_id = tolist(data.aws_ssoadmin_instances.default.identity_store_ids)[0]
+}