Add user_groups_assignment module

Author: ShivaniBanke

modules/user_groups_assignment/.header.md

@@ -0,0 +1,2 @@
+# Terraform AWS SSO User and Groups Assignment Module
+This Terraform module manages the assignment of AWS SSO groups to users within the organization.

modules/user_groups_assignment/README.md

@@ -0,0 +1,42 @@
+# Terraform AWS SSO User and Groups Assignment Module
+This Terraform module manages the assignment of AWS SSO groups to users within the organization.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.65.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.65.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.5.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_identitystore_group_membership.sso_membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |
+| [aws_identitystore_group.existing_sso_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_identitystore_user.existing_sso_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_ssoadmin_instances.sso_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+| [local_file.sso_user](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"us-east-1"` | no |
+| <a name="input_user_groups_mapping"></a> [user\_groups\_mapping](#input\_user\_groups\_mapping) | Mapping of users to their respective sso groups within the Organisation. For example map of `user@infraspec.dev=[sso_groups]` | `map(list(string))` | `{}` | no |
+
+## Outputs
+
+No outputs.

modules/user_groups_assignment/data.tf

@@ -0,0 +1,33 @@
+# Fetch existing SSO Instance
+data "aws_ssoadmin_instances" "sso_instance" {}
+
+# - Fetch of SSO Users to be used for group membership assignment -
+data "aws_identitystore_user" "existing_sso_user" {
+  for_each = local.users_and_their_groups
+
+  identity_store_id = local.sso_instance_id
+
+  alternate_identifier {
+    # Filter users by user_name (nuzumaki, suchiha, dovis, etc.)
+    unique_attribute {
+      attribute_path  = "UserName"
+      attribute_value = each.value.user_name
+    }
+  }
+}
+
+# - Fetch of SSO Groups to be used for group membership assignment -
+data "aws_identitystore_group" "existing_sso_group" {
+  for_each = local.users_and_their_groups
+
+  identity_store_id = local.sso_instance_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "DisplayName"
+      attribute_value = each.value.group_name
+    }
+  }
+}
+
+

modules/user_groups_assignment/locals.tf

@@ -0,0 +1,20 @@
+# - Users and Groups 
+locals {
+  # Create a new local variable by flattening the complex type given in the variable "sso_users"
+  flatten_user_data = flatten([
+    for this_user in keys(var.user_groups_mapping) : [
+      for group in var.user_groups_mapping[this_user] : {
+        user_name  = this_user
+        group_name = group
+      }
+    ]
+  ])
+
+  users_and_their_groups = {
+    for s in local.flatten_user_data : format("%s_%s", s.user_name, s.group_name) => s
+  }
+
+  # - Fetch SSO Instance ARN and SSO Instance ID -
+  sso_instance_id = tolist(data.aws_ssoadmin_instances.sso_instance.identity_store_ids)[0]
+}
+

modules/user_groups_assignment/main.tf

@@ -0,0 +1,8 @@
+# - Identity Store Group Membership -
+resource "aws_identitystore_group_membership" "sso_membership" {
+  for_each = local.users_and_their_groups
+
+  identity_store_id = local.sso_instance_id
+  group_id          = data.aws_identitystore_group.existing_sso_group[each.key].group_id
+  member_id         = data.aws_identitystore_user.existing_sso_user[each.key].user_id
+}

modules/user_groups_assignment/outputs.tf

@@ -0,0 +1 @@
+

modules/user_groups_assignment/variables.tf

@@ -0,0 +1,15 @@
+variable "user_groups_mapping" {
+  type        = map(list(string))
+  description = "Mapping of users to their respective sso groups within the Organisation. For example map of `user@infraspec.dev=[sso_groups]"
+  default     = {}
+  validation {
+    condition = alltrue([
+      for user, groups in var.user_groups_mapping : (
+        can(regex("^[a-zA-Z0-9+]+@infraspec\\.dev$", user)) &&
+        length(groups) > 0 &&
+        alltrue([for group in groups : can(regex("^[A-Za-z0-9_]+$", group))])
+      )
+    ])
+    error_message = "Each key must be a valid email address with the domain 'infraspec.dev', and each value must be a non-empty list of SSO group names."
+  }
+}

modules/user_groups_assignment/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.5.1"
+    }
+  }
+
+  required_version = ">= 1.4.6"
+}

tests/user_groups_assignment_unit-tests.tftest.hcl

@@ -0,0 +1,56 @@
+#Argument validation for user-group-assignment module
+run "check_for_invalid_user" {
+  module {
+    source = "./modules/user_groups_assignment"
+  }
+
+  variables {
+    user_groups_mapping = {
+      "dummyUser@gmail.com" = [
+        "Group1"
+      ]
+    }
+  }
+
+  command = plan
+
+  expect_failures = [
+    var.user_groups_mapping
+  ]
+}
+
+run "check_for_valid_user_with_no_groups" {
+  module {
+    source = "./modules/user_groups_assignment"
+  }
+
+  variables {
+    user_groups_mapping = {
+      "dummyUser@gmail.com" = []
+    }
+  }
+
+  command = plan
+
+  expect_failures = [
+    var.user_groups_mapping
+  ]
+}
+
+run "check_for_invalid_group" {
+  module {
+    source = "./modules/user_groups_assignment"
+  }
+
+  variables {
+    user_groups_mapping = {
+      "dummyUser@gmail.com" = [""]
+    }
+  }
+
+  command = plan
+
+  expect_failures = [
+    var.user_groups_mapping
+  ]
+}