test: add unit tests

ShivaniBanke · ShivaniBanke · commit cbfe01c56b4f · 2024-07-14T14:10:43.000+05:30
diff --git a/examples/assign-permissions-to-account/locals.tf b/examples/assign-permissions-to-account/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  aws_region = "us-east-1"
+}
diff --git a/examples/assign-permissions-to-account/main.tf b/examples/assign-permissions-to-account/main.tf
@@ -0,0 +1,5 @@
+module "account_perimissions_assignment" {
+  source = "../../modules/account_permissions_assignment"
+
+  account_assignments = var.account_assignments
+}
diff --git a/examples/assign-permissions-to-account/outputs.tf b/examples/assign-permissions-to-account/outputs.tf
diff --git a/examples/assign-permissions-to-account/provider.tf b/examples/assign-permissions-to-account/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = local.aws_region
+}
diff --git a/examples/assign-permissions-to-account/variables.tf b/examples/assign-permissions-to-account/variables.tf
@@ -0,0 +1,32 @@
+variable "account_assignments" {
+  description = <<EOF
+  A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
+  - account_id: The AWS account ID where the permissions will be applied.
+  - permission_sets: List of permission-set to be assigned to the specified principals.
+  - principal_names: An identifier for an object in AWS SSO, such as the names of groups or users .
+   -principal_type: The entity type for which the assignment will be created. Valid values: USER, GROUP.
+    EOF
+  type = list(object({
+    account_id      = string
+    permission_sets = list(string)
+    principal_names = list(string)
+    principal_type  = string
+  }))
+}
+variable "identitystore_group_depends_on" {
+  description = "A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_user_depends_on" {
+  description = "A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_permission_set_depends_on" {
+  description = "A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
diff --git a/examples/assign-permissions-to-account/version.tf b/examples/assign-permissions-to-account/version.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.65.0"
+    }
+  }
+}
diff --git a/modules/account_permissions_assignment/README.md b/modules/account_permissions_assignment/README.md
@@ -1,3 +1,6 @@
+# Terraform AWS Organization Account Permissions Assignment Module
+A Terraform module for associating permissions to AWS accounts.
+
 ## Requirements
 
 | Name | Version |
@@ -10,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.57.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
 
 ## Modules
@@ -24,17 +27,20 @@ No modules.
 | [aws_ssoadmin_account_assignment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [null_resource.sso_group_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.sso_permission_set_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
-| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
-| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
+| [null_resource.sso_user_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_identitystore_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_identitystore_user.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_ssoadmin_instances.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+| [aws_ssoadmin_permission_set.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_id: The AWS account ID where the permissions will be applied.<br>  - permission\_sets: List of permission-set names to be assigned.<br>  - principal\_name: An identifier for an object in AWS SSO, such as the name of an SSO group. | <pre>list(object({<br>    account_id      = string<br>    permission_sets = list(string)<br>    principal_name  = string<br>  }))</pre> | `[]` | no |
-| <a name="input_identitystore_group_depends_on"></a> [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
-| <a name="input_identitystore_permission_set_depends_on"></a> [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_id: The AWS account ID where the permissions will be applied.<br>  - permission\_sets: List of permission-set to be assigned to the specified principals.<br>  - principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .<br>   -principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. | <pre>list(object({<br>    account_id      = string<br>    permission_sets = list(string)<br>    principal_names = list(string)<br>    principal_type  = string<br>  }))</pre> | n/a | yes |
+| <a name="input_identitystore_group_depends_on"></a> [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_identitystore_permission_set_depends_on"></a> [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
+| <a name="input_identitystore_user_depends_on"></a> [identitystore\_user\_depends\_on](#input\_identitystore\_user\_depends\_on) | A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
 
 ## Outputs
 
diff --git a/modules/account_permissions_assignment/data.tf b/modules/account_permissions_assignment/data.tf
@@ -4,7 +4,13 @@ resource "null_resource" "sso_group_dependency" {
   }
 }
 
-data "aws_identitystore_group" "this" {
+resource "null_resource" "sso_user_dependency" {
+  triggers = {
+    dependency_id = join(",", var.identitystore_user_depends_on)
+  }
+}
+
+data "aws_identitystore_group" "default" {
   for_each = local.group_list
 
   identity_store_id = local.identity_store_id
@@ -19,7 +25,22 @@ data "aws_identitystore_group" "this" {
   depends_on = [null_resource.sso_group_dependency]
 }
 
-data "aws_ssoadmin_instances" "this" {
+data "aws_identitystore_user" "default" {
+  for_each = local.user_list
+
+  identity_store_id = local.identity_store_id
+
+  alternate_identifier {
+    unique_attribute {
+      attribute_path  = "UserName"
+      attribute_value = each.key
+    }
+  }
+
+  depends_on = [null_resource.sso_user_dependency]
+}
+
+data "aws_ssoadmin_instances" "default" {
 
 }
 
@@ -29,7 +50,7 @@ resource "null_resource" "sso_permission_set_dependency" {
   }
 }
 
-data "aws_ssoadmin_permission_set" "this" {
+data "aws_ssoadmin_permission_set" "default" {
   for_each = local.permission_set_list
 
   instance_arn = local.sso_instance_arn
diff --git a/modules/account_permissions_assignment/locals.tf b/modules/account_permissions_assignment/locals.tf
@@ -2,26 +2,40 @@
 locals {
   flatten_account_group_permission = flatten([
     for acc_assignment in var.account_assignments : [
-      for ps_name in acc_assignment.permission_sets : {
-        acc_id         = acc_assignment.account_id
-        principal_name = acc_assignment.principal_name
-        ps_name        = ps_name
-      }
+      for ps_name in acc_assignment.permission_sets : [
+        for pr_name in acc_assignment.principal_names : {
+          acc_id         = acc_assignment.account_id
+          principal_name = pr_name
+          ps_name        = ps_name
+          principal_type = acc_assignment.principal_type
+        }
+      ]
     ]
   ])
   assignment_map = {
     for a in local.flatten_account_group_permission :
-    format("%v-%v-%v", a.acc_id, a.principal_name, a.ps_name) => a
+    format("%v-%v-%v-%v", a.acc_id, substr(a.principal_type, 0, 1), a.principal_name, a.ps_name) => a
   }
 
-  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
-  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+  identity_store_id = tolist(data.aws_ssoadmin_instances.default.identity_store_ids)[0]
+  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.default.arns)[0]
 
-  group_list = toset([for mapping in var.account_assignments : mapping.principal_name])
-  all_permission_sets = flatten([for mapping in var.account_assignments : [
-    [for ps_name in mapping.permission_sets : ps_name
+  group_list = toset(flatten([for a in var.account_assignments : [
+    for pr_name in a.principal_names : [
+    pr_name] if a.principal_type == "GROUP"
     ]
+  ]))
+
+  user_list = toset(flatten([for a in var.account_assignments : [
+    for pr_name in a.principal_names : [
+    pr_name] if a.principal_type == "USER"
     ]
-  ])
-  permission_set_list = toset(local.all_permission_sets)
+  ]))
+
+  permission_set_list = toset(flatten([for a in var.account_assignments : [
+    [for ps_name in a.permission_sets : ps_name
+    ]
+    ]
+  ]))
+  # permission_set_list = toset(local.all_permission_sets)
 }
diff --git a/modules/account_permissions_assignment/main.tf b/modules/account_permissions_assignment/main.tf
@@ -1,15 +1,14 @@
 locals {
-  target_type    = "AWS_ACCOUNT"
-  principal_type = "GROUP"
+  target_type = "AWS_ACCOUNT"
 }
 
 resource "aws_ssoadmin_account_assignment" "this" {
   for_each = local.assignment_map
 
   instance_arn       = local.sso_instance_arn
-  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.ps_name].arn
-  principal_id       = data.aws_identitystore_group.this[each.value.principal_name].group_id
-  principal_type     = local.principal_type
+  permission_set_arn = data.aws_ssoadmin_permission_set.default[each.value.ps_name].arn
+  principal_id       = each.value.principal_type == "GROUP" ? data.aws_identitystore_group.default[each.value.principal_name].group_id : data.aws_identitystore_user.default[each.value.principal_name].user_id
+  principal_type     = each.value.principal_type
   target_id          = each.value.acc_id
   target_type        = local.target_type
 }
diff --git a/modules/account_permissions_assignment/provider.tf b/modules/account_permissions_assignment/provider.tf
diff --git a/modules/account_permissions_assignment/variables.tf b/modules/account_permissions_assignment/variables.tf
@@ -2,35 +2,50 @@ variable "account_assignments" {
   description = <<EOF
   A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
   - account_id: The AWS account ID where the permissions will be applied.
-  - permission_sets: List of permission-set names to be assigned.
-  - principal_name: An identifier for an object in AWS SSO, such as the name of an SSO group.
+  - permission_sets: List of permission-set to be assigned to the specified principals.
+  - principal_names: An identifier for an object in AWS SSO, such as the names of groups or users .
+   -principal_type:The entity type for which the assignment will be created. Valid values: USER, GROUP.
     EOF
   type = list(object({
     account_id      = string
     permission_sets = list(string)
-    principal_name  = string
+    principal_names = list(string)
+    principal_type  = string
   }))
-  default = []
 
   validation {
     condition     = alltrue([for a in var.account_assignments : can(regex("^\\d{12}$", a.account_id))])
-    error_message = "Principal type should be 'GROUP' only"
+    error_message = "Each account_id must be a valid 12-digit number."
   }
   validation {
     condition     = alltrue([for a in var.account_assignments : length(a.permission_sets) > 0])
     error_message = "Permission sets cannot be empty."
   }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : length(a.principal_names) > 0])
+    error_message = "Principal names cannot be empty."
+  }
+  validation {
+    condition     = alltrue([for a in var.account_assignments : contains(["USER", "GROUP"], a.principal_type)])
+    error_message = "Principal type must be either 'USER' or 'GROUP'."
+  }
 
 }
 
 variable "identitystore_group_depends_on" {
-  description = "A list of parameters to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  description = "A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  type        = list(string)
+  default     = []
+}
+
+variable "identitystore_user_depends_on" {
+  description = "A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
   type        = list(string)
   default     = []
 }
 
 variable "identitystore_permission_set_depends_on" {
-  description = "A list of parameters to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
+  description = "A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends_on as that will unnecessarily create the module resources"
   type        = list(string)
   default     = []
 }
diff --git a/tests/account_permission_assignment_unit-tests.tftest.hcl b/tests/account_permission_assignment_unit-tests.tftest.hcl
@@ -3,7 +3,8 @@ run "validate_account_id_for_non_digits_value" {
     account_assignments = [{
       account_id      = "dummyId"
       permission_sets = [""]
-      principal_name  = ""
+      principal_names = [""]
+      principal_type  = "GROUP"
       }
     ]
   }
@@ -21,7 +22,8 @@ run "validate_account_id_digits" {
     account_assignments = [{
       account_id      = "dummyId"
       permission_sets = [""]
-      principal_name  = ""
+      principal_names = [""]
+      principal_type  = "GROUP"
       }
     ]
   }
@@ -39,7 +41,8 @@ run "validate_empty_permission_sets_list" {
     account_assignments = [{
       account_id      = "123456789012"
       permission_sets = []
-      principal_name  = ""
+      principal_names = [""]
+      principal_type  = "GROUP"
       }
     ]
   }
@@ -51,3 +54,41 @@ run "validate_empty_permission_sets_list" {
     var.account_assignments.this[0].permission_sets
   ]
 }
+
+run "validate_empty_principal_list" {
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = [""]
+      principal_names = []
+      principal_type  = "GROUP"
+      }
+    ]
+  }
+  module {
+    source = "./modules/account_permissions_assignment"
+  }
+  command = plan
+  expect_failures = [
+    var.account_assignments.this[0].principal_names
+  ]
+}
+
+run "validate_principal_type" {
+  variables {
+    account_assignments = [{
+      account_id      = "123456789012"
+      permission_sets = [""]
+      principal_names = [""]
+      principal_type  = ""
+      }
+    ]
+  }
+  module {
+    source = "./modules/account_permissions_assignment"
+  }
+  command = plan
+  expect_failures = [
+    var.account_assignments.this[0].principal_type
+  ]
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ aws_region = "us-east-1"`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+provider "aws" {`
	`2`	`+ region = local.aws_region`
	`3`	`+}`