Merge pull request #21 from infraspecdev/refactor/account-id-assignment

chore: Update account id assignment using data source

Author: Mufaddal5253110

modules/account_users_and_groups_assignments/README.md

@@ -31,14 +31,15 @@ No modules.
 | [null_resource.sso_user_dependency](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_identitystore_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
 | [aws_identitystore_user.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
+| [aws_organizations_organization.o](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_ssoadmin_instances.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 | [aws_ssoadmin_permission_set.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_id: The AWS account ID where the permissions will be applied.<br>  - permission\_sets: List of permission-set to be assigned to the specified principals.<br>  - principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .<br>  - principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. | <pre>list(object({<br>    account_id      = string<br>    permission_sets = list(string)<br>    principal_names = list(string)<br>    principal_type  = string<br>  }))</pre> | n/a | yes |
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:<br>  - account\_name: The AWS account where the permissions will be applied.<br>  - permission\_sets: List of permission-set to be assigned to the specified principals.<br>  - principal\_names: An identifier for an object in AWS SSO, such as the names of groups or users .<br>  - principal\_type:The entity type for which the assignment will be created. Valid values: USER, GROUP. | <pre>list(object({<br>    account_name    = string<br>    permission_sets = list(string)<br>    principal_names = list(string)<br>    principal_type  = string<br>  }))</pre> | n/a | yes |
 | <a name="input_identitystore_group_depends_on"></a> [identitystore\_group\_depends\_on](#input\_identitystore\_group\_depends\_on) | A list of parameters (For example group IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
 | <a name="input_identitystore_permission_set_depends_on"></a> [identitystore\_permission\_set\_depends\_on](#input\_identitystore\_permission\_set\_depends\_on) | A list of parameters (For example permission set ARNs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |
 | <a name="input_identitystore_user_depends_on"></a> [identitystore\_user\_depends\_on](#input\_identitystore\_user\_depends\_on) | A list of parameters (For example user IDs)to use for data resources to depend on. This is to avoid module depends\_on as that will unnecessarily create the module resources | `list(string)` | `[]` | no |

modules/account_users_and_groups_assignments/data.tf

@@ -1,3 +1,5 @@
+data "aws_organizations_organization" "o" {}
+
 resource "null_resource" "sso_group_dependency" {
   triggers = {
     dependency_id = join(",", var.identitystore_group_depends_on)

modules/account_users_and_groups_assignments/locals.tf

@@ -1,11 +1,16 @@
 
 locals {
+
+  account_map = {
+    for account in data.aws_organizations_organization.o.accounts : account.name => account.id
+  }
+
   target_type = "AWS_ACCOUNT"
   flatten_account_group_permission = flatten([
     for acc_assignment in var.account_assignments : [
       for ps_name in acc_assignment.permission_sets : [
         for pr_name in acc_assignment.principal_names : {
-          acc_id         = acc_assignment.account_id
+          acc_id         = account_map[acc_assignment.account_name]
           principal_name = pr_name
           ps_name        = ps_name
           principal_type = acc_assignment.principal_type

modules/account_users_and_groups_assignments/variables.tf

@@ -1,21 +1,21 @@
 variable "account_assignments" {
   description = <<EOF
   A list of objects representing permission assignments for AWS SSO. Each object contains the following attributes:
-  - account_id: The AWS account ID where the permissions will be applied.
+  - account_name: The AWS account where the permissions will be applied.
   - permission_sets: List of permission-set to be assigned to the specified principals.
   - principal_names: An identifier for an object in AWS SSO, such as the names of groups or users .
   - principal_type:The entity type for which the assignment will be created. Valid values: USER, GROUP.
     EOF
   type = list(object({
-    account_id      = string
+    account_name    = string
     permission_sets = list(string)
     principal_names = list(string)
     principal_type  = string
   }))
 
   validation {
-    condition     = alltrue([for a in var.account_assignments : can(regex("^\\d{12}$", a.account_id))])
-    error_message = "Each account_id must be a valid 12-digit number."
+    condition     = alltrue([for a in var.account_assignments : length(a.account_name) > 0])
+    error_message = "Account name cannot be empty"
   }
   validation {
     condition     = alltrue([for a in var.account_assignments : length(a.permission_sets) > 0])