Merge pull request #23 from chris-qa-org/support-user-assignments

Stretch96 · web-flow · commit 0bfca17d659b · 2022-02-19T11:11:05.000Z
Support user assignments
diff --git a/README.md b/README.md
@@ -29,6 +29,13 @@ module "aws_organizations_and_sso" {
       managed_policies = [
         "AWSReadOnlyAccess"
       ]
+    },
+    "billing" = {
+      description = "Billing Access",
+      relay_state = "https://console.aws.amazon.com/billing/home?#/",
+      managed_policies = [
+        "job-function/Billing"
+      ]
     }
   }
 
@@ -50,6 +57,13 @@ module "aws_organizations_and_sso" {
                 ]
               }
             }
+            user_assignments = {
+              "Alex" = {
+                permission_sets = [
+                  "billing"
+                ]
+              }
+            }
           },
           "existing-account-name" = {
             email = "existing@example.com"
@@ -63,6 +77,13 @@ module "aws_organizations_and_sso" {
                 ]
               }
             }
+            user_assignments = {
+              "Alex" = {
+                permission_sets = [
+                  "billing"
+                ]
+              }
+            }
           }
         }
       }
@@ -155,11 +176,13 @@ module "aws_organizations_and_sso" {
 | [aws_organizations_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource |
 | [aws_organizations_organization.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |
 | [aws_organizations_organizational_unit.unit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource |
-| [aws_ssoadmin_account_assignment.assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [aws_ssoadmin_account_assignment.group_assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
+| [aws_ssoadmin_account_assignment.user_assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |
 | [aws_ssoadmin_managed_policy_attachment.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |
 | [aws_ssoadmin_permission_set.permission_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |
 | [aws_ssoadmin_permission_set_inline_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource |
 | [aws_identitystore_group.aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source |
+| [aws_identitystore_user.aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source |
 | [aws_ssoadmin_instances.ssoadmin_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 
 ## Inputs
diff --git a/sso.tf b/sso.tf
@@ -19,6 +19,25 @@ data "aws_identitystore_group" "aws" {
   }
 }
 
+data "aws_identitystore_user" "aws" {
+  for_each = local.enable_sso ? toset(
+    flatten([
+      for account in flatten([
+        for unit_name, unit in local.organization_config["units"] : [
+          for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : local.organization_config["units"][unit_name]["accounts"][account_name]
+        ]
+      ]) : keys(account["user_assignments"])
+    ])
+  ) : toset([])
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.ssoadmin_instances.identity_store_ids)[0]
+
+  filter {
+    attribute_path  = "UserName"
+    attribute_value = each.key
+  }
+}
+
 resource "aws_ssoadmin_permission_set" "permission_set" {
   for_each = local.enable_sso ? local.sso_permission_sets : {}
 
@@ -58,7 +77,7 @@ resource "aws_ssoadmin_permission_set_inline_policy" "policy" {
   permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.key].arn
 }
 
-resource "aws_ssoadmin_account_assignment" "assignment" {
+resource "aws_ssoadmin_account_assignment" "group_assignment" {
   for_each = local.enable_sso ? {
     for assignment in flatten([
       for unit_name, unit in local.organization_config["units"] : [
@@ -84,3 +103,30 @@ resource "aws_ssoadmin_account_assignment" "assignment" {
   target_id   = aws_organizations_account.account[each.value["account_name"]].id
   target_type = "AWS_ACCOUNT"
 }
+
+resource "aws_ssoadmin_account_assignment" "user_assignment" {
+  for_each = local.enable_sso ? {
+    for assignment in flatten([
+      for unit_name, unit in local.organization_config["units"] : [
+        for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : [
+          for user_name, user_assignments in local.organization_config["units"][unit_name]["accounts"][account_name]["user_assignments"] : {
+            for permission_set in local.organization_config["units"][unit_name]["accounts"][account_name]["user_assignments"][user_name]["permission_sets"] : "${account_name}_${user_name}_${permission_set}" => {
+              account_name   = account_name
+              user_name      = user_name
+              permission_set = permission_set
+            }
+          }
+        ]
+      ]
+    ]) : keys(assignment)[0] => assignment[keys(assignment)[0]]
+  } : {}
+
+  instance_arn       = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].arn
+
+  principal_id   = data.aws_identitystore_user.aws[each.value["user_name"]].user_id
+  principal_type = "USER"
+
+  target_id   = aws_organizations_account.account[each.value["account_name"]].id
+  target_type = "AWS_ACCOUNT"
+}

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,13 @@ module "aws_organizations_and_sso" {`
`29`	`29`	`managed_policies = [`
`30`	`30`	`"AWSReadOnlyAccess"`
`31`	`31`	`]`
	`32`	`+ },`
	`33`	`+ "billing" = {`
	`34`	`+ description = "Billing Access",`
	`35`	`+ relay_state = "https://console.aws.amazon.com/billing/home?#/",`
	`36`	`+ managed_policies = [`
	`37`	`+ "job-function/Billing"`
	`38`	`+ ]`
`32`	`39`	`}`
`33`	`40`	`}`
`34`	`41`
`@@ -50,6 +57,13 @@ module "aws_organizations_and_sso" {`
`50`	`57`	`]`
`51`	`58`	`}`
`52`	`59`	`}`
	`60`	`+ user_assignments = {`
	`61`	`+ "Alex" = {`
	`62`	`+ permission_sets = [`
	`63`	`+ "billing"`
	`64`	`+ ]`
	`65`	`+ }`
	`66`	`+ }`
`53`	`67`	`},`
`54`	`68`	`"existing-account-name" = {`
`55`	`69`	`email = "[email protected]"`
`@@ -63,6 +77,13 @@ module "aws_organizations_and_sso" {`
`63`	`77`	`]`
`64`	`78`	`}`
`65`	`79`	`}`
	`80`	`+ user_assignments = {`
	`81`	`+ "Alex" = {`
	`82`	`+ permission_sets = [`
	`83`	`+ "billing"`
	`84`	`+ ]`
	`85`	`+ }`
	`86`	`+ }`
`66`	`87`	`}`
`67`	`88`	`}`
`68`	`89`	`}`
`@@ -155,11 +176,13 @@ module "aws_organizations_and_sso" {`
`155`	`176`	`\| [aws_organizations_account.account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) \| resource \|`
`156`	`177`	`\| [aws_organizations_organization.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) \| resource \|`
`157`	`178`	`\| [aws_organizations_organizational_unit.unit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) \| resource \|`
`158`		`-\| [aws_ssoadmin_account_assignment.assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) \| resource \|`
	`179`	`+\| [aws_ssoadmin_account_assignment.group_assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) \| resource \|`
	`180`	`+\| [aws_ssoadmin_account_assignment.user_assignment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) \| resource \|`
`159`	`181`	`\| [aws_ssoadmin_managed_policy_attachment.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) \| resource \|`
`160`	`182`	`\| [aws_ssoadmin_permission_set.permission_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) \| resource \|`
`161`	`183`	`\| [aws_ssoadmin_permission_set_inline_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) \| resource \|`
`162`	`184`	`\| [aws_identitystore_group.aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) \| data source \|`
	`185`	`+\| [aws_identitystore_user.aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) \| data source \|`
`163`	`186`	`\| [aws_ssoadmin_instances.ssoadmin_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) \| data source \|`
`164`	`187`
`165`	`188`	`## Inputs`