From e62cc5595ae3c6d1f2dcd98a2258ab4b98551d4c Mon Sep 17 00:00:00 2001 From: hacker65536 Date: Thu, 6 Jun 2024 11:08:15 +0900 Subject: [PATCH] fix --- locals.tf | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/locals.tf b/locals.tf index 877eb74..5176604 100644 --- a/locals.tf +++ b/locals.tf @@ -134,6 +134,7 @@ locals { for s in local.flatten_account_assignment_data : format("Type:%s__Principal:%s__Permission:%s__Account:%s", s.principal_type, s.principal_name, s.permission_set, s.account_id) => s } + # List of permission sets, groups, and users that defined in this module this_permission_sets = keys(var.permission_sets) this_groups = [ for group in var.sso_groups : group.group_name 
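Review bot: The added comment `# List of permission sets, groups, and users that defined in this module` is missing a verb and does not say what these lists are used for; `# Names of the permission sets, groups and users created by this module; the existing_* locals below are derived by exclusion from these lists` would read correctly and make the relationship explicit. Because the exclusion later in the file is by name only (`!contains(local.this_permission_sets, ...)`), a misspelled name in the module inputs is silently classified as an existing resource rather than reported, which is worth stating next to these lists so reviewers know the distinction is not validated here. The enclosing `locals` block opens before this hunk.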
@@ -142,27 +143,15 @@ locals { for user in var.sso_users : user.user_name ] - // Permission sets created from other than this module. + # For reference to resources that already exist in AWS existing_permission_sets = distinct([ for pset in local.principals_and_their_account_assignments : pset.permission_set if !contains(local.this_permission_sets, pset.permission_set) ]) - existing_sso_users = distinct([ - //for user_gourp in local.users_and_their_groups : user_gourp.user_name if !contains(local.this_users, user_group.user_name) for k, v in local.users_and_their_groups : v.user_name if !contains(local.this_users, v.user_name) ]) existing_sso_groups = distinct([ for k, v in local.users_and_their_groups : v.group_name if !contains(local.this_groups, v.group_name) ]) - # iterates over account_assignents, sets that to be assignment.principal_name ONLY if the assignment.principal_type - #is GROUP. Essentially stores all the possible 'assignments' (account assignments) that would be attached to a user group - - # same thing, for sso_users but for USERs not GROUPs - - # 'account_assignments_for_groups' is effectively a list of principal names where the account type is GROUP - account_assignments_for_groups = [for assignment in var.account_assignments : assignment.principal_name if(assignment.principal_type == "GROUP" && !contains(local.this_groups, assignment.principal_name))] - - # 'account_assignments_for_users' is effectively a list of principal names where the account type is USER - account_assignments_for_users = [for assignment in var.account_assignments : assignment.principal_name if assignment.principal_type == "USER" && !contains(local.this_users, assignment.principal_name)] }
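Review bot: Deleting `account_assignments_for_groups` and `account_assignments_for_users` leaves `existing_sso_users` and `existing_sso_groups` derived solely from `local.users_and_their_groups`, so a USER or GROUP principal that appears only in `var.account_assignments` and not in any group membership is no longer collected anywhere in this file; the diffstat shows only locals.tf changed, so confirm there are no remaining `local.account_assignments_for_*` references and that such principals are still resolved wherever the existing_* locals are consumed. The new comment `# For reference to resources that already exist in AWS` is vague about what the lists contain; `# Permission sets, users and groups referenced by assignments or memberships but not created by this module — they must already exist in IAM Identity Center` states the exclusion rule the code below implements. Since membership in these lists is decided purely by name, a typo in a principal or permission-set name turns a "create" into a lookup of whatever pre-existing resource happens to match, which a short comment here should warn about. The enclosing `locals` block opens before this hunk.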