fix

aws-ia · May 22, 2024 · f229bbf · f229bbf
1 parent 2f36282
commit f229bbf
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/data.tf b/data.tf
@@ -115,7 +115,7 @@ data "aws_ssoadmin_permission_set" "existing_permission_sets" {
   instance_arn = local.ssoadmin_instance_arn
   name         = each.value
   // Prevents failure if data fetch is attempted before Permission Sets are created
-  depends_on = [aws_ssoadmin_permission_set.pset]
+  //depends_on = [aws_ssoadmin_permission_set.pset]
 }
 
 

diff --git a/locals.tf b/locals.tf
@@ -139,6 +139,14 @@ locals {
     for pset in local.principals_and_their_account_assignments : pset.permission_set
   ])
 
+  this_permission_sets = keys(var.permission_sets)
+  this_groups = [
+    for group in var.sso_groups : group.group_name
+  ]
+  this_users = [
+    for user in var.sso_users : user.user_name
+  ]
+
 
   # iterates over account_assignents, sets that to be assignment.principal_name ONLY if the assignment.principal_type
   #is GROUP. Essentially stores all the possible 'assignments' (account assignments) that would be attached to a user group

diff --git a/main.tf b/main.tf
@@ -225,9 +225,10 @@ resource "aws_ssoadmin_account_assignment" "account_assignment" {
   for_each = local.principals_and_their_account_assignments // for_each arguement must be a map, or set of strings. Tuples won't work
 
   instance_arn       = local.ssoadmin_instance_arn
-  permission_set_arn = data.aws_ssoadmin_permission_set.existing_permission_sets[each.value.permission_set].arn
+  permission_set_arn = contains(local.this_permission_sets, each.value.permission_set) ? aws_ssoadmin_permission_set.pset[each.value.permission_set].arn : data.aws_ssoadmin_permission_set.existing_permission_sets[each.value.permission_set].arn
 
-  principal_id   = each.value.principal_type == "GROUP" ? (can(aws_identitystore_group.sso_groups[each.value.principal_name].group_id) ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : data.aws_identitystore_group.identity_store_group[each.value.principal_name].id) : (can(aws_identitystore_user.sso_users[each.value.principal_name].user_id) ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : data.aws_identitystore_user.identity_store_user[each.value.principal_name].id)
+
+  principal_id   = each.value.principal_type == "GROUP" ? (contains(local.this_groups, each.value.principal_name) ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : data.aws_identitystore_group.identity_store_group[each.value.principal_name].id) : (contains(local.this_users, each.value.principal_name) ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : data.aws_identitystore_user.identity_store_user[each.value.principal_name].id)
   principal_type = each.value.principal_type
 
   target_id   = each.value.account_id