From f229bbfd6fbe1fef6368e2f71ae6876e2656a999 Mon Sep 17 00:00:00 2001
From: hacker65536
Date: Wed, 22 May 2024 14:47:22 +0900
Subject: [PATCH] fix
---
 data.tf | 2 +-
 locals.tf | 8 ++++++++
 main.tf | 5 +++--
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/data.tf b/data.tf
index d905e5a..a460f7c 100644
--- a/data.tf
+++ b/data.tf
@@ -115,7 +115,7 @@ data "aws_ssoadmin_permission_set" "existing_permission_sets" {
 instance_arn = local.ssoadmin_instance_arn
 name = each.value // Prevents failure if data fetch is attempted before Permission Sets are created
- depends_on = [aws_ssoadmin_permission_set.pset]
+ //depends_on = [aws_ssoadmin_permission_set.pset]
 }
diff --git a/locals.tf b/locals.tf
index d046ae7..c5242df 100644
--- a/locals.tf
+++ b/locals.tf
@@ -139,6 +139,14 @@ locals {
 for pset in local.principals_and_their_account_assignments : pset.permission_set
 ])
+ this_permission_sets = keys(var.permission_sets)
+ this_groups = [
+ for group in var.sso_groups : group.group_name
+ ]
+ this_users = [
+ for user in var.sso_users : user.user_name
+ ]
+ # iterates over account_assignents, sets that to be assignment.principal_name ONLY if the assignment.principal_type
 #is GROUP. Essentially stores all the possible 'assignments' (account assignments) that would be attached to a user group
diff --git a/main.tf b/main.tf
index 9b985c0..d706ef2 100644
--- a/main.tf
+++ b/main.tf
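Review bot: In the data.tf hunk the `depends_on` on `existing_permission_sets` is commented out, but the comment directly above it (`// Prevents failure if data fetch is attempted before Permission Sets are created`) stays, so the block now documents an ordering guard that no longer exists and leaves a dead line that the next reader is likely to re-enable. Delete both lines, or replace them with a note that states the new reasoning, e.g. `// No depends_on: names declared in var.permission_sets are resolved from aws_ssoadmin_permission_set.pset in main.tf, so this lookup only has to succeed for pre-existing sets`. Whether the read still succeeds on a first apply depends on this data source's for_each, which is outside the hunk: if it still iterates over every permission set name including the ones this module creates, the lookup now runs at plan time and would fail for a set that does not exist yet. The data block starts outside the hunk.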
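Review bot: The three new locals `this_permission_sets`, `this_groups` and `this_users` in the locals.tf hunk carry no comment, while the neighbouring entries in this block are introduced with a `#` comment saying what they hold and who consumes them. A line above `this_permission_sets` such as `# Names of the permission sets, groups and users this module creates itself (from var.permission_sets, var.sso_groups, var.sso_users); main.tf uses them to pick the managed resource over the data-source lookup` would give the reader the intent. Because main.tf compares these values with `each.value.permission_set` and `each.value.principal_name` and then indexes `aws_ssoadmin_permission_set.pset`, `aws_identitystore_group.sso_groups` and `aws_identitystore_user.sso_users` with the same strings, the comment should also record that the lists must use exactly those resources' for_each keys — that correspondence is assumed here and cannot be confirmed from this hunk. The enclosing `locals` block starts and ends outside the hunk.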
@@ -225,9 +225,10 @@ resource "aws_ssoadmin_account_assignment" "account_assignment" {
 for_each = local.principals_and_their_account_assignments // for_each arguement must be a map, or set of strings. Tuples won't work
 instance_arn = local.ssoadmin_instance_arn
- permission_set_arn = data.aws_ssoadmin_permission_set.existing_permission_sets[each.value.permission_set].arn
+ permission_set_arn = contains(local.this_permission_sets, each.value.permission_set) ? aws_ssoadmin_permission_set.pset[each.value.permission_set].arn : data.aws_ssoadmin_permission_set.existing_permission_sets[each.value.permission_set].arn
- principal_id = each.value.principal_type == "GROUP" ? (can(aws_identitystore_group.sso_groups[each.value.principal_name].group_id) ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : data.aws_identitystore_group.identity_store_group[each.value.principal_name].id) : (can(aws_identitystore_user.sso_users[each.value.principal_name].user_id) ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : data.aws_identitystore_user.identity_store_user[each.value.principal_name].id)
+
+ principal_id = each.value.principal_type == "GROUP" ? (contains(local.this_groups, each.value.principal_name) ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : data.aws_identitystore_group.identity_store_group[each.value.principal_name].id) : (contains(local.this_users, each.value.principal_name) ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : data.aws_identitystore_user.identity_store_user[each.value.principal_name].id)
 principal_type = each.value.principal_type
 target_id = each.value.account_id
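Review bot: The new `principal_id` expression resolves identity-store principals purely from `contains(local.this_groups, …)` / `contains(local.this_users, …)`, so if `aws_identitystore_group.sso_groups` or `aws_identitystore_user.sso_users` is keyed by something other than `group_name` / `user_name`, `contains()` is true while the index expression fails, and unlike the removed `can()` probe there is no fallback to the data source; the resources' for_each is outside this hunk, so this is worth confirming before merge. Since this is the line that decides which principal receives an account assignment, I would also move the three lookups into locals (for example `local.resolved_permission_set_arns`, `local.resolved_group_ids`, `local.resolved_user_ids`) and have the resource reference them, which turns the single-line nested ternaries into something reviewable. The extra blank `+` line inserted between `permission_set_arn` and `principal_id` separates two arguments that belong together and can be dropped. The resource body continues outside the hunk.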