Can I add an existing user to a new group with new permissions_sets and new account_assignments on AWS.

[leonkatz]

sso_groups = {
test : {
group_name = "test"
group_description = "test group"
}
test-leads : {
group_name = "test-leads"
group_description = "test group"
}
test-limited : {
group_name = "test-limited"
group_description = "test group"
}
}
existing_permission_sets = {
AdministratorAccess = {
permission_set_name = "AdministratorAccess"
},
ReadOnlyAccess = {
permission_set_name = "ReadOnlyAccess"

},

}
existing_sso_users = {
TesterDev : {
user_name = "TesterTesterDev"
group_membership = ["test-limited"]
}
}

sso_users = {
terraform : {
group_membership = ["test", "test-leads"]
user_name = "terraform"
given_name = "Terraform"
family_name = "test"
email = "[email protected]
}
}

account_assignments = {
test = {
principal_name = "test"
principal_type = "GROUP"
principal_idp = "INTERNAL"
permission_sets = ["AdministratorAccess", "ReadOnlyAccess"]
account_ids = [
"111111111111",
]
}
TesterDev = {
principal_name = "TesterDev"
principal_type = "USER"
principal_idp = "EXTERNAL"
permission_sets = ["ReadOnlyAccess"]
account_ids = [
"111111111111",

  ]
}

}

[novekm]

Hi @leonkatz, can you explain the use-case a bit more? What are you using for as your Identity Provider? IAM Identity Store?

[leonkatz]

Yes IAM Identity Store, it was all manually managed. Now I'm trying to bring it all into Terraform. I have a bunch of existing users. But will create new groups, new permission sets, and new account assignments. This is so the old ones aren't changed yet. But I need to get existing users into the new groups so that they now have the new permissions.

[act-mreeves]

This is similar to what I am trying to do. I would like to manage group membership of existing users using the existing_sso_users attribute.

Create new groups with:

  sso_groups = {
    # Leaving open the concept of having "level 1" job titles
    Developer1 : {
      group_name        = "Dev1"
      group_description = "Developer 1"
    }
    Devops1 : {
      group_name        = "Devops1"
      group_description = "Devops 1"
    },
  }

Now use these new groups with existing users:

  existing_sso_users = {
    bfranklin : {
      user_name : "[email protected]",
      group_membership : ["Dev1"]
    }
    jdoe : {
      user_name : "[email protected]",
      group_membership : ["Devops1"]
    }
   }

I want to manage the user to group mapping in this way but it doesn't seem to work so I had to use this method instead:

data "aws_ssoadmin_instances" "my_sso" {}

data "aws_identitystore_user" "bfranklin" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.my_sso.identity_store_ids)[0]
  alternate_identifier {
    unique_attribute {
      attribute_path  = "bfranklin"
      attribute_value = "[email protected]"
    }
  }
}

resource "aws_identitystore_group_membership" "devops1_bfranklin" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.my_sso.identity_store_ids)[0]
  group_id          = module.identity_center_shared.sso_groups_ids["Devops1"]
  member_id         = data.aws_identitystore_user.bfranklin.user_id
}

[novekm]

Hi all, sorry for the delay. You should be able to use the module that way, however this has not been extensively tested. You'll need to ensure you match the existing user names exactly as they appear in your AWS Account, since a data source is used to fetch the users by user name (you can see this here).

existing_sso_users was initially meant for users that were synced via SCIM to IAM IdC (such as from Okta, Entra ID/Azure AD, etc.) instead of users that were created manually. If the users were created manually, it would be preferable to import those users into state management and use the module from there.

@act-mreeves what is the error you received when trying to add existing (manually created) users to new groups in that way? Was it on the group assignment, or when trying to add permission sets to the groups?