aws-ia · novekm · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024
diff --git a/.header.md b/.header.md
@@ -143,17 +143,19 @@ module "aws-iam-identity-center" {
   // Assign users/groups access to accounts with the specified permissions
   account_assignments = {
     Admin : {
-      principal_name  = "Admin"                                   // name of the user or group you wish to have access to the account(s)
-      principal_type  = "GROUP"                                   // entity type (user or group) you wish to have access to the account(s)
-      permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] // permissions the user/group will have in the account(s)
-      account_ids = [                                             // account(s) the group will have access to. Permissions they will have in account are above line
+      principal_name  = "Admin"                                   # name of the user or group you wish to have access to the account(s)
+      principal_type  = "GROUP"                                   # principal type (user or group) you wish to have access to the account(s)
+      principal_idp   = "INTERNAL"                                # type of Identity Provider you are using. Valid values are "INTERNAL" (using Identity Store) or "EXTERNAL" (using external IdP such as EntraID, Okta, Google, etc.)
+      permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] # permissions the user/group will have in the account(s)
+      account_ids = [                                             # account(s) the group will have access to. Permissions they will have in account are above line
       "111111111111", // replace with your desired account id
       "222222222222", // replace with your desired account id
       ]
     },
     Audit : {
       principal_name  = "Audit"
       principal_type  = "GROUP"
+      principal_idp   = "INTERNAL"
       permission_sets = ["ViewOnlyAccess"]
       account_ids = [
       "111111111111",

diff --git a/README.md b/README.md
@@ -144,17 +144,19 @@ module "aws-iam-identity-center" {
   // Assign users/groups access to accounts with the specified permissions
   account_assignments = {
     Admin : {
-      principal_name  = "Admin"                                   // name of the user or group you wish to have access to the account(s)
-      principal_type  = "GROUP"                                   // entity type (user or group) you wish to have access to the account(s)
-      permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] // permissions the user/group will have in the account(s)
-      account_ids = [                                             // account(s) the group will have access to. Permissions they will have in account are above line
+      principal_name  = "Admin"                                   # name of the user or group you wish to have access to the account(s)
+      principal_type  = "GROUP"                                   # principal type (user or group) you wish to have access to the account(s)
+      principal_idp   = "INTERNAL"                                # type of Identity Provider you are using. Valid values are "INTERNAL" (using Identity Store) or "EXTERNAL" (using external IdP such as EntraID, Okta, Google, etc.)
+      permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] # permissions the user/group will have in the account(s)
+      account_ids = [                                             # account(s) the group will have access to. Permissions they will have in account are above line
       "111111111111", // replace with your desired account id
       "222222222222", // replace with your desired account id
       ]
     },
     Audit : {
       principal_name  = "Audit"
       principal_type  = "GROUP"
+      principal_idp   = "INTERNAL"
       permission_sets = ["ViewOnlyAccess"]
       account_ids = [
       "111111111111",
@@ -212,10 +214,13 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | List of maps containing mapping between user/group, permission set and assigned accounts list. See account\_assignments description in README for more information about map values. | `map(any)` | `{}` | no |
-| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Map of maps containing Permission Set names as keys. See permission\_sets description in README for information about map values. | `any` | <pre>{<br>  "AdministratorAccess": {<br>    "description": "Provides full access to AWS services and resources.",<br>    "managed_policies": [<br>      "arn:aws:iam::aws:policy/AdministratorAccess"<br>    ],<br>    "session_duration": "PT2H"<br>  }<br>}</pre> | no |
-| <a name="input_sso_groups"></a> [sso\_groups](#input\_sso\_groups) | Names of the groups you wish to create in IAM Identity Center | `map(any)` | `{}` | no |
-| <a name="input_sso_users"></a> [sso\_users](#input\_sso\_users) | Names of the users you wish to create in IAM Identity Center | `map(any)` | `{}` | no |
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | List of maps containing mapping between user/group, permission set and assigned accounts list. See account\_assignments description in README for more information about map values. | <pre>map(object({<br>    principal_name  = string<br>    principal_type  = string<br>    principal_idp   = string # acceptable values are either "INTERNAL" or "EXTERNAL"<br>    permission_sets = list(string)<br>    account_ids     = list(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_existing_permission_sets"></a> [existing\_permission\_sets](#input\_existing\_permission\_sets) | Names of the existing permission\_sets that you wish to reference from IAM Identity Center. | <pre>map(object({<br>    permission_set_name = string<br>  }))</pre> | `{}` | no |
+| <a name="input_existing_sso_groups"></a> [existing\_sso\_groups](#input\_existing\_sso\_groups) | Names of the existing groups that you wish to reference from IAM Identity Center. | <pre>map(object({<br>    group_name = string<br>  }))</pre> | `{}` | no |
+| <a name="input_existing_sso_users"></a> [existing\_sso\_users](#input\_existing\_sso\_users) | Names of the existing users that you wish to reference from IAM Identity Center. | <pre>map(object({<br>    user_name        = string<br>    group_membership = optional(list(string), null) // only used if your IdP only syncs users, and you wish to manage which groups they should go in<br>  }))</pre> | `{}` | no |
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | Permission Sets that you wish to create in IAM Identity Center. This variable is a map of maps containing Permission Set names as keys. See permission\_sets description in README for information about map values. | `any` | `{}` | no |
+| <a name="input_sso_groups"></a> [sso\_groups](#input\_sso\_groups) | Names of the groups you wish to create in IAM Identity Center. | <pre>map(object({<br>    group_name        = string<br>    group_description = optional(string, null)<br>  }))</pre> | `{}` | no |
+| <a name="input_sso_users"></a> [sso\_users](#input\_sso\_users) | Names of the users you wish to create in IAM Identity Center. | <pre>map(object({<br>    display_name     = optional(string)<br>    user_name        = string<br>    group_membership = list(string)<br>    # Name<br>    given_name       = string<br>    middle_name      = optional(string, null)<br>    family_name      = string<br>    name_formatted   = optional(string)<br>    honorific_prefix = optional(string, null)<br>    honorific_suffix = optional(string, null)<br>    # Email<br>    email            = string<br>    email_type       = optional(string, null)<br>    is_primary_email = optional(bool, true)<br>    # Phone Number<br>    phone_number            = optional(string, null)<br>    phone_number_type       = optional(string, null)<br>    is_primary_phone_number = optional(bool, true)<br>    # Address<br>    country            = optional(string, " ")<br>    locality           = optional(string, " ")<br>    address_formatted  = optional(string)<br>    postal_code        = optional(string, " ")<br>    is_primary_address = optional(bool, true)<br>    region             = optional(string, " ")<br>    street_address     = optional(string, " ")<br>    address_type       = optional(string, null)<br>    # Additional<br>    user_type          = optional(string, null)<br>    title              = optional(string, null)<br>    locale             = optional(string, null)<br>    nickname           = optional(string, null)<br>    preferred_language = optional(string, null)<br>    profile_url        = optional(string, null)<br>    timezone           = optional(string, null)<br>  }))</pre> | `{}` | no |
 
 ## Outputs
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.0.3
+v0.0.4
diff --git a/data.tf b/data.tf
@@ -25,36 +25,36 @@ data "aws_organizations_organization" "organization" {}
 
 # - Fetch of SSO Groups (externally defined) to be used for group membership assignment -
 data "aws_identitystore_group" "existing_sso_groups" {
-  for_each          = toset(local.existing_sso_groups)
+  for_each          = var.existing_sso_groups
   identity_store_id = local.sso_instance_id
   alternate_identifier {
     unique_attribute {
       attribute_path  = "DisplayName"
-      attribute_value = each.value
+      attribute_value = each.value.group_name
     }
   }
 }
 
 
 # - Fetch of SSO Users (externally defined) to be used for group membership assignment -
 data "aws_identitystore_user" "existing_sso_users" {
-  for_each          = toset(local.existing_sso_users)
+  for_each          = var.existing_sso_users
   identity_store_id = local.sso_instance_id
 
   alternate_identifier {
     # Filter users by user_name (nuzumaki, suchiha, dovis, etc.)
     unique_attribute {
       attribute_path  = "UserName"
-      attribute_value = each.value
+      attribute_value = each.value.user_name
     }
   }
 }
 
 # - Fetch of Permissions sets (externally defined) to be used for account assignment -
 data "aws_ssoadmin_permission_set" "existing_permission_sets" {
-  for_each     = toset(local.existing_permission_sets)
+  for_each     = var.existing_permission_sets
   instance_arn = local.ssoadmin_instance_arn
-  name         = each.value
+  name         = each.value.permission_set_name
 }
 
 
@@ -87,4 +87,3 @@ data "aws_ssoadmin_permission_set" "existing_permission_sets" {
 
 
 
-
diff --git a/examples/create-users-and-groups/main.tf b/examples/create-users-and-groups/main.tf
@@ -25,7 +25,7 @@ module "aws-iam-identity-center" {
   // Create desired USERS in IAM Identity Center
   sso_users = {
     nuzumaki : {
-      group_membership = ["Admin", "Dev", "QA", "Audit"]
+      group_membership = ["Admin", "Dev", "QA", "Audit", ]
       user_name        = "nuzumaki"
       given_name       = "Naruto"
       family_name      = "Uzumaki"
@@ -59,8 +59,9 @@ module "aws-iam-identity-center" {
   // Assign users/groups access to accounts with the specified permissions
   account_assignments = {
     Admin : {
-      principal_name  = "Admin"                                   // name of the user or group you wish to have access to the account(s)
-      principal_type  = "GROUP"                                   // entity type (user or group) you wish to have access to the account(s). Valid values are "USER" or "GROUP"
+      principal_name  = "Admin"                                   # name of the user or group you wish to have access to the account(s)
+      principal_type  = "GROUP"                                   # entity type (user or group) you wish to have access to the account(s). Valid values are "USER" or "GROUP"
+      principal_idp   = "INTERNAL"                                # type of Identity Provider you are using. Valid values are "INTERNAL" (using Identity Store) or "EXTERNAL" (using external IdP such as EntraID, Okta, Google, etc.)
       permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] // permissions the user/group will have in the account(s)
       account_ids = [                                             // account(s) the group will have access to. Permissions they will have in account are above line
         local.account1_account_id,
@@ -72,6 +73,7 @@ module "aws-iam-identity-center" {
     Audit : {
       principal_name  = "Audit"
       principal_type  = "GROUP"
+      principal_idp   = "INTERNAL" # type of Identity Provider you are using. Valid values are "INTERNAL" (using Identity Store) or "EXTERNAL" (using external IdP such as EntraID, Okta, Google, etc.)
       permission_sets = ["ViewOnlyAccess"]
       account_ids = [
         local.account1_account_id,

diff --git a/examples/existing-users-and-groups/README.md b/examples/existing-users-and-groups/README.md
@@ -46,7 +46,9 @@ No requirements.
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 ## Modules
 
@@ -56,7 +58,9 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_ssm_parameter.account1_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 

diff --git a/examples/existing-users-and-groups/locals.tf b/examples/existing-users-and-groups/locals.tf
@@ -1,8 +1,14 @@
+# Fetch Account Id from SSM Parameter Store
+data "aws_ssm_parameter" "account1_account_id" {
+  name = "tf-aws-iam-idc-module-testing-account1-account-id" // replace with your SSM Parameter Key
+}
+
 locals {
   # Account IDs
-  account1_account_id = "111111111111"
-  account2_account_id = "222222222222"
-  account3_account_id = "333333333333"
-  account4_account_id = "444444444444"
+  account1_account_id = nonsensitive(data.aws_ssm_parameter.account1_account_id.value)
+  # account1_account_id = "111111111111"
+  # account2_account_id = "222222222222"
+  # account3_account_id = "333333333333"
+  # account4_account_id = "444444444444"
 
 }
diff --git a/examples/existing-users-and-groups/main.tf b/examples/existing-users-and-groups/main.tf
@@ -2,7 +2,20 @@ module "aws-iam-identity-center" {
   source = "../.." // local example
   # source = "aws-ia/iam-identity-center/aws" // remote example
 
-  // Create permissions sets backed by AWS managed policies
+  # Ensure these User/Groups already exist in your AWS account
+  existing_sso_groups = {
+    testgroup : {
+      group_name = "testgroup" # this must be the name of a group that already exists in your AWS account
+    },
+  }
+  existing_sso_users = {
+    testuser : {
+      user_name = "testuser" # this must be the name of a user that already exists in your AWS account
+    },
+  }
+
+
+  # Create permissions sets backed by AWS managed policies
   permission_sets = {
     AdministratorAccess = {
       description          = "Provides AWS full access permissions.",
@@ -18,30 +31,32 @@ module "aws-iam-identity-center" {
     },
   }
 
-  # Ensure these User/Groups already exist in your AWS account
 
-  // Assign users/groups access to accounts with the specified permissions
+  # Assign users/groups access to accounts with the specified permissions
+  # Ensure these User/Groups already exist in your AWS account
   account_assignments = {
-    Admin : {
-      principal_name  = "Admin"                                   // name of the user or group you wish to have access to the account(s)
-      principal_type  = "GROUP"                                   // entity type (user or group) you wish to have access to the account(s). Valid values are "USER" or "GROUP"
-      permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] // permissions the user/group will have in the account(s)
-      account_ids = [                                             // account(s) the group will have access to. Permissions they will have in account are above line
-        local.account1_account_id,                                // locals are used to allow for global changes to multiple account assignments
+    testgroup : {
+      principal_name  = "testgroup"
+      principal_type  = "GROUP"
+      principal_idp   = "EXTERNAL"
+      permission_sets = ["AdministratorAccess", "ViewOnlyAccess", ]
+      account_ids = [              // account(s) the user will have access to. Permissions they will have in account are above line
+        local.account1_account_id, // locals are used to allow for global changes to multiple account assignments
         # local.account2_account_id, // if hard coding the account ids, you would need to change them in every place you want to change
         # local.account3_account_id, // these are defined in a locals.tf file, example is in this directory
         # local.account4_account_id,
       ]
     },
-    Audit : {
-      principal_name  = "Audit"
-      principal_type  = "GROUP"
+    testuser : {
+      principal_name  = "testuser"
+      principal_type  = "USER"
+      principal_idp   = "EXTERNAL"
       permission_sets = ["ViewOnlyAccess"]
-      account_ids = [
-        local.account1_account_id,
-        local.account2_account_id,
-        local.account3_account_id,
-        local.account4_account_id,
+      account_ids = [              // account(s) the user will have access to. Permissions they will have in account are above line
+        local.account1_account_id, // locals are used to allow for global changes to multiple account assignments
+        # local.account2_account_id, // if hard coding the account ids, you would need to change them in every place you want to change
+        # local.account3_account_id, // these are defined in a locals.tf file, example is in this directory
+        # local.account4_account_id,
       ]
     },
   }

diff --git a/examples/inline-policy/main.tf b/examples/inline-policy/main.tf
@@ -50,6 +50,12 @@ module "aws-iam-identity-center" {
   source = "../.." // local example
   # source = "aws-ia/iam-identity-center/aws" // remote example
 
+  existing_sso_groups = {
+    AWSControlTowerAdmins : {
+      group_name = "AWSControlTowerAdmins"
+    }
+  }
+
   sso_groups = {
     Admin : {
       group_name        = "Admin"
@@ -77,6 +83,12 @@ module "aws-iam-identity-center" {
     },
   }
 
+  existing_permission_sets = {
+    AWSAdministratorAccess : {
+      permission_set_name = "AWSAdministratorAccess"
+    },
+  }
+
   permission_sets = {
     AdministratorAccess = {
       description          = "Provides full access to AWS services and resources",
@@ -115,6 +127,7 @@ module "aws-iam-identity-center" {
     Admin : {
       principal_name = "Admin"
       principal_type = "GROUP"
+      principal_idp  = "INTERNAL"
       permission_sets = [
         "AdministratorAccess",
         "PowerUserAccess",
@@ -125,24 +138,25 @@ module "aws-iam-identity-center" {
       account_ids = [
         // replace with your own account id
         local.account1_account_id,
-        # "111111111111",
-        # "222222222222",
-        # "333333333333",
+        # local.account2_account_id
+        # local.account3_account_id
+        # local.account4_account_id
       ]
     },
     Dev : {
       principal_name = "Dev"
       principal_type = "GROUP"
+      principal_idp  = "INTERNAL"
       permission_sets = [
         "PowerUserAccess",
         "ViewOnlyAccess",
       ]
       account_ids = [
         // replace with your own account id
         local.account1_account_id,
-        # "111111111111",
-        # "222222222222",
-        # "333333333333",
+        # local.account2_account_id
+        # local.account3_account_id
+        # local.account4_account_id
       ]
     },
   }