-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/ssoadmin_account_assignment: new resource; d/identitystore: new data sources #15322
Conversation
As discussed #15108, I'm happy to help. Where do you need assistance? |
Looks promising! Where does For the resource "aws_sso_account_assignment" "assignment" {
instance_arn = data.aws_sso_instance.selected.arn
identity_store_id = data.aws_sso_instance.selected.identity_store_id
permission_set_arn = aws_sso_permission_set.example.arn
# principal_group is mutually exclusive with principal_user
principal_group = "group-name"
target_account = data.aws_caller_identity.current.account_id
} There is only one There should also be support for managing policy attachments: resource "aws_sso_managed_policy_attachment" "attachment" {
instance_arn = data.aws_sso_instance.selected.arn
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
permission_set_arn = aws_sso_permission_set.example.arn
} |
Hi @onitake. Thanks for your input!
We're required to make a call to the So, in the design I came up with, the As for the If it's the case that there can be multiple SSO Instances, I'm not sure what to provide users as a filter to the
I'd be fine with renaming the As for adding the
This is an interesting one. I do plan to add in support for attaching managed policies (and a custom policy), but maybe not in the way you would expect. If you take a look at the schema I've setup for the resource "aws_sso_permission_set" "example" {
instance_arn = data.aws_sso_instance.selected.arn
name = "Example"
# ..
managed_policies = [
"arn:aws:iam::aws:policy/AdministratorAccess",
]
} Now the reason I've designed it like this rather than having a separate Note on Account Assignments: The CreateAccountAssignment API states that:
So, in order to ensure that all account assignments are updated whenever the connecting |
Makes sense.
As long as that is always an option, I don't see a problem. There might be an edge case where a user/API key has access to multiple AWS accounts, not sure what would happen then. I think you should report an error when more than one instance is returned, to ensure nothing unexpected happens. Makes me wonder why AWS has implemented a
Both resource names are ok, my suggestion was simply based on the API call.
Upon further reflection, what you say makes perfect sense.
There's certainly no need for a 1:1 mapping of all the API calls. Updating a list in hcl with API magic happening in the background is much more practical.
The downside here is that this will also trigger updates on all assignments that are not Terraform managed, as a sideeffect. On the other hand, this is probably what most people would want anyway... |
UpdateDid some initial testing. All data sources seem to be functioning as expected! Working on the data_source_aws_sso_instanceprovider "aws" {
region = "us-east-1"
}
data "aws_sso_instance" "selected" {}
output "arn" {
value = data.aws_sso_instance.selected.arn
}
output "identity_store_id" {
value = data.aws_sso_instance.selected.identity_store_id
}
Note: Sensitive info has been obfuscated data_source_aws_sso_permission_setprovider "aws" {
region = "us-east-1"
}
data "aws_sso_instance" "selected" {}
data "aws_sso_permission_set" "example" {
instance_arn = data.aws_sso_instance.selected.arn
name = "AWSReadOnlyAccess"
}
output "arn" {
value = data.aws_sso_permission_set.example.arn
}
output "created_date" {
value = data.aws_sso_permission_set.example.created_date
}
output "instance_arn" {
value = data.aws_sso_permission_set.example.instance_arn
}
output "name" {
value = data.aws_sso_permission_set.example.name
}
output "description" {
value = data.aws_sso_permission_set.example.description
}
output "session_duration" {
value = data.aws_sso_permission_set.example.session_duration
}
output "relay_state" {
value = data.aws_sso_permission_set.example.relay_state
}
output "inline_policy" {
value = data.aws_sso_permission_set.example.inline_policy
}
output "managed_policies" {
value = data.aws_sso_permission_set.example.managed_policies
}
output "tags" {
value = data.aws_sso_permission_set.example.tags
}
Note: Sensitive info has been obfuscated data_source_aws_identity_store_groupprovider "aws" {
region = "us-east-1"
}
data "aws_sso_instance" "selected" {}
data "aws_identity_store_group" "example_group" {
identity_store_id = data.aws_sso_instance.selected.identity_store_id
display_name = "Example [email protected]"
}
output "identity_store_id" {
value = data.aws_identity_store_group.example_group.identity_store_id
}
output "group_id" {
value = data.aws_identity_store_group.example_group.group_id
}
output "display_name" {
value = data.aws_identity_store_group.example_group.display_name
}
Note: Sensitive info has been obfuscated data_source_aws_identity_store_userprovider "aws" {
region = "us-east-1"
}
data "aws_sso_instance" "selected" {}
data "aws_identity_store_user" "example_user" {
identity_store_id = data.aws_sso_instance.selected.identity_store_id
user_name = "[email protected]"
}
output "identity_store_id" {
value = data.aws_identity_store_user.example_user.identity_store_id
}
output "user_id" {
value = data.aws_identity_store_user.example_user.user_id
}
output "user_name" {
value = data.aws_identity_store_user.example_user.user_name
}
Note: Sensitive info has been obfuscated |
Hello, I am curious if there is a timeline for when these resources will be added to terraform? I see you are making great progress and I'm really excited! |
Update
provider "aws" {
region = "us-east-1"
}
data "aws_sso_instance" "selected" {}
data "aws_sso_permission_set" "example" {
instance_arn = data.aws_sso_instance.selected.arn
name = "AWSReadOnlyAccess"
}
data "aws_identity_store_group" "example_group" {
identity_store_id = data.aws_sso_instance.selected.identity_store_id
display_name = "Example [email protected]"
}
resource "aws_sso_assignment" "example" {
instance_arn = data.aws_sso_instance.selected.arn
permission_set_arn = data.aws_sso_permission_set.example.arn
target_type = "AWS_ACCOUNT"
target_id = "012347678910"
principal_type = "GROUP"
principal_id = data.aws_identity_store_group.example_group.group_id
}
output "instance_arn" {
value = aws_sso_assignment.example.instance_arn
}
output "permission_set_arn" {
value = aws_sso_assignment.example.permission_set_arn
}
output "target_type" {
value = aws_sso_assignment.example.target_type
}
output "target_id" {
value = aws_sso_assignment.example.target_id
}
output "principal_type" {
value = aws_sso_assignment.example.principal_type
}
output "principal_id" {
value = aws_sso_assignment.example.principal_id
}
output "id" {
value = aws_sso_assignment.example.id
}
output "created_date" {
value = aws_sso_assignment.example.created_date
} terraform apply
Note: Sensitive info has been obfuscated terraform destroy
Note: Sensitive info has been obfuscated terraform apply (resource already exists)
Note: Sensitive info has been obfuscated terraform import
Note: Sensitive info has been obfuscated terraform plan (after import)
Note: Sensitive info has been obfuscated |
Hi @rfarro82. Thanks for your interest! With regards to the progress of this PR; we've completed all of the desired data sources and the As for a timeline, we're hoping to finish the primary work for this PR this week or early next week. After that I'm sure there'll be some back-and-fourth with the repo maintainers before they we can actually merge and schedule this for release. I'm not sure how long that typically takes. |
Hi @maryelizbeth / @bflad / @gdavison / @anGie44 / @breathingdust / @ksatirli (pulled from FAQ). We think we are mostly done with the work for this PR. We went through the contributing guides and we think we've got everything needed. Right now in this [WIP] PR we've got these new resources and data sources:
My question is what would be the best way for us to split this PR up into multiple? Based on the new service docs, "We prefer you to submit the necessary minimum in a single PR ...", we are planning on creating an initial PR with |
@ewbankkit and @DrFaust92; You've both had a bunch of PRs merged recently. Are you able to provide us with any advice for how to best setup these PRs? |
Hi @burck1, thank you for all of your work on this service. The breakdown for your initial PR, |
Hello, I'm really interested by the support of AWS SSO in terraform. Do you have any updates on this PR? Any way we can help move this forward? |
Hi @seddarj. We've completed most of the work for supporting AWS SSO in Terraform. This [WIP] PR encompasses all of that work. But, the contribution guide for this repo recommends submitting small pull requests with the minimum required resources, so we've submitted #15808 as our initial PR with just To help us move forward, please just go give a thumbs up on #15808. |
Hi @burck1, thanks for the details, I had completely missed that PR. You have my thumbs up. Thanks for implementing all this! |
Proposal for new PR title: r/aws_sso_assignment: New Resource |
Good catch @anarsen -- going to rename to reflect the changes here 👍 |
Hi @anGie44. Thank you for all of your work on moving this forward! We've been a bit preoccupied the past few weeks, but we have been paying attention to the updates. Definitely feel free to update this PR as necessary, or split into separate PRs, or however you want to handle the changes. Please let us know if you are blocked on anything or have any questions. Happy New Year! |
Was wondering how feasible it would be if in the "aws_ssoadmin_managed_policy_attachment" resource you could pass in a list of "managed_policy_arn" values to avoid creating a new resource for each attached policy? |
Hi @plynch-magnolia 👋 since the resource represents the singular attachment, I don't believe we would generally add an argument that would represent the management of multiple attachments; however, that is something we can open up for more discussion/find an alternative if feasible. do you mind creating a new issue to follow-up on your feature request/question? |
I really appreciate the increased traction on integrating AWS SSO Admin APIs into the provider. I realize this comment notifies a bunch of people, but seriously... I love the work you're all doing to make this happen. Thank you. |
@anGie44 I have added new issue #17108 to support this request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again for all your contributions @burck1 @lawdhavmercy -- really great work here! Happy New year 🎉
Output of acceptances tests:
--- PASS: TestAccAWSIdentityStoreUserDataSource_NonExistent (3.88s)
--- PASS: TestAccAWSIdentityStoreGroupDataSource_NonExistent (3.89s)
--- PASS: TestAccAWSIdentityStoreUserDataSource_UserName (13.79s)
--- PASS: TestAccAWSIdentityStoreUserDataSource_UserID (13.79s)
--- PASS: TestAccAWSIdentityStoreGroupDataSource_DisplayName (13.80s)
--- PASS: TestAccAWSIdentityStoreGroupDataSource_GroupID (13.99s)
--- PASS: TestAccAWSSSOAdminAccountAssignment_Disappears (29.17s)
--- PASS: TestAccAWSSSOAdminAccountAssignment_Basic_Group (31.40s)
--- PASS: TestAccAWSSSOAdminAccountAssignment_Basic_User (62.27s)
This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Update 2020/11/03
To help us to continue to move forward, please go give a thumbs up on #15808.
We've completed most of the work for supporting the AWS SSO and AWS SSO Identity Store resources and datasources in Terraform. This [WIP] PR encompasses all of that work. But, the contribution guide for this repo recommends submitting small pull requests with the minimum required resources, so we've submitted #15808 as our initial PR with just
data.aws_sso_instance
,data.aws_sso_permission_set
, andaws_sso_permission_set
. Once that's merged, we will submit PRs for all of the other resources and data sources since they depend on that initial PR.Updated 2020/09/29
References
Community Note
Relates #15108