generated from hashicorp/terraform-provider-scaffolding
-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f79c938
commit 7b04d66
Showing
2 changed files
with
95 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,7 +13,8 @@ Provides an AWS account resource via Control Tower. | |
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "controltower_aws_account" "account" { | ||
| # Basic Example | ||
| resource "controltower_aws_account" "basic_account_example" { | ||
| name = "Example Account" | ||
| email = "[email protected]" | ||
| organizational_unit = "Sandbox" | ||
|
|
@@ -26,6 +27,51 @@ resource "controltower_aws_account" "account" { | |
| email = "[email protected]" | ||
| } | ||
| } | ||
| ########################################################################################################## | ||
| # Extended Example to handle account reassignment upon update | ||
| locals { | ||
| username = "[email protected]" | ||
| } | ||
| data "aws_ssoadmin_instances" "sso" {} | ||
| # Normally AWSAdministratorAccess is the default permission set assigned to the account upon creation by Control Tower. | ||
| data "aws_ssoadmin_permission_set" "permission" { | ||
| instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0] | ||
| name = "AWSAdministratorAccess" | ||
| } | ||
| data "aws_identitystore_user" "user" { | ||
| identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0] | ||
| alternate_identifier { | ||
| unique_attribute { | ||
| attribute_path = "UserName" | ||
| attribute_value = local.username | ||
| } | ||
| } | ||
| } | ||
| resource "controltower_aws_account" "extended_example_account" { | ||
| name = "Extended Example Account" | ||
| email = local.username | ||
| organizational_unit = "Sandbox" | ||
| organizational_unit_id_on_delete = "ou-some-id" | ||
| sso { | ||
| first_name = "John" | ||
| last_name = "Doe" | ||
| email = "[email protected]" | ||
| instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0] | ||
| principal_id = data.aws_identitystore_user.user.user_id | ||
| remove_account_assignment_on_update = true | ||
| permission_set_arn = data.aws_ssoadmin_permission_set.permission.arn | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
|
|
@@ -63,5 +109,6 @@ Required: | |
| Optional: | ||
|
|
||
| - `instance_arn` (String) ARN of the SSO instance. Required if remove_account_assignment_on_update is enabled. | ||
| - `permission_set_arn` (String) ARN of the permission set to be removed, normally it's the arn of AWSAdministratorAccess permission set. Required if remove_account_assignment_on_update is enabled. | ||
| - `principal_id` (String) Principal ID of the user. Required if remove_account_assignment_on_update is enabled. | ||
| - `remove_account_assignment_on_update` (Boolean) If enabled, this will remove the account assignment for the old SSO user when the resource is updated. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,5 @@ | ||
| resource "controltower_aws_account" "account" { | ||
| # Basic Example | ||
| resource "controltower_aws_account" "basic_account_example" { | ||
| name = "Example Account" | ||
| email = "[email protected]" | ||
| organizational_unit = "Sandbox" | ||
|
|
@@ -11,3 +12,48 @@ resource "controltower_aws_account" "account" { | |
| email = "[email protected]" | ||
| } | ||
| } | ||
| ########################################################################################################## | ||
|
|
||
| # Extended Example to handle account reassignment upon update | ||
| locals { | ||
| username = "[email protected]" | ||
| } | ||
|
|
||
| data "aws_ssoadmin_instances" "sso" {} | ||
|
|
||
| # Normally AWSAdministratorAccess is the default permission set assigned to the account upon creation by Control Tower. | ||
| data "aws_ssoadmin_permission_set" "permission" { | ||
|
|
||
| instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0] | ||
| name = "AWSAdministratorAccess" | ||
| } | ||
|
|
||
| data "aws_identitystore_user" "user" { | ||
|
|
||
| identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0] | ||
| alternate_identifier { | ||
| unique_attribute { | ||
| attribute_path = "UserName" | ||
| attribute_value = local.username | ||
| } | ||
| } | ||
| } | ||
|
|
||
| resource "controltower_aws_account" "extended_example_account" { | ||
| name = "Extended Example Account" | ||
| email = local.username | ||
| organizational_unit = "Sandbox" | ||
|
|
||
| organizational_unit_id_on_delete = "ou-some-id" | ||
|
|
||
| sso { | ||
| first_name = "John" | ||
| last_name = "Doe" | ||
| email = "[email protected]" | ||
| instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0] | ||
| principal_id = data.aws_identitystore_user.user.user_id | ||
| remove_account_assignment_on_update = true | ||
| permission_set_arn = data.aws_ssoadmin_permission_set.permission.arn | ||
|
|
||
| } | ||
| } | ||