diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2c1c4b8..ac4404c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -24,19 +24,19 @@ jobs:
fi
- name: Run a Terraform init
- uses: docker://hashicorp/terraform:1.8.5
+ uses: docker://hashicorp/terraform:1.9.1
with:
entrypoint: terraform
args: init
- name: Run a Terraform validate
- uses: docker://hashicorp/terraform:1.8.5
+ uses: docker://hashicorp/terraform:1.9.1
with:
entrypoint: terraform
args: validate
- name: Run a Terraform format check
- uses: docker://hashicorp/terraform:1.8.5
+ uses: docker://hashicorp/terraform:1.9.1
with:
entrypoint: terraform
args: fmt -check=true -diff=true
diff --git a/.terraform-version b/.terraform-version
index 8decb92..9ab8337 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-1.8.5
+1.9.1
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 4b934d3..5e905ee 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -2,37 +2,37 @@
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
- version = "5.53.0"
- constraints = "~> 5.0"
+ version = "5.57.0"
+ constraints = ">= 5.0.0"
hashes = [
- "h1:3SWhL6t4zG6rqOjfI3rpenZc/fi7ZkS/5ZcCU5U+RWo=",
- "h1:6u5Z28ArVnKsadP+ZRQYWPM4kNtTF7OZv7ZLzT2LBDc=",
- "h1:GFUbSPgNRaKbMr9vRkGxQFGMMn0eL6btojppsDKGQWw=",
- "h1:GjLFRg981kjEbsgu59rtqKFduYmh6LYyNTjkI06F2nc=",
- "h1:JdKy+/hyc91nHvVZggxlaFVYOkaLxSmR86MkRUpgX30=",
- "h1:KepZKzU16NeLHg0AiMDQbllfRuP0MfENjHME3jQeAw8=",
- "h1:SGunNgU7s19em6yPbvOSrBB1/gDDQMO/qC6tIKVgeTU=",
- "h1:TUSwJfsylmTH3L0Ax14mtMFnOQo9uoZEBO5eQoThK3c=",
- "h1:YCupEeam12IXAPo9j2wvnfJTqFFuaHjyzTgSj3GlOeg=",
- "h1:ghFa3wkDimz5fJraMTdx+9rsiEYNg2nU7iBT7VTuWJE=",
- "h1:hk2SENJibzbcl0m/axOVb4TqSxmh6tPQ7UcrkXAQohM=",
- "h1:ucNFgeMRknvGjwQrVf6FzR9I5kYpFxEl3F0MeVgloBw=",
- "h1:yIDopRNeRAXg1UZpPlO6GNofDyzqSPkl/+Eoc3pKW4Q=",
- "h1:zDAuX1IRNCyU/CSzF7xdw1aD7a140A5qsjgoVjoRLkk=",
- "zh:2adad39412111d19a5195474d6b95577fc25ccf06d88a90019bee0efba33a1e3",
- "zh:51226453a14f95b0d1163cfecafc9cf1a92ce5f66e42e6b4065d83a813836a2c",
- "zh:62450fadb56db9c18d50bb8b7728a3d009be608d7ee0d4fe95c85ccb521dff83",
- "zh:6f3ad977a9cc4800847c136690b1c0a0fd8437705062163d29dc4e9429598950",
- "zh:71ca0a16b735b8d34b7127dd7d1e1e5d1eaac9c9f792e08abde291b5beb947d5",
- "zh:7ae9cf4838eea80288305be0a3e69b39ffff86ede7b4319be421f06d32d04fb6",
- "zh:93abc2db5ad995cfee014eb7446abc7caedc427e141d375a11993e6e199076b5",
- "zh:9560b3424d97da804e98ee86b474b7370afefa09baf350cae7f33afb3f1aa209",
+ "h1:0vkeOAKaYJn/Qo1LT5BMMYcfxxorbdg6Wjm5cRUaSsk=",
+ "h1:47axyGCVgEBHaQThoNSabiGsrpFXGdIK+uLXqADLNeI=",
+ "h1:78RIKu5Kn+y7jwbk3Av+z64OQ+ubOqzkr+WkG2BLeXs=",
+ "h1:9yi3yb3XOMjj/xsSbOfscfmQzPUQ7sZqSYSBfGSfkBA=",
+ "h1:B8Rpgfr1+wt2ByOZYWZL0cIoOcfSUUYkajsF+ocZ97o=",
+ "h1:FPU7aOZNSo+wwydZpmA7sB4nt1d0Wgkh0cb5Zl+WNj4=",
+ "h1:KMPhyxoRthbmc11+RbClq5bricmGDICh1NgE3nPjN7U=",
+ "h1:PXidujIDQyFAIS9qHoEdsonNbfV7TWXiFYag/KLnq7c=",
+ "h1:RaNKerWC8c10tAXCRUNqO9FVLw3qIYwQN4Zp4+O/rWE=",
+ "h1:bSps73eq0YgIZf73/JvKKve40TNGfTB6+86bmT4ABGI=",
+ "h1:txjX+di/ltKLPAcNKskNjoVB4g/KjKfOYwCq9Tne+JI=",
+ "h1:u7FszdKvOSKA53nsWnNOuh0/GtKwzBe6uIlAoTEWeyU=",
+ "h1:y4fdaiu5VqzHOTjsuB0mTI33hoKYc4MnloHWjLCuA3c=",
+ "h1:yz3Y5KM6UgOzpOrlR/ExM4mlD2wAGvzlhkfODzuVHE8=",
+ "zh:03761bedb72290599aef0040d3cefb77842f0ef4338673a7e5b53557b0ca4960",
+ "zh:1c70c050116370688abd239979b06f33c5c8cb7f6e59e89f60cf08ee01666064",
+ "zh:1cc3b259028a65b2f68ffc25df876bbb0f46d108f262b8ec7c56fc597ac697af",
+ "zh:3bcdf1415b37f39b71e07d4d92977cf8697f07602382d63687d5f683fee0231a",
+ "zh:40b1774a2cacc84002ac88ef30fb017c273009456d7a1f9f7c5a4a057041ec75",
+ "zh:46d51fa066c6441594a1e242c9491cc31dbb2dc85f1acf8bc54ad6faa4de524b",
+ "zh:550e5635b0cd5d98fa66c2afd5dbb1563a8e019be9f760bd1543fbcca763f0c1",
+ "zh:7acc8357b5e02ed3eb478125614d049511d6faeb9850c084d6e6519db875f0d1",
+ "zh:7f7367299811ddf5560a0586e525d57dd52f1a0ca37e42e2c5284308069bf2b6",
+ "zh:8766cc10c83b1fc2e971c4e645bc4d3c871d4758eb54b0a3216600c66e3db681",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9eb57a9b649c217ac4eeb27af2a1935c18bd9bc8fb1be07434e7de74729eff46",
- "zh:b5f32dcbe71ea22c2090eeeaec9af3e098d7b8c3e4491f34ffdfdc6f1c1abf81",
- "zh:c9fbd5417f266c773055178e87bb4091df7f0542b72bf5ad0a4ae27045a2b7ca",
- "zh:d518b3c52c8a9f79769dbe1b3683d25b4cdc8bfc77a3b3cd9c85f74e6c7383e1",
- "zh:db741be21f32404bb87d73d25b1b7fd9b813b00aeb20a130ed8806d44dc26680",
- "zh:ed1a8bb4d08653d87265ae534d6fc33bbdabae1608692a1ee364fce03548d36c",
+ "zh:a1e85b1fb9004d8ffab7600304e02bce4aa14cea9f0ad77fbd7b84aae6390760",
+ "zh:bcf2fc83bd9e20e5a930d9d596eb813c319f2b007c620b1818e574c1702eb9a9",
+ "zh:d2538fcb20dc2afc04b716f67969944eef7f4fc4296410116d5b7af1811100f2",
+ "zh:e0e47c5d8710bbfcfe4db1cfa81c67e320056006d08063e69640cd2d492c6f64",
]
}
diff --git a/README.md b/README.md
index 8ee061f..fba2595 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,7 @@ module "aws_organizations_and_sso" {
email = "existing@example.com"
# If the account has been imported into terrafrom, this must be set to "NULL"
# This behaviour cannot be changed once the account is created (only the root user account will be able to change it)
+ # (Terraform import example can be found at https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/blob/main/examples/existing-account-import/README.md)
iam_user_access_to_billing = "NULL"
group_assignments = {
"SysAdmins" = {
@@ -195,13 +196,13 @@ module "aws_organizations_and_sso" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.5 |
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.53.0 |
+| [aws](#provider\_aws) | 5.57.0 |
## Resources
diff --git a/examples/existing-account-import/README.md b/examples/existing-account-import/README.md
index eaf4cf6..2f38c82 100644
--- a/examples/existing-account-import/README.md
+++ b/examples/existing-account-import/README.md
@@ -3,6 +3,12 @@
If an AWS account has been imported, the `iam_user_access_to_billing` setting must be set to "NULL" (`string`)
This is because it can only be set during account creation
+## Importing an account
+
+```
+terraform import 'module.aws_organizations_and_sso.aws_organizations_account.account["my-account-name"]' 0123456789112
+```
+
```
module "aws_organizations_and_sso" {
source = "chris-qa-org/organzation-and-sso/aws"
diff --git a/locals.tf b/locals.tf
index 5e4745b..c0a66f2 100644
--- a/locals.tf
+++ b/locals.tf
@@ -2,4 +2,9 @@ locals {
sso_permission_sets = var.sso_permission_sets
organization_config = var.organization_config
enable_sso = var.enable_sso
+ accounts = flatten([
+ for unit_name, unit in local.organization_config["units"] : [
+ for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : local.organization_config["units"][unit_name]["accounts"][account_name]
+ ]
+ ])
}
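Review bot: The `unit` binding on the outer `for` is never used and the inner loop re-indexes `local.organization_config["units"][unit_name]["accounts"]` to reach a value it already holds; `for unit in values(local.organization_config["units"]) : values(unit["accounts"])` yields the same list (both `keys()` and `values()` iterate in sorted key order) in one line. The new local also deserves a comment above it, e.g. `# All account objects across every unit; sso.tf iterates this for the group/user lookups`. Note that the account name (the map key) is dropped here, so the `group_assignment` and `user_assignment` resources in sso.tf, which need it for their keys, cannot reuse this local as written. The enclosing `locals` block starts before the hunk.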
diff --git a/sso.tf b/sso.tf
index 8493d2d..2b5102c 100644
--- a/sso.tf
+++ b/sso.tf
@@ -3,11 +3,7 @@ data "aws_ssoadmin_instances" "ssoadmin_instances" {}
data "aws_identitystore_group" "aws" {
for_each = local.enable_sso ? toset(
flatten([
- for account in flatten([
- for unit_name, unit in local.organization_config["units"] : [
- for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : local.organization_config["units"][unit_name]["accounts"][account_name]
- ]
- ]) : keys(lookup(account, "group_assignments", {}))
+ for account in local.accounts : keys(lookup(account, "group_assignments", {}))
])
) : toset([])
@@ -24,11 +20,7 @@ data "aws_identitystore_group" "aws" {
data "aws_identitystore_user" "aws" {
for_each = local.enable_sso ? toset(
flatten([
- for account in flatten([
- for unit_name, unit in local.organization_config["units"] : [
- for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : local.organization_config["units"][unit_name]["accounts"][account_name]
- ]
- ]) : keys(lookup(account, "user_assignments", {}))
+ for account in local.accounts : keys(lookup(account, "user_assignments", {}))
])
) : toset([])
@@ -53,16 +45,14 @@ resource "aws_ssoadmin_permission_set" "permission_set" {
}
resource "aws_ssoadmin_managed_policy_attachment" "attachment" {
- for_each = local.enable_sso ? {
- for attachment in flatten([
- for permission_set_name, permission_set in local.sso_permission_sets : {
- for managed_policy_name in lookup(permission_set, "managed_policies", []) : "${permission_set_name}_${managed_policy_name}" => {
- permission_set_name = permission_set_name
- managed_policy_name = managed_policy_name
- }
+ for_each = local.enable_sso ? merge([
+ for permission_set_name, permission_set in local.sso_permission_sets : {
+ for managed_policy_name in permission_set["managed_policies"] : "${permission_set_name}_${managed_policy_name}" => {
+ permission_set_name = permission_set_name
+ managed_policy_name = managed_policy_name
}
- ]) : keys(attachment)[0] => attachment[keys(attachment)[0]]
- } : {}
+ }
+ ]...) : {}
instance_arn = tolist(data.aws_ssoadmin_instances.ssoadmin_instances.arns)[0]
managed_policy_arn = "arn:aws:iam::aws:policy/${each.value["managed_policy_name"]}"
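Review bot: The rewritten `for_each` indexes `permission_set["managed_policies"]` directly where the removed code used `lookup(permission_set, "managed_policies", [])`, so a permission set declared without that key now fails the plan instead of producing no attachments — unless `var.sso_permission_sets` is typed with an optional default, which is not visible here; `for managed_policy_name in lookup(permission_set, "managed_policies", []) : "${permission_set_name}_${managed_policy_name}" => {` keeps the old tolerance. Separately, `merge([...]...)` keeps the last map on a duplicate key, whereas the removed for-object form would have raised a duplicate-key error; the same applies to the `group_assignment` and `user_assignment` hunks below, where a silently dropped entry means an SSO assignment is never created. A comment such as `# merge() is last-wins on duplicate keys; collisions are not reported` above each of the three for_each lines would at least make that explicit. The resource block continues past the hunk.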
@@ -82,21 +72,19 @@ resource "aws_ssoadmin_permission_set_inline_policy" "policy" {
}
resource "aws_ssoadmin_account_assignment" "group_assignment" {
- for_each = local.enable_sso ? {
- for assignment in flatten([
- for unit_name, unit in local.organization_config["units"] : [
- for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : [
- for group_name, group_assignments in lookup(local.organization_config["units"][unit_name]["accounts"][account_name], "group_assignments", {}) : {
- for permission_set in group_assignments["permission_sets"] : "${account_name}_${group_name}_${permission_set}" => {
- account_name = account_name
- group_name = group_name
- permission_set = permission_set
- }
+ for_each = local.enable_sso ? merge(flatten([
+ for unit_name, unit in local.organization_config["units"] : [
+ for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : [
+ for group_name, group_assignments in lookup(local.organization_config["units"][unit_name]["accounts"][account_name], "group_assignments", {}) : {
+ for permission_set in group_assignments["permission_sets"] : "${account_name}_${group_name}_${permission_set}" => {
+ account_name = account_name
+ group_name = group_name
+ permission_set = permission_set
}
- ]
+ }
]
- ]) : keys(assignment)[0] => assignment[keys(assignment)[0]]
- } : {}
+ ]
+ ])...) : {}
instance_arn = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].arn
@@ -109,21 +97,19 @@ resource "aws_ssoadmin_account_assignment" "group_assignment" {
}
resource "aws_ssoadmin_account_assignment" "user_assignment" {
- for_each = local.enable_sso ? {
- for assignment in flatten([
- for unit_name, unit in local.organization_config["units"] : [
- for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : [
- for user_name, user_assignments in lookup(local.organization_config["units"][unit_name]["accounts"][account_name], "user_assignments", {}) : {
- for permission_set in user_assignments["permission_sets"] : "${account_name}_${user_name}_${permission_set}" => {
- account_name = account_name
- user_name = user_name
- permission_set = permission_set
- }
+ for_each = local.enable_sso ? merge(flatten([
+ for unit_name, unit in local.organization_config["units"] : [
+ for account_name in keys(local.organization_config["units"][unit_name]["accounts"]) : [
+ for user_name, user_assignments in lookup(local.organization_config["units"][unit_name]["accounts"][account_name], "user_assignments", {}) : {
+ for permission_set in user_assignments["permission_sets"] : "${account_name}_${user_name}_${permission_set}" => {
+ account_name = account_name
+ user_name = user_name
+ permission_set = permission_set
}
- ]
+ }
]
- ]) : keys(assignment)[0] => assignment[keys(assignment)[0]]
- } : {}
+ ]
+ ])...) : {}
instance_arn = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set[each.value["permission_set"]].arn
diff --git a/versions.tf b/versions.tf
index b188b75..ee1ff3b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,6 +1,9 @@
terraform {
required_version = ">= 1.1.5"
required_providers {
- aws = "~> 5.0"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0"
+ }
}
}
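Review bot: Changing the aws provider constraint from `~> 5.0` to `>= 5.0` removes the upper bound, so a future major release (6.x, with breaking changes) becomes eligible on the next `init -upgrade` instead of being held back; `version = ">= 5.0, < 6.0"` (or keeping `~> 5.0`) preserves the intent of tracking 5.x. The README requirement table and the `constraints` line in `.terraform.lock.hcl` mirror the new value and would need regenerating to match whichever bound is chosen.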