Closed hacker65536 closed 3 weeks ago
This is a much needed addition due to the inherent difficulty of using customer managed policies.
This would be a great feature to have.
/do-e2e-tests
End to end test has been scheduled
E2E tests in progress
@novekm
I have updated files to support inline policy and permissions boundary.
Please review this when you have time.
Hi there - initially I went down the path of adding support for inline policies, however I stopped as it's not an AWS best practice. It's recommended to use AWS Managed Policies, or Customer Managed policies where possible; see this doc for more info on this. However, I acknowledge the current limitation with IAM IdC that the customer managed policy must exist in each account before you can actually use it, as outlined in this answer on AWS re:Post.
Unfortunately, there isn't a simple native way to deploy a Terraform configuration to multiple accounts, regions, etc. at once (something like CloudFormation StackSets). This means that with the current functionality of the module, you would need to first provision the customer managed policy in each account before referencing it in the module. Terraform Stacks seems to be something that will aid in these types of use cases once GA.
In the meantime, I'll review the PR for adding support for inline policies when I get some time
@hacker65536 I see you have been doing a few additional commits to the PR. Let me know when it is ready for review
@novekm I have done some testing with the following code. It seems to work fine. Please review it when you have time.
Hi @hacker65536, I'm testing the PR and all seems to be well with the inline policy; however, it's still mentioning the forced replacements as with the current version of the module. Is the same showing on your end? This is what I'm getting after adding an additional group:
  # module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_AWSControlTowerAdmins"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
      ~ group_id      = "xx" # forces replacement -> (known after apply) # forces replacement
      ~ id            = "xx/xx" -> (known after apply)
      ~ membership_id = "xx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
  # module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_SectionSre"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
      ~ group_id      = "xx" # forces replacement -> (known after apply) # forces replacement
      ~ id            = "xx" -> (known after apply)
      ~ membership_id = "xx" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
Plan: 3 to add, 0 to change, 2 to destroy.
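As an added example (not the module's or the PR author's code), the plain aws_ssoadmin resources behind the two points in this thread: an inline policy and a permissions boundary on a permission set, neither of which has to pre-exist in each target account the way a customer managed policy does, and a group read via data source so its group_id is known at plan time rather than "known after apply". Resource labels, the permission set name and the group display name are assumptions.

```hcl
# Added example, not the module's own code. Permission set name and
# group display name are placeholders.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

resource "aws_ssoadmin_permission_set" "example" {
  name         = "ExampleReadOnly"
  instance_arn = local.instance_arn
}

# Inline policy lives on the permission set itself, so unlike a customer
# managed policy nothing has to be provisioned in each target account first.
resource "aws_ssoadmin_permission_set_inline_policy" "example" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  inline_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
      Resource = "*"
    }]
  })
}

# Permissions boundary from an AWS managed policy, also needing no per-account
# setup; a customer_managed_policy_reference would have to exist in every account.
resource "aws_ssoadmin_permissions_boundary_attachment" "example" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  permissions_boundary {
    managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
}

# Existing group read by data source: group_id is known at plan time, so a
# membership referencing it is not planned as "known after apply".
data "aws_identitystore_group" "admins" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AWSControlTowerAdmins" # placeholder group name
    }
  }
}
```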
Same situation. Perhaps the problem can be solved. Please give me a moment.
@novekm I've simplified references to resources defined within this module and to resources defined outside of this module. How about this?
Hi @hacker65536, doing some testing today but initial tests look good. Will update later today
This module looks great and I would love to use it. I have modified the code a bit and would be happy to review it if you would like.