mbuotidem
commented
3 months ago This is a much needed addition due to the inherent difficulty of using customer managed policies.
Closed hacker65536 closed 3 weeks ago
mbuotidem
commented
3 months ago This is a much needed addition due to the inherent difficulty of using customer managed policies.
matiasbertani
commented
1 month ago This would be a great feature to have.
novekm
commented
1 month ago /do-e2e-tests
aws-ia-automator-prod[bot]
commented
1 month ago End to end test has been scheduled
aws-ia-automator-prod[bot]
commented
1 month ago E2E tests in progress
hacker65536
commented
1 month ago @novekm
I have updated files to support inline policy and permissions boundary.
Please review this when you have time.
novekm
commented
1 month ago Hi there - initially I went down the path of adding support for inline policies, however stopped as it's not an AWS best practice. It's recommended to use AWS Managed Policies, or Customer Managed policies where possible see this doc for more info on this. However, I acknowledge the current limitation with IAM IdC that the customer managed policy must exist in each account before you can actually use it outlined in this answer on AWS re:Post.
Unfortunately, there isn't a simple native way to deploy a Terraform configuration to multiple accounts, regions, etc. at once (something like CloudFormation StackSets). This means that with the current functionality of the module, you would need to first provision the customer managed policy in each account before referencing it in the module. Terraform Stacks seems to be something that will aid in these type of use cases once GA.
In the meantime, I'll review the PR for adding support for inline policies when I get some time
novekm
commented
1 month ago @hacker65536 I see you have been doing a few additional commits to the PR. Let me know when it is ready for review
hacker65536
commented
1 month ago @novekm I have done some testing with the following code. It seems to work fine. Please review it when you have time.
novekm
commented
1 month ago Hi @hacker65536, I'm testing the PR and all seems to be well with the inline policy, however it's still mentioning the forced replacements as with the current version of the module. Is the same showing on your end? This is what I'm getting after adding an additional group:
# module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_AWSControlTowerAdmins"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
~ group_id = "xx" # forces replacement -> (known after apply) # forces replacement
~ id = "xx/xx" -> (known after apply)
~ membership_id = "xx" -> (known after apply)
# (2 unchanged attributes hidden)
}
# module.aws-iam-identity-center.aws_identitystore_group_membership.sso_group_membership["testuser1_SectionSre"] must be replaced
-/+ resource "aws_identitystore_group_membership" "sso_group_membership" {
~ group_id = "xx" # forces replacement -> (known after apply) # forces replacement
~ id = "xx" -> (known after apply)
~ membership_id = "xx" -> (known after apply)
# (2 unchanged attributes hidden)
}
Plan: 3 to add, 0 to change, 2 to destroy.Same situation. Perhaps the problem can be solved. Plz give me a moment.
hacker65536
commented
1 month ago @novekm I've simplified references to resources defined within this module and to resources defined outside of this module. How about this?
novekm
commented
4 weeks ago Hi @hacker65536, doing some testing today but initial tests look good. Will update later today
This module looks great and I would love to use it. I have modified the code a bit and would be happy to review it if you would like.