aws-ia / terraform-aws-iam-identity-center

Apache License 2.0

Already existing SCIM group cannot be referenced. #40

Closed rfum closed 3 months ago

rfum commented 3 months ago

Hi, I'm trying to use an existing group with the module, but I'm encountering the error mentioned in issue #36. Upgrading to version 0.0.5 didn't resolve the problem. Could this be related to the naming of my group? The group name contains a '-' character. I am following the rules defined in the README, ensuring that the same name is used for both the object and the principal in the account_assignments block. I have confirmed that foo-read is an existing SCIM group in my account. What might be causing the issue with my configuration?

My code is:

module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  // Create permissions sets backed by AWS managed policies
  permission_sets = {
    FooReadOnly = {
      description          = "read access to foo services.",
      session_duration     = "PT4H", // how long until session expires - this means 4 hours. max is 12 hours
      aws_managed_policies = ["arn:aws:iam::aws:policy/FooRead"]
    }
  }

  # Ensure these User/Groups already exist in your AWS account

  // Assign users/groups access to accounts with the specified permissions
  account_assignments = {
    foo-read : {
      principal_name  = "foo-read"      // name of the user or group you wish to have access to the account(s)
      principal_type  = "GROUP"         // entity type (user or group). Valid values are "USER" or "GROUP"
      principal_idp   = "INTERNAL"
      permission_sets = ["FooReadOnly"] // permissions the user/group will have in the account(s)
      account_ids     = [               // account(s) the group will have access to, with the permission sets above
        "xxxxxxxxxxx",
      ]
    },
  }
}

Response is:

 ╷
│ Error: Invalid index
│ 
│   on .terraform/modules/aws-iam-identity-center/main.tf line 244, in resource "aws_ssoadmin_account_assignment" "account_assignment":
│  244:   principal_id = each.value.principal_type == "GROUP" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : (each.value.principal_type == "GROUP" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_group.existing_sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_user.existing_sso_users[each.value.principal_name].user_id : (each.value.principal_type == "USER" && each.value.principal_idp == "GOOGLE") ? data.aws_identitystore_user.existing_google_sso_users[each.value.principal_name].user_id : null)))
│     ├────────────────
│     │ aws_identitystore_group.sso_groups is object with no attributes
│     │ each.value.principal_name is "foo-read"
│ 
│ The given key does not identify an element in this collection value.

a1mops commented 3 months ago

@rfum please refer to the previous issue. You need to add the following block into your main.tf:

existing_sso_groups = {
  testgroup : {
    group_name = "testgroup" # this must be the name of a group that already exists in your AWS account
  },
}

novekm commented 3 months ago

Hi @rfum, yes @a1mops is correct - please review the example for referencing existing users/groups: https://github.com/aws-ia/terraform-aws-iam-identity-center/blob/main/examples/existing-users-and-groups/main.tf

Also on your account assignments - principal_idp should be "INTERNAL" only if you are using IAM Identity Store (the native IdP for IAM Identity Center). If you are syncing users/groups to IAM IdC via SCIM, this should be set to either "EXTERNAL" or "GOOGLE" (if using Google Workspace specifically). Let me know if this resolves your issue or if you need further help.
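Putting both answers together, the configuration from the first post rewritten so that the lookup succeeds, as an added example that is not from the repository or the maintainers. The `existing_sso_groups` input, its `group_name` attribute and the "EXTERNAL" value are taken from the thread and the error output above; the account ID is a placeholder.

```hcl
module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  permission_sets = {
    FooReadOnly = {
      description          = "read access to foo services."
      session_duration     = "PT4H"
      aws_managed_policies = ["arn:aws:iam::aws:policy/FooRead"]
    }
  }

  # Declare the SCIM-provisioned group that already exists in the Identity Store.
  # The map key must equal the principal_name used below: the module resolves the
  # group as data.aws_identitystore_group.existing_sso_groups[principal_name]
  # (see the expression quoted in the error output above).
  existing_sso_groups = {
    foo-read : {
      group_name = "foo-read" # exact display name of the existing group
    },
  }

  account_assignments = {
    foo-read : {
      principal_name  = "foo-read"
      principal_type  = "GROUP"
      # Was "INTERNAL". That branch reads aws_identitystore_group.sso_groups,
      # which is empty because the module created no groups, hence "Invalid index".
      principal_idp   = "EXTERNAL"
      permission_sets = ["FooReadOnly"]
      account_ids     = ["111111111111"] # placeholder account ID
    },
  }
}
```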

rfum commented 3 months ago

thanks!