Open JHunsGlobal opened 5 days ago
Hi @JHunsGlobal

In your code `Teams-DevOps` is defined in a module, so `INTERNAL` should be used.

An example would be this.
```hcl
module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  // This will be created by a module
  sso_groups = {
    Teams-DevOps : {
      group_name        = "Teams-DevOps"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  // This is not created by a module. This is referenced as a data source.
  existing_sso_groups = {
    Teams-DevOps2 : {
      group_name        = "Teams-DevOps2"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  permission_sets = {
    ReadOnly = {
      description               = "Provides S3 read access permissions.",
      session_duration          = "PT4H",
      customer_managed_policies = ["ReadOnly"]
    }
  }

  account_assignments = {
    Teams-DevOps : {
      principal_idp   = "INTERNAL"
      principal_name  = "Teams-DevOps"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"]
    }
    Teams-DevOps2 : {
      principal_idp   = "EXTERNAL"
      principal_name  = "Teams-DevOps2"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"]
    }
  }
}
```
Hi @JHunsGlobal, please see the examples that were updated with the v0.0.5 release. In your case, if the group exists already (synced via SCIM from EntraID) then your configuration should look similar to the following:
```hcl
module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  existing_sso_groups = {
    Teams-DevOps : {
      group_name        = "Teams-DevOps"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  permission_sets = {
    ReadOnly = {
      description               = "Provides S3 read access permissions.",
      session_duration          = "PT4H",
      customer_managed_policies = ["ReadOnly"]
    }
  }

  account_assignments = {
    Teams-DevOps : {
      principal_idp   = "EXTERNAL"
      principal_name  = "Teams-DevOps"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"]
    }
  }
}
```
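The two replies above both turn on one rule: a group the module creates via `sso_groups` is referenced with `principal_idp = "INTERNAL"`, a group that already exists in IAM Identity Center (for example SCIM-synced from EntraID) is listed under `existing_sso_groups` and referenced with `principal_idp = "EXTERNAL"`. The following is an added example, not part of this thread and not code from the aws-ia module: a small Python pre-apply check that applies that rule to the three maps before `terraform apply`, so a mismatch is caught by a linter rather than by a failed plan. The sample maps are constructed to mirror the first reply's configuration; the expected-IdP rule is taken from the maintainers' replies and is assumed to be the module's behaviour.

```python
"""Hypothetical pre-apply consistency check for IAM Identity Center account assignments.

Rule assumed from the thread: group in sso_groups -> INTERNAL, group in
existing_sso_groups -> EXTERNAL. Only GROUP principals are checked.
"""
import re
from typing import Dict, List, Optional

# AWS account IDs are 12 decimal digits; leading zeros are significant.
AWS_ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample inputs mirroring the shape of the module arguments in the thread.
SSO_GROUPS: Dict[str, dict] = {
    "Teams-DevOps": {"group_name": "Teams-DevOps",
                     "group_description": "Admin IAM Identity Center Group"},
}
EXISTING_SSO_GROUPS: Dict[str, dict] = {
    "Teams-DevOps2": {"group_name": "Teams-DevOps2",
                      "group_description": "Admin IAM Identity Center Group"},
}
PERMISSION_SETS: Dict[str, dict] = {
    "ReadOnly": {"description": "Provides S3 read access permissions.",
                 "session_duration": "PT4H"},
}
ACCOUNT_ASSIGNMENTS: Dict[str, dict] = {
    "Teams-DevOps": {
        "principal_idp": "INTERNAL", "principal_name": "Teams-DevOps",
        "principal_type": "GROUP", "permission_sets": ["ReadOnly"],
        "account_ids": ["123456789012", "098765432109"],
    },
    "Teams-DevOps2": {
        "principal_idp": "EXTERNAL", "principal_name": "Teams-DevOps2",
        "principal_type": "GROUP", "permission_sets": ["ReadOnly"],
        "account_ids": ["123456789012", "098765432109"],
    },
}


def expected_idp(principal_name: str, sso_groups: Dict[str, dict],
                 existing_sso_groups: Dict[str, dict]) -> Optional[str]:
    """Return the principal_idp a GROUP principal must declare.

    None means the group is defined in neither map; "AMBIGUOUS" means it is
    defined in both, which would make the module both create and look it up.
    """
    in_new = principal_name in sso_groups
    in_existing = principal_name in existing_sso_groups
    if in_new and in_existing:
        return "AMBIGUOUS"
    if in_new:
        return "INTERNAL"
    if in_existing:
        return "EXTERNAL"
    return None


def validate_assignments(assignments: Dict[str, dict], sso_groups: Dict[str, dict],
                         existing_sso_groups: Dict[str, dict],
                         permission_sets: Dict[str, dict]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the maps agree."""
    errors: List[str] = []
    for key, a in assignments.items():
        if a.get("principal_type") != "GROUP":
            continue  # user principals are outside the rule discussed in the thread
        name = a.get("principal_name", key)
        want = expected_idp(name, sso_groups, existing_sso_groups)
        got = a.get("principal_idp")
        if want is None:
            errors.append(f"{key}: group '{name}' is in neither sso_groups nor existing_sso_groups")
        elif want == "AMBIGUOUS":
            errors.append(f"{key}: group '{name}' appears in both sso_groups and existing_sso_groups")
        elif got != want:
            errors.append(f"{key}: principal_idp is {got!r} but group '{name}' requires {want!r}")
        # Every referenced permission set must be declared in the same module call.
        for ps in a.get("permission_sets", []):
            if ps not in permission_sets:
                errors.append(f"{key}: permission set '{ps}' is not defined in permission_sets")
        # Catch quoting mistakes that would silently target the wrong account.
        for acct in a.get("account_ids", []):
            if not isinstance(acct, str) or not AWS_ACCOUNT_ID.match(acct):
                errors.append(f"{key}: {acct!r} is not a 12-digit AWS account id string")
    return errors


if __name__ == "__main__":
    problems = validate_assignments(ACCOUNT_ASSIGNMENTS, SSO_GROUPS,
                                    EXISTING_SSO_GROUPS, PERMISSION_SETS)
    print("\n".join(problems) if problems else "account_assignments are consistent")
```

In practice you would feed the checker the decoded maps from `terraform show -json` or from the `.tfvars` file rather than the inline constants; the constants are here only so the example runs offline. Flipping `Teams-DevOps2` to `INTERNAL` in the sample reproduces the kind of mismatch the thread is about and yields a single error naming the group and the required value.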
Hi, I recently started using this module as of v0.0.3 with EntraID and added the idp as External as needed for v0.0.5
Please see my terraform code below:
I'm now met with this error:
Am I expected to use both existing_sso_groups and sso_groups?
Could you please also explain what is meant by existing and nonexisting as it's not very clear from your README?