aws-ia / terraform-aws-iam-identity-center

Apache License 2.0

data.aws_identitystore_group.existing_sso_groups is object with no attributes error after switching to v0.0.5 #43

Open JHunsGlobal opened 5 days ago

JHunsGlobal commented 5 days ago

Hi, I recently started using this module as of v0.0.3 with EntraID and added the idp as External, as needed for v0.0.5.

Please see my terraform code below:

module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  sso_groups = {
    Teams-DevOps : {
      group_name        = "Teams-DevOps"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  permission_sets = {
    ReadOnly = {
      description               = "Provides S3 read access permissions.",
      session_duration          = "PT4H",
      customer_managed_policies = ["ReadOnly"]
    }
  }

  account_assignments = {
    Teams-DevOps : {
      principal_idp   = "EXTERNAL"
      principal_name  = "Teams-DevOps"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"] 
    }
  }
}

I'm now met with this error:

│ Error: Invalid index
│ 
│   on .terraform/modules/aws-iam-identity-center/main.tf line 244, in resource "aws_ssoadmin_account_assignment" "account_assignment":
│  244:   principal_id = each.value.principal_type == "GROUP" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : (each.value.principal_type == "GROUP" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_group.existing_sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_user.existing_sso_users[each.value.principal_name].user_id : (each.value.principal_type == "USER" && each.value.principal_idp == "GOOGLE") ? data.aws_identitystore_user.existing_google_sso_users[each.value.principal_name].user_id : null)))
│     ├────────────────
│     │ data.aws_identitystore_group.existing_sso_groups is object with no attributes
│     │ each.value.principal_name is "Teams-DevOps"
│ 
│ The given key does not identify an element in this collection value.
╵
╷
│ Error: Invalid index
│ 
│   on .terraform/modules/aws-iam-identity-center/main.tf line 244, in resource "aws_ssoadmin_account_assignment" "account_assignment":
│  244:   principal_id = each.value.principal_type == "GROUP" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_group.sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "INTERNAL" ? aws_identitystore_user.sso_users[each.value.principal_name].user_id : (each.value.principal_type == "GROUP" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_group.existing_sso_groups[each.value.principal_name].group_id : (each.value.principal_type == "USER" && each.value.principal_idp == "EXTERNAL" ? data.aws_identitystore_user.existing_sso_users[each.value.principal_name].user_id : (each.value.principal_type == "USER" && each.value.principal_idp == "GOOGLE") ? data.aws_identitystore_user.existing_google_sso_users[each.value.principal_name].user_id : null)))
│     ├────────────────
│     │ data.aws_identitystore_group.existing_sso_groups is object with no attributes
│     │ each.value.principal_name is "Teams-DevOps"
│ 
│ The given key does not identify an element in this collection value.

Am I expected to use both existing_sso_groups and sso_groups?

Could you please also explain what is meant by existing and nonexisting as it's not very clear from your README?

hacker65536 commented 2 days ago

Hi @JHunsGlobal, in your code Teams-DevOps is defined in a module, so INTERNAL should be used.

An example would be this.

module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  // This will be created by a module
  sso_groups = {
    Teams-DevOps : {
      group_name        = "Teams-DevOps"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  // This is not created by a module. This is referenced as a data source.
  existing_sso_groups = {
    Teams-DevOps2 : {
      group_name        = "Teams-DevOps2"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  permission_sets = {
    ReadOnly = {
      description               = "Provides S3 read access permissions.",
      session_duration          = "PT4H",
      customer_managed_policies = ["ReadOnly"]
    }
  }

  account_assignments = {
    Teams-DevOps : {
      principal_idp   = "INTERNAL"
      principal_name  = "Teams-DevOps"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"]
    }

    Teams-DevOps2 : {
      principal_idp   = "EXTERNAL"
      principal_name  = "Teams-DevOps2"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"]
    }
  }
}

novekm commented 1 day ago

Hi @JHunsGlobal, please see the examples that were updated with the v0.0.5 release. In your case, if the group exists already (synced via SCIM from EntraID) then your configuration should look similar to the following:

module "aws-iam-identity-center" {
  source  = "aws-ia/iam-identity-center/aws"
  version = "0.0.5"

  existing_sso_groups = {
    Teams-DevOps : {
      group_name        = "Teams-DevOps"
      group_description = "Admin IAM Identity Center Group"
    }
  }

  permission_sets = {
    ReadOnly = {
      description               = "Provides S3 read access permissions.",
      session_duration          = "PT4H",
      customer_managed_policies = ["ReadOnly"]
    }
  }

  account_assignments = {
    Teams-DevOps : {
      principal_idp   = "EXTERNAL"
      principal_name  = "Teams-DevOps"
      principal_type  = "GROUP"
      permission_sets = ["ReadOnly"]
      account_ids     = ["123456789012", "098765432109"] 
    }
  }
}
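A pre-apply check for the mismatch discussed in this thread, added here as an example (it is not code from the module or from anyone on the thread): it mirrors the principal_id lookup the module performs on main.tf line 244, so an account assignment whose principal_name is missing from the map its principal_idp selects is reported before `terraform apply` rather than failing with "Invalid index". The LOOKUP table is derived from that expression, and the two sample configs are constructed from the reporter's original and corrected inputs.

```python
# Added example, not code from the module or from this thread: mirrors the
# principal_id lookup on the module's main.tf line 244, so an assignment whose
# principal_name is missing from the map its principal_idp selects is reported
# before `terraform apply` instead of failing with "Invalid index".

# (principal_type, principal_idp) -> the module input the name must appear in.
LOOKUP = {
    ("GROUP", "INTERNAL"): "sso_groups",
    ("USER", "INTERNAL"): "sso_users",
    ("GROUP", "EXTERNAL"): "existing_sso_groups",
    ("USER", "EXTERNAL"): "existing_sso_users",
    ("USER", "GOOGLE"): "existing_google_sso_users",
}


def unresolved_assignments(config):
    """Return {assignment_key: reason} for every account_assignment whose
    principal the module's index expression could not resolve."""
    problems = {}
    for key, a in config.get("account_assignments", {}).items():
        source = LOOKUP.get((a["principal_type"], a["principal_idp"]))
        if source is None:
            problems[key] = f"no lookup for {a['principal_type']}/{a['principal_idp']}"
            continue
        if a["principal_name"] in config.get(source, {}):
            continue
        # The mistake on this thread: the name is declared, but in the map a
        # different principal_idp would select (sso_groups vs existing_sso_groups).
        elsewhere = sorted(m for m in set(LOOKUP.values())
                           if a["principal_name"] in config.get(m, {}))
        hint = f" (declared in {', '.join(elsewhere)})" if elsewhere else ""
        problems[key] = f"{a['principal_name']!r} not in {source}{hint}"
    return problems


# Constructed samples: the reporter's config (group created by the module but
# the assignment marked EXTERNAL) and the corrected config from the thread.
ASSIGNMENT = {"principal_name": "Teams-DevOps", "principal_type": "GROUP",
              "permission_sets": ["ReadOnly"], "account_ids": ["123456789012"]}
REPORTED = {
    "sso_groups": {"Teams-DevOps": {"group_name": "Teams-DevOps"}},
    "account_assignments": {"Teams-DevOps": {**ASSIGNMENT, "principal_idp": "EXTERNAL"}},
}
FIXED = {
    "existing_sso_groups": {"Teams-DevOps": {"group_name": "Teams-DevOps"}},
    "account_assignments": {"Teams-DevOps": {**ASSIGNMENT, "principal_idp": "EXTERNAL"}},
}
```

Running `unresolved_assignments(REPORTED)` names the assignment and points at the map the group was actually declared in; the same function returns an empty dict for FIXED, and also for REPORTED if its assignment is switched to INTERNAL as hacker65536 suggested.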