aws-ia / terraform-aws-iam-identity-center

Apache License 2.0

Can I add an existing user to a new group with new permissions_sets and new account_assignments on AWS. #47

Open leonkatz opened 2 months ago

leonkatz commented 2 months ago

sso_groups = {
  test : {
    group_name        = "test"
    group_description = "test group"
  }
  test-leads : {
    group_name        = "test-leads"
    group_description = "test group"
  }
  test-limited : {
    group_name        = "test-limited"
    group_description = "test group"
  }
}

existing_permission_sets = {
  AdministratorAccess = {
    permission_set_name = "AdministratorAccess"
  },
  ReadOnlyAccess = {
    permission_set_name = "ReadOnlyAccess"
  },
}

existing_sso_users = {
  TesterDev : {
    user_name        = "TesterTesterDev"
    group_membership = ["test-limited"]
  }
}

sso_users = {
  terraform : {
    group_membership = ["test", "test-leads"]
    user_name        = "terraform"
    given_name       = "Terraform"
    family_name      = "test"
    email            = "email@example.com"
  }
}

account_assignments = {
  test = {
    principal_name  = "test"
    principal_type  = "GROUP"
    principal_idp   = "INTERNAL"
    permission_sets = ["AdministratorAccess", "ReadOnlyAccess"]
    account_ids = [
      "111111111111",
    ]
  }
  TesterDev = {
    principal_name  = "TesterDev"
    principal_type  = "USER"
    principal_idp   = "EXTERNAL"
    permission_sets = ["ReadOnlyAccess"]
    account_ids = [
      "111111111111",
    ]
  }
}

novekm commented 2 months ago

Hi @leonkatz, can you explain the use-case a bit more? What are you using as your Identity Provider? IAM Identity Store?

leonkatz commented 2 months ago

Yes, IAM Identity Store; it was all manually managed. Now I'm trying to bring it all into Terraform. I have a bunch of existing users, but will create new groups, new permission sets, and new account assignments. This is so the old ones aren't changed yet. But I need to get existing users into the new groups so that they now have the new permissions.

act-mreeves commented 1 month ago

This is similar to what I am trying to do. I would like to manage group membership of existing users using the existing_sso_users attribute.

Create new groups with:

  sso_groups = {
    # Leaving open the concept of having "level 1" job titles
    Developer1 : {
      group_name        = "Dev1"
      group_description = "Developer 1"
    }
    Devops1 : {
      group_name        = "Devops1"
      group_description = "Devops 1"
    },
  }

Now use these new groups with existing users:

  existing_sso_users = {
    bfranklin : {
      user_name : "ben.franklin@example.com",
      group_membership : ["Dev1"]
    }
    jdoe : {
      user_name : "john.doe@example.com",
      group_membership : ["Devops1"]
    }
  }

I want to manage the user to group mapping in this way but it doesn't seem to work so I had to use this method instead:

data "aws_ssoadmin_instances" "my_sso" {}

# Look the existing user up in the Identity Store by their UserName.
# attribute_path names the attribute being matched ("UserName"), not the user.
data "aws_identitystore_user" "bfranklin" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.my_sso.identity_store_ids)[0]
  alternate_identifier {
    unique_attribute {
      attribute_path  = "UserName"
      attribute_value = "ben.franklin@example.com"
    }
  }
}

# Add the looked-up user to a group that the module created.
resource "aws_identitystore_group_membership" "devops1_bfranklin" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.my_sso.identity_store_ids)[0]
  group_id          = module.identity_center_shared.sso_groups_ids["Devops1"]
  member_id         = data.aws_identitystore_user.bfranklin.user_id
}
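
The one-user workaround above generalizes to a map of existing users to groups, so that every (user, group) pair becomes its own membership resource instead of a hand-written block per user. The following is an added example, not code from the module or from anyone in this thread; it assumes the module is instantiated as `module.identity_center_shared` with an `sso_groups_ids` output as in the workaround, and the `existing_user_groups` map is constructed sample input.

```hcl
# Added example: manage group membership for existing Identity Store users
# without the module's existing_sso_users attribute. Assumes the module
# instance and sso_groups_ids output used in the workaround above.
locals {
  # Constructed sample input: existing users (by exact UserName) and the
  # module-managed groups each should belong to.
  existing_user_groups = {
    "ben.franklin@example.com" = ["Dev1"]
    "john.doe@example.com"     = ["Devops1", "Dev1"]
  }

  # One element per (user, group) pair, keyed so for_each stays stable
  # when a user is added to or removed from a single group.
  user_group_pairs = {
    for pair in flatten([
      for user, groups in local.existing_user_groups : [
        for group in groups : { user = user, group = group }
      ]
    ]) : "${pair.user}/${pair.group}" => pair
  }

  identity_store_id = tolist(data.aws_ssoadmin_instances.my_sso.identity_store_ids)[0]
}

data "aws_ssoadmin_instances" "my_sso" {}

# Look each user up once by UserName. The name must match the Identity
# Store entry exactly; a user that does not exist fails at plan time,
# which is preferable to silently creating an empty assignment.
data "aws_identitystore_user" "existing" {
  for_each          = local.existing_user_groups
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "UserName"
      attribute_value = each.key
    }
  }
}

# One membership per (user, group) pair; group_id comes from the module so
# only groups Terraform already manages can be targeted.
resource "aws_identitystore_group_membership" "existing" {
  for_each          = local.user_group_pairs
  identity_store_id = local.identity_store_id
  group_id          = module.identity_center_shared.sso_groups_ids[each.value.group]
  member_id         = data.aws_identitystore_user.existing[each.value.user].user_id
}
```

Because the membership keys are `user/group` strings rather than list indexes, removing one pair from `existing_user_groups` destroys exactly that membership on the next apply and leaves the rest untouched, which is the behaviour you want when reviewing a plan that touches access.
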

novekm commented 1 month ago

Hi all, sorry for the delay. You should be able to use the module that way, however this has not been extensively tested. You'll need to ensure you match the existing user names exactly as they appear in your AWS Account, since a data source is used to fetch the users by user name (you can see this here).

existing_sso_users was initially meant for users that were synced via SCIM to IAM IdC (such as from Okta, Entra ID/Azure AD, etc.) instead of users that were created manually. If the users were created manually, it would be preferable to import those users into state management and use the module from there.

@act-mreeves what is the error you received when trying to add existing (manually created) users to new groups in that way? Was it on the group assignment, or when trying to add permission sets to the groups?