hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Add support for assigning iam identity center permissions to organizational units #36960

Open mperyer1 opened 2 months ago

mperyer1 commented 2 months ago

Description

When assigning permissions in AWS IAM Identity Center, the same permissions often need to be added to multiple accounts in the same organizational unit.

Currently the only way to do that is to output the account IDs from the OU and then loop through the IDs as a list, creating a separate resource for each account.

It would be great to have the option to choose whether to assign permissions by account ID or by OU, in the same manner you would from the AWS console or CDK.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

```hcl
# Input map in the style of the aws-ia/iam-identity-center module's
# account_assignments variable; the ou_names key is the proposed addition.
account_assignments = {
  Admin = {
    principal_name  = "Admin"
    principal_type  = "GROUP"
    permission_sets = ["AdministratorAccess", "ViewOnlyAccess"]
    ou_names = [
      "network", // replace with your desired OU name
      "sandbox", // replace with your desired OU name
    ]
    account_ids = [
      "111111111111",
      "222222222222",
    ]
  }
}
```

References

- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_application_assignment
- https://github.com/aws-ia/terraform-aws-iam-identity-center?tab=readme-ov-file
- https://registry.terraform.io/modules/aws-ia/iam-identity-center/aws/latest?tab=inputs

Would you like to implement a fix?

None

joelmccoy commented 2 months ago

I personally would see a lot of value in having a convenience like this. The AWS API does not support creating assignments at the OU level right now, so if someone were to implement this as a feature, the logic would need to be done client side. I do imagine in the future AWS may add this as a feature in their API (they made room for different target types here).

This is the current example resource in the documentation:

```hcl
resource "aws_ssoadmin_account_assignment" "account_assignment" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.example.arn

  principal_id   = aws_identitystore_group.example.group_id
  principal_type = "GROUP"

  target_id   = "123456789012"
  target_type = "AWS_ACCOUNT"
}
```

I think the simplest way to add OU functionality would be to add an AWS_OU target type.

```hcl
resource "aws_ssoadmin_account_assignment" "account_assignment" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.example.arn

  principal_id   = aws_identitystore_group.example.group_id
  principal_type = "GROUP"

  target_id   = "ou-atzl-y9rttmaf"
  target_type = "AWS_OU"
}
```

The only downside of this is that you will need to maintain the state of the AWS accounts even though you specify an OU, and if AWS releases support for assigning to an OU you will have to change this behavior.

If there is value in adding something like mentioned above (or another solution to this problem) I would be happy to contribute and work on it.

greenflowers commented 2 weeks ago

On a side note, the example from AWS for IAM Identity Center Automation includes the translation logic from OUs to account IDs.
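The client-side workaround the thread describes (expand each OU to its member accounts, then create one `aws_ssoadmin_account_assignment` per account and permission set) written out in full. This is an added example, not code from the issue, the provider documentation or the aws-ia module. It assumes a provider version that ships the `aws_organizations_organizational_unit_descendant_accounts` data source, that the configuration runs from the Organizations management account or a delegated administrator (the Organizations read APIs are not available from ordinary member accounts), and that an identity-store group named `Admin` exists; the OU ID and permission-set names are placeholders.

```hcl
# Added example (not from the issue or the provider): expand OUs to accounts
# at plan time and create one assignment per (account, permission set).
# Assumes the Organizations OU data sources are available and the run has
# Organizations read access (management or delegated-administrator account).

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Placeholder OU IDs and permission-set names; replace with real values.
  ou_ids          = toset(["ou-atzl-y9rttmaf"])
  permission_sets = toset(["AdministratorAccess", "ViewOnlyAccess"])
}

# Descendant (recursive) accounts of each OU. Use
# aws_organizations_organizational_unit_child_accounts instead if only the
# OU's direct children should receive the assignment.
data "aws_organizations_organizational_unit_descendant_accounts" "ou" {
  for_each  = local.ou_ids
  parent_id = each.value
}

data "aws_ssoadmin_permission_set" "this" {
  for_each     = local.permission_sets
  instance_arn = local.instance_arn
  name         = each.value
}

data "aws_identitystore_group" "admin" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "Admin"
    }
  }
}

locals {
  # Only ACTIVE accounts: suspended or pending-closure accounts remain in
  # the OU but should not keep receiving assignments.
  ou_account_ids = toset(flatten([
    for ou in data.aws_organizations_organizational_unit_descendant_accounts.ou :
    [for acct in ou.accounts : acct.id if acct.status == "ACTIVE"]
  ]))

  # Stable "<account>-<permission set>" keys, so an account joining the OU
  # adds exactly one resource instead of reshuffling an index-based list.
  assignments = {
    for pair in setproduct(local.ou_account_ids, local.permission_sets) :
    "${pair[0]}-${pair[1]}" => { account_id = pair[0], permission_set = pair[1] }
  }
}

resource "aws_ssoadmin_account_assignment" "ou" {
  for_each = local.assignments

  instance_arn       = local.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.permission_set].arn

  principal_id   = data.aws_identitystore_group.admin.group_id
  principal_type = "GROUP"

  target_id   = each.value.account_id
  target_type = "AWS_ACCOUNT"
}
```

Two caveats follow from doing the expansion client side. The OU membership is read at plan time, so an account that is moved into the OU after the last apply has no assignment until the next plan/apply, and an account moved out keeps its assignment until then; a native OU target, if AWS adds one, would track membership continuously, and a scheduled plan or a drift check is the usual compensation. The choice between the descendant and child-accounts data source is a blast-radius decision: with the recursive form, every account nested anywhere under the OU, including ones created later in a sub-OU, receives the permission set on the next apply.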