From f30ccd360ba3d3e94ce3f247c0b5547fe44eda66 Mon Sep 17 00:00:00 2001
From: Ryoh Akiyoshi
Date: Wed, 4 Aug 2021 14:20:58 +0900
Subject: [PATCH 1/5] Add an example for all in one
---
 examples/all-in-one/backend.tf | 5 +++++
 examples/all-in-one/main.tf | 21 +++++++++++++++++++++
 examples/all-in-one/providers.tf | 3 +++
 examples/all-in-one/variables.tf | 8 ++++++++
 examples/all-in-one/version.tf | 10 ++++++++++
 5 files changed, 47 insertions(+)
 create mode 100644 examples/all-in-one/backend.tf
 create mode 100644 examples/all-in-one/main.tf
 create mode 100644 examples/all-in-one/providers.tf
 create mode 100644 examples/all-in-one/variables.tf
 create mode 100644 examples/all-in-one/version.tf
diff --git a/examples/all-in-one/backend.tf b/examples/all-in-one/backend.tf
new file mode 100644
index 0000000..3c533e6
--- /dev/null
+++ b/examples/all-in-one/backend.tf
@@ -0,0 +1,5 @@
+terraform {
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
diff --git a/examples/all-in-one/main.tf b/examples/all-in-one/main.tf
new file mode 100644
index 0000000..2bef92e
--- /dev/null
+++ b/examples/all-in-one/main.tf
@@ -0,0 +1,21 @@
+data "aws_ssoadmin_instances" "instances" {}
+
+data "aws_organizations_organization" "organization" {}
+
+locals {
+ instance_arn = tolist(data.aws_ssoadmin_instances.instances.arns)[0]
+ identity_store_id = tolist(data.aws_ssoadmin_instances.instances.identity_store_ids)[0]
+ accounts = data.aws_organizations_organization.organization.accounts
+}
+
+module "sample_assignments" {
+ # TODO: Replace with the module of Terraform Registry
+ source = "git@github.com:speee/terraform-aws-sso-assignment.git"
+
+ instance_arn = local.instance_arn
+ identity_store_id = local.identity_store_id
+
+ organization_accounts = local.accounts
+
+ assignments = var.assignments_sample
+}
diff --git a/examples/all-in-one/providers.tf b/examples/all-in-one/providers.tf
new file mode 100644
index 0000000..6ba71cd
--- /dev/null
+++ b/examples/all-in-one/providers.tf
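Review bot: `backend "local"` with `path = "terraform.tfstate"` keeps the state file beside the example code, and the state of this module's account-assignment resources will typically hold account IDs and identity-store principal IDs; nothing in this series adds a `.gitignore` for it, so someone who copies the example into their own repository can easily commit that file. A comment above the block, `# Local state is only for trying the example; keep terraform.tfstate out of version control or switch to a remote backend`, would make the intent explicit. The identical file is added as examples/module-per-organizations-unit/backend.tf in patch 3 and would benefit from the same comment.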
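Review bot: `tolist(data.aws_ssoadmin_instances.instances.arns)[0]` and the `identity_store_ids` index on the next line assume the data source returns exactly one instance; if it returns an empty set (presumably the common cause is an AWS provider pointed at a region other than the SSO region), the plan stops with a bare index-out-of-range error that says nothing about the region. A comment on the `locals` block, `# Must be evaluated in the SSO region (var.sso_region); an empty result here usually means the provider region is wrong`, would point readers at the likely cause. The same locals are duplicated in examples/module-per-organizations-unit/main.tf in patch 3, so the comment belongs there too.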
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = var.sso_region
+}
diff --git a/examples/all-in-one/variables.tf b/examples/all-in-one/variables.tf
new file mode 100644
index 0000000..a0340c9
--- /dev/null
+++ b/examples/all-in-one/variables.tf
@@ -0,0 +1,8 @@
+variable "sso_region" {
+ type = string
+ description = "Region of your AWS SSO instance."
+}
+
+variable "assignments_all" {
+ type = map(map(map(list(string))))
+}
diff --git a/examples/all-in-one/version.tf b/examples/all-in-one/version.tf
new file mode 100644
index 0000000..0a54aab
--- /dev/null
+++ b/examples/all-in-one/version.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">=3.52.0"
+ }
+ }
+}
From d5d47ba5d892564382b050ed0eca3fa2e315ae24 Mon Sep 17 00:00:00 2001
From: Ryoh Akiyoshi
Date: Wed, 4 Aug 2021 15:23:19 +0900
Subject: [PATCH 2/5] Add example for all in one
---
 examples/all-in-one/README.md | 52 ++++++++++++++++++++++++++++
 examples/all-in-one/main.tf | 7 ++--
 examples/all-in-one/outputs.tf | 0
 examples/all-in-one/terraform.tfvars | 41 ++++++++++++++++++++++
 examples/all-in-one/variables.tf | 3 +-
 examples/all-in-one/version.tf | 2 +-
 6 files changed, 99 insertions(+), 6 deletions(-)
 create mode 100644 examples/all-in-one/README.md
 create mode 100644 examples/all-in-one/outputs.tf
 create mode 100644 examples/all-in-one/terraform.tfvars
diff --git a/examples/all-in-one/README.md b/examples/all-in-one/README.md
new file mode 100644
index 0000000..df3ffb3
--- /dev/null
+++ b/examples/all-in-one/README.md
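Review bot: `version = ">=3.52.0"` puts no upper bound on hashicorp/aws, and the series adds no `.terraform.lock.hcl` for the example, so a fresh `terraform init` resolves whatever the newest release is, including a future major version whose breaking changes the example was never run against. A bounded constraint, `version = "~> 3.52"` (or `">= 3.52.0, < 4.0.0"`), keeps the example reproducible. The same unbounded form remains when the value is lowered to `>=3.24.0` in patch 2 and in examples/module-per-organizations-unit/version.tf in patch 3.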
@@ -0,0 +1,52 @@
+# All account assignments in a single module
+
+Define all account assignments in a single module.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.3 |
+| [aws](#requirement\_aws) | >=3.24.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 3.24.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [all\_assignments](#module\_all\_assignments) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_ssoadmin_instances.instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [assignments\_all](#input\_assignments\_all) | All of account assignments. | `map(map(map(list(string))))` | n/a | yes |
+| [sso\_region](#input\_sso\_region) | Region of your AWS SSO instance. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/examples/all-in-one/main.tf b/examples/all-in-one/main.tf
index 2bef92e..10b9902 100644
--- a/examples/all-in-one/main.tf
+++ b/examples/all-in-one/main.tf
@@ -8,14 +8,13 @@ locals { accounts = data.aws_organizations_organization.organization.accounts } -module "sample_assignments" { - # TODO: Replace with the module of Terraform Registry - source = "git@github.com:speee/terraform-aws-sso-assignment.git" +module "all_assignments" { + source = "../.." instance_arn = local.instance_arn identity_store_id = local.identity_store_id organization_accounts = local.accounts - assignments = var.assignments_sample + assignments = var.assignments_all }
diff --git a/examples/all-in-one/outputs.tf b/examples/all-in-one/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/all-in-one/terraform.tfvars b/examples/all-in-one/terraform.tfvars
new file mode 100644
index 0000000..eefc46a
--- /dev/null
+++ b/examples/all-in-one/terraform.tfvars
@@ -0,0 +1,41 @@
+assignments_all = {
+ "account1" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ "Engineer" = [
+ "PowerUserAccess",
+ ],
+ "Manager" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ },
+ },
+ "account2" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ "Engineer" = [
+ "PowerUserAccess",
+ ],
+ "Manager" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ "bob@example.com" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ },
+}
diff --git a/examples/all-in-one/variables.tf b/examples/all-in-one/variables.tf
index a0340c9..96fcece 100644
--- a/examples/all-in-one/variables.tf
+++ b/examples/all-in-one/variables.tf
@@ -4,5 +4,6 @@ variable "sso_region" { } variable "assignments_all" { - type = map(map(map(list(string)))) + type = map(map(map(list(string)))) + description = "All of account assignments." }
diff --git a/examples/all-in-one/version.tf b/examples/all-in-one/version.tf
index 0a54aab..9a25607 100644
--- a/examples/all-in-one/version.tf
+++ b/examples/all-in-one/version.tf
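Review bot: The sample data in terraform.tfvars grants `AdministratorAccess` to `alice@example.com` directly under `users` in every account, next to a `SystemAdministrator` group entry that carries the same permission set; readers tend to copy tfvars as-is, and per-user admin assignments are the ones that are hardest to review and to revoke when someone leaves. A one-line comment at the top of the file, `# Prefer group assignments; list users only for individual exceptions`, would steer copies toward the group path without changing the data. The same pattern appears in ou1.auto.tfvars and ou2.auto.tfvars in patch 3.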
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">=3.52.0" + version = ">=3.24.0" } } }
From be3c07dadb9a047d3f286ea81ca7a2e58e03943f Mon Sep 17 00:00:00 2001
From: Ryoh Akiyoshi
Date: Wed, 4 Aug 2021 16:18:15 +0900
Subject: [PATCH 3/5] Add example for module per organization units
---
 .../module-per-organizations-unit/README.md | 54 +++++++++++++++++++
 .../module-per-organizations-unit/backend.tf | 5 ++
 .../module-per-organizations-unit/main.tf | 31 +++++++++++
 .../ou1.auto.tfvars | 41 ++++++++++++++
 .../ou2.auto.tfvars | 35 ++++++++++++
 .../module-per-organizations-unit/outputs.tf | 0
 .../providers.tf | 3 ++
 .../variables.tf | 14 +++++
 .../module-per-organizations-unit/version.tf | 10 ++++
 9 files changed, 193 insertions(+)
 create mode 100644 examples/module-per-organizations-unit/README.md
 create mode 100644 examples/module-per-organizations-unit/backend.tf
 create mode 100644 examples/module-per-organizations-unit/main.tf
 create mode 100644 examples/module-per-organizations-unit/ou1.auto.tfvars
 create mode 100644 examples/module-per-organizations-unit/ou2.auto.tfvars
 create mode 100644 examples/module-per-organizations-unit/outputs.tf
 create mode 100644 examples/module-per-organizations-unit/providers.tf
 create mode 100644 examples/module-per-organizations-unit/variables.tf
 create mode 100644 examples/module-per-organizations-unit/version.tf
diff --git a/examples/module-per-organizations-unit/README.md b/examples/module-per-organizations-unit/README.md
new file mode 100644
index 0000000..8152c5d
--- /dev/null
+++ b/examples/module-per-organizations-unit/README.md
@@ -0,0 +1,54 @@
+# Account assignment per organization units
+
+Define account assignments per organization units.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.3 |
+| [aws](#requirement\_aws) | >=3.24.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 3.24.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [ou1\_assignments](#module\_ou1\_assignments) | ../.. | n/a |
+| [ou2\_assignments](#module\_ou2\_assignments) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_ssoadmin_instances.instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [assignments\_ou1](#input\_assignments\_ou1) | Account assignments for Organization Unit 1. | `map(map(map(list(string))))` | n/a | yes |
+| [assignments\_ou2](#input\_assignments\_ou2) | Account assignments for Organization Unit 2. | `map(map(map(list(string))))` | n/a | yes |
+| [sso\_region](#input\_sso\_region) | Region of your AWS SSO instance. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/examples/module-per-organizations-unit/backend.tf b/examples/module-per-organizations-unit/backend.tf
new file mode 100644
index 0000000..3c533e6
--- /dev/null
+++ b/examples/module-per-organizations-unit/backend.tf
@@ -0,0 +1,5 @@
+terraform {
+ backend "local" {
+ path = "terraform.tfstate"
+ }
+}
diff --git a/examples/module-per-organizations-unit/main.tf b/examples/module-per-organizations-unit/main.tf
new file mode 100644
index 0000000..db5b2ce
--- /dev/null
+++ b/examples/module-per-organizations-unit/main.tf
@@ -0,0 +1,31 @@
+data "aws_ssoadmin_instances" "instances" {}
+
+data "aws_organizations_organization" "organization" {}
+
+locals {
+ instance_arn = tolist(data.aws_ssoadmin_instances.instances.arns)[0]
+ identity_store_id = tolist(data.aws_ssoadmin_instances.instances.identity_store_ids)[0]
+ accounts = data.aws_organizations_organization.organization.accounts
+}
+
+module "ou1_assignments" {
+ source = "../.."
+
+ instance_arn = local.instance_arn
+ identity_store_id = local.identity_store_id
+
+ organization_accounts = local.accounts
+
+ assignments = var.assignments_ou1
+}
+
+module "ou2_assignments" {
+ source = "../.."
+
+ instance_arn = local.instance_arn
+ identity_store_id = local.identity_store_id
+
+ organization_accounts = local.accounts
+
+ assignments = var.assignments_ou2
+}
diff --git a/examples/module-per-organizations-unit/ou1.auto.tfvars b/examples/module-per-organizations-unit/ou1.auto.tfvars
new file mode 100644
index 0000000..2e67034
--- /dev/null
+++ b/examples/module-per-organizations-unit/ou1.auto.tfvars
@@ -0,0 +1,41 @@
+assignments_ou1 = {
+ "account1" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ "Engineer" = [
+ "PowerUserAccess",
+ ],
+ "Manager" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ },
+ },
+ "account2" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ "Engineer" = [
+ "PowerUserAccess",
+ ],
+ "Manager" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ "bob@example.com" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ },
+}
diff --git a/examples/module-per-organizations-unit/ou2.auto.tfvars b/examples/module-per-organizations-unit/ou2.auto.tfvars
new file mode 100644
index 0000000..e475302
--- /dev/null
+++ b/examples/module-per-organizations-unit/ou2.auto.tfvars
@@ -0,0 +1,35 @@
+assignments_ou2 = {
+ "account3" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ "Manager" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ },
+ },
+ "account4" = {
+ "groups" = {
+ "SystemAdministrator" = [
+ "AdministratorAccess",
+ ],
+ },
+ "users" = {
+ "alice@example.com" = [
+ "AdministratorAccess",
+ ],
+ "bob@example.com" = [
+ "ReadOnlyAccess",
+ ],
+ "carol@example.com" = [
+ "ReadOnlyAccess",
+ ],
+ },
+ },
+}
diff --git a/examples/module-per-organizations-unit/outputs.tf b/examples/module-per-organizations-unit/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/module-per-organizations-unit/providers.tf b/examples/module-per-organizations-unit/providers.tf
new file mode 100644
index 0000000..6ba71cd
--- /dev/null
+++ b/examples/module-per-organizations-unit/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = var.sso_region
+}
diff --git a/examples/module-per-organizations-unit/variables.tf b/examples/module-per-organizations-unit/variables.tf
new file mode 100644
index 0000000..fcd6392
--- /dev/null
+++ b/examples/module-per-organizations-unit/variables.tf
@@ -0,0 +1,14 @@
+variable "sso_region" {
+ type = string
+ description = "Region of your AWS SSO instance."
+}
+
+variable "assignments_ou1" {
+ type = map(map(map(list(string))))
+ description = "Account assignments for Organization Unit 1."
+}
+
+variable "assignments_ou2" {
+ type = map(map(map(list(string))))
+ description = "Account assignments for Organization Unit 2."
+}
diff --git a/examples/module-per-organizations-unit/version.tf b/examples/module-per-organizations-unit/version.tf
new file mode 100644
index 0000000..9a25607
--- /dev/null
+++ b/examples/module-per-organizations-unit/version.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">=3.24.0"
+ }
+ }
+}
From a3a80d63c4791b7010670bee5f84c8279d9b247a Mon Sep 17 00:00:00 2001
From: Ryoh Akiyoshi
Date: Wed, 4 Aug 2021 16:32:43 +0900
Subject: [PATCH 4/5] Update README
---
 README.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d01467a..87c90d1 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,70 @@ Terraform module which creates AWS SSO assignments on AWS. +## Usage +```hcl +module "account_assignments" { + source = "speee/sso_assignments/aws" + + instance_arn = "arn:aws:sso:::instance/ssoins-9999999999999999" + identity_store_id = "d-9999999999" + + organization_accounts = [ + { + arn = "arn:aws:organizations::123456789012:account/o-xxxxxxxxxx/123456789012" + email = "account1@example.com" + id = "123456789012" + name = "account1" + }, + { + arn = "arn:aws:organizations::123456789012:account/o-xxxxxxxxxx/234567890123" + email = "account2@example.com" + id = "234567890123" + name = "account2" + }, + ] + + assignments = { + "account1" = { + "groups" = { + "SystemAdministrator" = [ + "AdministratorAccess", + ], + "Engineer" = [ + "PowerUserAccess", + ], + "Manager" = [ + "ReadOnlyAccess", + ], + }, + "users" = { + "alice@example.com" = [ + "AdministratorAccess", + ], + }, + }, + "account2" = { + "users" = { + "alice@example.com" = [ + "AdministratorAccess", + ], + "bob@example.com" = [ + "ReadOnlyAccess", + ], + }, + }, + } +} +``` + +## Examples +- [All account assignments in a single module](https://github.com/speee/terraform-aws-sso-assignment/tree/master/examples/all-in-one) +- [Account assignments per organization units](https://github.com/speee/terraform-aws-sso-assignment/tree/master/examples/module-per-organizations-unit) + +## Notes +1. This module does not create no resource other than `aws_ssoadmin_account_assignment` resource. Use resources or data sources directly to manage other resources like `aws_ssoadmin_permission_set`. + + ## Requirements
@@ -14,7 +78,7 @@ Terraform module which creates AWS SSO assignments on AWS. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.52.0 | +| [aws](#provider\_aws) | 3.24.0 | ## Modules
From cafcd451752fbc1f8b5fc18c2186e306007c042e Mon Sep 17 00:00:00 2001
From: Ryoh Akiyoshi
Date: Wed, 4 Aug 2021 17:43:12 +0900
Subject: [PATCH 5/5] Fix versions
---
 examples/all-in-one/README.md | 2 +-
 examples/all-in-one/version.tf | 2 +-
 examples/module-per-organizations-unit/README.md | 2 +-
 examples/module-per-organizations-unit/version.tf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/all-in-one/README.md b/examples/all-in-one/README.md
index df3ffb3..fd3e00a 100644
--- a/examples/all-in-one/README.md
+++ b/examples/all-in-one/README.md
@@ -17,7 +17,7 @@ $ terraform apply | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.3 | +| [terraform](#requirement\_terraform) | >= 0.13.7 | | [aws](#requirement\_aws) | >=3.24.0 | ## Providers
diff --git a/examples/all-in-one/version.tf b/examples/all-in-one/version.tf
index 9a25607..0807d3a 100644
--- a/examples/all-in-one/version.tf
+++ b/examples/all-in-one/version.tf
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0.3" + required_version = ">= 0.13.7" required_providers { aws = {
diff --git a/examples/module-per-organizations-unit/README.md b/examples/module-per-organizations-unit/README.md
index 8152c5d..dfe8f23 100644
--- a/examples/module-per-organizations-unit/README.md
+++ b/examples/module-per-organizations-unit/README.md
@@ -17,7 +17,7 @@ $ terraform apply | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.3 | +| [terraform](#requirement\_terraform) | >= 0.13.7 | | [aws](#requirement\_aws) | >=3.24.0 | ## Providers
diff --git a/examples/module-per-organizations-unit/version.tf b/examples/module-per-organizations-unit/version.tf
index 9a25607..0807d3a 100644
--- a/examples/module-per-organizations-unit/version.tf
+++ b/examples/module-per-organizations-unit/version.tf
@@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.0.3" + required_version = ">= 0.13.7" required_providers { aws = {