From 01e5b2a76a47bd55178d66e01ba4d51acb9ee236 Mon Sep 17 00:00:00 2001 From: viktoryathegreat Date: Mon, 13 May 2024 14:16:49 +0400 Subject: [PATCH 1/4] fix(DMVP-4099): Deleted deprecated feature --- .../sso/modules/account-assignments/data.tf | 17 +++++++++------- modules/sso/tests/basic/0-setup.tf | 20 +++++++++++++++++++ modules/sso/tests/basic/1-example.tf | 13 ++++++++++++ 3 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 modules/sso/tests/basic/0-setup.tf create mode 100644 modules/sso/tests/basic/1-example.tf diff --git a/modules/sso/modules/account-assignments/data.tf b/modules/sso/modules/account-assignments/data.tf index ae1966d..1ebe53b 100644 --- a/modules/sso/modules/account-assignments/data.tf +++ b/modules/sso/modules/account-assignments/data.tf @@ -4,18 +4,21 @@ data "aws_identitystore_group" "this" { for_each = local.group_list identity_store_id = local.identity_store_id - filter { - attribute_path = "DisplayName" - attribute_value = each.key + alternate_identifier { + unique_attribute { + attribute_path = "DisplayName" + attribute_value = each.key + } } } data "aws_identitystore_user" "this" { for_each = local.user_list identity_store_id = local.identity_store_id - - filter { - attribute_path = "UserName" - attribute_value = each.key + alternate_identifier { + unique_attribute { + attribute_path = "UserName" + attribute_value = each.key + } } } diff --git a/modules/sso/tests/basic/0-setup.tf b/modules/sso/tests/basic/0-setup.tf new file mode 100644 index 0000000..a859a5e --- /dev/null +++ b/modules/sso/tests/basic/0-setup.tf 
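Review bot: The `alternate_identifier { unique_attribute { … } }` blocks added to both data sources require a 4.x AWS provider release newer than 4.0.0, but the account-assignments `versions.tf` changed later in this series only pins `version = "~> 4.0"`, so an older 4.x selected by an existing lock file would reject the block as unsupported. Raise the floor to the release that introduced it, e.g. `version = ">= 4.40.0, < 5.0.0"` (I believe 4.40.0 is that release; confirm against the provider changelog before relying on it). A second, pre-existing caveat worth documenting: both lookups key on `DisplayName` and `UserName`, which are mutable attributes owned by the upstream identity source, so renaming a group or creating a new group with a freed name re-targets the assignment without any change in Terraform; a comment such as `# Resolved by display name rather than GroupId: renames in the IdP silently re-target this assignment` on each data block would make that explicit. The `local.group_list`, `local.user_list` and `local.identity_store_id` values these blocks reference are defined outside the hunk.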
@@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.41" + } + } + + required_version = ">= 1.3.0" +} + +/** + * set the following env vars so that aws provider will get authenticated before apply: + + export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx + export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx +*/ +provider "aws" { + region = "eu-central-1" +} diff --git a/modules/sso/tests/basic/1-example.tf b/modules/sso/tests/basic/1-example.tf new file mode 100644 index 0000000..01a8ef0 --- /dev/null +++ b/modules/sso/tests/basic/1-example.tf @@ -0,0 +1,13 @@ +module "this" { + source = "../.." + associations = [ + { + group = "AdministratorAccess", + policy = "arn:aws:iam::aws:policy/AdministratorAccess" + }, + { + group = "ReadOnlyAccess", + policy = "arn:aws:iam::aws:policy/ReadOnlyAccess" + } + ] +} From 38597015a0c3a95f44a8401fe3815501b8766fbc Mon Sep 17 00:00:00 2001 From: viktoryathegreat Date: Mon, 13 May 2024 14:17:33 +0400 Subject: [PATCH 2/4] fix(DMVP-4099): Added missing line --- .github/workflows/checkov.yaml | 2 +- .github/workflows/terraform-test.yaml | 2 +- .github/workflows/tflint.yaml | 2 +- githooks/commit-msg | 0 githooks/pre-commit | 0 modules/sso/README.md | 40 +++++++++++++++++++++++++-- modules/sso/tests/basic/1-example.tf | 1 + modules/sso/tests/basic/README.md | 32 +++++++++++++++++++++ 8 files changed, 73 insertions(+), 6 deletions(-) mode change 100644 => 100755 githooks/commit-msg mode change 100644 => 100755 githooks/pre-commit create mode 100644 modules/sso/tests/basic/README.md diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml index 1db153a..25a44c3 100644 --- a/.github/workflows/checkov.yaml +++ b/.github/workflows/checkov.yaml @@ -19,7 +19,7 @@ jobs: - modules/sso - modules/sso/modules/account-assignments - modules/sso/modules/permission-sets - + steps: - uses: dasmeta/reusable-actions-workflows/checkov@main with: 
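Review bot: The header comment in the new `0-setup.tf` tells the operator to export `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, i.e. static IAM user keys, for a test root whose `1-example.tf` in the same commit assigns `AdministratorAccess` to an Identity Center group; documenting long-lived keys as the auth path for a change of that privilege level is the wrong default. I would replace the two `export` lines with `# Authenticate with short-lived credentials: AWS_PROFILE from aws sso login, or an assumed role in CI. Do not use static access keys.` The provider constraint `version = ">= 3.41"` has no upper bound, so it is only the sub-modules' `~> 4.0` that stops a future major from being selected for this root; pinning `~> 4.0` here as well keeps the test reproducible on its own. The hard-coded `region = "eu-central-1"` presumably has to match the Identity Center home region of the account under test, which deserves a one-line comment since a mismatch surfaces only when the data sources are read.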
diff --git a/.github/workflows/terraform-test.yaml b/.github/workflows/terraform-test.yaml index 70b927f..e7c49f4 100644 --- a/.github/workflows/terraform-test.yaml +++ b/.github/workflows/terraform-test.yaml @@ -16,7 +16,7 @@ jobs: matrix: path: - / - + steps: - uses: dasmeta/reusable-actions-workflows/terraform-test@main with: diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml index 034249c..b89af97 100644 --- a/.github/workflows/tflint.yaml +++ b/.github/workflows/tflint.yaml @@ -20,7 +20,7 @@ jobs: - modules/sso - modules/sso/modules/account-assignments - modules/sso/modules/permission-sets - + steps: - uses: dasmeta/reusable-actions-workflows/tflint@main with: diff --git a/githooks/commit-msg b/githooks/commit-msg old mode 100644 new mode 100755 diff --git a/githooks/pre-commit b/githooks/pre-commit old mode 100644 new mode 100755 diff --git a/modules/sso/README.md b/modules/sso/README.md index b470eaa..4d394db 100644 --- a/modules/sso/README.md +++ b/modules/sso/README.md 
@@ -1,11 +1,11 @@ -## This module configures AWS Single Sign-On (SSO). AWS SSO makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. +## This module configures AWS Single Sign-On (SSO). AWS SSO makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. ### Usage -This module contains two sub-modules that can be used in conjunction to provision AWS SSO Permission Sets and to +This module contains two sub-modules that can be used in conjunction to provision AWS SSO Permission Sets and to assign AWS SSO Users and Groups to Permissions Sets in accounts. -- [modules/account-assignments](/modules/account-assignments) - a module for assigning groups to permission +- [modules/account-assignments](/modules/account-assignments) - a module for assigning groups to permission sets in particular accounts - [modules/permission-sets](/modules/permission-sets) - a module for provisioning AWS SSO permission sets 
@@ -29,4 +29,38 @@ module "sso_setup" { ] } ``` + +## Requirements +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [permission\_sets](#module\_permission\_sets) | ./modules/permission-sets | n/a | +| [sso\_account\_assignments](#module\_sso\_account\_assignments) | ./modules/account-assignments | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_id](#input\_account\_id) | n/a | `string` | `""` | no | +| [associations](#input\_associations) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/sso/tests/basic/1-example.tf b/modules/sso/tests/basic/1-example.tf index 01a8ef0..976a483 100644 --- a/modules/sso/tests/basic/1-example.tf +++ b/modules/sso/tests/basic/1-example.tf @@ -1,5 +1,6 @@ module "this" { source = "../.." + associations = [ { group = "AdministratorAccess", diff --git a/modules/sso/tests/basic/README.md b/modules/sso/tests/basic/README.md new file mode 100644 index 0000000..39ba1f2 --- /dev/null +++ b/modules/sso/tests/basic/README.md @@ -0,0 +1,32 @@ +# basic + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | >= 3.41 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | ../.. | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + From e86608216ab46b803456769072163ddf96b131aa Mon Sep 17 00:00:00 2001 
From: viktoryathegreat Date: Mon, 13 May 2024 14:30:59 +0400 Subject: [PATCH 3/4] fix(DMVP-4099): Upgraded terraform and aws provider versions --- modules/sso/modules/account-assignments/README.md | 6 +++--- modules/sso/modules/account-assignments/versions.tf | 4 ++-- modules/sso/modules/permission-sets/README.md | 6 +++--- modules/sso/modules/permission-sets/versions.tf | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/sso/modules/account-assignments/README.md b/modules/sso/modules/account-assignments/README.md index 28ecb7b..afa5b86 100644 --- a/modules/sso/modules/account-assignments/README.md +++ b/modules/sso/modules/account-assignments/README.md @@ -47,14 +47,14 @@ module "sso_account_assignments" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 3.26.0 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | ~> 4.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.26.0 | +| [aws](#provider\_aws) | ~> 4.0 | ## Modules diff --git a/modules/sso/modules/account-assignments/versions.tf b/modules/sso/modules/account-assignments/versions.tf index c9a3bb8..5521288 100644 --- a/modules/sso/modules/account-assignments/versions.tf +++ b/modules/sso/modules/account-assignments/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.26.0" + version = "~> 4.0" } } } diff --git a/modules/sso/modules/permission-sets/README.md b/modules/sso/modules/permission-sets/README.md index 25997ea..bafd81f 100644 --- a/modules/sso/modules/permission-sets/README.md +++ b/modules/sso/modules/permission-sets/README.md 
@@ -68,14 +68,14 @@ resource "aws_iam_policy" "S3Access" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 4.30.0 | +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | ~> 4.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.30.0 | +| [aws](#provider\_aws) | ~> 4.0 | ## Modules diff --git a/modules/sso/modules/permission-sets/versions.tf b/modules/sso/modules/permission-sets/versions.tf index fe87704..5521288 100644 --- a/modules/sso/modules/permission-sets/versions.tf +++ b/modules/sso/modules/permission-sets/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.0" + required_version = ">= 1.3.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.30.0" + version = "~> 4.0" } } } From e89a8992ca92f1c59bbc9f982fa1d8ad993b9685 Mon Sep 17 00:00:00 2001 From: viktoryathegreat Date: Mon, 13 May 2024 14:48:28 +0400 Subject: [PATCH 4/4] fix(DMVP-4099): Added test example --- modules/sso/README.md | 12 +++++------- modules/sso/tests/basic/1-example.tf | 8 ++++---- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/modules/sso/README.md b/modules/sso/README.md index 4d394db..6385864 100644 --- a/modules/sso/README.md +++ b/modules/sso/README.md @@ -17,15 +17,13 @@ module "sso_setup" { associations = [ { - group = "AWSMarketplaceFullAccess" - policy = "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess" s" - // You can set AWS account id (default is current account) - account_id = "" + group = "Administrators", //Group name + policy = ["arn:aws:iam::aws:policy/AdministratorAccess"] }, { - group = "AmazonGlacierReadOnlyAccess" - policy = "arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess" - }, + group = "Developers", //Group name + policy = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] + } ] } ``` 
diff --git a/modules/sso/tests/basic/1-example.tf b/modules/sso/tests/basic/1-example.tf index 976a483..b56dbe1 100644 --- a/modules/sso/tests/basic/1-example.tf +++ b/modules/sso/tests/basic/1-example.tf @@ -3,12 +3,12 @@ module "this" { associations = [ { - group = "AdministratorAccess", - policy = "arn:aws:iam::aws:policy/AdministratorAccess" + group = "Administrators", //Group name + policy = ["arn:aws:iam::aws:policy/AdministratorAccess"] }, { - group = "ReadOnlyAccess", - policy = "arn:aws:iam::aws:policy/ReadOnlyAccess" + group = "Developers", //Group name + policy = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] } ] }
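Review bot: The example resolves `Administrators` and `Developers` by display name through the data sources changed in the first patch of this series, so both groups must already exist in the identity store, and because no `account_id` is given the `AdministratorAccess` assignment lands in whichever account the test credentials belong to (the README line removed in this same patch described the default as the current account). A header comment would make that explicit, e.g. `# Groups must pre-exist in IAM Identity Center; applying this grants AdministratorAccess in the caller's current account.` Also, the terraform-test workflow hunk earlier in this series lists only `/` in its path matrix, so it is not clear this example is executed by CI at all; either add `modules/sso/tests/basic` to that matrix or note here that it is run manually. The `associations` variable schema lives outside this hunk, so I could not verify that `policy` accepts a list as the new form assumes.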