# - Users and Groups -
locals {
  # Flatten var.sso_users (a map of user definitions) into one
  # { user_name, group_name } object per user/group-membership pair.
  flatten_user_data = flatten([
    for user_key, sso_user in var.sso_users : [
      for membership in sso_user.group_membership : {
        user_name  = sso_user.user_name
        group_name = membership
      }
    ]
  ])

  # Re-key the flattened pairs as a map so they can drive a for_each;
  # the key is "<user_name>_<group_name>".
  users_and_their_groups = {
    for pair in local.flatten_user_data : "${pair.user_name}_${pair.group_name}" => pair
  }

  # Same flattening for users that already exist in the Google IdP
  # (var.existing_google_sso_users), kept separate from the managed users above.
  flatten_user_data_existing_google_sso_users = flatten([
    for user_key, google_user in var.existing_google_sso_users : [
      for membership in google_user.group_membership : {
        user_name  = google_user.user_name
        group_name = membership
      }
    ]
  ])

  # Map form of the existing-Google-user pairs, keyed "<user_name>_<group_name>".
  users_and_their_groups_existing_google_sso_users = {
    for pair in local.flatten_user_data_existing_google_sso_users : "${pair.user_name}_${pair.group_name}" => pair
  }
}
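# - Permission Sets and Policies -
locals {
  # - Fetch SSO Instance ARN and SSO Instance ID -
  # The data source exposes sets; tolist()[0] selects the single Identity Center instance.
  # NOTE(review): this assumes exactly one instance is visible in this account/region --
  # an empty set would fail with an index-out-of-range error at plan time. Confirm.
  ssoadmin_instance_arn = tolist(data.aws_ssoadmin_instances.sso_instance.arns)[0]
  sso_instance_id       = tolist(data.aws_ssoadmin_instances.sso_instance.identity_store_ids)[0]

  # Partition var.permission_sets by the kind of policy attachment each definition declares.
  # pset_name is the map key (the permission set name); pset_index is the matching value
  # (the permission set definition). can(<attribute access>) is true when the attribute
  # exists on the definition. It does NOT validate ARNs, and an attribute that exists but
  # is null still passes this filter -- which is why the flattening below guards against
  # null before iterating.
  aws_managed_permission_sets                           = { for pset_name, pset_index in var.permission_sets : pset_name => pset_index if can(pset_index.aws_managed_policies) }
  customer_managed_permission_sets                      = { for pset_name, pset_index in var.permission_sets : pset_name => pset_index if can(pset_index.customer_managed_policies) }
  inline_policy_permission_sets                         = { for pset_name, pset_index in var.permission_sets : pset_name => pset_index if can(pset_index.inline_policy) }
  permissions_boundary_aws_managed_permission_sets      = { for pset_name, pset_index in var.permission_sets : pset_name => pset_index if can(pset_index.permissions_boundary.managed_policy_arn) }
  permissions_boundary_customer_managed_permission_sets = { for pset_name, pset_index in var.permission_sets : pset_name => pset_index if can(pset_index.permissions_boundary.customer_managed_policy_reference) }

  # When using the 'for' expression in Terraform:
  #   [ and ] produces a tuple
  #   { and } produces an object, and you must provide two result expressions separated by =>
  # flatten() replaces any nested lists with their contents, turning the list-of-lists
  # produced by the nested 'for' into a single flat list of objects.

  # - AWS Managed Policies -
  # One { pset_name, policy_arn } object per (permission set, managed policy ARN) pair.
  # The null guard sits on the OUTER 'for': Terraform rejects `for policy in null`, so a
  # guard placed inside the inner loop (the previous form) was evaluated too late to help.
  pset_aws_managed_policy_maps = flatten([
    for pset_name, pset_index in local.aws_managed_permission_sets : [
      for policy in pset_index.aws_managed_policies : {
        pset_name  = pset_name
        policy_arn = policy
      }
    ] if pset_index.aws_managed_policies != null
  ])

  # - Customer Managed Policies -
  # One { pset_name, policy_name } object per (permission set, customer managed policy) pair.
  # Same outer null guard as above.
  pset_customer_managed_policy_maps = flatten([
    for pset_name, pset_index in local.customer_managed_permission_sets : [
      for policy in pset_index.customer_managed_policies : {
        pset_name   = pset_name
        policy_name = policy
      }
    ] if pset_index.customer_managed_policies != null
  ])

  # - Inline Policy -
  # One { pset_name, inline_policy } object per permission set that declares an inline policy.
  # The inline_policy value is passed through unchanged; no null guard is needed because
  # nothing here iterates over it.
  pset_inline_policy_maps = flatten([
    for pset_name, pset_index in local.inline_policy_permission_sets : [
      {
        pset_name     = pset_name
        inline_policy = pset_index.inline_policy
      }
    ]
  ])

  # - Permissions boundary -
  # One { pset_name, boundary } object per permission set with an AWS managed boundary ARN.
  pset_permissions_boundary_aws_managed_maps = flatten([
    for pset_name, pset_index in local.permissions_boundary_aws_managed_permission_sets : [
      {
        pset_name = pset_name
        boundary = {
          managed_policy_arn = pset_index.permissions_boundary.managed_policy_arn
        }
      }
    ]
  ])

  # One { pset_name, boundary } object per permission set with a customer managed boundary reference.
  pset_permissions_boundary_customer_managed_maps = flatten([
    for pset_name, pset_index in local.permissions_boundary_customer_managed_permission_sets : [
      {
        pset_name = pset_name
        boundary = {
          customer_managed_policy_reference = pset_index.permissions_boundary.customer_managed_policy_reference
        }
      }
    ]
  ])
}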
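# - Account Assignments -
locals {
  # Map of account name => account id for every ACTIVE account in the organization.
  # Non-ACTIVE (suspended/closed) accounts are excluded so an assignment can never
  # resolve a name to one of them.
  # NOTE(review): keys are account names; two ACTIVE accounts sharing a name would make this
  # for-expression fail with a duplicate-key error -- confirm names are unique in the org.
  accounts_ids_maps = {
    for account in data.aws_organizations_organization.organization.accounts : account.name => account.id
    if account.status == "ACTIVE"
  }

  # Flatten var.account_assignments into one object per
  # (assignment, account, permission set) combination. The result is a tuple.
  flatten_account_assignment_data = flatten([
    for this_assignment in keys(var.account_assignments) : [
      for account in var.account_assignments[this_assignment].account_ids : [
        for pset in var.account_assignments[this_assignment].permission_sets : {
          permission_set = pset
          principal_name = var.account_assignments[this_assignment].principal_name
          principal_type = var.account_assignments[this_assignment].principal_type
          principal_idp  = var.account_assignments[this_assignment].principal_idp
          # An entry is taken as a literal account id only when the WHOLE string is a
          # 12-digit id (anchored pattern). The previous unanchored pattern accepted any
          # string that merely contained 12 consecutive digits and passed it through
          # unchanged instead of resolving it as an account name. Everything else is
          # resolved by name against the ACTIVE-account map; an unknown or non-ACTIVE name
          # yields null here, which is expected to fail loudly when the map key is
          # formatted in principals_and_their_account_assignments below rather than
          # silently targeting no account -- confirm that behaviour if the lookup changes.
          account_id = length(regexall("^[0-9]{12}$", account)) > 0 ? account : lookup(local.accounts_ids_maps, account, null)
        }
      ]
    ]
  ])

  # Convert the flatten_account_assignment_data tuple into a map.
  # Since this local feeds a for_each, it must be a map or a set of strings.
  # The key encodes principal type, principal name, permission set and account id, so
  # each assignment is unique per (principal, permission set, account).
  principals_and_their_account_assignments = {
    for s in local.flatten_account_assignment_data : format("Type:%s__Principal:%s__Permission:%s__Account:%s", s.principal_type, s.principal_name, s.permission_set, s.account_id) => s
  }

  # List of permission sets, groups, and users that are defined in this module
  this_permission_sets = keys(var.permission_sets)
  this_groups = [
    for group in var.sso_groups : group.group_name
  ]
  this_users = [
    for user in var.sso_users : user.user_name
  ]

  # List of permission sets, groups, and users that are defined in this module
  # this_existing_permission_sets = keys(var.existing_permission_sets)
  # this_existing_groups = [
  #   for group in var.existing_sso_groups : group.group_name
  # ]
  # this_existing_google_sso_users = [
  #   for user in var.existing_google_sso_users : user.user_name
  # ]
}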
locals {
  # Group -> application assignments: one { app_name, group_name, principal_type }
  # object per group listed in an application's group_assignments.
  apps_groups_assignments = flatten([
    for application in var.sso_applications : [
      for assigned_group in application.group_assignments : {
        app_name       = application.name
        group_name     = assigned_group
        principal_type = "GROUP"
      }
    ]
  ])

  # User -> application assignments: one { app_name, user_name, principal_type }
  # object per user listed in an application's user_assignments.
  apps_users_assignments = flatten([
    for application in var.sso_applications : [
      for assigned_user in application.user_assignments : {
        app_name       = application.name
        user_name      = assigned_user
        principal_type = "USER"
      }
    ]
  ])

  # Per-application assignment configuration: whether an explicit assignment is
  # required before a principal may access the application.
  apps_assignments_configs = flatten([
    for application in var.sso_applications : {
      app_name            = application.name
      assignment_required = application.assignment_required
    }
  ])

  # Per-application access scopes: one { app_name, authorized_targets, scope } object
  # per entry in an application's assignments_access_scope.
  apps_assignments_access_scopes = flatten([
    for application in var.sso_applications : [
      for access_scope in application.assignments_access_scope : {
        app_name           = application.name
        authorized_targets = access_scope.authorized_targets
        scope              = access_scope.scope
      }
    ]
  ])
}