combine iam identity modules (#12)

* combine iam identity modules

* Fix main.tf

* comment out assignment temporarily

Author: zachrundle

main.tf

@@ -28,4 +28,18 @@ module "permission_sets" {
       policy_attachments                  = ["arn:aws:iam::aws:policy/AdministratorAccess"]
       customer_managed_policy_attachments = []
   }]
+  groups = ["administrators", "developers", "networking"]
+
+  users = {
+    "Zach Rundle" = {
+      first_name = "Zach"
+      last_name  = "Rundle"
+      groups     = "administrators"
+    },
+    "Maverick Dog" = {
+      first_name = "Maverick"
+      last_name  = "Dog"
+      groups     = "developers"
+    },
+  }
 }

modules/iam_identity_center/main.tf

@@ -64,3 +64,43 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
     path = coalesce(each.value.policy_path, "/")
   }
 }
+
+resource "aws_identitystore_group" "this" {
+  for_each          = { for group_name in var.groups : group_name => group_name }
+  display_name      = each.value
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
+
+resource "aws_identitystore_user" "this" {
+  for_each = var.users
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  display_name = format("%s %s", each.value.first_name, each.value.last_name)
+  user_name    = format("%s%s", substr(lower(each.value.first_name), 0, 1), lower(each.value.last_name))
+
+  name {
+    given_name  = each.value.first_name
+    family_name = each.value.last_name
+  }
+
+  emails {
+    value = join("@", [format("%s.%s", lower(each.value.first_name), lower(each.value.last_name)), var.email_domain])
+  }
+}
+
+resource "aws_identitystore_group_membership" "this" {
+  for_each =  var.users
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.this[each.value.groups].group_id
+  member_id         = aws_identitystore_user.this[each.key].user_id
+}
+
+# resource "aws_ssoadmin_account_assignment" "this" {
+#   instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
+#   permission_set_arn = data.aws_ssoadmin_permission_set.this.arn
+
+#   principal_id   = data.aws_identitystore_group.this.group_id
+#   principal_type = "GROUP"
+
+#   target_id   = "123456789012"
+#   target_type = "AWS_ACCOUNT"
+# }

modules/iam_identity_center/variables.tf

@@ -14,4 +14,26 @@ variable "permission_sets" {
   }))
 
   default = []
+}
+
+variable "users" {
+  description = "Map of user identifiers to user details including their team."
+  type = map(object({
+    first_name = string
+    last_name  = string
+    # TODO: add support in case a user needs to belong to multiple groups
+    groups     = string
+  }))
+}
+
+variable "email_domain" {
+  description = "Domain used for user email accounts"
+  type        = string
+  default     = "example.com"
+}
+
+variable "groups" {
+  description = "List of IAM identity center groups to create"
+  type        = set(string)
+  default     = []
 }