zachrundle
diff --git a/‎modules/iam_identity_center/main.tf‎
Lines changed: 46 additions & 0 deletions b/‎modules/iam_identity_center/main.tf‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎modules/iam_identity_center/variables.tf‎
Lines changed: 22 additions & 0 deletions b/‎modules/iam_identity_center/variables.tf‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎modules/iam_identity_users/main.tf‎
Lines changed: 0 additions & 34 deletions b/‎modules/iam_identity_users/main.tf‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎modules/iam_identity_users/variables.tf‎
Lines changed: 0 additions & 21 deletions b/‎modules/iam_identity_users/variables.tf‎
Lines changed: 0 additions & 21 deletions
@@ -64,3 +64,49 @@ resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
     path = coalesce(each.value.policy_path, "/")
   }
 }
+
+# Fetching SSO Instance
+data "aws_ssoadmin_instances" "this" {}
+
+# Create SSO Groups
+resource "aws_identitystore_group" "this" {
+  for_each          = { for group_name in var.groups : group_name => group_name }
+  display_name      = each.value
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
+
+# Create SSO Users
+resource "aws_identitystore_user" "this" {
+  for_each = var.users
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  display_name = format("%s %s", each.value.first_name, each.value.last_name)
+  user_name    = format("%s%s", substr(lower(each.value.first_name), 0, 1), lower(each.value.last_name))
+
+  name {
+    given_name  = each.value.first_name
+    family_name = each.value.last_name
+  }
+
+  emails {
+    value = join("@", [format("%s.%s", lower(each.value.first_name), lower(each.value.last_name)), var.email_domain])
+  }
+}
+
+# Assign Users to Groups
+resource "aws_identitystore_group_membership" "this" {
+  for_each =  var.users
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.this[each.value.groups].group_id
+  member_id         = aws_identitystore_user.this[each.key].user_id
+}
+
+resource "aws_ssoadmin_account_assignment" "this" {
+  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+  permission_set_arn = data.aws_ssoadmin_permission_set.example.arn
+
+  principal_id   = data.aws_identitystore_group.this.group_id
+  principal_type = "GROUP"
+
+  target_id   = "123456789012"
+  target_type = "AWS_ACCOUNT"
+}
@@ -14,4 +14,26 @@ variable "permission_sets" {
   }))
 
   default = []
+}
+
+variable "users" {
+  description = "Map of user identifiers to user details including their team."
+  type = map(object({
+    first_name = string
+    last_name  = string
+    # TODO: add support in case a user needs to belong to multiple groups
+    groups     = string
+  }))
+}
+
+variable "email_domain" {
+  description = "Domain used for user email accounts"
+  type        = string
+  default     = "example.com"
+}
+
+variable "groups" {
+  description = "List of IAM identity center groups to create"
+  type        = set(string)
+  default     = []
 }