Releases: cloudposse/terraform-aws-sso
v1.2.0
fix: coalesce policy attachments to '/' @dudymas (#51)
what
- coalesce policy attachments in parameter-set module to "/"
why
- Some versions of the aws-sso provider allow this behavior and it corrupts tfstate - coalesce is more friendly to generated paths, which could be difficult to correct in some scenarios
v1.1.1
Add missing permission_set_name to account_assigments README.md @ximena9201 (#36)
what
This pull request adds a missing permission_set_name attribute to README.md within the account_assignments module. It's exactly related to the open draft #28, which, however, due to a lack of activity in the meantime, may have caused confusion, as I personally was unable to find it documented. I tested the module again and it worked with the missing attribute.
why
I recently went through the process of testing one of the modules and noticed that an attribute was missing from the README documentation. To prevent confusion for future users, I propose updating the README to include this missing information.
references
- None, I just went through testing one of the modules and found out that adding the missing documented attribute fixed the issue.
🚀 Enhancements
Bugfix/deprecated field @Benbentwo (#44)
what
why
- Bugfix for provider version AWS 4.40+
- Workflows for better automation
References:
v1.1.0
- No changes
v1.0.0
Fix AWS provider 4.40 deprecation warnings @simonweil (#35)
what
Fix the deprecation warnings as described here: https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.40.0
Based on PR #33 so that should be merged first.
why
Otherwise there are deprecation warnings...
references
v0.8.0
feat: allow to safely depend on other resources to read from the identity store @simonweil (#33)
what
This adds a workaround for the depends_on issue with modules and data sources.
- Added a wait for variable
- Added a null_resource to use for depends_on for the data resource
If the PR is acceptable, we can add an example usage to avoid the recreation of resources.
why
- When creating a user group via an external source that syncs with AWS SSO, we need to wait for it to finish before reading the groups from the identity store
- Adding a depends_on to a module can create a situation where every change to the dependee will recreate ALL the resources of the module, which is super bad
In my case I have the following code:
    data "okta_user" "this" {
      for_each = toset(local.users_list)
      user_id  = each.value
    }

    resource "okta_group" "this" {
      for_each    = local.accounts_list
      name        = each.value.group_name
      description = "description"
    }

    resource "okta_group_memberships" "this" {
      for_each = local.accounts_list
      group_id = okta_group.this[each.key].id
      users    = [for u in each.value.users : data.okta_user.this[u].id]
    }

    module "permission_sets" {
      source  = "cloudposse/sso/aws//modules/permission-sets"
      version = "0.6.1"

      permission_sets = [
        for a in local.accounts_list : {
          name               = a.permission_set_name
          description        = "some desc"
          relay_state        = ""
          session_duration   = "PT2H"
          tags               = local.permission_set_tags
          inline_policy      = ""
          policy_attachments = ["arn:aws:iam::aws:policy/XXXXX"]
        }
      ]
    }

    module "account_assignments" {
      source  = "cloudposse/sso/aws//modules/account-assignments"
      version = "0.6.1"

      depends_on = [
        okta_group.this,
      ]

      account_assignments = concat([
        for a in local.accounts_list : {
          account             = a.id
          permission_set_arn  = module.permission_sets.permission_sets[a.permission_set_name].arn
          permission_set_name = "${a.name}-${a.role}"
          principal_type      = "GROUP",
          principal_name      = a.group_name
        }
      ])
    }
Whenever I need to change the local.accounts_list, it causes ALL the assignments to be recreated, disconnecting users and causing mayhem...
With the proposed change I need to change the account_assignments module, and now I can add or remove accounts safely:
    module "account_assignments" {
      source   = "path/to/terraform-aws-sso/modules/account-assignments"
      for_each = local.accounts_list

      wait_group_creation = okta_group.this[each.value.name].id

      account_assignments = [
        {
          account             = each.value.id
          permission_set_arn  = module.permission_sets.permission_sets[each.value.permission_set_name].arn
          permission_set_name = "${each.value.name}-${each.value.role}"
          principal_type      = "GROUP",
          principal_name      = each.value.group_name
        }
      ]
    }
references
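The wait-variable plus null_resource pattern described in this PR, as an added illustration that is not the module's own code: `wait_group_creation` is the input name shown in the PR's usage snippet, while the resource names, the `group_names` input and the provider 4.40+ `alternate_identifier` lookup form are assumptions for the illustration.

```hcl
# Added illustration of the null_resource workaround described above; not the
# module's own code. "wait_group_creation" comes from the PR's usage snippet;
# group_names, the resource names and the lookup form are assumed.

variable "wait_group_creation" {
  description = "Any value that must be known before the identity store is read"
  type        = string
  default     = ""
}

variable "group_names" {
  type    = set(string)
  default = []
}

# A null_resource is a managed resource, so a data source can depend on it.
# Because the trigger is an input, the read cannot happen until the caller's
# group resource (e.g. okta_group) exists and has produced an id. Only this
# resource and the data source below wait; the module's other resources are
# not re-planned when the dependee changes, which is what a depends_on on the
# whole module call would cause.
resource "null_resource" "wait_group_creation" {
  triggers = {
    wait_for = var.wait_group_creation
  }
}

data "aws_ssoadmin_instances" "this" {}

data "aws_identitystore_group" "this" {
  for_each          = var.group_names
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }

  # depends_on on a data source defers the read until the null_resource has
  # been applied, without putting depends_on on the module call itself.
  depends_on = [null_resource.wait_group_creation]
}
```

The caller then passes the external group's id as `wait_group_creation` per module instance, as in the PR's second snippet, so a change to one account only defers that instance's read.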
v0.7.1
🚀 Enhancements
Fix map mismatch @cvlc (#31)
what
- Fixed failures in the module due to a mismatch in the maps.
why
- Currently the module does not work. This resolved the issue.
references
- Previous PR #30
errata
It would probably also be helpful to have a note in README.md about the need for policies to exist in the target account to be associated. The provided example is a little misleading for that reason.
v0.7.0
Add customer managed policy attachments to permissionsets @lawliet89 (#30)
what
- Add support for attaching customer managed policies to permissionsets
This is a breaking change that requires a new AWS provider version: https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.30.0
why
- Inline policies have a maximum limit.
- Ease management with customer managed policies
references
git.io->cloudposse.tools update @dylanbannon (#27)
what and why
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
References
- DEV-143
v0.6.2
v0.6.1
v0.6.0
fix/missing tags in permission set @apjneeraj (#18)
what
- Adding tags to permission set resource in module permission-set.
why
- tags are defined in the complete example to supply custom tags, but they are not set in the aws_ssoadmin_permission_set resource, which supports this attribute.