feat: create aws-sso groups for google workspaces (#928)

cloudposse · Dec 12, 2023 · 5f0abd4 · 5f0abd4
1 parent e4c5f6e
commit 5f0abd4
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 39 deletions.
diff --git a/modules/aws-sso/README.md b/modules/aws-sso/README.md
@@ -26,6 +26,28 @@ delegating SSO to the `identity` account is lost.
 Nevertheless, it is also not worth the effort to remove the delegation. If you have already delegated SSO to the `identity`,
 continue on, leaving the stack configuration in the `gbl-identity` stack rather than the currently recommended `gbl-root` stack.
 
+### Google Workspace
+
+:::important
+
+> Your identity source is currently configured as 'External identity provider'. To add new groups or edit their memberships, you must do this using your external identity provider.
+
+Groups _cannot_ be created with ClickOps in the AWS console and instead must be created with AWS API.
+
+:::
+
+Google Workspace is now supported by AWS Identity Center, but Group creation is not automatically handled. After [configuring SAML and SCIM with Google Workspace and IAM Identity Center following the AWS documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html), add any Group name to `var.groups` to create the Group with Terraform. Once the setup steps as described in the AWS documentation have been completed and the Groups are created with Terraform, Users should automatically populate each created Group.
+
+```yaml
+components:
+  terraform:
+    aws-sso:
+      vars:
+        groups:
+          - "Developers"
+          - "Dev Ops"
+```
+
 ### Atmos
 
 **Stack Level**: Global
@@ -187,11 +209,13 @@ components:
 
 | Name | Type |
 |------|------|
+| [aws_identitystore_group.manual](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |
 | [aws_iam_policy_document.assume_aws_team](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.dns_administrator_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.terraform_update_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source |
 
 ## Inputs
 
@@ -206,6 +230,7 @@ components:
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_groups"></a> [groups](#input\_groups) | List of AWS Identity Center Groups to be created with the AWS API.<br><br>When provisioning the Google Workspace Integration with AWS, Groups need to be created with API in order for automatic provisioning to work as intended. | `list(string)` | `[]` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -225,6 +250,7 @@ components:
 
 | Name | Description |
 |------|-------------|
+| <a name="output_group_ids"></a> [group\_ids](#output\_group\_ids) | Group IDs created for Identity Center |
 | <a name="output_permission_sets"></a> [permission\_sets](#output\_permission\_sets) | Permission sets |
 | <a name="output_sso_account_assignments"></a> [sso\_account\_assignments](#output\_sso\_account\_assignments) | SSO account assignments |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

diff --git a/modules/aws-sso/main.tf b/modules/aws-sso/main.tf
@@ -1,42 +1,3 @@
-module "permission_sets" {
-  source  = "cloudposse/sso/aws//modules/permission-sets"
-  version = "1.1.1"
-
-  permission_sets = concat(
-    local.overridable_additional_permission_sets,
-    local.administrator_access_permission_set,
-    local.billing_administrator_access_permission_set,
-    local.billing_read_only_access_permission_set,
-    local.dns_administrator_access_permission_set,
-    local.identity_access_permission_sets,
-    local.poweruser_access_permission_set,
-    local.read_only_access_permission_set,
-    local.terraform_update_access_permission_set,
-  )
-
-  context = module.this.context
-}
-
-module "sso_account_assignments" {
-  source  = "cloudposse/sso/aws//modules/account-assignments"
-  version = "1.1.1"
-
-  account_assignments = local.account_assignments
-  context             = module.this.context
-}
-
-module "sso_account_assignments_root" {
-  source  = "cloudposse/sso/aws//modules/account-assignments"
-  version = "1.1.1"
-
-  providers = {
-    aws = aws.root
-  }
-
-  account_assignments = local.account_assignments_root
-  context             = module.this.context
-}
-
 locals {
   enabled = module.this.enabled
 
@@ -99,4 +60,66 @@ locals {
   aws_partition = data.aws_partition.current.partition
 }
 
+data "aws_ssoadmin_instances" "this" {}
+
 data "aws_partition" "current" {}
+
+resource "aws_identitystore_group" "manual" {
+  for_each = toset(var.groups)
+
+  display_name = each.key
+  description  = "Group created with Terraform"
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
+}
+
+module "permission_sets" {
+  source  = "cloudposse/sso/aws//modules/permission-sets"
+  version = "1.1.1"
+
+  permission_sets = concat(
+    local.overridable_additional_permission_sets,
+    local.administrator_access_permission_set,
+    local.billing_administrator_access_permission_set,
+    local.billing_read_only_access_permission_set,
+    local.dns_administrator_access_permission_set,
+    local.identity_access_permission_sets,
+    local.poweruser_access_permission_set,
+    local.read_only_access_permission_set,
+    local.terraform_update_access_permission_set,
+  )
+
+  context = module.this.context
+
+  depends_on = [
+    aws_identitystore_group.manual
+  ]
+}
+
+module "sso_account_assignments" {
+  source  = "cloudposse/sso/aws//modules/account-assignments"
+  version = "1.1.1"
+
+  account_assignments = local.account_assignments
+  context             = module.this.context
+
+  depends_on = [
+    aws_identitystore_group.manual
+  ]
+}
+
+module "sso_account_assignments_root" {
+  source  = "cloudposse/sso/aws//modules/account-assignments"
+  version = "1.1.1"
+
+  providers = {
+    aws = aws.root
+  }
+
+  account_assignments = local.account_assignments_root
+  context             = module.this.context
+
+  depends_on = [
+    aws_identitystore_group.manual
+  ]
+}
diff --git a/modules/aws-sso/outputs.tf b/modules/aws-sso/outputs.tf
@@ -7,3 +7,8 @@ output "sso_account_assignments" {
   value       = module.sso_account_assignments.assignments
   description = "SSO account assignments"
 }
+
+output "group_ids" {
+  value       = { for group_key, group_output in aws_identitystore_group.manual : group_key => group_output.group_id }
+  description = "Group IDs created for Identity Center"
+}
diff --git a/modules/aws-sso/variables.tf b/modules/aws-sso/variables.tf
@@ -42,3 +42,13 @@ variable "aws_teams_accessible" {
     EOT
   default     = []
 }
+
+variable "groups" {
+  type        = list(string)
+  description = <<-EOT
+    List of AWS Identity Center Groups to be created with the AWS API.
+
+    When provisioning the Google Workspace Integration with AWS, Groups need to be created with API in order for automatic provisioning to work as intended.
+    EOT
+  default     = []
+}