module "permission_sets" {
  source = "./modules/permission-set"

  # One module instance per declared permission set, keyed by name rather
  # than list position. Two entries with the same name are rejected by
  # Terraform as a duplicate for_each key, so a name can never silently map
  # to the wrong definition.
  for_each = {
    for ps in var.sso_admin.permission_sets : ps.name => ps
  }

  # Pass the caller's definition through unchanged, adding only the
  # Identity Center instance and partition the module needs to build ARNs.
  permission_set = merge(each.value, {
    instance_arn = local.sso_instance_arn
    partition    = local.partition
  })
}
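module "account_assignments" {
  source = "./modules/account-assignment"

  # One module instance per assignment, keyed by name. Duplicate names fail
  # the plan as a duplicate for_each key rather than merging two grants.
  for_each = { for account_assignment in var.sso_admin.account_assignments : account_assignment.name => account_assignment }

  account_assignment = merge(
    each.value,
    {
      identity_store_id = local.identity_store_id
      instance_arn      = local.sso_instance_arn
      # Every account id in the organization; presumably used by the module
      # to resolve assignment targets — confirm against the module's inputs.
      organization_accounts = local.organization_accounts

      # Resolve the permission set ARN in priority order:
      #   1. a caller-supplied `permission_set_arn` is passed through as-is
      #      (previously it was overwritten with a lookup in the
      #      permission-set module keyed by `permission_set_name`, which
      #      errors whenever that name is absent or not managed here);
      #   2. a `permission_set_name` that matches one of the permission sets
      #      declared in `var.sso_admin.permission_sets` resolves to the ARN
      #      created by the permission-set module above;
      #   3. otherwise null, leaving the module to resolve the name itself.
      permission_set_arn = (
        try(each.value.permission_set_arn, null) != null
        ? each.value.permission_set_arn
        : (
          contains(
            var.sso_admin.permission_sets[*].name,
            try(each.value.permission_set_name, null)
          )
          ? module.permission_sets[each.value.permission_set_name].permission_set.arn
          : null
        )
      )

      # Null `permission_set_name` whenever an ARN has been resolved above
      # (explicitly provided or looked up from the permission-set module), so
      # the module is never handed a name that could disagree with the ARN.
      permission_set_name = (
        try(each.value.permission_set_arn, null) != null ||
        contains(
          var.sso_admin.permission_sets[*].name,
          try(each.value.permission_set_name, null)
        )
      ) ? null : each.value.permission_set_name
    },
  )
}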
# The organization the current credentials belong to; only `accounts` is read
# (in the `locals` block). NOTE(review): the account list is presumably only
# populated when run from the management or a delegated-administrator account
# — confirm for the intended deployment role.
data "aws_organizations_organization" "this" {}
# Current partition (e.g. aws vs aws-us-gov); forwarded to the permission-set
# module so it does not hard-code a partition in ARNs.
data "aws_partition" "this" {}
# IAM Identity Center instance(s) visible to the current credentials; the
# first instance ARN and identity store id are taken in `locals`.
data "aws_ssoadmin_instances" "this" {}
locals {
  # Identity store backing the first Identity Center instance. Indexing [0]
  # fails the plan with an index error when no instance exists, and silently
  # picks the first if more than one were ever returned — NOTE(review):
  # confirm a single instance is the only supported case.
  identity_store_id = data.aws_ssoadmin_instances.this.identity_store_ids[0]
  # Ids of every account the organization data source returns. Nothing here
  # filters by status; downstream consumers assume the full list — TODO
  # confirm suspended accounts should be eligible assignment targets.
  organization_accounts = data.aws_organizations_organization.this.accounts[*].id
  partition             = data.aws_partition.this.partition
  # ARN of the first Identity Center instance; same [0] caveat as above.
  sso_instance_arn = data.aws_ssoadmin_instances.this.arns[0]
}