
v0.8.0

@cloudpossebot cloudpossebot released this 08 Mar 14:05
6a8b1ed
feat: allow to safely depend on other resources to read from the identity store @simonweil (#33)

what

This adds a workaround for the depends_on issue with modules and data sources.

  • Added a wait for variable
  • Added a null_resource to use for depends_on for the data resource

If the PR is acceptable, we can add an example usage to avoid the recreation of resources.

why

  • When creating a user group via an external source that syncs with AWS SSO, we need to wait for it to finish before reading the groups from the identity store
  • Adding a depends_on to a module can create a situation that every change to the dependee will recreate ALL the resources of the module which is super bad

In my case I have the following code:

data "okta_user" "this" {
  for_each = toset(local.users_list)

  user_id = each.value
}

resource "okta_group" "this" {
  for_each = local.accounts_list

  name        = each.value.group_name
  description = "description"
}

resource "okta_group_memberships" "this" {
  for_each = local.accounts_list

  group_id = okta_group.this[each.key].id
  users    = [for u in each.value.users : data.okta_user.this[u].id]
}


module "permission_sets" {
  source  = "cloudposse/sso/aws//modules/permission-sets"
  version = "0.6.1"

  permission_sets = [
    for a in local.accounts_list : {
      name               = a.permission_set_name
      description        = "some desc"
      relay_state        = ""
      session_duration   = "PT2H"
      tags               = local.permission_set_tags
      inline_policy      = ""
      policy_attachments = ["arn:aws:iam::aws:policy/XXXXX"]
    }
  ]
}

module "account_assignments" {
  source  = "cloudposse/sso/aws//modules/account-assignments"
  version = "0.6.1"

  depends_on = [
    okta_group.this,
  ]

  account_assignments = concat([
    for a in local.accounts_list : {
      account             = a.id
      permission_set_arn  = module.permission_sets.permission_sets[a.permission_set_name].arn
      permission_set_name = "${a.name}-${a.role}"
      principal_type      = "GROUP",
      principal_name      = a.group_name
    }
  ])
}

Whenever I need to change the local.accounts_list it causes ALL the assignments to be recreated, disconnecting users and causing mayhem...

With the proposed change I need to change the account_assignments module and now I can add or remove accounts safely:

module "account_assignments" {
  source = "path/to/terraform-aws-sso/modules/account-assignments"

  for_each = local.accounts_list

  wait_group_creation = okta_group.this[each.value.name].id

  account_assignments = [
    {
      account             = each.value.id
      permission_set_arn  = module.permission_sets.permission_sets[each.value.permission_set_name].arn
      permission_set_name = "${each.value.name}-${each.value.role}"
      principal_type      = "GROUP",
      principal_name      = each.value.group_name
    }
  ]
}

references
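The module-side half of the workaround described in the PR (a wait variable plus a null_resource that the identity-store data source depends on), as an added illustration that is not code from this release or from the PR author; the variable, data source and output names, and the `filter`-based form of `aws_identitystore_group`, are assumptions:

```hcl
terraform {
  required_version = ">= 0.13" # depends_on inside a data block needs 0.13 or later
}

# Hypothetical inputs; the real module's variable names may differ.
variable "identity_store_id" {
  type        = string
  description = "ID of the AWS SSO identity store to read groups from"
}

variable "group_names" {
  type        = set(string)
  description = "Display names of the groups to look up in the identity store"
}

# The wait variable. Callers pass any value that only becomes known once the
# upstream group exists (for example okta_group.this[...].id). The value itself
# is never used; it exists only to create a dependency edge in the graph.
variable "wait_group_creation" {
  type        = string
  description = "Value derived from the resource that must exist before the identity store is read"
  default     = ""
}

# null_resource stands in for a module-level depends_on. Because the dependency
# is attached to this single resource rather than to the whole module, the
# module's other resources keep their state and are not re-planned when the
# caller's dependee changes.
resource "null_resource" "wait_group_creation" {
  triggers = {
    wait_group_creation = var.wait_group_creation
  }
}

# Identity store lookup, read only after the null_resource (and therefore the
# caller's group) exists. The filter block is the lookup form that was current
# around this release; newer provider versions offer alternate_identifier.
data "aws_identitystore_group" "this" {
  for_each = var.group_names

  identity_store_id = var.identity_store_id

  filter {
    attribute_path  = "DisplayName"
    attribute_value = each.value
  }

  depends_on = [null_resource.wait_group_creation]
}

output "group_ids" {
  description = "Map of group display name to identity store group ID"
  value       = { for name, g in data.aws_identitystore_group.this : name => g.group_id }
}
```

On the caller side this pairs with the `for_each` instantiation shown in the PR body: each module instance receives only its own group's ID as `wait_group_creation`, so adding or removing one account touches one instance rather than every assignment. Two caveats worth knowing when adopting this: a data source with `depends_on` on a resource that has pending changes is deferred to apply time, so when the wait value changes the group lookup (and anything keyed on its result) shows as "known after apply" in the plan; and the trigger should therefore be tied to something stable such as the group's ID, not to an attribute that changes on every run.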