Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow to safely depend on other resources to read from the identity store #33

Merged
merged 3 commits into from
Mar 8, 2023
Merged

feat: allow to safely depend on other resources to read from the identity store #33

merged 3 commits into from
Mar 8, 2023

Conversation

simonweil
Copy link
Contributor

what

This adds a workaround for the depends_on issue with modules and data sources.

  • Added a wait for variable
  • Added a null_resource to use for depends_on for the data resource

If the PR is acceptable, we can add an example usage to avoid the recreation of resources.

why

  • When creating a user group via an external source that syncs with AWS SSO, we need to wait for it to finish before reading the groups from the identity store
  • Adding a depends_on to a module can create a situation that every change to the dependee will recreate ALL the resources of the module which is super bad

In my case I have to following code:

data "okta_user" "this" {
  for_each = toset(local.users_list)

  user_id = each.value
}

resource "okta_group" "this" {
  for_each = local.accounts_list

  name        = each.value.group_name
  description = "description"
}

resource "okta_group_memberships" "this" {
  for_each = local.accounts_list

  group_id = okta_group.this[each.key].id
  users    = [for u in each.value.users : data.okta_user.this[u].id]
}


module "permission_sets" {
  source  = "cloudposse/sso/aws//modules/permission-sets"
  version = "0.6.1"

  permission_sets = [
    for a in local.accounts_list : {
      name               = a.permission_set_name
      description        = "some desc"
      relay_state        = ""
      session_duration   = "PT2H"
      tags               = local.permission_set_tags
      inline_policy      = ""
      policy_attachments = ["arn:aws:iam::aws:policy/XXXXX"]
    }
  ]
}

module "account_assignments" {
  source  = "cloudposse/sso/aws//modules/account-assignments"
  version = "0.6.1"

  depends_on = [
    okta_group.this,
  ]

  account_assignments = concat([
    for a in local.accounts_list : {
      account             = a.id
      permission_set_arn  = module.permission_sets.permission_sets[a.permission_set_name].arn
      permission_set_name = "${a.name}-${a.role}"
      principal_type      = "GROUP",
      principal_name      = a.group_name
    }
  ])
}

When ever I need to change the local.accounts_list it causes ALL the assignments to be recreated, disconnecting users and causing mayhem...

With the proposed change I need to change the account_assignments module and now I can add or remove accounts safely:

module "account_assignments" {
  source = "path/to/terraform-aws-sso/modules/account-assignments"

  for_each = local.accounts_list

  wait_group_creation = okta_group.this[each.value.name].id

  account_assignments = [
    {
      account             = each.value.id
      permission_set_arn  = module.permission_sets.permission_sets[each.value.permission_set_name].arn
      permission_set_name = "${each.value.name}-${each.value.role}"
      principal_type      = "GROUP",
      principal_name      = each.value.group_name
    }
  ]
}

references

@simonweil simonweil requested review from a team as code owners October 31, 2022 21:10
@simonweil simonweil requested review from Gowiem and woz5999 October 31, 2022 21:11
@simonweil simonweil mentioned this pull request Oct 31, 2022
Closed
@simonweil
Copy link
Contributor Author

Any chance to get a review and merge?

@aknysh
Copy link
Member

aknysh commented Dec 18, 2022

@simonweil thanks.

can you please run

make init
make github/init
make readme

and commit the changes

@simonweil simonweil force-pushed the feature/allow_safe_dependecies branch from 9559fe3 to 8c617b8 Compare December 20, 2022 10:32
@simonweil
Copy link
Contributor Author

@simonweil thanks.

can you please run

make init
make github/init
make readme

and commit the changes

I ran it but I think it did not do the expected thing...
The readme did not update

@simonweil simonweil mentioned this pull request Dec 20, 2022
Merged
@aknysh
Copy link
Member

aknysh commented Dec 20, 2022

/rebuild-readme

@josephmilla
Copy link

Looks good to me

@simonweil
Copy link
Contributor Author

@josephmilla is anything still missing? Can it get merged?

aknysh
aknysh reviewed Jan 24, 2023
View reviewed changes
Copy link
Member

@aknysh aknysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@simonweil please see comments

@josephmilla
Copy link

@josephmilla is anything still missing? Can it get merged?

Should be good

@simonweil
Copy link
Contributor Author

I'd be glad to get it merged...
If anything needs to be done or changed tell me

@simonweil simonweil changed the title feat: allow to safly depend on other resources to read from the identity store feat: allow to safely depend on other resources to read from the identity store Mar 7, 2023
@aknysh
Copy link
Member

aknysh commented Mar 7, 2023

@simonweil please rename the variable wait_group_creation to identitystore_group_depends_on (wait_group_creation is not a descriptive name), then run these commands again

make init
make github/init
make readme

@simonweil
Copy link
Contributor Author

@simonweil please rename the variable wait_group_creation to identitystore_group_depends_on (wait_group_creation is not a descriptive name), then run these commands again

make init
make github/init
make readme

Done and pushed

@aknysh
Copy link
Member

aknysh commented Mar 8, 2023

/test all

aknysh
aknysh approved these changes Mar 8, 2023
View reviewed changes
Copy link
Member

@aknysh aknysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @simonweil

@aknysh aknysh added the minor New features that do not break anything label Mar 8, 2023
@aknysh aknysh merged commit 6a8b1ed into cloudposse:master Mar 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nitrocode nitrocode nitrocode left review comments

@josephmilla josephmilla josephmilla requested changes

@aknysh aknysh aknysh approved these changes

@Gowiem Gowiem Awaiting requested review from Gowiem Gowiem was automatically assigned from cloudposse/contributors

@woz5999 woz5999 Awaiting requested review from woz5999 woz5999 was automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
minor New features that do not break anything
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@simonweil @aknysh @josephmilla @nitrocode