terraform-aws-sso
Support list of accounts for assignments
Describe the Feature
Allow multiple account assignments. For example:
```hcl
account_assignments = [
  {
    account_ids         = ["111111111111", "222222222222", "333333333333", ...]
    permission_set_arn  = module.sso_permission_sets.permission_sets["AdministratorAccess"].arn,
    permission_set_name = "AdministratorAccess",
    principal_type      = "GROUP",
    principal_name      = "admins"
  },
]
```
Use Case
This will reduce copy/paste and help with admin permissions, where the list of accounts can be auto-generated from something like `data.aws_organizations_organization.this.accounts`.
I was running into this same use case, and I wound up using some locals to build `account_assignments` before passing it in to the module.
```hcl
module "sso_account_assignments" {
  source              = "modules/account-assignments"
  account_assignments = local.prepared_assignments
}

locals {
  raw_account_assignments = [
    {
      accounts            = ["111111111111", "222222222222", "333333333333"]
      permission_set_arn  = module.permission_sets.permission_sets["SuperAdmin"].arn,
      permission_set_name = "SuperAdmin",
      principal_type      = "GROUP",
      principal_name      = "AWS-Admin"
    },
    {
      accounts            = ["444444444444"],
      permission_set_arn  = module.permission_sets.permission_sets["Admin"].arn,
      permission_set_name = "Admin",
      principal_type      = "GROUP",
      principal_name      = "AWS-Admin"
    }
  ]

  # One assignment record per (account, permission set, principal) tuple
  prepared_assignments = flatten([
    for a in local.raw_account_assignments :
    [
      for acct in a.accounts :
      {
        "permission_set_arn"  = a.permission_set_arn,
        "account"             = acct,
        "permission_set_name" = a.permission_set_name,
        "principal_type"      = a.principal_type,
        "principal_name"      = a.principal_name
      }
    ]
  ])
}
```
Hi hello! Will there be support for targeting AWS accounts by Organizational Unit (OU)? The accounts approach works for probably fewer than 10 accounts, but an OU might have a longer list of AWS accounts.
@rstml does @ahublersos's work around sound like it would fix your issue here?
@ahkai86 that sounds like a separate issue. Can you open a separate issue or PR if you still need something in that regard?
Another thing I do, apart from what @ahublersos mentioned, is:
```hcl
data "aws_organizations_organization" "this" {}

locals {
  # Every account in the organization except the management (master) account
  all_aws_sub_accounts = [
    for account in data.aws_organizations_organization.this.accounts[*].id :
    account if account != data.aws_organizations_organization.this.master_account_id
  ]

  account_assignments = {
    ReadOnlyAccess = {
      permission_set_name = "ReadOnlyAccess"
      permission_set_arn  = module.permission_sets.permission_sets["ReadOnlyAccess"].arn
      principal_name      = "GROUP_NAME"
      principal_type      = "GROUP"
      accounts            = local.all_aws_sub_accounts
    },
  }
}
```
And modified the child module as:
```hcl
locals {
  account_assignments = flatten([
    for key, value in var.account_assignments :
    [
      for account in value.accounts :
      {
        account             = account
        permission_set_name = value.permission_set_name
        permission_set_arn  = value.permission_set_arn
        principal_name      = value.principal_name
        principal_type      = value.principal_type
      }
    ]
  ])

  # Unique key per assignment: <account>-<G|U>-<principal>-<permission set>
  assignment_map = {
    for a in local.account_assignments :
    format("%v-%v-%v-%v", a.account, substr(a.principal_type, 0, 1), a.principal_name, a.permission_set_name) => a
  }

  ....
}
```
`all_aws_sub_accounts` excludes the master account ID because we are using a delegated administrator account, and it is not allowed to assign permission sets / principals to the master account from the delegated admin account.
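As an added example (not code from the thread or the module), here is the flatten and keying logic from the two workarounds above re-implemented in Python as a pre-apply check over a generated account list. The account ids, ARNs and group names are constructed samples; beyond what the locals do, it rejects duplicate keys (which Terraform errors on) and any record aimed at the management account, the case the last comment describes.

```python
# Added example, not the module's code: the flatten and keying logic from the thread,
# re-implemented in Python as a pre-apply check on a generated account list.
MASTER_ACCOUNT_ID = "999999999999"  # constructed sample management-account id

# Constructed sample of data.aws_organizations_organization.this.accounts[*].id
ORG_ACCOUNT_IDS = ["999999999999", "111111111111", "222222222222", "333333333333"]

# Constructed sample in the shape of local.raw_account_assignments (ARNs are placeholders)
RAW_ASSIGNMENTS = [
    {"accounts": ["111111111111", "222222222222"],
     "permission_set_name": "SuperAdmin",
     "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE1",
     "principal_type": "GROUP", "principal_name": "AWS-Admin"},
    {"accounts": ["333333333333"],
     "permission_set_name": "ReadOnlyAccess",
     "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE2",
     "principal_type": "GROUP", "principal_name": "Auditors"},
]


def sub_accounts(all_ids, master_id):
    """Same filter as local.all_aws_sub_accounts: drop the management account."""
    return [a for a in all_ids if a != master_id]


def flatten_assignments(raw):
    """Same as the flatten([...]) comprehension: one record per (account, assignment)."""
    return [
        {**{k: v for k, v in a.items() if k != "accounts"}, "account": acct}
        for a in raw
        for acct in a["accounts"]
    ]


def assignment_key(a):
    """Mirrors format("%v-%v-%v-%v", account, substr(principal_type, 0, 1), name, set)."""
    return (f"{a['account']}-{a['principal_type'][0]}-"
            f"{a['principal_name']}-{a['permission_set_name']}")


def assignment_map(flat, master_id):
    """Keyed map as in local.assignment_map; reject duplicates and management-account targets."""
    out = {}
    for a in flat:
        if a["account"] == master_id:
            raise ValueError(f"targets management account: {assignment_key(a)}")
        key = assignment_key(a)
        if key in out:
            raise ValueError(f"duplicate assignment: {key}")
        out[key] = a
    return out
```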