r/aws_sso_permission_set: New Resource

aws/data_source_aws_ssoadmin_instances.go

@@ -0,0 +1,69 @@
+package aws
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ssoadmin"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceAwsSsoAdminInstances() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwsSsoAdminInstancesRead,
+
+		Schema: map[string]*schema.Schema{
+			"arns": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+
+			"identity_store_ids": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+		},
+	}
+}
+
+func dataSourceAwsSsoAdminInstancesRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ssoadminconn
+
+	var instances []*ssoadmin.InstanceMetadata
+	var arns, ids []string
+
+	err := conn.ListInstancesPages(&ssoadmin.ListInstancesInput{}, func(page *ssoadmin.ListInstancesOutput, lastPage bool) bool {
+		if page == nil {
+			return !lastPage
+		}
+
+		instances = append(instances, page.Instances...)
+
+		return !lastPage
+	})
+
+	if err != nil {
+		return fmt.Errorf("error reading SSO Instances: %w", err)
+	}
+
+	if len(instances) == 0 {
+		return fmt.Errorf("error reading SSO Instance: no instances found")
+	}
+
+	for _, instance := range instances {
+		arns = append(arns, aws.StringValue(instance.InstanceArn))
+		ids = append(ids, aws.StringValue(instance.IdentityStoreId))
+	}
+
+	d.SetId(meta.(*AWSClient).region)
+	if err := d.Set("arns", arns); err != nil {
+		return fmt.Errorf("error setting arns: %w", err)
+	}
+	if err := d.Set("identity_store_ids", ids); err != nil {
+		return fmt.Errorf("error setting identity_store_ids: %w", err)
+	}
+
+	return nil
+}

aws/data_source_aws_ssoadmin_instances_test.go

@@ -0,0 +1,58 @@
+package aws
+
+import (
+	"regexp"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ssoadmin"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func testAccPreCheckAWSSSOAdminInstances(t *testing.T) {
+	conn := testAccProvider.Meta().(*AWSClient).ssoadminconn
+
+	var instances []*ssoadmin.InstanceMetadata
+	err := conn.ListInstancesPages(&ssoadmin.ListInstancesInput{}, func(page *ssoadmin.ListInstancesOutput, lastPage bool) bool {
+		if page == nil {
+			return !lastPage
+		}
+
+		instances = append(instances, page.Instances...)
+
+		return !lastPage
+	})
+
+	if testAccPreCheckSkipError(err) {
+		t.Skipf("skipping acceptance testing: %s", err)
+	}
+
+	if len(instances) == 0 {
+		t.Skip("skipping acceptance testing: No SSO Instance found.")
+	}
+
+	if err != nil {
+		t.Fatalf("unexpected PreCheck error: %s", err)
+	}
+}
+
+func TestAccDataSourceAWSSSOAdminInstances_basic(t *testing.T) {
+	dataSourceName := "data.aws_ssoadmin_instances.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t); testAccPreCheckAWSSSOAdminInstances(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceAWSSSOAdminInstancesConfigBasic,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataSourceName, "arns.#", "1"),
+					resource.TestCheckResourceAttr(dataSourceName, "identity_store_ids.#", "1"),
+					testAccMatchResourceAttrGlobalARNNoAccount(dataSourceName, "arns.0", "sso", regexp.MustCompile("instance/(sso)?ins-[a-zA-Z0-9-.]{16}")),
+					resource.TestMatchResourceAttr(dataSourceName, "identity_store_ids.0", regexp.MustCompile("^[a-zA-Z0-9-]*")),
+				),
+			},
+		},
+	})
+}
+
+const testAccDataSourceAWSSSOAdminInstancesConfigBasic = `data "aws_ssoadmin_instances" "test" {}`

aws/data_source_aws_ssoadmin_permission_set.go

@@ -0,0 +1,171 @@
+package aws
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ssoadmin"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
+)
+
+func dataSourceAwsSsoAdminPermissionSet() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwsSsoAdminPermissionSetRead,
+
+		Schema: map[string]*schema.Schema{
+			"arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: validateArn,
+				ExactlyOneOf: []string{"arn", "name"},
+			},
+
+			"created_date": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"instance_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateArn,
+			},
+
+			"name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ValidateFunc: validation.All(
+					validation.StringLenBetween(1, 32),
+					validation.StringMatch(regexp.MustCompile(`[\w+=,.@-]+`), "must match [\\w+=,.@-]"),
+				),
+				ExactlyOneOf: []string{"name", "arn"},
+			},
+
+			"relay_state": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"session_duration": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+
+			"tags": tagsSchemaComputed(),
+		},
+	}
+}
+
+func dataSourceAwsSsoAdminPermissionSetRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ssoadminconn
+	ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig
+
+	instanceArn := d.Get("instance_arn").(string)
+
+	var permissionSet *ssoadmin.PermissionSet
+
+	if v, ok := d.GetOk("arn"); ok {
+		arn := v.(string)
+
+		input := &ssoadmin.DescribePermissionSetInput{
+			InstanceArn:      aws.String(instanceArn),
+			PermissionSetArn: aws.String(arn),
+		}
+
+		output, err := conn.DescribePermissionSet(input)
+		if err != nil {
+			return fmt.Errorf("error reading SSO Admin Permission Set (%s): %w", arn, err)
+		}
+
+		if output == nil {
+			return fmt.Errorf("error reading SSO Admin Permission Set (%s): empty output", arn)
+		}
+
+		permissionSet = output.PermissionSet
+	} else if v, ok := d.GetOk("name"); ok {
+		name := v.(string)
+		var describeErr error
+
+		input := &ssoadmin.ListPermissionSetsInput{
+			InstanceArn: aws.String(instanceArn),
+		}
+
+		err := conn.ListPermissionSetsPages(input, func(page *ssoadmin.ListPermissionSetsOutput, lastPage bool) bool {
+			if page == nil {
+				return !lastPage
+			}
+
+			for _, permissionSetArn := range page.PermissionSets {
+				if permissionSetArn == nil {
+					continue
+				}
+
+				output, describeErr := conn.DescribePermissionSet(&ssoadmin.DescribePermissionSetInput{
+					InstanceArn:      aws.String(instanceArn),
+					PermissionSetArn: permissionSetArn,
+				})
+
+				if describeErr != nil {
+					return false
+				}
+
+				if output == nil || output.PermissionSet == nil {
+					continue
+				}
+
+				if aws.StringValue(output.PermissionSet.Name) == name {
+					permissionSet = output.PermissionSet
+					return false
+				}
+			}
+
+			return !lastPage
+		})
+
+		if err != nil {
+			return fmt.Errorf("error listing SSO Permission Sets: %w", err)
+		}
+
+		if describeErr != nil {
+			return fmt.Errorf("error reading SSO Permission Set (%s): %w", name, describeErr)
+		}
+	}
+
+	if permissionSet == nil {
+		return errors.New("error reading SSO Permission Set: not found")
+	}
+
+	arn := aws.StringValue(permissionSet.PermissionSetArn)
+
+	d.SetId(arn)
+	d.Set("arn", arn)
+	d.Set("created_date", permissionSet.CreatedDate.Format(time.RFC3339))
+	d.Set("description", permissionSet.Description)
+	d.Set("instance_arn", instanceArn)
+	d.Set("name", permissionSet.Name)
+	d.Set("session_duration", permissionSet.SessionDuration)
+	d.Set("relay_state", permissionSet.RelayState)
+
+	tags, err := keyvaluetags.SsoadminListTags(conn, arn, instanceArn)
+	if err != nil {
+		return fmt.Errorf("error listing tags for SSO Permission Set (%s): %w", arn, err)
+	}
+
+	if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
+		return fmt.Errorf("error setting tags: %w", err)
+	}
+
+	return nil
+}