fix: updates account assignment on account update

idealo · Jan 8, 2025 · 13678bf · 13678bf
1 parent 83fd6b3
commit 13678bf
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.48
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.36.2
 	github.com/aws/aws-sdk-go-v2/service/servicecatalog v1.32.8
+	github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.29.8
 	github.com/aws/smithy-go v1.22.1
 	github.com/hashicorp/terraform-plugin-docs v0.20.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0

diff --git a/go.sum b/go.sum
@@ -45,6 +45,8 @@ github.com/aws/aws-sdk-go-v2/service/servicecatalog v1.32.8 h1:uDR8FMmsEd/g+eihj
 github.com/aws/aws-sdk-go-v2/service/servicecatalog v1.32.8/go.mod h1:8ugnqCHkdv41d2Mo5F/mdPtaXauABVDYL3kV9U7LNbM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 h1:CvuUmnXI7ebaUAhbJcDy9YQx8wHR69eZ9I7q5hszt/g=
 github.com/aws/aws-sdk-go-v2/service/sso v1.24.8/go.mod h1:XDeGv1opzwm8ubxddF0cgqkZWsyOtw4lr6dxwmb6YQg=
+github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.29.8 h1:nCDnD8rVurC8E43scFw1lDHBRi1aSxAyOgfDHauTUsg=
+github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.29.8/go.mod h1:gs/HuXKm8GZigCov15NZ9pt/u9EhD5gij4/uAEEnlJM=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 h1:F2rBfNAL5UyswqoeWv9zs74N/NanhK16ydHW1pahX6E=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7/go.mod h1:JfyQ0g2JG8+Krq0EuZNnRwX0mU0HrwY/tG6JNfcqh4k=
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.3 h1:Xgv/hyNgvLda/M9l9qxXc4UFSgppnRczLxlMs5Ae/QY=

diff --git a/internal/provider/resource_aws_account.go b/internal/provider/resource_aws_account.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	orgTypes "github.com/aws/aws-sdk-go-v2/service/organizations/types"
 	scTypes "github.com/aws/aws-sdk-go-v2/service/servicecatalog/types"
+	"github.com/aws/aws-sdk-go-v2/service/ssoadmin"
 	"regexp"
 	"sync"
 	"time"
@@ -74,6 +75,22 @@ func resourceAWSAccount() *schema.Resource {
 							Required:     true,
 							ValidateFunc: validateEmailAddress,
 						},
+						"instance_arn": {
+							Description: "ARN of the SSO instance. Required if remove_account_assignment_on_update is enabled.",
+							Type:        schema.TypeString,
+							Required:    false,
+						},
+						"remove_account_assignment_on_update": {
+							Description: "If enabled, this will remove the account assignment for the old SSO user when the resource is updated.",
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Default:     false,
+						},
+						"principal_id": {
+							Description: "Principal ID of the user. Required if remove_account_assignment_on_update is enabled.",
+							Type:        schema.TypeString,
+							Required:    false,
+						},
 					},
 				},
 			},
@@ -410,9 +427,47 @@ func resourceAWSAccountUpdate(ctx context.Context, d *schema.ResourceData, m int
 		}
 	}
 
+	sso := d.Get("sso").([]interface{})[0].(map[string]interface{})
+	isRemoveAccountAssignmentOnUpdate := sso["remove_account_assignment_on_update"].(bool)
+
+	if d.HasChange("sso") && isRemoveAccountAssignmentOnUpdate {
+		ssoadmincon := ssoadmin.NewFromConfig(cfg)
+		accountId := d.Get("account_id").(string)
+		o, n := d.GetChange("sso")
+		if err := updateAccountAssignment(ctx, d, ssoadmincon, accountId, o, n); err != nil {
+			return diag.Errorf("error updating account assignment: %v", err)
+		}
+	}
+
 	return resourceAWSAccountRead(ctx, d, m)
 }
 
+func updateAccountAssignment(ctx context.Context, d *schema.ResourceData, ssoadmincon *ssoadmin.Client, accountId string, oldSSO interface{}, newSSO interface{}) error {
+
+	oldSSOMap := oldSSO.([]interface{})[0].(map[string]interface{})
+	newSSOMap := newSSO.([]interface{})[0].(map[string]interface{})
+	oldEmail := oldSSOMap["email"].(string)
+	newEmail := newSSOMap["email"].(string)
+	sso := d.Get("sso").([]interface{})[0].(map[string]interface{})
+	instanceArn := sso["instance_arn"].(string)
+	oldPrincipalId := oldSSOMap["principal_id"].(string)
+
+	if oldEmail != newEmail && oldPrincipalId != "" && instanceArn != "" {
+
+		_, err := ssoadmincon.DeleteAccountAssignment(ctx, &ssoadmin.DeleteAccountAssignmentInput{
+			InstanceArn:   &instanceArn,
+			TargetId:      &accountId,
+			TargetType:    "AWS_ACCOUNT",
+			PrincipalType: "USER",
+			PrincipalId:   &oldPrincipalId,
+		})
+		if err != nil {
+			return fmt.Errorf("error unassigning SSO user from account (%s): %v", accountId, err)
+		}
+	}
+	return nil
+}
+
 func resourceAWSAccountDelete(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	cfg := m.(aws.Config)