diff --git a/README.md b/README.md index 9fcef7a..d63e191 100644 --- a/README.md +++ b/README.md @@ -26,12 +26,22 @@ You can test the provider locally before creating a PR by following the steps be ```sh $ make build # make sure to have the build version in the executable name as a postfix e.g. terraform-provider-controltower_v2.0.0 -$ mkdir -p ~/.terraform.d/plugins/registry.terraform.io/idealo/controltower//darwin_arm64 # arch can be different depending on your system -$ mv bin/terraform-provider-controltower_ ~/.terraform.d/plugins/registry.terraform.io/idealo/controltower//darwin_arm64 # some version should be the future version of the provider after the changes. ``` +create a `~/.terraformrc` file your home directory with the following content: +```hcl +provider_installation { + dev_overrides { + "registry.terraform.io/idealo/controltower" = "path-to-the-built-binary/terraform-provider-controltower" # e.g /Users/username/repo/terraform-provider-controltower/bin/terraform-provider-controltower" + } + # For all other providers, install them directly from their origin provider + # registries as normal. If you omit this, Terraform will _only_ use + # the dev_overrides block, and so no other providers will be available. + direct {} +} +``` Then you can test your changes in your terraform configuration by running `terraform init` in the directory where your terraform configuration is located. Make sure to define the new version under the `required_providers` block. -Alternatively, if you're using terraform 0.14 or later, you can make use of `dev_overrides` as described [here](https://developer.hashicorp.com/terraform/cli/config/config-file#development-overrides-for-provider-developers) and point the provider to your `~/.terraformrc`. \ No newline at end of file +A complete reference can be found [here](https://developer.hashicorp.com/terraform/cli/config/config-file#development-overrides-for-provider-developers). \ No newline at end of file 
diff --git a/internal/provider/resource_aws_account.go b/internal/provider/resource_aws_account.go index 8c05af9..080098c 100644 --- a/internal/provider/resource_aws_account.go +++ b/internal/provider/resource_aws_account.go @@ -431,7 +431,7 @@ func resourceAWSAccountUpdate(ctx context.Context, d *schema.ResourceData, m int isRemoveAccountAssignmentOnUpdate := sso["remove_account_assignment_on_update"].(bool) - if d.HasChange("sso") && isRemoveAccountAssignmentOnUpdate { + if isRemoveAccountAssignmentOnUpdate && d.HasChange("sso") { ssoadminconn := ssoadmin.NewFromConfig(cfg) identitystoreconn := identitystore.NewFromConfig(cfg) @@ -458,22 +458,10 @@ func updateAccountAssignment(ctx context.Context, ssoadminconn *ssoadmin.Client, if err != nil { return fmt.Errorf("error listing SSO instances: %v", err) } - identityStoreId := ssoInstances.Instances[0].IdentityStoreId instanceArn := ssoInstances.Instances[0].InstanceArn - - alternateIdentifier := &types.AlternateIdentifierMemberUniqueAttribute{ - Value: types.UniqueAttribute{ - AttributePath: aws.String("UserName"), - AttributeValue: document.NewLazyDocument(oldEmail), - }, - } - - principal, err := identitystoreconn.GetUserId(ctx, &identitystore.GetUserIdInput{ - IdentityStoreId: identityStoreId, - AlternateIdentifier: alternateIdentifier, - }) + principalUserId, err := findPrincipalUserId(ctx, ssoInstances, oldEmail, err, identitystoreconn) if err != nil { - return fmt.Errorf("error getting principal id: %v", err) + return err } permissionSetArn, err := findPermissionSetArn(ctx, ssoadminconn, instanceArn, permissionSetName) @@ -488,7 +476,7 @@ func updateAccountAssignment(ctx context.Context, ssoadminconn *ssoadmin.Client, TargetId: &accountId, TargetType: "AWS_ACCOUNT", PrincipalType: "USER", - PrincipalId: principal.UserId, + PrincipalId: principalUserId, PermissionSetArn: &permissionSetArn, }) if err != nil { 
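Review bot: The new call `principalUserId, err := findPrincipalUserId(ctx, ssoInstances, oldEmail, err, identitystoreconn)` passes `err` into the helper even though it is necessarily nil at that point (the `if err != nil { return ... }` check sits directly above), and both the caller and the helper index `ssoInstances.Instances[0]` without checking that ListInstances returned anything. If the account or region has no IAM Identity Center instance, the context line `instanceArn := ssoInstances.Instances[0].InstanceArn` panics rather than surfacing a Terraform error. I would add, right after the existing error check, `if len(ssoInstances.Instances) == 0 { return fmt.Errorf("no SSO instance found") }` and drop the `err` argument from the helper call. updateAccountAssignment begins and ends outside this hunk.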
@@ -497,6 +485,26 @@ func updateAccountAssignment(ctx context.Context, ssoadminconn *ssoadmin.Client, } return nil } + +func findPrincipalUserId(ctx context.Context, ssoInstances *ssoadmin.ListInstancesOutput, oldEmail string, err error, identitystoreconn *identitystore.Client) (*string, error) { + identityStoreId := ssoInstances.Instances[0].IdentityStoreId + + alternateIdentifier := &types.AlternateIdentifierMemberUniqueAttribute{ + Value: types.UniqueAttribute{ + AttributePath: aws.String("UserName"), + AttributeValue: document.NewLazyDocument(oldEmail), + }, + } + + principal, err := identitystoreconn.GetUserId(ctx, &identitystore.GetUserIdInput{ + IdentityStoreId: identityStoreId, + AlternateIdentifier: alternateIdentifier, + }) + if err != nil { + return nil, fmt.Errorf("error getting principal id: %v", err) + } + return principal.UserId, nil +} func findPermissionSetArn(ctx context.Context, ssoadminconn *ssoadmin.Client, instanceArn *string, permissionSetName string) (string, error) { paginator := ssoadmin.NewListPermissionSetsPaginator(ssoadminconn, &ssoadmin.ListPermissionSetsInput{ InstanceArn: instanceArn,
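Review bot: `findPrincipalUserId` declares an `err error` parameter that it never reads — `principal, err := ...` simply overwrites it — and accepts the whole `*ssoadmin.ListInstancesOutput` when it only needs `Instances[0].IdentityStoreId`, repeating the caller's unchecked `[0]` index inside the helper. A narrower signature removes both issues: `func findPrincipalUserId(ctx context.Context, identitystoreconn *identitystore.Client, identityStoreId *string, userName string) (*string, error)`, called as `findPrincipalUserId(ctx, identitystoreconn, ssoInstances.Instances[0].IdentityStoreId, oldEmail)`. The function also has no doc comment, and the fact that it matches the Identity Center `UserName` attribute against an e-mail address is worth stating: `// findPrincipalUserId returns the Identity Center user ID of the user whose UserName attribute equals userName (the caller passes the account's previous e-mail).` The helper body is fully inside the hunk; the `findPermissionSetArn` definition that follows continues past the hunk's end.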