EntraID SCIM: This really is better done in Terraform

.github/workflows/entraid-scim-plan.yml

@@ -0,0 +1,105 @@
+name: terraform plan (entraid-scim)
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'entraid-scim/terraform/**'
+      - '.github/workflows/entraid-scim-plan.yml'
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    defaults:
+      run:
+        working-directory: ./entraid-scim/terraform
+    steps:
+      - uses: actions/[email protected]
+
+      - uses: aws-actions/[email protected]
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ROOT_ACCOUNT_ID }}:role/github-actions-plan
+          role-session-name: GitHubActions
+          aws-region: eu-west-2
+
+      - uses: hashicorp/[email protected]
+        with:
+          terraform_version: latest
+
+      - name: Run terraform fmt
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Run terraform init
+        run: terraform init
+
+      - name: Run terraform validate
+        run: terraform validate -no-color
+
+      - name: Retrieve Slack Bot Token from AWS Secrets Manager
+        id: get_slack_bot_token
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            SLACK_INCOMING_WEBHOOK,aws-root-account-notifications-incoming-slack-webhook
+            aws-root-account-notifications-slack-information
+          parse-json-secrets: true
+
+      - name: Send initial message to Slack
+        id: slack_message
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0
+        with:
+          webhook: ${{ env.SLACK_INCOMING_WEBHOOK }}
+          webhook-type: incoming-webhook
+          payload: |
+            {
+              "text": ":information_source: Terraform Plan completed for *<${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>* at `${{ github.ref_name }}`.\n*Workflow:* `${{ github.workflow }}`\n*Run ID:* `${{ github.run_id }}`\n*Initiated by:* `${{ github.actor }}`"
+            }
+
+      - name: Run terraform plan and generate JSON payload
+        run: |
+          # Run Terraform plan and save to plan_output.txt
+          terraform plan -no-color > plan_output.txt
+          comment() {
+            url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            len=$(cat plan_output.txt | wc -c)
+            echo '```'
+            head -c 65476 plan_output.txt | sed -n '/Terraform will perform/,$p'
+            echo
+            echo '```'
+          }
+          echo 'TF_PLAN_OUT<<EOF' >> $GITHUB_ENV
+          comment >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+
+      - name: Send final message to Slack
+        id: second-slack-message
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0
+        with:
+          errors: true
+          token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }}
+          method: chat.postMessage
+          payload: |
+            channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }}
+            thread_ts: "${{ steps.slack_message.outputs.ts }}"
+            text: "TEST"
+
+      # - name: Send Terraform plan output to Slack
+      #   uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0
+      #   with:
+      #     errors: true
+      #     token: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_BOT_TOKEN }}
+      #     method: files.uploadV2
+      #     payload: |
+      #       channel: ${{ env.AWS_ROOT_ACCOUNT_NOTIFICATIONS_SLACK_INFORMATION_SLACK_CHANNEL }}
+      #       initial_comment: Terraform output attached!
+      #       file: ${{env.TF_PLAN_OUT}}
+      #       filename: plan-output.txt
+

.github/workflows/test-alert-workflow.yml

@@ -4,10 +4,6 @@ on:
   push:
     branches:
       - main
-  pull_request:
-    branches:
-      - main
-
 jobs:
   apply:
     runs-on: ubuntu-latest

entraid-scim/terraform/data.tf

@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_ssoadmin_instances" "identity_store" {}

entraid-scim/terraform/locals.tf

@@ -0,0 +1,29 @@
+locals {
+  tags_default = {
+    is-production = false
+  }
+  github_repository = "github.com/ministryofjustice/aws-root-account/blob/main"
+
+  tags_organisation_management = {
+    application            = "Organisation Management"
+    business-unit          = "Platforms"
+    infrastructure-support = "Hosting Leads: [email protected]"
+    is-production          = true
+    owner                  = "Hosting Leads: [email protected]"
+    source-code            = "github.com/ministryofjustice/aws-root-account"
+  }
+
+  azuread_group_members = toset([for group_id, group_data in data.azuread_group.entraid_group_data :
+    flatten([group_data.members, group_data.owners])
+  ])
+
+  group_memberships = flatten([
+    for group_name, group_data in data.azuread_group.entraid_group_data : [
+      for member in distinct(concat(group_data.members, group_data.owners)) : {
+        group_name  = group_name
+        member_name = member
+      }
+    ]
+  ])
+}
+

entraid-scim/terraform/main.tf

@@ -0,0 +1,50 @@
+data "azuread_groups" "azure_aws_sso" {
+  display_name_prefix = "azure-aws-sso-"
+}
+
+data "azuread_group" "entraid_group_data" {
+  for_each     = toset(data.azuread_groups.azure_aws_sso.display_names)
+  display_name = each.value
+}
+
+data "azuread_user" "entraid_group_members" {
+  for_each  = toset(flatten(local.azuread_group_members))
+  object_id = each.value
+}
+
+resource "aws_identitystore_group" "groups" {
+  for_each          = toset(data.azuread_groups.azure_aws_sso.display_names)
+  identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+  display_name      = each.key
+}
+
+resource "aws_identitystore_user" "entraid_synchronised_users" {
+  for_each          = data.azuread_user.entraid_group_members
+  identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+
+  display_name = each.value.display_name
+  user_name    = each.value.user_principal_name
+
+  name {
+    given_name  = each.value.given_name
+    family_name = each.value.surname
+  }
+
+  emails {
+    value   = each.value.mail
+    primary = true
+    type    = "EntraId"
+  }
+}
+
+resource "aws_identitystore_group_membership" "add_users" {
+  # Create a unique key for each group-member combination
+  for_each = {
+    for entry in local.group_memberships :
+    "${entry.group_name}-${entry.member_name}" => entry
+  }
+
+  identity_store_id = tolist(data.aws_ssoadmin_instances.identity_store.identity_store_ids)[0]
+  group_id          = aws_identitystore_group.groups[each.value.group_name].id
+  member_id         = aws_identitystore_user.entraid_synchronised_users[each.value.member_name].user_id
+}

entraid-scim/terraform/providers.tf

@@ -0,0 +1,22 @@
+# State config
+terraform {
+  # `backend` blocks do not support variables, so the bucket name is hard-coded here
+  backend "s3" {
+    bucket  = "moj-aws-root-account-terraform-state"
+    region  = "eu-west-2"
+    key     = "management-account/entraid-scim/terraform.tfstate"
+    encrypt = true
+  }
+}
+
+# Default provider
+provider "aws" {
+  region = "eu-west-2"
+}
+
+# Azure provider
+provider "azuread" {
+  tenant_id     = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_TENANT_ID"]
+  client_id     = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_ID"]
+  client_secret = jsondecode(data.aws_secretsmanager_secret_version.azure_aws_connectivity_details.secret_string)["AZURE_CLIENT_SECRET"]
+}

entraid-scim/terraform/secrets-manager.tf

@@ -0,0 +1,9 @@
+# Retrieving existing secret
+
+data "aws_secretsmanager_secret" "azure_aws_connectivity_details" {
+  name = "entra_id_aws_connectivity_details"
+}
+
+data "aws_secretsmanager_secret_version" "azure_aws_connectivity_details" {
+  secret_id = data.aws_secretsmanager_secret.azure_aws_connectivity_details.id
+}

entraid-scim/terraform/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_version = ">= 1.1.6"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 3.0"
+    }
+  }
+}