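# IAM Identity Center (AWS SSO) provisioning:
#   1. users and a single "Viewers" group in the identity store, seeded from inline CSV;
#   2. account assignments granting that group a permission set (looked up in module.sso)
#      on a CSV-listed set of AWS accounts.
data "aws_ssoadmin_instances" "sso1" {}

locals {
  # The data source returns the identity store id and instance ARN as collections;
  # resolve the single expected element once here rather than repeating
  # tolist(...)[0] in every resource below.
  identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]

  # User seed data. `username` is the for_each key of the user resource, so it
  # must be unique per row.
  csv_data2 = <<-CSV
    username,email,lastName,firstName
    user1,user1@acme.local,Doe,John
    user2,user2@acme.local,Smith,Jane
  CSV
  users     = csvdecode(local.csv_data2)
}

resource "aws_identitystore_user" "sso-user" {
  # Keyed by username so adding or reordering CSV rows does not re-create
  # existing users.
  for_each = { for item in local.users : item.username => item }

  identity_store_id = local.identity_store_id
  display_name      = "${each.value.firstName} ${each.value.lastName}"
  user_name         = each.value.username
  nickname          = each.value.username

  emails {
    primary = true
    value   = each.value.email
  }

  name {
    family_name = each.value.lastName
    given_name  = each.value.firstName
  }
}

resource "aws_identitystore_group" "sso-group" {
  identity_store_id = local.identity_store_id
  display_name      = "Viewers"
  description       = "Users with view permission"
}

# Every user from the CSV becomes a member of the Viewers group; membership is
# keyed by the same username keys as the user resource.
resource "aws_identitystore_group_membership" "sso-group-membership" {
  for_each = aws_identitystore_user.sso-user

  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.sso-group.group_id
  member_id         = each.value.user_id
}

locals {
  # Account assignment seed data.
  # NOTE(review): `groupName` is not consumed by the assignment resource below —
  # every row is assigned to aws_identitystore_group.sso-group regardless of the
  # value in this column. A row naming another group would still be granted to
  # Viewers; either drop the column or have the assignment select the group by it.
  csv_data3 = <<-CSV
    seq,groupName,permission,accountId
    1,Viewers,ViewOnly,865184416664
    2,Viewers,ViewOnly,572802010687
  CSV
  accounts  = csvdecode(local.csv_data3)
}

resource "aws_ssoadmin_account_assignment" "pset-assignment" {
  # Keyed by the `seq` column: renumbering rows changes the resource address and
  # forces the assignment to be destroyed and re-created. Keying by
  # "${accountId}-${permission}" would be stable, but changes existing state
  # addresses, so it is left as-is here.
  for_each = { for item in local.accounts : item.seq => item }

  instance_arn = local.sso_instance_arn
  # The permission set ARN comes from module.sso, indexed by the CSV `permission`
  # column; an unknown value fails at plan time rather than granting anything.
  permission_set_arn = module.sso[each.value.permission].pset-arn

  principal_id   = aws_identitystore_group.sso-group.group_id
  principal_type = "GROUP"

  target_id   = each.value.accountId
  target_type = "AWS_ACCOUNT"
}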