refactor: remove policy files and simplify providers

[Benbentwo]

Summary

Removes two policy definition files (TerraformUpdateAccess and Identity-role-TeamAccess) and simplifies the providers configuration. The component now uses basic AWS provider setup with a dummy IAM roles module.

Changes

• Deleted policy-TerraformUpdateAccess.tf and policy-Identity-role-TeamAccess.tf
• Simplified providers.tf to remove complex role assumption logic
• Updated main.tf to remove root account assignment handling
• Removed unused variables from variables.tf

Testing

Terraform validate passed successfully.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Refactor

  • Simplified account assignment flow into a single flat configuration and streamlined provider/role handling.

• New Features

  • Added mixins for root-provider migration, Terraform-state access, and per-team role permission sets.
  • Added a v2.0.0 Migration Guide and changelog with migration steps and guidance.
  • Introduced static account-map support and extended account-map fields.

• Chores

  • Removed legacy root-specific configuration and deprecated variables.
  • Moved policy definitions into mixins and updated documentation and examples.

[coderabbitai]

Warning

Rate limit exceeded

@Benbentwo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 32 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Removes root-specific account assignment branching and module, consolidates account_assignments, extends account_map schema, simplifies provider/iam_roles wiring, removes several public variables, adds mixin-based policy files, and adds a v2.0.0 migration guide and changelog.

Changes

Cohort / File(s)	Summary
Account assignment & permission sets src/main.tf	Deleted root-specific locals and module "sso_account_assignments_root"; replaced composite/root assignments with account_assignments = concat(account_assignments_groups, account_assignments_users); removed identity_access_permission_sets and terraform_update_access_permission_set args from permission_sets.
Providers & IAM roles src/providers.tf	Extended account_map object with identity_account_account_name, aws_partition, iam_role_arn_templates; removed per-account assume_role/provider dynamic logic and iam_roles_root; added placeholder module "iam_roles".
Public variables removed src/variables.tf	Removed public variables: privileged, aws_teams_accessible, tfstate_backend_component_name, overridable_team_permission_set_name_pattern.
Mixins and policy docs mixins/README.md, mixins/provider-root.tf, mixins/policy-TerraformUpdateAccess.tf, mixins/policy-Identity-role-TeamAccess.tf	Added mixin documentation and three new mixin definitions (provider-root.tf, policy-TerraformUpdateAccess.tf, policy-Identity-role-TeamAccess.tf); minor whitespace cleanup in mixins/policy-Identity-role-TeamAccess.tf.
Migration & release notes src/MIGRATION.md, src/CHANGELOG.md, README.yaml, README.md	Added v2.0.0 migration guide and BREAKING notes; updated docs and examples for static account_map, mixin vendoring, and removal of root/provider patterns.
Minor edits mixins/policy-Identity-role-TeamAccess.tf	Removed a leading blank line; no functional changes.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add TerraformStateAccess Permission Set #57 — Touches the same permission_sets inputs and terraform-state/terraform-update permission-set handling.
• feat: add TerraformAccess, RootAccess permission sets and account_map bypass #53 — Overlaps on provider-root mixin, account_map/account_map_enabled changes, and root/provider removal.
• Add Partner Central Permission Sets mixin #59 — Adds mixins and policy TF files similar to the new mixins introduced here.

Suggested reviewers

• osterman
• aknysh
• goruha

Poem

🐰 I hopped through Terraform plains tonight,
Root branches pruned beneath the moonlight,
Mixins stitched each permission seam,
Account maps steady, bright the beam,
Tiny paws, big infra delight 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: removal of policy files and simplification of provider configuration across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch Benbentwo/remove-src-policies

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

aws-identity-center/src/main.tf

Lines 94 to 99 in b51ca8b

	module "sso_account_assignments" {
	source = "cloudposse/sso/aws//modules/account-assignments"
	version = "1.2.0"
	account_assignments = local.account_assignments
	context = module.this.context

Preserve root account assignment handling

All account assignments are now applied through the default provider (sso_account_assignments uses local.account_assignments directly). When account_assignments includes the management/root account and the component is deployed from a delegated admin/identity account, AWS Identity Center APIs reject those root assignments (they require management account credentials). The previous split for root vs non-root avoided this; with the split removed, root assignments will fail in that scenario.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@src/providers.tf`:
- Around line 3-7: The change to variable "account_map_enabled" flips its
default from true to false which is a breaking behavioral change for existing
users; either revert the default back to true in the variable declaration
(restore previous behavior for variable "account_map_enabled") or, if the new
default is intentional, explicitly document the breaking change in the PR
description and release notes and add a migration guide (and consider a version
bump) so consumers know to opt-in to the new behavior.
- Around line 33-37: The dummy module "iam_roles" uses cloudposse/label/null
which doesn't export the expected outputs (global_tenant_name,
global_environment_name, global_stage_name) referenced by the remote-state
usage; fix by either swapping the "iam_roles" module to one that exposes those
outputs or adapt the remote-state configuration to use the existing context
outputs (tenant, environment, stage) from module. Locate the module "iam_roles"
declaration and either replace its source with a module that defines
global_tenant_name/global_environment_name/global_stage_name, or add a
mapping/local values so remote-state references the available outputs (e.g., map
module.iam_roles.context.tenant -> global_tenant_name) and update remote-state
references accordingly.

[mergify]

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @Benbentwo? 🙏

[milldr]

Please remove all references to account-map in the new version. For example, remote state.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@README.md`:
- Line 510: The README module table is out of sync: it shows
cloudposse/label/null as "n/a" while src/providers.tf pins version = "0.25.0";
regenerate the docs from README.yaml (e.g., run `atmos docs` or your
repository's docs generation command) so README.md reflects the pinned provider
version and commit the updated README.md.

🧹 Nitpick comments (3)

src/providers.tf (1)

1-2: Comment text is inconsistent with default behavior.

The comment states "when account map is disabled" but the default for account_map_enabled is true (enabled). This could confuse users reading the code.

Consider updating the comment to accurately reflect the file's purpose:

📝 Suggested fix

-# This is the default providers.tf when account map is disabled.
+# This is the default providers.tf for the aws-identity-center component.
+# Set account_map_enabled to false to use static account mappings instead of remote state lookups.

src/MIGRATION.md (1)

79-88: Add language specifier to fenced code block.

The error message code block is missing a language specifier. Per markdownlint (MD040), fenced code blocks should have a language specified for consistency and proper rendering.

📝 Suggested fix

-```
+```text
 Error: Provider configuration not present
 
 To work with module.sso_account_assignments_root.aws_ssoadmin_account_assignment.this[...] (orphan)
 its original provider configuration at provider["registry.terraform.io/hashicorp/aws"].root is required,
 but it has been removed.

</details>

</blockquote></details>
<details>
<summary>README.md (1)</summary><blockquote>

`160-164`: **Add language specifier to fenced code block.**

The code block showing the Terraform format expression is missing a language specifier. Per markdownlint (MD040), add `hcl` for proper syntax highlighting.

<details>
<summary>📝 Suggested fix</summary>

```diff
-```
+```hcl
 format("Identity%sTeamAccess", replace(title(replace(team, "_", "-")), "-", ""))

</details>

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@README.md`:
- Around line 161-163: The fenced code block showing
format("Identity%sTeamAccess", replace(title(replace(team, "_", "-")), "-", ""))
is missing a language tag in the generated README.md; open the source
README.yaml, locate the corresponding code block entry and add the appropriate
language identifier (e.g., bash, text, or the template language you use) to the
fence, then regenerate README.md from README.yaml using the atmos docs commands
so the change is preserved (do not edit README.md directly).

[github-actions]

These changes were released in v2.0.0.