cloudposse-terraform-components · Benbentwo · Feb 4, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/src/main.tf b/src/main.tf
@@ -3,8 +3,7 @@ locals {
 
   # module.account_map.outputs provides values from either remote state (when enabled)
   # or from the static var.account_map defaults (when bypassed)
-  account_map  = module.account_map.outputs.full_account_map
-  root_account = local.account_map[module.account_map.outputs.root_account_account_name]
+  account_map = module.account_map.outputs.full_account_map
 
   account_assignments_groups = flatten([
     for account_key, account in var.account_assignments : [
@@ -20,17 +19,6 @@ locals {
       ]
     ] if lookup(account, "groups", null) != null
   ])
-  # Remove root because the identity org role cannot provision root assignments
-  account_assignments_groups_no_root = [
-    for val in local.account_assignments_groups :
-    val
-    if val.account != local.root_account
-  ]
-  account_assignments_groups_only_root = [
-    for val in local.account_assignments_groups :
-    val
-    if val.account == local.root_account
-  ]
   account_assignments_users = flatten([
     for account_key, account in var.account_assignments : [
       for principal_key, principal in account.users : [
@@ -45,19 +33,8 @@ locals {
       ]
     ] if lookup(account, "users", null) != null
   ])
-  account_assignments_users_no_root = [
-    for val in local.account_assignments_users :
-    val
-    if val.account != local.root_account
-  ]
-  account_assignments_users_only_root = [
-    for val in local.account_assignments_users :
-    val
-    if val.account == local.root_account
-  ]
 
-  account_assignments      = concat(local.account_assignments_groups_no_root, local.account_assignments_users_no_root)
-  account_assignments_root = concat(local.account_assignments_groups_only_root, local.account_assignments_users_only_root)
+  account_assignments = concat(local.account_assignments_groups, local.account_assignments_users)
 
   aws_partition = data.aws_partition.current.partition
 }
@@ -99,13 +76,11 @@ module "permission_sets" {
     local.billing_administrator_access_permission_set,
     local.billing_read_only_access_permission_set,
     local.dns_administrator_access_permission_set,
-    local.identity_access_permission_sets,
     local.poweruser_access_permission_set,
     local.read_only_access_permission_set,
     local.root_access_permission_set,
     local.terraform_plan_access_permission_set,
     local.terraform_apply_access_permission_set,
-    local.terraform_update_access_permission_set,
     local.terraform_state_access_permission_set,
   )
 
@@ -128,18 +103,3 @@ module "sso_account_assignments" {
   ]
 }
 
-module "sso_account_assignments_root" {
-  source  = "cloudposse/sso/aws//modules/account-assignments"
-  version = "1.2.0"
-
-  providers = {
-    aws = aws.root
-  }
-
-  account_assignments = local.account_assignments_root
-  context             = module.this.context
-
-  depends_on = [
-    aws_identitystore_group.manual
-  ]
-}
diff --git a/src/policy-Identity-role-TeamAccess.tf b/src/policy-Identity-role-TeamAccess.tf
diff --git a/src/policy-TerraformUpdateAccess.tf b/src/policy-TerraformUpdateAccess.tf
diff --git a/src/providers.tf b/src/providers.tf
@@ -1,102 +1,37 @@
+# This is the default providers.tf when account map is disabled.
+
 variable "account_map_enabled" {
   type        = bool
-  description = <<-EOT
-    When true, uses the account-map component to look up account IDs dynamically.
-    When false, uses the static account_map variable instead. Set to false when
-    using Atmos Auth profiles and static account mappings.
-    EOT
-  default     = true
+  description = "Enable the account map component"
+  default     = false
 }
 
 variable "account_map" {
   type = object({
-    full_account_map           = map(string)
-    audit_account_account_name = optional(string, "")
-    root_account_account_name  = optional(string, "")
+    full_account_map              = map(string)
+    audit_account_account_name    = optional(string, "")
+    root_account_account_name     = optional(string, "")
+    identity_account_account_name = optional(string, "")
+    aws_partition                 = optional(string, "aws")
+    iam_role_arn_templates        = optional(map(string), {})
   })
-  description = <<-EOT
-    Static account map used when account_map_enabled is false.
-    Provides account name to account ID mapping without requiring the account-map component.
-    EOT
+  description = "Map of account names (tenant-stage format) to account IDs. Used to verify we're targeting the correct AWS account. Optional attributes support component-specific functionality (e.g., audit_account_account_name for cloudtrail, root_account_account_name for aws-sso)."
   default = {
-    full_account_map           = {}
-    audit_account_account_name = ""
-    root_account_account_name  = ""
+    full_account_map              = {}
+    audit_account_account_name    = ""
+    root_account_account_name     = ""
+    identity_account_account_name = ""
+    aws_partition                 = "aws"
+    iam_role_arn_templates        = {}
   }
 }
 
-# This component is unusual in that part of it must be deployed to the `root`
-# account. You have the option of where to deploy the remaining part, and
-# Cloud Posse recommends you deploy it also to the `root` account, however
-# it can be deployed to the `identity` account instead. In the discussion
-# below, when we talk about where this module is being deployed, we are
-# referring to the part of the module that is not deployed to the `root`
-# account and is configured by setting `stage` etc..
-
-# If you have Dynamic Terraform Roles enabled, leave the backend `role_arn` at
-# its default value. If deploying only to the `root` account, leave `privileged: false`
-# and use either SuperAdmin or an appropriate `aws-team` (such as `managers`).
-# If deploying to the `identity` account, set `privileged: true`
-# and use SuperAdmin or any other role in the `root` account with Admin access.
-#
-# For those not using dynamic Terraform roles:
-#
-# Set the stack configuration for this component to set `privileged: true`
-# and backend `role_arn` to `null`, and deploy it using either the SuperAdmin
-# role or any other role in the `root` account with Admin access.
-#
-# If you are deploying this to the "identity" account and have a team empowered
-# to deploy to both the "identity" and "root" accounts, then you have the option to set
-# `privileged: false` and leave the backend `role_arn` at its default value, but
-# then SuperAdmin will not be able to deploy this component,
-# only the team with access to both accounts will be able to deploy it.
-#
-
 provider "aws" {
   region = var.region
-
-  profile = !var.privileged && module.iam_roles.profiles_enabled ? module.iam_roles.terraform_profile_name : null
-  dynamic "assume_role" {
-    for_each = !var.privileged && module.iam_roles.profiles_enabled ? [] : (
-      var.privileged ? compact([module.iam_roles.org_role_arn]) : compact([module.iam_roles.terraform_role_arn])
-    )
-    content {
-      role_arn = assume_role.value
-    }
-  }
 }
 
-
+# dummy module to satisfy the module dependency
 module "iam_roles" {
-  source     = "../account-map/modules/iam-roles"
-  privileged = var.privileged
-
-  context = module.this.context
-}
-
-provider "aws" {
-  alias  = "root"
-  region = var.region
-
-  profile = !var.privileged && module.iam_roles_root.profiles_enabled ? module.iam_roles_root.terraform_profile_name : null
-  dynamic "assume_role" {
-    for_each = !var.privileged && module.iam_roles_root.profiles_enabled ? [] : (
-      var.privileged ? compact([module.iam_roles_root.org_role_arn]) : compact([module.iam_roles_root.terraform_role_arn])
-    )
-    content {
-      role_arn = assume_role.value
-    }
-  }
-}
-
-
-module "iam_roles_root" {
-  source = "../account-map/modules/iam-roles"
-
-  privileged  = var.privileged
-  tenant      = module.iam_roles.global_tenant_name
-  stage       = module.iam_roles.global_stage_name
-  environment = module.iam_roles.global_environment_name
-
+  source  = "cloudposse/label/null"
   context = module.this.context
 }
diff --git a/src/variables.tf b/src/variables.tf
@@ -3,12 +3,6 @@ variable "region" {
   description = "AWS Region"
 }
 
-variable "privileged" {
-  type        = bool
-  description = "True if the user running the Terraform command already has access to the Terraform backend"
-  default     = false
-}
-
 variable "account_assignments" {
   type = map(map(map(object({
     permission_sets = list(string)
@@ -33,16 +27,6 @@ variable "account_assignments" {
   default     = {}
 }
 
-variable "aws_teams_accessible" {
-  type        = set(string)
-  description = <<-EOT
-    List of IAM roles (e.g. ["admin", "terraform"]) for which to create permission
-    sets that allow the user to assume that role. Named like
-    admin -> IdentityAdminTeamAccess
-    EOT
-  default     = []
-}
-
 variable "groups" {
   type        = list(string)
   description = <<-EOT
@@ -59,24 +43,12 @@ variable "session_duration" {
   default     = ""
 }
 
-variable "tfstate_backend_component_name" {
-  type        = string
-  description = "The name of the tfstate-backend component"
-  default     = "tfstate-backend"
-}
-
 variable "account_map_component_name" {
   type        = string
   description = "The name of the account-map component"
   default     = "account-map"
 }
 
-variable "overridable_team_permission_set_name_pattern" {
-  type        = string
-  description = "The pattern used to generate the AWS SSO PermissionSet name for each team"
-  default     = "Identity%sTeamAccess"
-}
-
 variable "idp_groups" {
   type        = list(string)
   description = <<-EOT