fmt: precommit run -a

README.md

@@ -468,7 +468,7 @@ settings:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.56.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.65.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
@@ -492,6 +492,7 @@ settings:
 | [aws_iam_role.eventbridge_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.eventbridge_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_lambda_permission.eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_scheduler_schedule_group.one_time_schedule_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule_group) | resource |
 | [aws_sns_topic.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_subscription.dlq](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
@@ -510,9 +511,13 @@ settings:
 | <a name="input_approver_renotification_initial_wait_time"></a> [approver\_renotification\_initial\_wait\_time](#input\_approver\_renotification\_initial\_wait\_time) | The initial wait time before the first re-notification to the approver is sent. This is measured in minutes. If set to 0, no re-notifications will be sent. | `number` | `15` | no |
 | <a name="input_aws_sns_topic_subscription_email"></a> [aws\_sns\_topic\_subscription\_email](#input\_aws\_sns\_topic\_subscription\_email) | value for the email address to subscribe to the SNS topic | `string` | `""` | no |
 | <a name="input_config"></a> [config](#input\_config) | value for the SSO Elevator config | `any` | n/a | yes |
-| <a name="input_ecr_owner_account_id"></a> [ecr\_owner\_account\_id](#input\_ecr\_owner\_account\_id) | In what account is the ECR repository located. | `string` | `"754426185857"` | no |
-| <a name="input_event_brige_check_on_inconsistency_rule_name"></a> [event\_brige\_check\_on\_inconsistency\_rule\_name](#input\_event\_brige\_check\_on\_inconsistency\_rule\_name) | value for the event bridge check on inconsistency rule name | `string` | `"sso_elevator_check_on_inconsistency"` | no |
-| <a name="input_event_brige_scheduled_revocation_rule_name"></a> [event\_brige\_scheduled\_revocation\_rule\_name](#input\_event\_brige\_scheduled\_revocation\_rule\_name) | value for the event bridge scheduled revocation rule name | `string` | `"sso_elevator_scheduled_revocation"` | no |
+| <a name="input_create_api_gateway"></a> [create\_api\_gateway](#input\_create\_api\_gateway) | If true, module will create & configure API Gateway for the Lambda function | `bool` | `true` | no |
+| <a name="input_create_lambda_url"></a> [create\_lambda\_url](#input\_create\_lambda\_url) | If true, the Lambda function will continue to use the Lambda URL, which will be deprecated in the future<br>If false, Lambda url will be deleted. | `bool` | `true` | no |
+| <a name="input_ecr_owner_account_id"></a> [ecr\_owner\_account\_id](#input\_ecr\_owner\_account\_id) | In what account is the ECR repository located. | `string` | `"222341826240"` | no |
+| <a name="input_ecr_repo_name"></a> [ecr\_repo\_name](#input\_ecr\_repo\_name) | The name of the ECR repository. | `string` | `"aws-sso-elevator"` | no |
+| <a name="input_event_brige_check_on_inconsistency_rule_name"></a> [event\_brige\_check\_on\_inconsistency\_rule\_name](#input\_event\_brige\_check\_on\_inconsistency\_rule\_name) | value for the event bridge check on inconsistency rule name | `string` | `"sso-elevator-check_on-inconsistency"` | no |
+| <a name="input_event_brige_scheduled_revocation_rule_name"></a> [event\_brige\_scheduled\_revocation\_rule\_name](#input\_event\_brige\_scheduled\_revocation\_rule\_name) | value for the event bridge scheduled revocation rule name | `string` | `"sso-elevator-scheduled-revocation"` | no |
+| <a name="input_group_config"></a> [group\_config](#input\_group\_config) | value for the SSO Elevator group config | `any` | n/a | yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | value for the log level | `string` | `"INFO"` | no |
 | <a name="input_max_permissions_duration_time"></a> [max\_permissions\_duration\_time](#input\_max\_permissions\_duration\_time) | Maximum duration of the permissions granted by the Elevator in hours. | `number` | `24` | no |
 | <a name="input_request_expiration_hours"></a> [request\_expiration\_hours](#input\_request\_expiration\_hours) | After how many hours should the request expire? If set to 0, the request will never expire. | `number` | `8` | no |
@@ -529,7 +534,7 @@ settings:
 | <a name="input_schedule_expression"></a> [schedule\_expression](#input\_schedule\_expression) | recovation schedule expression (will revoke all user-level assignments unknown to the Elevator) | `string` | `"cron(0 23 * * ? *)"` | no |
 | <a name="input_schedule_expression_for_check_on_inconsistency"></a> [schedule\_expression\_for\_check\_on\_inconsistency](#input\_schedule\_expression\_for\_check\_on\_inconsistency) | how often revoker should check for inconsistency (warn if found unknown user-level assignments) | `string` | `"rate(2 hours)"` | no |
 | <a name="input_schedule_group_name"></a> [schedule\_group\_name](#input\_schedule\_group\_name) | value for the schedule group name | `string` | `"sso-elevator-scheduled-revocation"` | no |
-| <a name="input_schedule_role_name"></a> [schedule\_role\_name](#input\_schedule\_role\_name) | value for the schedule role name | `string` | `"event-bridge-role-for-sso-elevator"` | no |
+| <a name="input_schedule_role_name"></a> [schedule\_role\_name](#input\_schedule\_role\_name) | value for the schedule role name | `string` | `"sso-elevator-event-bridge-role"` | no |
 | <a name="input_slack_bot_token"></a> [slack\_bot\_token](#input\_slack\_bot\_token) | value for the Slack bot token | `string` | n/a | yes |
 | <a name="input_slack_channel_id"></a> [slack\_channel\_id](#input\_slack\_channel\_id) | value for the Slack channel ID | `string` | n/a | yes |
 | <a name="input_slack_signing_secret"></a> [slack\_signing\_secret](#input\_slack\_signing\_secret) | value for the Slack signing secret | `string` | n/a | yes |
@@ -541,6 +546,7 @@ settings:
 
 | Name | Description |
 |------|-------------|
+| <a name="output_lambda_function_url"></a> [lambda\_function\_url](#output\_lambda\_function\_url) | value for the access\_requester lambda function URL |
 | <a name="output_requester_api_endpoint_url"></a> [requester\_api\_endpoint\_url](#output\_requester\_api\_endpoint\_url) | The full URL to invoke the API. Pass this URL into the Slack App manifest as the Request URL. |
 | <a name="output_sso_elevator_bucket_id"></a> [sso\_elevator\_bucket\_id](#output\_sso\_elevator\_bucket\_id) | The name of the SSO elevator bucket. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

src/access_control.py

@@ -44,10 +44,10 @@ def determine_affected_statements(
     group_id: str | None = None,
 ) -> FrozenSet[Statement] | FrozenSet[GroupStatement]:
     if isinstance(statements, FrozenSet) and all(isinstance(item, Statement) for item in statements):
-        return get_affected_statements(statements, account_id, permission_set_name) #type: ignore # noqa: PGH003
+        return get_affected_statements(statements, account_id, permission_set_name)  # type: ignore # noqa: PGH003
 
     if isinstance(statements, FrozenSet) and all(isinstance(item, GroupStatement) for item in statements):
-        return get_affected_group_statements(statements, group_id) #type: ignore # noqa: PGH003
+        return get_affected_group_statements(statements, group_id)  # type: ignore # noqa: PGH003
 
     # About type ignore:
     # For some reason, pylance is not able to understand that we already checked the type of the items in the set,
@@ -77,16 +77,16 @@ def make_decision_on_access_request(  # noqa: PLR0911
             return AccessRequestDecision(
                 grant=True,
                 reason=DecisionReason.ApprovalNotRequired,
-                based_on_statements=frozenset([statement]), #type: ignore # noqa: PGH003
+                based_on_statements=frozenset([statement]),  # type: ignore # noqa: PGH003
             )
         if requester_email in statement.approvers and statement.allow_self_approval and not explicit_deny_self_approval:
             return AccessRequestDecision(
                 grant=True,
                 reason=DecisionReason.SelfApproval,
-                based_on_statements=frozenset([statement]), #type: ignore # noqa: PGH003
+                based_on_statements=frozenset([statement]),  # type: ignore # noqa: PGH003
             )
 
-        decision_based_on_statements.add(statement) #type: ignore # noqa: PGH003
+        decision_based_on_statements.add(statement)  # type: ignore # noqa: PGH003
         potential_approvers.update(approver for approver in statement.approvers if approver != requester_email)
 
     if not decision_based_on_statements:
@@ -142,13 +142,13 @@ def make_decision_on_approve_request(  # noqa: PLR0913
                 return ApproveRequestDecision(
                     grant=action == entities.ApproverAction.Approve,
                     permit=True,
-                    based_on_statements=frozenset([statement]), #type: ignore # noqa: PGH003
+                    based_on_statements=frozenset([statement]),  # type: ignore # noqa: PGH003
                 )
 
     return ApproveRequestDecision(
         grant=False,
         permit=False,
-        based_on_statements=affected_statements, #type: ignore # noqa: PGH003
+        based_on_statements=affected_statements,  # type: ignore # noqa: PGH003
     )
 
 
@@ -195,8 +195,8 @@ def execute_decision(  # noqa: PLR0913
             request_id=account_assignment_status.request_id,
             operation_type="grant",
             permission_duration=permission_duration,
-            sso_user_principal_id = user_principal_id,
-            audit_entry_type = "account"
+            sso_user_principal_id=user_principal_id,
+            audit_entry_type="account",
         ),
     )
 
@@ -215,7 +215,6 @@ def execute_decision(  # noqa: PLR0913
     return True  # Temporary solution for testing
 
 
-
 def execute_decision_on_group_request(  # noqa: PLR0913
     decision: AccessRequestDecision | ApproveRequestDecision,
     group: entities.aws.SSOGroup,
@@ -225,7 +224,6 @@ def execute_decision_on_group_request(  # noqa: PLR0913
     requester: entities.slack.User,
     reason: str,
     identity_store_id: str,
-
 ) -> bool:
     logger.info("Executing decision")
     if not decision.grant:
@@ -238,48 +236,40 @@ def execute_decision_on_group_request(  # noqa: PLR0913
         sso_user_id=user_principal_id,
         identity_store_client=identitystore_client,
     ):
-        logger.info("User is already in the group",extra={
-            "group_id": group.id,
-            "user_id": user_principal_id,
-            "membership_id": membership_id
-            }
+        logger.info(
+            "User is already in the group", extra={"group_id": group.id, "user_id": user_principal_id, "membership_id": membership_id}
         )
     else:
-        membership_id = sso.add_user_to_a_group(group.id,user_principal_id,identity_store_id,identitystore_client)["MembershipId"]
-        logger.info("User added to the group",extra={
-            "group_id": group.id,
-            "user_id": user_principal_id,
-            "membership_id": membership_id
-            }
-        )
+        membership_id = sso.add_user_to_a_group(group.id, user_principal_id, identity_store_id, identitystore_client)["MembershipId"]
+        logger.info("User added to the group", extra={"group_id": group.id, "user_id": user_principal_id, "membership_id": membership_id})
 
     s3.log_operation(
         audit_entry=s3.AuditEntry(
-            group_name = group.name,
-            group_id = group.id,
-            reason = reason,
-            requester_slack_id = requester.id,
-            requester_email = requester.email,
-            approver_slack_id = approver.id,
-            approver_email = approver.email,
-            operation_type = "grant",
-            permission_duration = permission_duration,
-            audit_entry_type = "group",
-            sso_user_principal_id = user_principal_id,
-            ),
-        )
+            group_name=group.name,
+            group_id=group.id,
+            reason=reason,
+            requester_slack_id=requester.id,
+            requester_email=requester.email,
+            approver_slack_id=approver.id,
+            approver_email=approver.email,
+            operation_type="grant",
+            permission_duration=permission_duration,
+            audit_entry_type="group",
+            sso_user_principal_id=user_principal_id,
+        ),
+    )
 
     schedule.schedule_group_revoke_event(
-            permission_duration=permission_duration,
-            schedule_client=schedule_client,
-            approver=approver,
-            requester=requester,
-            group_assignment=sso.GroupAssignment(
-                identity_store_id=identity_store_id,
-                group_name=group.name,
-                group_id=group.id,
-                user_principal_id=user_principal_id,
-                membership_id=membership_id,
-            ),
-        )
-    return# type: ignore # noqa: PGH003
+        permission_duration=permission_duration,
+        schedule_client=schedule_client,
+        approver=approver,
+        requester=requester,
+        group_assignment=sso.GroupAssignment(
+            identity_store_id=identity_store_id,
+            group_name=group.name,
+            group_id=group.id,
+            user_principal_id=user_principal_id,
+            membership_id=membership_id,
+        ),
+    )
+    return  # type: ignore # noqa: PGH003

src/config.py

@@ -25,6 +25,7 @@ def to_set_if_list_or_str(v: list | str) -> frozenset[str]:
         }
     )
 
+
 def parse_group_statement(_dict: dict) -> GroupStatement:
     def to_set_if_list_or_str(v: list | str) -> frozenset[str]:
         if isinstance(v, list):
@@ -40,6 +41,7 @@ def to_set_if_list_or_str(v: list | str) -> frozenset[str]:
         }
     )
 
+
 def get_groups_from_statements(statements: set[GroupStatement]) -> frozenset[str]:
     return frozenset(group for statement in statements for group in statement.resource)