
trussworks/terraform-aws-sso-group


Terraform AWS SSO Group

This module provisions AWS IAM Identity Center (formerly AWS Single Sign-On) resources:

  • An Identity Store group and group memberships for each user that is specified (the module does not provision users for you)
    • Alternatively, you may supply your own pre-existing Identity Store group. This is especially useful if you make use of an external IdP such as Okta. In this case, set create_group = false but still provide the group_name. You should also omit users to avoid drift from the IdP.
  • A Permission Set with options for inline, AWS-managed, and customer-managed policy attachments to attach to the group
  • Account assignments provisioning the permission set in each specified account

Prerequisites

  • In order to use AWS IAM Identity Center, your account must be managed by AWS Organizations.
  • At the time of this writing (2023-11-09), you must manually click the Enable button in the AWS IAM Identity Center web console to create an instance in your account.

Usage

Example where you wish to provision users and groups

data "aws_caller_identity" "current" {}

data "aws_ssoadmin_instances" "this" {}

variable "another_account_id" {
  description = "ID of another account within the organization"
  type        = string
  default     = "000000000000"
}

variable "users" {
  description = "Identity Store users to create, keyed by display name (given name and family name separated by a space)"
  type        = map(map(string))
  default = {
    "John Doe" = {
      username = "jdoe"
      email    = "[email protected]"
    },
    "John Smith" = {
      username = "jsmith"
      email    = "[email protected]"
    },
    "Joe Bloggs" = {
      username = "jbloggs"
      email    = "[email protected]"
    }
  }
}

resource "aws_identitystore_user" "user" {
  for_each = var.users

  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  display_name = each.key
  user_name    = each.value["username"]

  name {
    given_name  = split(" ", each.key)[0]
    family_name = split(" ", each.key)[1]
  }

  emails {
    primary = true
    value   = each.value["email"]
  }
}

module "sso_group" {
  source  = "trussworks/sso-group/aws"
  version = "~> 1.0"

  group_name          = "group-name"
  permission_set_name = "permission-set-name"

  accounts = [
    data.aws_caller_identity.current.account_id,
    var.another_account_id
  ]

  # The module expects a map of user name => Identity Store user ID,
  # so the for expression must produce a map ({ ... }), not a list ([ ... ]).
  users = {
    for user in aws_identitystore_user.user : user.user_name => user.user_id
  }

  policy_aws_managed = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
}

Example where an external IdP + SCIM handles users and groups

module "sre_admin" {
  source  = "trussworks/sso-group/aws"
  version = "~> 1.0"

  accounts = [
    data.aws_caller_identity.current.account_id,
    var.another_account_id
  ]

  create_group = false

  group_name = "group-name" # must match the group name that already exists

  permission_set_name = "permission-set-name"

  policy_aws_managed = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
}
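Both examples above grant AdministratorAccess. The module also accepts an inline policy, a customer-managed policy and a session duration (see Inputs below), which is how a scoped, least-privilege permission set is expressed. The following is an added example, not code from the module's README; the group name, permission set name, policy names and the existence of a customer-managed IAM policy in every target account are assumptions.

```hcl
# Added example (not from the module's README): a read-only CloudWatch Logs
# permission set instead of AdministratorAccess. Names below are assumptions.

data "aws_caller_identity" "current" {}

variable "another_account_id" {
  description = "ID of another account within the organization"
  type        = string
  default     = "000000000000"
}

# Inline policy rendered to JSON for the module's policy_inline input.
data "aws_iam_policy_document" "readonly_logs" {
  statement {
    sid    = "ReadCloudWatchLogs"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "logs:FilterLogEvents",
      "logs:StartQuery",
      "logs:GetQueryResults",
    ]
    resources = ["*"]
  }
}

module "log_readers" {
  source  = "trussworks/sso-group/aws"
  version = "~> 1.0"

  # Assumed: the group is provisioned by an external IdP via SCIM, so the
  # module only looks it up; users is omitted to avoid drift from the IdP.
  create_group = false
  group_name   = "log-readers"

  permission_set_name        = "LogReadOnly"
  permission_set_description = "Read-only access to CloudWatch Logs"

  # ISO-8601 duration; the module default is PT1H.
  session_duration = "PT4H"

  accounts = [
    data.aws_caller_identity.current.account_id,
    var.another_account_id,
  ]

  policy_inline = data.aws_iam_policy_document.readonly_logs.json

  # Assumed: an IAM policy with this name and path already exists in every
  # account listed in `accounts`; the attachment fails otherwise.
  policy_customer_managed_name = "org-baseline-guardrails"
  policy_customer_managed_path = "/sso/"
}
```

The inline policy lives with the permission set and needs no per-account resource, whereas a customer-managed policy is referenced by name and path and must be present in each account before the attachment is applied.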

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.6 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_identitystore_group.this | resource |
| aws_identitystore_group_membership.this | resource |
| aws_ssoadmin_account_assignment.this | resource |
| aws_ssoadmin_customer_managed_policy_attachment.this | resource |
| aws_ssoadmin_managed_policy_attachment.this | resource |
| aws_ssoadmin_permission_set.this | resource |
| aws_ssoadmin_permission_set_inline_policy.this | resource |
| aws_caller_identity.this | data source |
| aws_identitystore_group.this | data source |
| aws_ssoadmin_instances.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| accounts | List of account IDs in which the permission set is to be provisioned | list(string) | n/a | yes |
| create_group | Whether to create a new user group. Defaults to true so that updates don't cause issues | bool | true | no |
| group_description | Description of the user group | string | "N/A" | no |
| group_name | The display name of the group being created (or looked up when create_group = false) | string | n/a | yes |
| permission_set_description | Description of the permission set | string | "N/A" | no |
| permission_set_name | Name of the permission set | string | n/a | yes |
| policy_aws_managed | List of ARNs of AWS-managed policies to attach to the permission set | list(string) | [] | no |
| policy_customer_managed_name | Name of the customer-managed policy to attach to the permission set | string | "" | no |
| policy_customer_managed_path | Path of the customer-managed policy to attach to the permission set | string | "/" | no |
| policy_inline | Inline policy in JSON format to attach to the permission set | string | "" | no |
| session_duration | The user session duration in ISO-8601 format | string | "PT1H" | no |
| users | Map of users to add to the group (user name => Identity Store user ID) | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| group_id | The ID of the Identity Store group |
| permission_set_arn | The ARN of the permission set |

Developer Setup

Install dependencies (macOS)

brew install pre-commit tfenv terraform-docs
tfenv install
pre-commit install --install-hooks