avlcloudtechnologies / terraform-aws-sso

Terraform module to manage AWS Single Sign-On (SSO) resources.
Apache License 2.0

AWS SSO Terraform module


This module handles creation of AWS SSO permission sets and assignment to AWS SSO entities and AWS Accounts.

Pre-requisites

Before this module can be used, please ensure that the following pre-requisites are met:

Usage

More complex examples can be found in the examples directory. Simple use case:

```hcl
module "sso" {
  source  = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources.",
      session_duration = "PT2H",
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    },
  }
  account_assignments = [
    {
      principal_name = "management"
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      account_ids    = ["123456789", "234567890"]
    },
  ]
}
```

permission_sets and account_assignments

permission_sets is a map of maps. The outer key is used as the unique key for the module's for_each resources. The inner map has the following key/value pairs.

| Name | Description | Type | If unset |
|---|---|---|---|
| description | (Optional) The description of the Permission Set. | string | Provider default behavior |
| relay_state | (Optional) The relay state URL used to redirect users within the application during the federation authentication process. | string | Provider default behavior |
| session_duration | (Optional) The length of time that the application user sessions are valid, in ISO-8601 duration format. | string | Provider default behavior |
| tags | (Optional) Key-value map of resource tags. | string | Provider default behavior |
| managed_policies | (Optional) List of AWS managed IAM policies that are attached to the permission set. | list(string) | Managed policies not set |
| customer_managed_policies | (Optional) List of customer managed IAM policies that are attached to the permission set. | list(string) | Customer managed policies not set |
| inline_policy | (Optional) Inline policy that is attached to the permission set. | string | Inline policy not set |

account_assignments is a list of maps, each with the following key/value pairs.

| Name | Description | Type | If unset |
|---|---|---|---|
| principal_name | (Required) Name of the SSO entity to which you want to assign the Permission Set. | string | Required |
| principal_type | (Required) Type of the SSO entity to which you want to assign the Permission Set. Valid values: USER, GROUP | string | Required |
| permission_set | (Required) Name of the Permission Set that will be granted to the SSO entity on the specified AWS accounts. | string | Required |
| account_ids | (Required) AWS account IDs. | list | Required |

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.12.23 |
| aws | >= 4.40 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.40 |
| null | n/a |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_ssoadmin_account_assignment.this | resource |
| aws_ssoadmin_customer_managed_policy_attachment.this | resource |
| aws_ssoadmin_managed_policy_attachment.this | resource |
| aws_ssoadmin_permission_set.this | resource |
| aws_ssoadmin_permission_set_inline_policy.this | resource |
| null_resource.group_dependency | resource |
| null_resource.user_dependency | resource |
| aws_identitystore_group.this | data source |
| aws_identitystore_user.this | data source |
| aws_ssoadmin_instances.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_assignments | List of maps, each mapping a user/group and a permission set to a list of assigned accounts. See the account_assignments description in this README for more information about map values. | `list(object({ principal_name = string, principal_type = string, permission_set = string, account_ids = list(string) }))` | `[]` | no |
| identitystore_group_data_source_depends_on | List of values that the identitystore group data sources depend on, for example the IDs of SSO groups created in the same configuration. | `list(string)` | `[]` | no |
| identitystore_user_data_source_depends_on | List of values that the identitystore user data sources depend on, for example the IDs of SSO users created in the same configuration. | `list(string)` | `[]` | no |
| permission_sets | Map of maps with Permission Set names as keys. See the permission_sets description in this README for information about map values. | `any` | `{ "AdministratorAccess": { "description": "Provides full access to AWS services and resources.", "managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"], "session_duration": "PT2H" } }` | no |
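A fuller configuration, added here as an illustration and not taken from the module's own examples directory: two permission sets with different session lengths, an inline deny layered on a managed read-only policy, a group created in the same root module, and the identitystore_group_data_source_depends_on input used so the module's group lookup waits for that group. Account IDs and group names are placeholders, and the aws_identitystore_group resource assumes a provider version that ships it.

```hcl
data "aws_ssoadmin_instances" "this" {}

# Group created alongside the module; its ID is passed to the depends_on input below.
resource "aws_identitystore_group" "auditors" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  display_name      = "auditors"
}

module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    # Break-glass admin: short session, tagged so the grant is easy to audit.
    AdministratorAccess = {
      description      = "Full access; intended for break-glass use only."
      session_duration = "PT1H"
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
      tags             = { owner = "platform", sensitivity = "high" }
    }
    # Read-only, with an explicit deny on secret material via inline_policy.
    ReadOnlyNoSecrets = {
      session_duration = "PT8H"
      managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Sid      = "DenySecretReads"
          Effect   = "Deny"
          Action   = ["secretsmanager:GetSecretValue", "ssm:GetParameter*"]
          Resource = "*"
        }]
      })
    }
  }

  account_assignments = [
    {
      principal_name = "platform-admins" # placeholder: pre-existing group
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      account_ids    = ["111111111111"] # placeholder: management account
    },
    {
      principal_name = aws_identitystore_group.auditors.display_name
      principal_type = "GROUP"
      permission_set = "ReadOnlyNoSecrets"
      account_ids    = ["111111111111", "222222222222"] # placeholders
    },
  ]

  # Without this, the module's aws_identitystore_group data source could be
  # evaluated before the new group exists and fail the plan.
  identitystore_group_data_source_depends_on = [aws_identitystore_group.auditors.group_id]
}
```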

Outputs

| Name | Description |
|---|---|
| aws_ssoadmin_account_assignments | Map of account assignments to permission sets, keyed as user/group_name.permission_set_name.account_id, with the attributes listed in the Terraform aws_ssoadmin_account_assignment resource documentation. |
| aws_ssoadmin_permission_sets | Map of permission sets with the attributes listed in the Terraform aws_ssoadmin_permission_set resource documentation. |