aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-sso): Context Provider for SSO Instances. #26477

Open mrpackethead opened 11 months ago

mrpackethead commented 11 months ago

Describe the feature

A context provider that will return the id of the identity source for SSO.

Use Case

An Identity Center Group requires the Id of the Identity Store to create a Group.

    import { aws_identitystore } from 'aws-cdk-lib';

    const group = new aws_identitystore.CfnGroup(this, 'Resource', {
      identityStoreId: props.identityStoreId,
      description: props.description,
      displayName: props.name,
    });

Currently this can be provided manually by providing a value in cdk.json, or via a slightly anti-pattern custom resource lookup.

Groups are at the heart of creating policy for Verified Permissions and Verified Access.

Proposed Solution

Implement an IdentityCenterStore Id Context Provider Plugin. This can follow the pattern of other providers, such as hosted-zones.

Other Information

Acknowledgements

CDK version used

2.85.0

Environment details (OS name and version, etc.)

any

pahud commented 11 months ago

Makes sense to me. Thank you for your PR!

hatchetation commented 9 months ago

I would love to see an SSO context provider!

In addition to being useful to get the identitystore ID, a context provider is also essential for managing user/group relations via CfnGroupMembership objects.

Example use case: Auto-provisioning of users from some external IdP providers (e.g. Google Workspace) via SCIM doesn't include any group memberships. This leaves users in a pickle, since the console disables group modifications (creation, deletion, membership changes) when auto-provisioning is enabled. Oddly, groups are still able to be modified via CLI, API, and Cfn.

CDK could make this incomplete auto-provisioning useful by allowing people to import preexisting identitystore users and manage group memberships outside of SCIM. However, the identitystore API requires opaque GUIDs to identify Users and Groups, so without a way to look up existing users via a context provider, the constructs are of limited usefulness.

    //this bit is fictional
    const importedUser = identitystore.User.fromUserName(this, "ImportedUser", "me@example.com");

    //importedUser.userId is a GUID, and is otherwise unavailable without a context provider
    const cfnGroupMembership = new identitystore.CfnGroupMembership(
      this,
      "MeAdmin",
      {
        groupId: cfnGroup.attrGroupId,
        identityStoreId: this.identityStoreId,
        memberId: {
          userId: importedUser.userId,
        },
      }
    );

The alternative is to abandon auto-provisioning, and maintain a duplicate list of users within IAM Identity Center, which is not attractive either.
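The lookup-and-cache behaviour both the issue body (identity store ID) and the comment above (user ID from a user name) ask for, as an added example that is not part of this thread or of aws-cdk. It mirrors the hosted-zone provider pattern: build an environment-specific context key, serve from the cache that would live in cdk.context.json, and only on a miss make a read-only API call. The `IdentityApi` interface, the `fakeApi` stand-in for `SSOAdmin.ListInstances` / `IdentityStore.GetUserId`, and every account, region, ARN, store ID and user GUID below are constructed assumptions so the code runs offline; a real provider would wire in the SDK clients.

```typescript
// Added example sketching a context-provider style lookup for IAM Identity
// Center values. Not aws-cdk code; the API layer is injected and faked.

// Shape of the cache CDK persists in cdk.context.json (assumed: a flat
// string-keyed map, which is what the real file holds).
type ContextCache = Record<string, unknown>;

// Minimal, read-only view of the two calls a real provider would make.
interface IdentityApi {
  listInstances(): { instanceArn: string; identityStoreId: string }[];
  getUserId(identityStoreId: string, userName: string): string | undefined;
}

class ContextLookupError extends Error {}

class IdentityCenterContext {
  private readonly cache: ContextCache;
  private readonly api: IdentityApi;
  private readonly account: string;
  private readonly region: string;

  constructor(cache: ContextCache, api: IdentityApi, account: string, region: string) {
    this.cache = cache;
    this.api = api;
    this.account = account;
    this.region = region;
  }

  // Key convention follows hosted-zone lookups: provider name plus the
  // props that make the cached value unique for this environment.
  identityStoreKey(): string {
    return `identity-store:account=${this.account}:region=${this.region}`;
  }

  userKey(userName: string): string {
    return `identity-store-user:account=${this.account}:region=${this.region}:userName=${userName}`;
  }

  // Returns the single identity store ID for the account/region; refuses to
  // guess when zero or several instances come back rather than picking one.
  identityStoreId(): string {
    const key = this.identityStoreKey();
    const cached = this.cache[key];
    if (typeof cached === 'string') return cached;
    const instances = this.api.listInstances();
    if (instances.length !== 1) {
      throw new ContextLookupError(
        `expected exactly one IAM Identity Center instance in ${this.account}/${this.region}, found ${instances.length}`);
    }
    this.cache[key] = instances[0].identityStoreId;
    return instances[0].identityStoreId;
  }

  // Resolves the opaque user GUID from a user name, caching it under its own key.
  userId(userName: string): string {
    const key = this.userKey(userName);
    const cached = this.cache[key];
    if (typeof cached === 'string') return cached;
    const id = this.api.getUserId(this.identityStoreId(), userName);
    if (id === undefined) {
      throw new ContextLookupError(`no user named ${userName} in the identity store`);
    }
    this.cache[key] = id;
    return id;
  }
}

// Constructed fake API; records each call so cache hits can be observed.
function fakeApi(calls: string[]): IdentityApi {
  const users: Record<string, string> = {
    'me@example.com': '11111111-2222-3333-4444-555555555555', // constructed GUID
  };
  return {
    listInstances() {
      calls.push('ListInstances');
      return [{ instanceArn: 'arn:aws:sso:::instance/ssoins-EXAMPLE', identityStoreId: 'd-EXAMPLE0001' }];
    },
    getUserId(storeId, userName) {
      calls.push(`GetUserId:${storeId}:${userName}`);
      return users[userName];
    },
  };
}

// Runs the two lookups twice; the second round is served from the cache.
function demo(): { cache: ContextCache; calls: string[] } {
  const calls: string[] = [];
  const cache: ContextCache = {};
  const ctx = new IdentityCenterContext(cache, fakeApi(calls), '123456789012', 'us-east-1');
  ctx.identityStoreId();
  ctx.userId('me@example.com');
  ctx.identityStoreId();
  ctx.userId('me@example.com');
  return { cache, calls };
}
```

The point of the strict `instances.length !== 1` check is that a provider which silently picks the first instance would write a wrong ID into cdk.context.json and every later synth would reuse it; failing loudly on ambiguity is the safer default.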