Open mrpackethead opened 11 months ago
Makes sense to me. Thank you for your PR!
I would love to see an SSO context provider!
In addition to being useful to get the identitystore ID, a context provider is also essential for managing user/group relations via CfnGroupMembership objects.
Example use case: Auto-provisioning of users from some external IdP providers (eg Google Workspace) via SCIM doesn't include any group memberships. This leaves users in a pickle, since the console disables group modifications (creation, deletion, membership changes) when auto-provisioning is enabled. Oddly, groups are still able to be modified via CLI, API, and Cfn.
CDK could make this incomplete auto-provisioning useful by allowing people to import preexisting identitystore users and manage group memberships outside of SCIM. However, the identitystore API requires opaque GUIDs to identify Users and Groups, so without a way to lookup existing users via a context provider, the constructs are of limited usefulness.
```typescript
import * as identitystore from "aws-cdk-lib/aws-identitystore";

// this bit is fictional: User.fromUserName would need the requested context provider
const importedUser = identitystore.User.fromUserName(this, "ImportedUser", "me@example.com");
// importedUser.userId is a GUID, and is otherwise unavailable without a context provider

// assumed: the group is created in the same stack; this.identityStoreId is the
// identity store ID the stack already knows (cdk.context or a lookup)
const cfnGroup = new identitystore.CfnGroup(this, "Admins", {
  displayName: "Admins",
  identityStoreId: this.identityStoreId,
});

const cfnGroupMembership = new identitystore.CfnGroupMembership(this, "MeAdmin", {
  groupId: cfnGroup.attrGroupId,
  identityStoreId: this.identityStoreId,
  memberId: {
    userId: importedUser.userId,
  },
});
```
The alternative is to abandon auto-provisioning, and maintain a duplicate list of users within IAM Identity Center, which is not attractive either.
Describe the feature
A context provider that will return the id of the identity source for SSO.
Use Case
An Identity Center Group requires the ID of the Identity Store to create a Group.
Currently this can be provided manually by providing a value in cdk.json, or by a slightly anti-pattern custom resource lookup.
Groups are at the heart of creating policy for Verified Permissions and Verified Access.
Proposed Solution
Implement an IdentityCenterStore ID Context Provider plugin. This can follow the pattern of other providers, such as hosted-zones.
Other Information
A custom resource can be used to get the value, but this has the possibility of non-determinism if the value changed, so it is an anti-pattern.
The value can be provided manually in cdk.context.
Acknowledgements
CDK version used
2.85.0
Environment details (OS name and version, etc.)
any
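As an added illustration (not code from this issue or from aws-cdk), the following TypeScript models the behaviour the requested provider would give: a value already pinned in cdk.context wins, otherwise the identity store ID is looked up once from a ListInstances-shaped response and recorded, so later synths are deterministic. It is independent of aws-cdk-lib so it runs stand-alone; the sample response is constructed and the ID format check is an assumption.

```typescript
// Shape mirrors the sso-admin ListInstances response: Instances[].IdentityStoreId
interface SsoInstance { InstanceArn: string; IdentityStoreId: string }
interface ListInstancesResponse { Instances: SsoInstance[] }

// Assumed identity store ID format ("d-" plus ten hex characters); adjust if yours differs
const IDENTITY_STORE_ID = /^d-[0-9a-f]{10}$/;

// Reduce a ListInstances response to the single identity store ID, refusing
// ambiguous or malformed answers instead of silently picking one.
function pickIdentityStoreId(resp: ListInstancesResponse): string {
  if (resp.Instances.length !== 1) {
    throw new Error(`expected exactly one IAM Identity Center instance, got ${resp.Instances.length}`);
  }
  const id = resp.Instances[0].IdentityStoreId;
  if (!IDENTITY_STORE_ID.test(id)) {
    throw new Error(`unexpected identity store id format: ${id}`);
  }
  return id;
}

// Context-provider semantics: a pinned value short-circuits the lookup; otherwise
// look up once and record the result (the CDK CLI would persist it in cdk.context.json).
function resolveIdentityStoreId(
  context: Record<string, string>,
  lookup: () => ListInstancesResponse,
  key = "identity-store-id",
): { id: string; lookedUp: boolean } {
  const cached = context[key];
  if (cached !== undefined) {
    return { id: cached, lookedUp: false };
  }
  const id = pickIdentityStoreId(lookup());
  context[key] = id;
  return { id, lookedUp: true };
}

// Constructed sample response standing in for a live API call
const SAMPLE_RESPONSE: ListInstancesResponse = {
  Instances: [{ InstanceArn: "arn:aws:sso:::instance/ssoins-EXAMPLE", IdentityStoreId: "d-0123456789" }],
};
```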