Skip to content
/ terraform-aws-sso Public
forked from avlcloudtechnologies/terraform-aws-sso

Terraform module to manage AWS Single Sign-On (SSO) resources.

License

Apache-2.0 license
0 stars 33 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

virtualGain/terraform-aws-sso

BranchesTags
 
 

Repository files navigation

Forked from https://github.com/avlcloudtechnologies/terraform-aws-sso

AWS SSO Terraform module

GitHub tag (latest by date)

This module handles creation of AWS SSO permission sets and assignment to AWS SSO entities and AWS Accounts.

Pre-requisites

Before this module can be used, please ensure that the following pre-requisites are met:

  • Enable AWS Organizations and add AWS Accounts you want to be managed by SSO. Documentation
  • Enable AWS SSO. Documentation.
  • Create AWS SSO entities (Users and Groups) Documentation or use identitystore module.
  • Ensure that Terraform is using a role with permissions required for AWS SSO management. Documentation.

Usage

More complex examples can be found in the examples directory. Simple use case:

module "sso" {
  source  = "git::https://github.com/virtualGain/terraform-aws-sso.git?ref=v0.4.1"

  permission_sets = {
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources.",
      session_duration = "PT2H",
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    },
  }
  account_assignments = [
    {
      principal_name = "management"
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      account_ids    = ["123456789", "234567890"]
    },
  ]
}

permission_sets and account_assignments

permission_sets is a map of maps. Key is used as unique value for for_each resources. Inner map has the following keys/value pairs.

Name Description Type If unset
description (Optional) The description of the Permission Set. string Provider default behavior
relay_state (Optional) The relay state URL used to redirect users within the application during the federation authentication process string Provider default behavior.
session_duration (Optional) The length of time that the application user sessions are valid in the ISO-8601 standard string Provider default behavior.
tags (Optional) Key-value map of resource tags. string Provider default behavior
managed_policies (Optional) List of Managed IAM policies that are attached to permission set. list(string) Managed Policies not set.
customer_managed_policies (Optional) List of Customer Managed IAM policies that are attached to permission set. list(string) Customer Managed Policies not set.
inline_policy (Optional) Inline policy that is attached to permission set. string Inline policy not set.

account_assignments is a list of maps which have the following keys/value pairs.

Name Description Type If unset
principal_name (Required) Name of the SSO entity that you want to assign the Permission Set. string Required
principal_type (Required) Type of the SSO entity that you want to assign the Permission Set. Valid values: USER, GROUP string Required
permission_set (Required) Name of the Permission Set which will be granted to SSO entity on specified AWS accounts. string Required
account_ids (Required) AWS account IDs. list Required

Requirements

Name Version
terraform >= 0.12.23
aws >= 4.40

Providers

Name Version
aws >= 4.40

Modules

No modules.

Resources

Name Type
aws_ssoadmin_account_assignment.this resource
aws_ssoadmin_customer_managed_policy_attachment.this resource
aws_ssoadmin_managed_policy_attachment.this resource
aws_ssoadmin_permission_set.this resource
aws_ssoadmin_permission_set_inline_policy.this resource
aws_identitystore_group.this data source
aws_identitystore_user.this data source
aws_ssoadmin_instances.this data source

Inputs

Name Description Type Default Required
account_assignments List of maps containing mapping between user/group, permission set and assigned accounts list. See account_assignments description in README for more information about map values. 
list(object({
    principal_name = string,
    principal_type = string,
    permission_set = string,
    account_ids    = list(string)
  }))
 [] no
permission_sets Map of maps containing Permission Set names as keys. See permission_sets description in README for information about map values. any 
{
  "AdministratorAccess": {
    "description": "Provides full access to AWS services and resources.",
    "managed_policies": [
      "arn:aws:iam::aws:policy/AdministratorAccess"
    ],
    "session_duration": "PT2H"
  }
}
 no

Outputs

Name Description
aws_ssoadmin_account_assignments Maps of account assignments to permission sets with keys user/group_name.permission_set_name.account_id and attributes listed in Terraform resource aws_ssoadmin_account_assignment documentation.
aws_ssoadmin_permission_sets Maps of permission sets with attributes listed in Terraform resource aws_ssoadmin_permission_set documentation.

About

Terraform module to manage AWS Single Sign-On (SSO) resources.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Initial Fork Latest
May 12, 2023

Packages

No packages published

Languages

  • HCL 100.0%