Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be the built-in directory, Active Directory, or any external identity provider with SAML integration. At the time of writing, the identitystore service does not have a fully fleshed-out API, so you will have to configure the identity source manually.
However, once the identity store is configured, Terraform can use the users and groups that were pushed into it (or created by hand) and assign permission sets to accounts.
Get SSO Instance ID and Identity Group Via Lookup
# Look up the SSO instance; an account has at most one, hence the [0].
data "aws_ssoadmin_instances" "this" {}

# Resolve the identity-store group by its display name.
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}
Create a Permission Set to Define Accounts
resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # ISO 8601 duration; set this to the session length you want
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}
Define Policy For Permission Set
Managed Policy
If you have a list of managed policies you'd like to attach, you can loop over the list and attach them individually.
# var.managed_policy_arn is a list of managed policy ARNs; toset() gives for_each stable keys.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each = toset(var.managed_policy_arn)

  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Inline Policy
# Build the inline policy as an IAM policy document rather than hand-written JSON.
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Apply the Permission Set to Accounts
data "aws_organizations_organization" "this" {}

# One assignment per account in the organization, granting the permission set to the group.
resource "aws_ssoadmin_account_assignment" "this" {
  for_each = toset(data.aws_organizations_organization.this.accounts[*].id)

  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value) # marked sensitive so account IDs are redacted from plan output
  target_type        = "AWS_ACCOUNT"
}
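The assignment above fans the permission set out to every account in the organization, including the management account. As an added example (not code from the original post), the variant below scopes the assignment to an explicit allowlist of active member accounts, validates the IDs, and refuses to target the management account; `var.target_account_ids`, `local.target_ids`, and the resource name `scoped` are assumed names for this example, and it reuses the `aws_ssoadmin_permission_set.this` and `aws_identitystore_group.this` definitions above.

```hcl
variable "target_account_ids" {
  description = "Account IDs that should receive this permission set; empty means every active member account."
  type        = set(string)
  default     = []

  validation {
    condition     = alltrue([for id in var.target_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every account ID must be a 12-digit string."
  }
}

data "aws_organizations_organization" "this" {}

locals {
  # Active member accounts only; non_master_accounts already excludes the management account.
  active_member_ids = toset([
    for acct in data.aws_organizations_organization.this.non_master_accounts : acct.id
    if acct.status == "ACTIVE"
  ])

  # An explicit allowlist wins; otherwise fall back to all active member accounts.
  target_ids = length(var.target_account_ids) > 0 ? var.target_account_ids : local.active_member_ids
}

resource "aws_ssoadmin_account_assignment" "scoped" {
  for_each = local.target_ids

  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"

  lifecycle {
    # Fail the plan if an allowlisted ID turns out to be the management account.
    precondition {
      condition     = each.value != data.aws_organizations_organization.this.master_account_id
      error_message = "Refusing to assign this permission set to the management account ${each.value}."
    }
  }
}
```

Because the permission set grants the same access in every target account, keeping the target list explicit and reviewable is the cheapest control you have over its blast radius.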