DEV Community

Daniel Quackenbush
Daniel Quackenbush

Posted on

Configuring AWS SSO

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be using the built-in directory service, active directory, or any external identity provider with SAML integration. At this time of writing, identitystore doesn't have a fully fleshed out API, so you will have to configure this manually.

However, once the identity store is configured, it can utilize those pushed or self-created users and groups and assign permission sets to accounts.

 Get SSO Instance ID and Identity Group Via Lookup

data "aws_ssoadmin_instances" "this" {}
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}
Enter fullscreen mode Exit fullscreen mode

 Create a Permission Set to Define Accounts

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # Set this duration to the time you desire
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}
Enter fullscreen mode Exit fullscreen mode

Define Policy For Permission Set

Managed Policy

If you have a list of managed polcies you'd like to attach, you can loop over and attach them indiviudally.

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arn)
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode
Inline Policy
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode

Apply the permissions sets to Accounts

data "aws_organizations_organization" "this" {}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)