DEV Community

Daniel Quackenbush
Daniel Quackenbush

Posted on

Configuring AWS SSO

#sso #terraform #aws

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be using the built-in directory service, active directory, or any external identity provider with SAML integration. At this time of writing, identitystore doesn't have a fully fleshed out API, so you will have to configure this manually.

However, once the identity store is configured, it can utilize those pushed or self-created users and groups and assign permission sets to accounts.

 Get SSO Instance ID and Identity Group Via Lookup 

data "aws_ssoadmin_instances" "this" {}
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}
Enter fullscreen mode Exit fullscreen mode

 Create a Permission Set to Define Accounts 

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # Set this duration to the time you desire
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}
Enter fullscreen mode Exit fullscreen mode

Define Policy For Permission Set

Managed Policy

If you have a list of managed polcies you'd like to attach, you can loop over and attach them indiviudally.

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arn)
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode
Inline Policy 
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode

Apply the permissions sets to Accounts 

data "aws_organizations_organization" "this" {}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

nivekalara237 profile image

How to combine SQS and SNS to implement multiple Consumers (Part 2)

Kevin Lactio Kemta -

lakmalya profile image

Managing Multiple Bitbucket Repositories with Terraform: A Deep Dive into terraform-bitbucket-multi-repo-manager

Dulanjana Lakmal -

seifrajhi profile image

Speed Up Microservices Development with Dapr on AWS EKS

saifeddine Rajhi -

vkazulkin profile image

Lambda function with GraalVM Native Image - Part 4 Measuring cold and warm starts using different Lambda memory settings

Vadym Kazulkin -