This module handles creation of AWS SSO permission sets and their assignment to AWS SSO entities (users and groups) on AWS accounts.

Before this module can be used, please ensure that the following prerequisites are met:

- Enable AWS Organizations and add the AWS accounts you want to be managed by SSO (see the AWS documentation).
- Enable AWS SSO (see the AWS documentation).
- Create AWS SSO entities (users and groups) (see the AWS documentation).
- Ensure that Terraform is using a role with the permissions required for AWS SSO management (see the AWS documentation).

More complex examples can be found in the examples directory. Simple use case:
```hcl
module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources.",
      session_duration = "PT2H",
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    },
  }

  account_assignments = [
    {
      principal_name = "management"
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      account_ids    = ["123456789", "234567890"]
    },
  ]
}
```
permission_sets

`permission_sets` is a map of maps. The key is used as the unique value for the `for_each` of the created resources. The inner map has the following key/value pairs.
Name | Description | Type | If unset |
---|---|---|---|
description | (Optional) The description of the permission set. | string | Provider default behavior. |
relay_state | (Optional) The relay state URL used to redirect users within the application during the federation authentication process. | string | Provider default behavior. |
session_duration | (Optional) The length of time that the application user sessions are valid, in ISO-8601 duration format (e.g. `PT2H`). | string | Provider default behavior. |
tags | (Optional) Key-value map of resource tags. | string | Provider default behavior. |
managed_policies | (Optional) List of managed IAM policy ARNs that are attached to the permission set. | list(string) | No managed policies are attached. |
inline_policy | (Optional) Inline IAM policy document (JSON string) that is attached to the permission set. | string | No inline policy is attached. |
account_assignments

`account_assignments` is a list of maps which have the following key/value pairs.
Name | Description | Type | If unset |
---|---|---|---|
principal_name | (Required) Name of the SSO entity (user or group) to which you want to assign the permission set. | string | Required |
principal_type | (Required) Type of the SSO entity to which you want to assign the permission set. Valid values: `USER`, `GROUP`. | string | Required |
permission_set | (Required) Name (key in `permission_sets`) of the permission set that will be granted to the SSO entity on the specified AWS accounts. | string | Required |
account_ids | (Required) AWS account IDs on which the assignment is created. | list | Required |
Requirements

Name | Version |
---|---|
terraform | >= 0.12.23 |
aws | >= 3.27 |

Providers

Name | Version |
---|---|
aws | >= 3.27 |
Modules

No modules.

Resources

Name | Type |
---|---|
aws_ssoadmin_account_assignment.this | resource |
aws_ssoadmin_managed_policy_attachment.this | resource |
aws_ssoadmin_permission_set.this | resource |
aws_ssoadmin_permission_set_inline_policy.this | resource |
aws_identitystore_group.this | data source |
aws_identitystore_user.this | data source |
aws_ssoadmin_instances.this | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_assignments | List of maps containing the mapping between user/group, permission set and the list of assigned accounts. See the account_assignments description in this README for more information about map values. | list(object({...})) | [] | no |
permission_sets | Map of maps containing permission set names as keys. See the permission_sets description in this README for information about map values. | any | {} | no |
Outputs

Name | Description |
---|---|
aws_ssoadmin_account_assignments | Map of account assignments to permission sets, keyed by `user/group_name.permission_set_name.account_id`, with the attributes listed in the Terraform `aws_ssoadmin_account_assignment` resource documentation. |
aws_ssoadmin_permission_sets | Map of permission sets with the attributes listed in the Terraform `aws_ssoadmin_permission_set` resource documentation. |
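The following is an added example, not code from the module's own README or examples directory. It ties together the `permission_sets` and `account_assignments` inputs described above and the two outputs: a broad administrator set with a short session, a least-privilege read-only set built from the AWS-managed `ReadOnlyAccess` policy plus an inline deny on secret values, and assignments for both `GROUP` and `USER` principals. The group and user names, account IDs, and output names are constructed placeholders and must be replaced with your own.

```hcl
# Added example (not the module's own code). Principal names and account IDs
# below are constructed placeholders.
module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    # Broad access: keep the session short and assign it only to a small group.
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources."
      session_duration = "PT1H"
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    },

    # Least-privilege read-only set: AWS-managed ReadOnlyAccess, with an inline
    # policy (passed as a JSON string) that explicitly denies reading secret
    # values, which ReadOnlyAccess would otherwise permit.
    ReadOnlyNoSecrets = {
      description      = "Read-only access without access to secret values."
      session_duration = "PT8H"
      relay_state      = "https://console.aws.amazon.com/cloudwatch/"
      managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Sid      = "DenySecretValues"
          Effect   = "Deny"
          Action   = ["secretsmanager:GetSecretValue", "ssm:GetParameter*"]
          Resource = "*"
        }]
      })
    },
  }

  account_assignments = [
    {
      principal_name = "platform-admins"        # SSO group (placeholder name)
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"    # key from permission_sets above
      account_ids    = ["111111111111"]         # placeholder 12-digit account ID
    },
    {
      principal_name = "auditors"               # SSO group (placeholder name)
      principal_type = "GROUP"
      permission_set = "ReadOnlyNoSecrets"
      account_ids    = ["111111111111", "222222222222"]
    },
    {
      principal_name = "jane.doe@example.com"   # individual SSO user (placeholder)
      principal_type = "USER"
      permission_set = "ReadOnlyNoSecrets"
      account_ids    = ["222222222222"]
    },
  ]
}

# Surface the created permission set ARNs and the assignment keys
# (user/group_name.permission_set_name.account_id) so they can be reviewed
# in plan output or consumed by other modules.
output "permission_set_arns" {
  value = { for name, ps in module.sso.aws_ssoadmin_permission_sets : name => ps.arn }
}

output "assignment_keys" {
  value = keys(module.sso.aws_ssoadmin_account_assignments)
}
```

Running `terraform plan` against this configuration shows one `aws_ssoadmin_permission_set` per key, the managed policy attachments, the inline policy for `ReadOnlyNoSecrets`, and four `aws_ssoadmin_account_assignment` resources (one per principal/permission set/account combination); the `assignment_keys` output makes it easy to diff who holds which access where before applying.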