Configuring AWS SSO with Terraform

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be using the built-in directory service, active directory, or any external identity provider with SAML integration.

At this time of writing, identitystore doesn't have a fully fleshed out API, so you will have to configure this manually. Once the identity store is configured, terraform can utilize those pushed or self-created users and groups to assign permission sets to accounts.

Get SSO Instance ID and Identity Group Via Lookup

	data "aws_ssoadmin_instances" "this" {}
	data "aws_identitystore_group" "this" {
	identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

	filter {
	attribute_path = "DisplayName"
	attribute_value = var.group_name # Fill in the group you defined
	}
	}

view raw data.tf hosted with ❤ by GitHub

Create a Permission Set to Define Accounts

	resource "aws_ssoadmin_permission_set" "this" {
	name = var.policy_name
	description = var.policy_description
	session_duration = "PT12H" # Set this duration to the time you desire
	instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
	}

view raw permission_set.tf hosted with ❤ by GitHub

Define Policy For Permission Set

Managed Policy

If you have a list of managed polcies you'd like to attach, you can loop over and attach them indiviudally.

	resource "aws_ssoadmin_managed_policy_attachment" "this" {
	for_each = toset(var.managed_policy_arn)
	instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
	managed_policy_arn = each.value
	permission_set_arn = aws_ssoadmin_permission_set.this.arn
	}

view raw managed_policy.tf hosted with ❤ by GitHub

Inline Policy

	data "aws_iam_policy_document" "sample_bucket_read" {
	statement {
	sid = "0"
	actions = [
	"s3:GetObject"
	]
	resources = [
	"arn:aws:s3:::sample-bucket/*"
	]
	}
	}

	resource "aws_ssoadmin_permission_set_inline_policy" "this" {
	inline_policy = data.aws_iam_policy_document.sample_bucket_read.json
	instance_arn = aws_ssoadmin_permission_set.this.instance_arn
	permission_set_arn = aws_ssoadmin_permission_set.this.arn
	}

view raw inline_policy.tf hosted with ❤ by GitHub

Apply the permissions sets to Accounts

	data "aws_organizations_organization" "this" {}

	resource "aws_ssoadmin_account_assignment" "this" {
	for_each = toset(data.aws_organizations_organization.this.accounts[*].id)
	instance_arn = aws_ssoadmin_permission_set.this.instance_arn
	permission_set_arn = aws_ssoadmin_permission_set.this.arn
	principal_id = data.aws_identitystore_group.this.group_id
	principal_type = "GROUP"
	target_id = sensitive(each.value)
	target_type = "AWS_ACCOUNT"
	}

view raw ssoadmin_account_assignment.tf hosted with ❤ by GitHub