Configuring AWS SSO with Terraform

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be using the built-in directory service, active directory, or any external identity provider with SAML integration.

At this time of writing, identitystore doesn't have a fully fleshed out API, so you will have to configure this manually. Once the identity store is configured, terraform can utilize those pushed or self-created users and groups to assign permission sets to accounts.

Get SSO Instance ID and Identity Group Via Lookup

data "aws_ssoadmin_instances" "this" {}
data "aws_identitystore_group" "this" {
identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
filter {
attribute_path = "DisplayName"
attribute_value = var.group_name # Fill in the group you defined
}
}
view raw data.tf hosted with ❤ by GitHub

Create a Permission Set to Define Accounts

resource "aws_ssoadmin_permission_set" "this" {
name = var.policy_name
description = var.policy_description
session_duration = "PT12H" # Set this duration to the time you desire
instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

Define Policy For Permission Set

Managed Policy

If you have a list of managed polcies you'd like to attach, you can loop over and attach them indiviudally.

resource "aws_ssoadmin_managed_policy_attachment" "this" {
for_each = toset(var.managed_policy_arn)
instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
managed_policy_arn = each.value
permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

Inline Policy

data "aws_iam_policy_document" "sample_bucket_read" {
statement {
sid = "0"
actions = [
"s3:GetObject"
]
resources = [
      "arn:aws:s3:::sample-bucket/*"
]
}
}
resource "aws_ssoadmin_permission_set_inline_policy" "this" {
inline_policy = data.aws_iam_policy_document.sample_bucket_read.json
instance_arn = aws_ssoadmin_permission_set.this.instance_arn
permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

Apply the permissions sets to Accounts

data "aws_organizations_organization" "this" {}
resource "aws_ssoadmin_account_assignment" "this" {
for_each = toset(data.aws_organizations_organization.this.accounts[*].id)
instance_arn = aws_ssoadmin_permission_set.this.instance_arn
permission_set_arn = aws_ssoadmin_permission_set.this.arn
principal_id = data.aws_identitystore_group.this.group_id
principal_type = "GROUP"
target_id = sensitive(each.value)
target_type = "AWS_ACCOUNT"
}