Configuring AWS SSO with Terraform
Terraform provides several resources for configuring AWS SSO (now IAM Identity Center) across an organization. Once the service is enabled, you need to define an identity source. This can be the built-in identity store, Active Directory, or any external identity provider with SAML 2.0 integration.
At the time of writing, the Identity Store API is not fully covered by the provider, so users and groups have to be created manually or pushed from the external identity provider (via SCIM). Once they exist in the identity store, Terraform can look them up and use them to assign permission sets to accounts.
Get SSO Instance ID and Identity Group Via Lookup
```hcl
# Look up the SSO instance enabled in this account. The arns and
# identity_store_ids attributes are sets, so convert to a list before indexing.
data "aws_ssoadmin_instances" "this" {}

# Find the group by display name in the identity store attached to that instance.
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}
```
Create a Permission Set
```hcl
resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # ISO 8601 duration, PT1H to PT12H. 12h is the maximum; use the shortest your users can tolerate
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}
```
Define Policy For Permission Set
Managed Policy
If you have a list of managed policies you'd like to attach, you can loop over the list and attach them individually.
```hcl
# One attachment per managed policy ARN. for_each needs a set or map, so the
# list variable is converted with toset().
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arn)
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
```
Inline Policy
```hcl
# Build the policy document in HCL so it is validated at plan time, then attach
# the rendered JSON as the permission set's single inline policy.
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
```
Apply the Permission Set to Accounts
```hcl
# Every account in the organization. The accounts attribute is only populated
# when Terraform runs from the management account or a delegated administrator.
# Note that it includes the management account itself and SUSPENDED accounts;
# filter the list if this permission set should not apply to them.
data "aws_organizations_organization" "this" {}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value) # redacts the account ID in plan output; do not apply sensitive() to the for_each key itself
  target_type        = "AWS_ACCOUNT"
}
```
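The snippet above grants one group one permission set on every account, management account included. As an added example (not code from the original post), the following generalises that step: it assigns several permission sets to several groups, but only on ACTIVE member accounts, never on the management account. The `var.assignments` shape, the group and permission set names in its default, and the `alternate_identifier` lookup syntax (AWS provider v5) are assumptions; the groups and permission sets are expected to already exist.

```hcl
# Group display name -> permission set names to grant on every member account.
# The default is constructed sample input; replace it with your own.
variable "assignments" {
  type = map(list(string))
  default = {
    "platform-admins" = ["AdministratorAccess"]
    "developers"      = ["ReadOnlyAccess", "DeveloperAccess"]
  }
}

data "aws_ssoadmin_instances" "this" {}

data "aws_organizations_organization" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Member accounts only: skip the management account (it owns the organization
  # and the SSO instance, so broad permission sets there are far more dangerous)
  # and anything that is not ACTIVE.
  member_account_ids = [
    for a in data.aws_organizations_organization.this.accounts : a.id
    if a.id != data.aws_organizations_organization.this.master_account_id
    && a.status == "ACTIVE"
  ]

  permission_set_names = distinct(flatten(values(var.assignments)))

  # One element per (group, permission set, account) triple. The key must be a
  # plain, non-sensitive string because it becomes the for_each key below.
  assignment_tuples = flatten([
    for group, sets in var.assignments : [
      for ps in sets : [
        for account_id in local.member_account_ids : {
          key        = "${group}/${ps}/${account_id}"
          group      = group
          ps         = ps
          account_id = account_id
        }
      ]
    ]
  ])
}

# Resolve each group name to its identity store group ID.
data "aws_identitystore_group" "this" {
  for_each          = var.assignments
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

# Resolve each permission set name to its ARN.
data "aws_ssoadmin_permission_set" "this" {
  for_each     = toset(local.permission_set_names)
  instance_arn = local.instance_arn
  name         = each.key
}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each = { for t in local.assignment_tuples : t.key => t }

  instance_arn       = local.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.this[each.value.ps].arn
  principal_id       = data.aws_identitystore_group.this[each.value.group].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account_id # assumed non-sensitive here; wrap in sensitive() if you redact IDs from plans
  target_type        = "AWS_ACCOUNT"
}
```

Access to the management account, if needed at all, is better handled by a separate, explicitly listed assignment than by the organization-wide loop, so that a change to `var.assignments` can never widen it by accident.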