
This module manages a Single Sign-On setup in AWS IAM Identity Center with group-level permission sets. IAM Identity Center lets you centralize the management of users and cross-account access, which makes it a better fit than plain IAM when the principals are human users. The module uses the Identity Center directory (the default identity provider) as the only user source. Users are created with only a handful of mandatory fields to keep their definition in code short and simple.
It is recommended to use this module at the top level of an AWS Organization, although it is fully usable in any of the child accounts (or in accounts that do not belong to any organization).
Following security best practices, the module manages permissions at group level and never attaches policies directly to specific users: any policy created outside of the module (including AWS-managed ones) can be attached to a group as an implicit permission set.
The module can optionally define a password policy of the account based on the built-in presets:

- `strict` (default) - the most secure option (at least 16 characters, lowercase, uppercase, symbols, numbers, expires in 3 months)
- `medium` - safe preset (at least 14 characters, lowercase, uppercase, numbers, expires in 6 months)
- `relaxed` - the least secure preset (at least 12 characters, lowercase, numbers, expires in 1 year)
- `not-managed` - do not let the module set password requirements

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```
Initialize mandatory providers:
Copy and paste into your Terraform configuration and insert the variables:
```hcl
module "tf_aws_identity_center_sso" {
  source  = "solutions.corewide.com/aws/tf-aws-identity-center-sso/aws"
  version = "~> 1.0.0"

  # specify module inputs here or try one of the examples below
  ...
}
```

Initialize the setup:

```shell
terraform init
```
The Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades.

To get new features during upgrades (without breaking compatibility), use `~> 1.0` and run `terraform init -upgrade`. For the safest setup, use strict pinning with `version = "1.0.0"`.
All notable changes to this project are documented here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Minimal setup with two users in the same admin group:

```hcl
module "sso" {
  source  = "solutions.corewide.com/aws/tf-aws-identity-center-sso/aws"
  version = "~> 1.0"

  users = {
    hello = {
      first_name = "World"
      last_name  = "1-1"
      email      = "[email protected]"
      groups     = ["Owners"]
    }
    world = {
      first_name = "World"
      last_name  = "1-2"
      email      = "[email protected]"
      groups     = ["Owners"]
    }
  }

  groups = {
    Owners = {
      description           = "Top management"
      existing_policy_names = ["AdministratorAccess"]
      account_ids           = ["self"]
    }
  }
}
```
A typical setup with cross-account permissions for multiple users in different groups:

```hcl
module "sso" {
  source  = "solutions.corewide.com/aws/tf-aws-identity-center-sso/aws"
  version = "~> 1.0"

  users = {
    hello = {
      first_name = "World"
      last_name  = "1-1"
      email      = "[email protected]"
      groups     = ["Owners"]
    }
    world = {
      first_name = "World"
      last_name  = "1-2"
      email      = "[email protected]"
      groups     = ["DevOps"]
    }
    mario = {
      first_name = "World"
      last_name  = "2-1"
      email      = "[email protected]"
      groups     = ["Accounting", "Plumbing"]
    }
  }

  groups = {
    Owners = {
      description           = "Top management"
      existing_policy_names = ["AdministratorAccess"]
      account_ids = [
        "self",
        "111222333444",
        "111222333445",
      ]
    }
    DevOps = {
      description = "DevOps Engineers"
      existing_policy_names = [
        "DestructiveChangesCustomPolicy",
      ]
      account_ids = [
        "111222333444",
        "111222333445",
      ]
    }
    Accounting = {
      description           = "Finance control"
      existing_policy_names = ["Billing"]
      account_ids = [
        "self",
        "111222333444",
        "111222333445",
      ]
    }
    Plumbing = {
      description           = "Pipelines management"
      existing_policy_names = ["AWSCodePipeline_FullAccess"]
      account_ids = [
        "111222333444",
      ]
    }
  }
}
```
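The examples above reference policies by name only. The following root module is an added illustration (it is not taken from the module's own documentation) of the other half of the group-level model described at the top of the page: a least-privilege customer-managed policy is created outside the module with the standard `aws_iam_policy` resource and then attached to a group through `existing_policy_names`, with the Terraform and provider versions from the dependency table pinned and the `password_policy` preset set explicitly. The policy name, bucket name, region and e-mail address are assumptions.

```hcl
# Added example, not part of the module's documentation.
# Assumed values: region, policy name "ReadOnlyS3Inventory", bucket
# "example-inventory" and the auditor's e-mail address are placeholders.

terraform {
  # versions match the dependency table of this module
  required_version = ">= 1.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.50"
    }
  }
}

provider "aws" {
  region = "eu-central-1" # assumed region
}

# A read-only policy created outside the module. Identity Center attaches a
# customer-managed policy to a permission set by name, so a policy with this
# exact name has to exist in every account listed in account_ids below
# (here only "self", i.e. the account the module runs in).
data "aws_iam_policy_document" "s3_inventory_read" {
  statement {
    sid     = "ListAndReadInventoryBucket"
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:GetObject"]
    resources = [
      "arn:aws:s3:::example-inventory",   # placeholder bucket
      "arn:aws:s3:::example-inventory/*",
    ]
  }
}

resource "aws_iam_policy" "s3_inventory_read" {
  name   = "ReadOnlyS3Inventory" # placeholder; referenced below by name, not ARN
  policy = data.aws_iam_policy_document.s3_inventory_read.json
}

module "sso" {
  source  = "solutions.corewide.com/aws/tf-aws-identity-center-sso/aws"
  version = "~> 1.0"

  # "strict" is already the default; stating it makes the chosen preset
  # visible in code review and protects against a future default change
  password_policy = "strict"

  users = {
    auditor = {
      first_name = "Example"
      last_name  = "Auditor"
      email      = "auditor@example.com" # placeholder
      groups     = ["Auditors"]
    }
  }

  groups = {
    Auditors = {
      description = "Read-only access to the inventory bucket"
      # referencing the resource attribute (rather than repeating the literal)
      # makes Terraform create the policy before the permission set
      existing_policy_names = [aws_iam_policy.s3_inventory_read.name]
      account_ids           = ["self"]
    }
  }
}

# The portal URL is the only sign-in entry point users need; hand it out
# instead of IAM console links.
output "access_portal_url" {
  value = module.sso.access_portal_url
}
```

When a group targets member accounts as well, create the same `aws_iam_policy` (same name) in each of those accounts, for example through a per-account provider alias, before applying the module; otherwise provisioning of the permission set to that account fails because the named policy cannot be found there.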
Variable | Description | Type | Default | Required | Sensitive
---|---|---|---|---|---
`groups[<key>]` | Group name | string | | yes | no
`users[<key>]` | Username | string | | yes | no
`groups` | Parameters of groups to create | map(object) | `{}` | no | no
`groups[<key>].account_ids` | AWS account IDs this group will have access to. `"self"` refers to the current account ID | list(string) | | yes | no
`groups[<key>].description` | Group description | string | | yes | no
`groups[<key>].existing_policy_names` | Names of policies that were created outside of this module (AWS-managed or user-managed) | list(string) | | yes | no
`password_policy` | Password policy mode. Available values: `relaxed`, `medium`, `strict`, `not-managed` | string | `strict` | no | no
`users` | Parameters of SSO users to create | map(object) | `{}` | no | no
`users[<key>].display_name` | How the user account should be displayed to other users | string | | no | no
`users[<key>].email` | User's primary e-mail | string | | yes | no
`users[<key>].first_name` | First name (given name) of the user | string | | yes | no
`users[<key>].groups` | List of group names this user belongs to | list(string) | | yes | no
`users[<key>].last_name` | Last name (family name) of the user | string | | yes | no
Output | Description | Type | Sensitive
---|---|---|---
`access_portal_url` | Endpoint of the AWS access portal | computed | no
`groups` | Groups managed by the module | resource | no
`permission_sets` | Permission sets of the groups | resource | no
`users` | SSO users managed by the module | resource | no
Dependency | Version | Kind
---|---|---
terraform | >= 1.3 | CLI
hashicorp/aws | ~> 5.50 | provider