DEV Community

Daniel Quackenbush
Daniel Quackenbush

Posted on

Configuring AWS SSO

#sso #terraform #aws

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be using the built-in directory service, active directory, or any external identity provider with SAML integration. At this time of writing, identitystore doesn't have a fully fleshed out API, so you will have to configure this manually.

However, once the identity store is configured, it can utilize those pushed or self-created users and groups and assign permission sets to accounts.

 Get SSO Instance ID and Identity Group Via Lookup 

data "aws_ssoadmin_instances" "this" {}
data "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = var.group_name # Fill in the group you defined
  }
}
Enter fullscreen mode Exit fullscreen mode

 Create a Permission Set to Define Accounts 

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.policy_name
  description      = var.policy_description
  session_duration = "PT12H" # Set this duration to the time you desire
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}
Enter fullscreen mode Exit fullscreen mode

Define Policy For Permission Set

Managed Policy

If you have a list of managed polcies you'd like to attach, you can loop over and attach them indiviudally.

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arn)
  instance_arn       = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode
Inline Policy 
data "aws_iam_policy_document" "sample_bucket_read" {
  statement {
    sid = "0"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::sample-bucket/*"
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  inline_policy      = data.aws_iam_policy_document.sample_bucket_read.json
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
Enter fullscreen mode Exit fullscreen mode

Apply the permissions sets to Accounts 

data "aws_organizations_organization" "this" {}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = toset(data.aws_organizations_organization.this.accounts[*].id)
  instance_arn       = aws_ssoadmin_permission_set.this.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_group.this.group_id
  principal_type     = "GROUP"
  target_id          = sensitive(each.value)
  target_type        = "AWS_ACCOUNT"
}
Enter fullscreen mode Exit fullscreen mode

Latest comments (0)

Read next

mbartlet profile image

How to deploy to multiple providers with dynamic credentials at once in Terraform CDK for Python

M B -

vkazulkin profile image

Spring Boot 3 application on AWS Lambda - Part 2 Introduction to AWS Serverless Java Container

Vadym Kazulkin -

env0team profile image

A Complete Guide to Terraform Cloud Pricing

env0 Team -

rksalo88 profile image

Learning AWS Day by Day — Day 24 — S3 Introduction — Part 2

Saloni Singh -