This module handles creation of AWS SSO permission sets and their assignment to AWS SSO entities (users and groups) across AWS accounts.

Before this module can be used, ensure that the following prerequisites are met:

1. Enable AWS Organizations and add the AWS accounts you want to be managed by SSO.
2. Enable AWS SSO.
3. Create the AWS SSO entities (users and groups) that the module will reference by name.
4. Ensure that Terraform runs with a role that has the permissions required for AWS SSO management. This role can grant access (including administrator access) in every account it manages, so treat it as highly privileged and keep it separate from day-to-day deployment roles.
More complex examples can be found in the examples directory. Simple use case:
```hcl
module "sso" {
  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources."
      session_duration = "PT2H"
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    }
  }

  account_assignments = [
    {
      principal_name = "management"
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      # AWS account IDs are 12 digits; these are placeholders.
      account_ids = ["123456789012", "234567890123"]
    },
  ]
}
```

The AdministratorAccess set is used here only because it is the smallest working example. Production permission sets should be scoped to the least privilege the assigned group actually needs, and administrator-level sets should be assigned to as few principals and accounts as possible.
## permission_sets and account_assignments

`permission_sets` is a map of maps. The key is the permission set's name and is also used as the unique `for_each` key for the module's resources, so each key must be unique. The inner map accepts the following keys/values.
| Name | Description | Type | If unset |
|---|---|---|---|
| description | (Optional) The description of the permission set. | string | Provider default behavior |
| relay_state | (Optional) The relay state URL used to redirect users within the application during the federation authentication process. | string | Provider default behavior |
| session_duration | (Optional) The length of time that application user sessions are valid, as an ISO-8601 duration (for example `PT2H`). AWS accepts values from 1 to 12 hours. | string | Provider default behavior (`PT1H` for the current provider) |
| tags | (Optional) Key-value map of resource tags. | map(string) | Provider default behavior |
| managed_policies | (Optional) List of managed IAM policy ARNs (for example `arn:aws:iam::aws:policy/...`) attached to the permission set. | list(string) | No managed policies attached |
| inline_policy | (Optional) Inline IAM policy document, as a JSON string, attached to the permission set. | string | No inline policy attached |
`account_assignments` is a list of maps with the following keys/values. Each entry expands to one assignment per listed account ID.

| Name | Description | Type | If unset |
|---|---|---|---|
| principal_name | (Required) Name of the SSO entity (user or group) that the permission set is assigned to. The entity must already exist in AWS SSO. | string | Required |
| principal_type | (Required) Type of the SSO entity. Valid values: `USER`, `GROUP`. | string | Required |
| permission_set | (Required) Name (the key in `permission_sets`) of the permission set granted to the principal in the listed accounts. | string | Required |
| account_ids | (Required) List of 12-digit AWS account IDs. | list(string) | Required |
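The two input shapes above are easy to get subtly wrong (a 9-digit account ID, a `principal_type` of `ROLE`, a 13-hour session, an assignment that references a permission set key that does not exist, or two entries that collapse onto the same `for_each` key). The following pre-apply lint is an added example for this README, not code from the module: it checks those constraints and flattens `account_assignments` into `<principal_name>.<permission_set>.<account_id>` keys, the naming the module's `aws_ssoadmin_account_assignments` output uses, so a reviewer can see every (who, what, where) grant before running `terraform plan`. The function names, messages and sample data are the script's own assumptions; the session-duration parser assumes hour/minute components only.

```python
"""Pre-apply lint for the permission_sets and account_assignments inputs.

Added example for this README, not code from the avlcloudtechnologies/sso/aws
module. It checks the constraints AWS and the provider enforce (12-digit
account IDs, principal_type USER or GROUP, 1h-12h session_duration,
AWS-managed policy ARNs, well-formed inline policy JSON) and flattens
account_assignments into "<principal>.<permission_set>.<account_id>" keys,
the naming the module's aws_ssoadmin_account_assignments output uses.
Function names, messages and the sample data are this script's own.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# aws_ssoadmin_managed_policy_attachment takes AWS-managed policy ARNs only
AWS_MANAGED_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::aws:policy/")
# Assumption: durations use hour and/or minute components only (PT2H, PT1H30M)
SESSION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")
VALID_PRINCIPAL_TYPES = {"USER", "GROUP"}


def session_minutes(duration):
    """Parse an ISO-8601 duration such as PT2H or PT1H30M into minutes."""
    m = SESSION_RE.match(duration)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"session_duration {duration!r} is not of the form PT<n>H<n>M")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_permission_sets(permission_sets):
    """Return (errors, warnings) for the permission_sets map."""
    errors, warnings = [], []
    for name, attrs in permission_sets.items():
        duration = attrs.get("session_duration")
        if duration is not None:
            try:
                if not 60 <= session_minutes(duration) <= 720:
                    errors.append(f"{name}: session_duration {duration} is outside the 1h-12h range")
            except ValueError as exc:
                errors.append(f"{name}: {exc}")
        managed = attrs.get("managed_policies", [])
        for arn in managed:
            if not AWS_MANAGED_ARN_RE.match(arn):
                errors.append(f"{name}: {arn} is not an AWS-managed policy ARN")
        if any(arn.endswith("/AdministratorAccess") for arn in managed):
            warnings.append(f"{name}: grants AdministratorAccess; keep its assignments minimal")
        inline = attrs.get("inline_policy")
        if inline is None:
            continue
        try:
            statements = _as_list(json.loads(inline).get("Statement", []))
        except (ValueError, AttributeError):
            errors.append(f"{name}: inline_policy is not a JSON policy document")
            continue
        for stmt in statements:  # flag Allow * on *, the classic over-broad inline policy
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                warnings.append(f"{name}: inline_policy allows * on *; scope it down")
    return errors, warnings


def expand_assignments(permission_sets, account_assignments):
    """Flatten assignments into unique per-account keys; return (expanded, errors)."""
    expanded, errors = {}, []
    for item in account_assignments:
        who = item["principal_name"]
        if item["principal_type"] not in VALID_PRINCIPAL_TYPES:
            errors.append(f"{who}: principal_type must be USER or GROUP")
        if item["permission_set"] not in permission_sets:
            errors.append(f"{who}: unknown permission_set {item['permission_set']}")
        for account_id in item["account_ids"]:
            if not ACCOUNT_ID_RE.match(account_id):
                errors.append(f"{who}: account_id {account_id!r} is not a 12-digit account ID")
                continue
            key = f"{who}.{item['permission_set']}.{account_id}"
            if key in expanded:  # for_each keys must be unique or the plan fails
                errors.append(f"duplicate assignment {key}")
            expanded[key] = {"principal_type": item["principal_type"], "account_id": account_id}
    return expanded, errors


# Constructed sample input mirroring the README shapes; the 9-digit account ID
# is deliberate so the check is visible. All IDs are placeholders.
SAMPLE_PERMISSION_SETS = {
    "AdministratorAccess": {
        "description": "Provides full access to AWS services and resources.",
        "session_duration": "PT2H",
        "managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    },
    "S3ReadOnly": {
        "session_duration": "PT8H",
        "inline_policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
        }),
    },
}
SAMPLE_ASSIGNMENTS = [
    {"principal_name": "management", "principal_type": "GROUP",
     "permission_set": "AdministratorAccess", "account_ids": ["123456789012", "123456789"]},
    {"principal_name": "auditors", "principal_type": "GROUP",
     "permission_set": "S3ReadOnly", "account_ids": ["123456789012", "234567890123"]},
]

if __name__ == "__main__":
    errors, warnings = lint_permission_sets(SAMPLE_PERMISSION_SETS)
    expanded, more_errors = expand_assignments(SAMPLE_PERMISSION_SETS, SAMPLE_ASSIGNMENTS)
    for line in errors + more_errors:
        print("ERROR", line)
    for line in warnings:
        print("WARN ", line)
    for key in sorted(expanded):
        print("grant", key)
```

Run it against the sample and it reports the 9-digit account ID as an error, warns that `AdministratorAccess` is being handed out, and lists the three grants that would be created. Feeding it the real `terraform.tfvars` values (for example via `python -c` with `json.load` on `terraform show -json` output) makes the review of "who gets what where" a diffable artifact rather than something read out of a plan.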
## Modules

No modules.
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_assignments | List of maps mapping a user/group and a permission set to a list of assigned accounts. See the account_assignments description above for the map values. | `list(object({ principal_name = string, principal_type = string, permission_set = string, account_ids = list(string) }))` | `[]` | no |
| permission_sets | Map of maps keyed by permission set name. See the permission_sets description above for the map values. | `any` | `{ "AdministratorAccess": { "description": "Provides full access to AWS services and resources.", "managed_policies": [ "arn:aws:iam::aws:policy/AdministratorAccess" ], "session_duration": "PT2H" } }` | no |
## Outputs

| Name | Description |
|---|---|
| aws_ssoadmin_account_assignments | Map of account assignments to permission sets, keyed `<user or group name>.<permission set name>.<account id>`, with the attributes documented for the Terraform `aws_ssoadmin_account_assignment` resource. |
| aws_ssoadmin_permission_sets | Map of permission sets with the attributes documented for the Terraform `aws_ssoadmin_permission_set` resource. |