The solution comprises the following building blocks:
Table Name | Contents | Use |
---|---|---|
Permission Set | All content of permission set JSON files | Staging - to compute delta while triggering permission set create/update/delete API |
Permission Set Arn | Permission set name and arn value (generated by SSO on create API call) | Lookup - to map permission set name to arn value and vice versa |
Links | All content of the links file name split by dot (excluding the file extension) | Lookup - fetch one link entity value based on another entity value; Lookup - determine pre-existing account assignment relationships; Trigger - create/delete accountAssignment based on data changes |
Provisioned Links | Link data abstracted to an individual account | Lookup - used to determine if a link has already been created |
Function Group | Function | Code Path | Purpose | Trigger Source | Downstream Triggers |
---|---|---|---|---|---|
User Interface Handlers | Account Assignment API handler | lib/lambda-functions/user-interface-handlers/src/linkApi.ts | API proxy lambda for account assignment API operations | Account assignment API gateway | Account assignment topic |
User Interface Handlers | Account Assignment S3 create/update handler | lib/lambda-functions/user-interface-handlers/src/linkCu.ts | S3 event handler lambda for account assignment create/update operations | S3 event notifications on link prefix and create object type events | Account assignment topic |
User Interface Handlers | Account Assignment S3 delete handler | lib/lambda-functions/user-interface-handlers/src/linkDel.ts | S3 event handler lambda for account assignment delete operations | S3 event notifications on link prefix and remove object type events | Account assignment topic |
User Interface Handlers | Permission set API handler | lib/lambda-functions/user-interface-handlers/src/permissionSetApi.ts | API proxy lambda for permission set API operations | Permission set API gateway | Permission set topic |
User Interface Handlers | Permission set S3 create/update handler | lib/lambda-functions/user-interface-handlers/src/permissionSetCu.ts | S3 event handler lambda for permission set create/update operations | S3 event notifications on permission set prefix and create object type events | Permission set topic |
User Interface Handlers | Permission set S3 delete handler | lib/lambda-functions/user-interface-handlers/src/permissionSetDel.ts | S3 event handler lambda for permission set delete operations | S3 event notifications on permission set prefix and remove object type events | Permission set topic |
Application Handlers | AWS IAM Identity Center groups event handler | lib/lambda-functions/application-handlers/src/groupsCud.ts | Handler to process AWS IAM Identity Center group events | AWS IAM Identity Center group events rule (AWS IAM Identity Center event) through cross-account topic | Account assignment queue/ org entities state machine(org account) |
Application Handlers | AWS IAM Identity Center users event handler | lib/lambda-functions/application-handlers/src/usersCud.ts | Handler to process AWS IAM Identity Center user events | AWS IAM Identity Center user events rule (AWS IAM Identity Center event) through cross-account topic | Account assignment queue/ org entities state machine(org account) |
Application Handlers | Account assignments queue processor | lib/lambda-functions/application-handlers/src/linkManager.ts | Handler to process account assignment API operations from FIFO queue | Account assignment queue | n/a |
Application Handlers | Account assignment topic processor | lib/lambda-functions/application-handlers/src/linkTopicProcessor.ts | Handler to determine type of account assignment operation | Account assignment topic | Account assignment queue/ org entities state machine(org account) |
Application Handlers | Org events handler | lib/lambda-functions/application-handlers/src/orgEvents.ts | Handler to process org events | Org events rule(Org main account) through cross-account topic | Account assignment queue |
Application Handlers | Permission set sync handler | lib/lambda-functions/application-handlers/src/permissionSetSync.ts | Handler to sync any pending account assignments for the permission set | Permission set topic processor | Account assignment queue/ org entities state machine(org account) |
Application Handlers | Permission set topic processor | lib/lambda-functions/application-handlers/src/permissionSetTopicProcessor.ts | Handler to determine the type of permission set operation and process permission set API operations | Permission set topic | Permission set sync topic |
Application Handlers | Org entities state machine listener | lib/lambda-functions/application-handlers/src/processTargetAccountSMListener.ts | Handler to process org entities state machine results | Org entities state machine (org account) through cross-account topic | Account assignment queue |
Current config Handlers | Custom resource handler | lib/lambda-functions/current-config-handlers/src/triggerParentSM.ts | CloudFormation custom resource handler for importing the current AWS IAM Identity Center configuration into the solution | CloudFormation | Current configuration state machine (AWS IAM Identity Center account) |
Current config Handlers | Custom resource status update handler | lib/lambda-functions/current-config-handlers/src/update-custom-resource.ts | Handler to update CloudFormation with the status of custom resource creation/update/delete | CloudFormation | n/a |
Current config Handlers | Permission set import handler | lib/lambda-functions/current-config-handlers/src/import-permission-sets.ts | Handler to import permission sets into the solution | Import permission set state machine (AWS IAM Identity Center account) through cross-account topic | n/a |
Current config Handlers | Account assignment import handler | lib/lambda-functions/current-config-handlers/src/import-account-assignment.ts | Handler to import account assignments into the solution | Import account assignment state machine (AWS IAM Identity Center account) through cross-account topic | n/a |
Topic | Deployed in (account) | Publisher | Subscriber |
---|---|---|---|
Permission set processing topic | Target | Permission set user interface handlers | Permission set topic processor |
Account assignment processing topic | Target | Account assignment user interface handlers | Account assignment topic processor |
Permission set sync topic | Target | Permission set topic processor | Permission set sync handler |
Error topic | Target | All Lambda functions | Email provided in cdk.json |
Org entities state machine topic | Org main | Org entities state machine | Org entities state machine listener (target) |
Org events topic | Org main | Org events EventBridge rule | Org events handler (target) |
SSO groups event topic | SSO | SSO groups events EventBridge rule | AWS IAM Identity Center groups event handler (target) |
SSO users event topic | SSO | SSO users events EventBridge rule | AWS IAM Identity Center users event handler (target) |
Import permission set topic | SSO | Import permission set state machine | Permission set import handler (target) |
Import account assignment topic | SSO | Import account assignment state machine | Account assignment import handler (target) |
Queue | isFifo | Producer(s) | Message group ID | Message de-duplication ID | Consumer(s) |
---|---|---|---|---|---|
Account assignment | true | Account assignment topic processor, Org events handler, Permission set sync handler, AWS IAM Identity Center groups event handler, AWS IAM Identity Center users event handler, Org entities state machine listener | accountId-permissionSetID-principalId | action-accountId-permissionSetID-principalId | Account assignments queue processor |
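
The message group ID and de-duplication ID formats in the queue table, as an added TypeScript example that is not the solution's own code: it builds the two SQS FIFO identifiers for an account assignment operation, checks them against the SQS FIFO ID constraints (1 to 128 characters, alphanumeric or ASCII punctuation), and uses a small in-memory stand-in for the queue to show why the action belongs in the de-duplication ID but not in the group ID. The `AssignmentOperation` shape, the `FifoQueueModel` class and the sample account, permission set and principal IDs are all constructed for this example; the solution's real message body is not shown on this page.

```typescript
// Added example, not the solution's own code: builds the SQS FIFO identifiers
// from the queue table and models why the action is part of the
// de-duplication ID but not of the message group ID.

export type LinkAction = "create" | "delete";

// Shape assumed for illustration; the solution's real message body is not
// shown on this page.
export interface AssignmentOperation {
  action: LinkAction;
  accountId: string;       // 12-digit AWS account ID
  permissionSetId: string; // permission set identifier (sample values below are constructed)
  principalId: string;     // IAM Identity Center user or group ID (sample values below are constructed)
}

export interface FifoMessage {
  MessageGroupId: string;
  MessageDeduplicationId: string;
  MessageBody: string;
}

// SQS FIFO constraint for both IDs: 1 to 128 characters, alphanumeric or ASCII punctuation.
const SQS_ID_PATTERN = /^[A-Za-z0-9!"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]{1,128}$/;

function assertSqsId(name: string, value: string): void {
  if (!SQS_ID_PATTERN.test(value)) {
    throw new Error(`${name} violates SQS FIFO ID constraints: ${value}`);
  }
}

export function buildFifoMessage(op: AssignmentOperation): FifoMessage {
  if (!/^\d{12}$/.test(op.accountId)) {
    throw new Error(`accountId must be 12 digits: ${op.accountId}`);
  }
  // Group ID = one assignment (account, permission set, principal): create and
  // delete for the same assignment are delivered in order, while different
  // assignments can be processed in parallel.
  const MessageGroupId = `${op.accountId}-${op.permissionSetId}-${op.principalId}`;
  // De-dup ID = action + group ID: a delete that follows a create within the
  // 5-minute de-duplication window must not be dropped as a duplicate.
  const MessageDeduplicationId = `${op.action}-${MessageGroupId}`;
  assertSqsId("MessageGroupId", MessageGroupId);
  assertSqsId("MessageDeduplicationId", MessageDeduplicationId);
  return { MessageGroupId, MessageDeduplicationId, MessageBody: JSON.stringify(op) };
}

// In-memory stand-in for the FIFO queue (constructed for this example): drops a
// message whose de-dup ID was already seen inside the window, keeps per-group order.
export class FifoQueueModel {
  private readonly seen = new Map<string, number>(); // de-dup ID -> send time in ms
  private readonly groups = new Map<string, FifoMessage[]>();

  constructor(private readonly dedupWindowMs: number = 5 * 60 * 1000) {}

  // Returns false when SQS would discard the message as a duplicate.
  send(msg: FifoMessage, nowMs: number): boolean {
    const last = this.seen.get(msg.MessageDeduplicationId);
    if (last !== undefined && nowMs - last < this.dedupWindowMs) return false;
    this.seen.set(msg.MessageDeduplicationId, nowMs);
    const pending = this.groups.get(msg.MessageGroupId) ?? [];
    pending.push(msg);
    this.groups.set(msg.MessageGroupId, pending);
    return true;
  }

  // Actions in the order the queue processor would receive them for one group.
  drain(groupId: string): LinkAction[] {
    const pending = this.groups.get(groupId) ?? [];
    this.groups.set(groupId, []);
    return pending.map((m) => (JSON.parse(m.MessageBody) as AssignmentOperation).action);
  }
}

// Constructed scenario: create, a retried duplicate create one second later,
// then a delete of the same assignment, all inside one de-dup window.
export function demo(): { accepted: boolean[]; order: LinkAction[] } {
  const base = {
    accountId: "111122223333",
    permissionSetId: "ps-0123456789abcdef",
    principalId: "9a8b7c6d-0000-1111-2222-333344445555",
  };
  const queue = new FifoQueueModel();
  const accepted = [
    queue.send(buildFifoMessage({ ...base, action: "create" }), 0),
    queue.send(buildFifoMessage({ ...base, action: "create" }), 1_000), // duplicate, dropped
    queue.send(buildFifoMessage({ ...base, action: "delete" }), 2_000), // distinct de-dup ID, kept
  ];
  const order = queue.drain(buildFifoMessage({ ...base, action: "create" }).MessageGroupId);
  return { accepted, order };
}
```

If the action were left out of the de-duplication ID, the delete sent two seconds after the create would carry the same ID as the create and be silently discarded by the queue; if the action were added to the group ID instead, the create and the delete would land in different groups and the delete could be processed before the create it is meant to undo.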
S3 Bucket | Prefix Filtered on | Suffix filtered on | Lambda invoked |
---|---|---|---|
SSO artefacts bucket | permission_sets/ | .json | OBJECT_CREATED event type - Permission set create/update handler; OBJECT_REMOVED event type - Permission set delete handler |
SSO artefacts bucket | links_data/ | .ssofile | OBJECT_CREATED event type - link create/update handler; OBJECT_REMOVED event type - link delete handler |
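
The prefix, suffix and event-type routing in the bucket table, together with the "file name split by dot" rule of the Links table, as an added TypeScript example that is not the solution's own code. It takes the two fields of an S3 event notification record that matter here, URL-decodes the object key (S3 delivers keys URL-encoded, with spaces as `+`), re-checks the prefix and suffix inside the handler, and picks the handler name for created versus removed objects. The `HandlerName` values, the `S3RecordLike` shape and the rejection of keys nested below the prefix are assumptions of this example; the page does not state the meaning or order of the dot-separated segments, so `linkFileSegments` returns them as-is.

```typescript
// Added example, not the solution's own code: applies the bucket table's
// prefix/suffix/event-type routing to an S3 event record and splits a link
// file name by dot, as the Links table describes.

export type HandlerName = "permissionSetCu" | "permissionSetDel" | "linkCu" | "linkDel";

// Minimal subset of an S3 event notification record; only these two fields are used.
export interface S3RecordLike {
  eventName: string; // "ObjectCreated:Put", "ObjectRemoved:Delete", ...
  key: string;       // s3.object.key as delivered: URL-encoded, spaces as "+"
}

interface Route {
  prefix: string;
  suffix: string;
  onCreated: HandlerName;
  onRemoved: HandlerName;
}

// Same prefixes and suffixes as the bucket table; handler names are assumed.
const ROUTES: Route[] = [
  { prefix: "permission_sets/", suffix: ".json", onCreated: "permissionSetCu", onRemoved: "permissionSetDel" },
  { prefix: "links_data/", suffix: ".ssofile", onCreated: "linkCu", onRemoved: "linkDel" },
];

// S3 URL-encodes object keys in notifications ("a b.json" arrives as "a+b.json").
export function decodeS3Key(rawKey: string): string {
  return decodeURIComponent(rawKey.replace(/\+/g, " "));
}

// Re-checks the filters inside the handler: S3 applies them before invoking,
// but a handler wired to the wrong notification must not act on the wrong
// objects. Keys nested below the prefix are rejected (an assumption of this
// example; an S3 prefix filter alone would let them through).
export function routeS3Event(rec: S3RecordLike): HandlerName | null {
  const key = decodeS3Key(rec.key);
  for (const route of ROUTES) {
    if (!key.startsWith(route.prefix) || !key.endsWith(route.suffix)) continue;
    if (key.slice(route.prefix.length).includes("/")) return null;
    if (rec.eventName.startsWith("ObjectCreated:")) return route.onCreated;
    if (rec.eventName.startsWith("ObjectRemoved:")) return route.onRemoved;
  }
  return null;
}

// Link file name without prefix and extension, split by dot. The page does not
// state the meaning or order of the segments, so they are returned unchanged.
export function linkFileSegments(rawKey: string): string[] {
  const key = decodeS3Key(rawKey);
  const prefix = "links_data/";
  const suffix = ".ssofile";
  if (!key.startsWith(prefix) || !key.endsWith(suffix)) {
    throw new Error(`not a link file key: ${key}`);
  }
  const segments = key.slice(prefix.length, -suffix.length).split(".");
  if (segments.some((s) => s.length === 0)) {
    throw new Error(`empty segment in link file name: ${key}`);
  }
  return segments;
}
```

The decode step matters for both tables: a key containing a space or a non-ASCII character fails a naive `endsWith(".ssofile")` check on the raw, encoded key only if the encoding touches the suffix, but the dot-separated segments stored in the Links table would be the encoded form rather than the name the operator wrote.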
API Name | Type | Integration | Authentication | Purpose | Receiver |
---|---|---|---|---|---|
Links API | Edge | Lambda REST | IAM authentication; access restricted to the links API caller roleArn configured in cdk.json | Interface for the linkAPI handler | linkAPI handler |
Permission set API | Edge | Lambda REST | IAM authentication; access restricted to the permission set API caller roleArn configured in cdk.json | Interface for the permissionSetAPI handler | permissionSetAPI handler |
Step function Name | Deployed in | Trigger source(s) | Purpose |
---|---|---|---|
Org entities list | Org main | AWS IAM Identity Center groups event handler, AWS IAM Identity Center users event handler, Permission set sync handler, Account assignment topic processor | Resolve target accounts by querying the AWS Organizations APIs |
Import current config | SSO | CloudFormation custom resource handler | Parent state machine that orchestrates the import of the current AWS IAM Identity Center configuration |
Import permission set | SSO | Import current config state machine | Import permission set objects |
Import account assignment | SSO | Import permission set state machine | Import account assignment objects |
Layer Name | Runtime | Purpose | Referenced by |
---|---|---|---|
Node JS layer | NODEJS_20_X | Packages the AWS SDK for JavaScript v3 modular clients and the uuid, ajv and json-diff libraries | All Lambda functions |