
voidsolutionsorg/terraform-aws-iam-identity-center


AWS IAM Identity Center Terraform Module

Usage

In this example, the module's variables are supplied through YAML configuration files in the `conf` folder:

module "iam_identity_center" {
  source  = "voidsolutionsorg/iam-identity-center/aws"
  version = "1.0.0" # exact pin: upgrade deliberately, after reviewing the module's changes

  # variables are configured via yaml files inside "conf" folder
  # (attachments.yaml, groups.yaml, permission_sets.yaml and users.yaml — shown below)
}
# conf/attachments.yaml
---
# attachments
# Each entry assigns one permission set to one principal (here: a group) in one account.
# Assigning to groups rather than individual users keeps access reviewable in one place.
attachments:
  - permission_set_name: "AdministratorAccess"
    principal_type: "GROUP"
    principal_group_name: "Admin"
    target_account_id: "ACCOUNT_ID" # account id
  - permission_set_name: "CustomizedS3ReadAccessJsonPath"
    principal_type: "GROUP"
    principal_group_name: "TeamA"
    target_account_id: "ACCOUNT_ID" # account id
# conf/groups.yaml
---
# groups
# "users" entries must match a user_name defined in users.yaml.
groups:
  - name: "Admin"
    description: "Description for admin group"
    users: ["test.admin"] # full-admin group: keep this membership as small as possible
  - name: "TeamA"
    description: "Description for team A"
    users: ["teamA.user1", "teamA.user2"]
# conf/permission_sets.yaml
---
# permission_sets
permission_sets:
  # managed policy and customer_managed_policy
  - name: "AdministratorAccess"
    description: "Description for administrator access"
    managed_policies: ["arn:aws:iam::aws:policy/AdministratorAccess"]
    customer_managed_policies:
      - name: "customized_billing_policy" # imagine we have a policy in IAM
        path: "/"
    # The module's default is PT1H; PT4H is a deliberately longer session for a full-admin set.
    session_duration: "PT4H"
  # example for inline with json path
  - name: "CustomizedS3ReadAccessJsonPath"
    description: "S3 read only"
    # Policy document is read from this file; review it like code (scope Resource to exact buckets).
    inline_policy_json_path: "./policies/S3ReadCustomizedBucket.json"
    session_duration: "PT4H"
    # Permissions boundary: caps what the inline policy above can grant.
    boundary_policy:
      type: "CUSTOMER_MANAGED"
      customer_policy_name: "s3_boundary_customer_managed_policy" # imagine we have a policy in IAM
      customer_policy_path: "/"
# conf/users.yaml
---
# users
# user_name is the value referenced by the "users" lists in groups.yaml.
users:
  - display_name: "Display Name"
    user_name: "test.admin"
    name:
      family_name: "Display"
      given_name: "Name"
    emails:
      - primary: true
        type: "AnyType"
        value: "[email protected]"
  - display_name: "Display Name"
    user_name: "teamA.user1"
    name:
      family_name: "Display"
      given_name: "Name"
    emails:
      - primary: true
        type: "AnyType"
        value: "[email protected]"
  - display_name: "Display Name"
    user_name: "teamA.user2"
    name:
      family_name: "Display"
      given_name: "Name"
    emails:
      - primary: true
        type: "AnyType"
        value: "[email protected]"

In this example, the same configuration is passed directly as standard Terraform module arguments:

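module "iam_identity_center" {
  source                        = "voidsolutionsorg/iam-identity-center/aws"
  version                       = "1.0.0"

  # Permission sets are attached to accounts/principals via the "attachments" list below.
  permission_sets = [
    { # managed policy and customer_managed_policy
      name             = "AdministratorAccess",
      description      = "Description for administrator access",
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"],
      customer_managed_policies = [
        {
          name = "customized_billing_policy" # imagine we have a policy in IAM
          path = "/"
        }
      ]
      # Module default is PT1H; PT4H is a deliberately longer session for a full-admin set.
      session_duration = "PT4H"
    },
    { # example for inline with json path
      name                    = "CustomizedS3ReadAccessJsonPath",
      description             = "S3 read only",
      # Policy document is read from this file; review it like code.
      inline_policy_json_path = "./policies/S3ReadCustomizedBucket.json"
      session_duration        = "PT4H"
      # Permissions boundary: caps what the inline policy above can grant.
      boundary_policy = {
        type                 = "CUSTOMER_MANAGED"
        customer_policy_name = "s3_boundary_customer_managed_policy" # imagine we have a policy in IAM
        customer_policy_path = "/"
      }
    },
    { # example for inline policy embedded as a heredoc
      name             = "CustomizedS3ReadAccessInline",
      description      = "S3 read only",
      # Inline policy is embedded verbatim; keep Resource scoped to the exact bucket/prefix.
      inline_policy    = <<EOF
      {
        "Version":"2012-10-17",
        "Statement":[
          {
              "Effect":"Allow",
              "Action":[
                "s3:GetObject",
                "s3:GetObjectVersion"
              ],
              "Resource":"arn:aws:s3:::example/*"
          }
        ]
      }
      EOF
      session_duration = "PT4H"
      # AWS managed read-only S3 policy used as the permissions boundary.
      boundary_policy = {
        type               = "MANAGED"
        managed_policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
      }
    }
  ]

  # user_name is the value referenced by the "users" lists under groups below;
  # every group member needs a matching entry here.
  users = [
    {
      display_name = "Display Name"
      user_name    = "test.admin"
      name = {
        family_name = "Display"
        given_name  = "Name"
      }
      emails = [
        {
          primary = true
          type    = "AnyType"
          value   = "[email protected]"
        }
      ]
    },
    {
      display_name = "Display Name"
      user_name    = "teamA.user1"
      name = {
        family_name = "Display"
        given_name  = "Name"
      }
      emails = [
        {
          primary = true
          type    = "AnyType"
          value   = "[email protected]"
        }
      ]
    },
    {
      display_name = "Display Name"
      user_name    = "teamA.user2"
      name = {
        family_name = "Display"
        given_name  = "Name"
      }
      emails = [
        {
          primary = true
          type    = "AnyType"
          value   = "[email protected]"
        }
      ]
    },
    {
      display_name = "Display Name"
      user_name    = "teamB.user1"
      name = {
        family_name = "Display"
        given_name  = "Name"
      }
      emails = [
        {
          primary = true
          type    = "AnyType"
          value   = "[email protected]"
        }
      ]
    },
    {
      display_name = "Display Name"
      user_name    = "teamB.user2"
      name = {
        family_name = "Display"
        given_name  = "Name"
      }
      emails = [
        {
          primary = true
          type    = "AnyType"
          value   = "[email protected]"
        }
      ]
    }
  ]

  groups = [
    {
      name        = "Admin",
      description = "Description for admin group",
      users       = ["test.admin"] # full-admin group: keep this membership as small as possible
    },
    {
      name        = "TeamA",
      description = "Description for team A",
      users       = ["teamA.user1", "teamA.user2"]
    },
    {
      name        = "TeamB",
      description = "Description for team B",
      users       = ["teamB.user1", "teamB.user2"]
    }
  ]

  # Assignments are made to groups, not individual users, so access stays reviewable per group.
  attachments = [
    {
      permission_set_name  = "AdministratorAccess",
      principal_type       = "GROUP",
      principal_group_name = "Admin",
      target_account_id    = "ACCOUNT_ID" # account id
    },
    {
      permission_set_name  = "CustomizedS3ReadAccessJsonPath",
      principal_type       = "GROUP",
      principal_group_name = "TeamA",
      target_account_id    = "ACCOUNT_ID" # account id
    },
    {
      permission_set_name  = "CustomizedS3ReadAccessInline",
      principal_type       = "GROUP",
      principal_group_name = "TeamB",
      target_account_id    = "ACCOUNT_ID" # account id
    }
  ]
}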

Examples

Requirements

Name Version
terraform >= 1.5.0
aws ~> 5.0

Providers

Name Version
aws ~> 5.0

Modules

No modules.

Resources

Name Type
aws_identitystore_group.groups resource
aws_identitystore_group_membership.membership resource
aws_identitystore_user.users resource
aws_ssoadmin_account_assignment.attachments resource
aws_ssoadmin_customer_managed_policy_attachment.customer_managed_policies resource
aws_ssoadmin_managed_policy_attachment.managed_policies resource
aws_ssoadmin_permission_set.permission_sets resource
aws_ssoadmin_permission_set_inline_policy.inline_policy resource
aws_ssoadmin_permissions_boundary_attachment.customer_managed_boundary resource
aws_ssoadmin_permissions_boundary_attachment.managed_boundary resource
aws_ssoadmin_instances.this data source

Inputs

Name Description Type Default Required
attachments The list of attachments
list(object({
permission_set_arn = optional(string),
permission_set_name = optional(string),
principal_type = string,
principal_id = optional(string),
principal_group_name = optional(string),
principal_user_username = optional(string),
target_account_id = string,
}))
[] no
groups The list of groups
list(object({
name = string,
description = optional(string, null)
users = optional(list(string), [])
}))
[] no
permission_sets The list of permission sets
list(object({
name = string,
description = optional(string, null)
relay_state = optional(string, null)
session_duration = optional(string, "PT1H")
managed_policies = optional(list(string), [])
customer_managed_policies = optional(any, [])
inline_policy = optional(string, null)
inline_policy_json_path = optional(string, null)
boundary_policy = optional(object({
type = string
managed_policy_arn = optional(string)
customer_policy_name = optional(string)
customer_policy_path = optional(string)
}))
}))
[] no
users The list of users
list(object({
display_name = string
user_name = string
locale = optional(string)
nickname = optional(string)
preferred_language = optional(string)
profile_url = optional(string)
timezone = optional(string)
title = optional(string)
user_type = optional(string)
name = object({
family_name = string
given_name = string
})
emails = optional(list(object({
primary = optional(bool)
type = optional(string)
value = optional(string)
})))
phone_numbers = optional(list(object({
primary = optional(bool)
type = optional(string)
value = optional(string)
})))
addresses = optional(list(object({
country = optional(string)
formatted = optional(string)
locality = optional(string)
postal_code = optional(string)
primary = optional(string)
region = optional(string)
street_address = optional(string)
type = optional(string)
})))

}))
[] no

Outputs

No outputs.

Authors

Module is maintained by Aleksa Siriški with help from the VoidSolutions team.

Module was originally made by Nikola Kolović with help from the CyberLab team.

License

Apache 2 Licensed. See LICENSE for full details.

About

Terraform / OpenTofu module for creating and managing AWS IAM Identity Center.
