Control Tower 0.8.1

SSO Groups


This module is only necessary when using Identity Providers that do not support group synchronization with AWS. Currently, Google is the only Identity Provider we are aware of that requires this module.

Example Usage:

# terragrunt.hcl

# Depend on any permission sets managed using Terraform
dependency "full_access" {
  config_path = "../sso-permission-sets/full-access"
}

include {
  path = find_in_parent_folders()
}

locals {
  # Module path is separated from the repository URL by a double slash
  source_base_url = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups"
  common_vars     = read_terragrunt_config(find_in_parent_folders("common.hcl"))
  account_ids     = local.common_vars.locals.account_ids

  # Create one or more groups
  admin_group = [
    "grunty@gruntwork.io",
    # ...
  ]
}

inputs = {
  # Map the groups to any permission sets they should belong to
  group_to_accounts_and_permissions = {
    "GW Ops Admins Prod" = {
      users               = local.admin_group
      account_id          = local.account_ids.prod
      permission_set_arn  = dependency.full_access.outputs.arn
      permission_set_name = dependency.full_access.outputs.name
    },
    # ...
  }
}
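A pre-apply review check over the same group_to_accounts_and_permissions map, written as an added Python example that is not part of this module or the page: it validates the shape each group entry must have and builds a per-user access matrix for periodic access reviews. The sample groups, the allowed e-mail domain and the permission-set ARN layout are constructed assumptions.

```python
import re

# Constructed sample mirroring the module's group_to_accounts_and_permissions
# input; the second entry deliberately carries defects for the checks below.
SAMPLE_GROUPS = {
    "GW Ops Admins Prod": {
        "users": ["grunty@gruntwork.io", "alice@gruntwork.io"],
        "account_id": "111111111111",
        "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-0000000000000000",
        "permission_set_name": "full-access",
    },
    "GW Devs Dev": {
        "users": ["bob@example.com", "alice@gruntwork.io"],
        "account_id": "22222222222",  # 11 digits: not a valid AWS account ID
        "permission_set_arn": "arn:aws:iam::111111111111:role/Admin",  # IAM role ARN, not a permission set
        "permission_set_name": "developer",
    },
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Assumed layout of an IAM Identity Center permission-set ARN.
PS_ARN_RE = re.compile(r"^arn:aws:sso:::permissionSet/ssoins-[0-9a-f]+/ps-[0-9a-f]+$")


def validate_groups(groups, allowed_domains):
    """Return a list of findings; an empty list means the map is well-formed."""
    findings = []
    for name, g in groups.items():
        if not g.get("users"):
            findings.append(f"{name}: no users assigned")
        for user in g.get("users", []):
            domain = user.rsplit("@", 1)[-1].lower()
            if domain not in allowed_domains:
                findings.append(f"{name}: {user} is outside the allowed domains")
        if not ACCOUNT_ID_RE.match(g.get("account_id", "")):
            findings.append(f"{name}: account_id {g.get('account_id')!r} is not 12 digits")
        if not PS_ARN_RE.match(g.get("permission_set_arn", "")):
            findings.append(f"{name}: permission_set_arn is not a permission-set ARN")
    return findings


def access_matrix(groups):
    """Map each user to the set of (account_id, permission_set_name) they receive."""
    matrix = {}
    for g in groups.values():
        for user in g["users"]:
            matrix.setdefault(user, set()).add((g["account_id"], g["permission_set_name"]))
    return matrix
```

Run validate_groups over the map you are about to apply and review the access_matrix output for users who accumulate grants across accounts.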

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SSO-GROUPS MODULE
# ------------------------------------------------------------------------------------------------------

module "sso_groups" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-groups?ref=v0.8.1"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  group_to_accounts_and_permissions = <map(object({
    users               = list(string)
    account_id          = string
    permission_set_arn  = string
    permission_set_name = string
  }))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # ID of the SSO Admin Identity Store where all the users and groups are
  # stored. This information will be dynamically looked up when set to null.
  sso_admin_identity_store_id = null

  # ARN of the SSO Admin instance where the Permission Set should be
  # provisioned. This instance will be dynamically looked up when set to null.
  sso_admin_instance_arn = null

}


Reference

Required

group_to_accounts_and_permissions (map(object(...)), required)

  map(object({
    # This is a list of user emails
    users = list(string)
    # Account ID
    account_id = string
    # This will be the ARN of the permission set
    permission_set_arn = string
    permission_set_name = string
  }))

Optional

sso_admin_identity_store_id (default: null)

ID of the SSO Admin Identity Store where all the users and groups are stored. This information will be dynamically looked up when set to null.

sso_admin_instance_arn (default: null)

ARN of the SSO Admin instance where the Permission Set should be provisioned. This instance will be dynamically looked up when set to null.