Control Tower 0.8.1

SSO Permission Sets


This module contains Terraform code to provision and manage a best-practices set of Permission Sets for AWS SSO (aka Identity Center).

Features

  • Define and provision a Permission Set.
  • Assign managed and inline IAM Policies to the Permission Set.

Learn

What is AWS SSO / Identity Center?

You can learn more about AWS SSO (aka Identity Center) in the official documentation provided by AWS.

What is a Permission Set?

A Permission Set in AWS SSO is a logical grouping of AWS IAM Policies that define the permissions that an entity has to access an account. This Permission Set is then provisioned to an AWS Account to grant access through AWS SSO to users and groups defined in the AWS Identity Store.

Refer to the official documentation for more information on Permission Sets.

How do I create a permission set?

For example:

module "sso_permission_set" {
  source = "git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets"

  name          = "GWFullAccess"
  description   = "Provides full (administrator) access to accounts"
  inline_policy = <<EOP
{
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
EOP
}

In the example above, the GWFullAccess Permission Set is assigned a custom inline IAM policy.

Once provisioned, users in the AWS Identity Store that are assigned to the specified group will automatically be granted access to the AWS Account with the IAM permissions defined on the Permission Set.
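The GWFullAccess policy above pairs "Effect": "Allow" with NotAction, which grants every action except the ones listed. The following review script is an added example, not part of the module or of Gruntwork's code; the probe list and function names are assumptions, and the policy text is a constructed copy of the example above.

```python
import fnmatch
import json

# Constructed input: the inline policy from the GWFullAccess example above.
GW_FULL_ACCESS = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "NotAction": ["organizations:*", "account:*"],
     "Resource": "*"}
  ]
}
"""

# Assumption: probe actions a reviewer cares about; adjust to your environment.
PROBES = ["iam:AttachRolePolicy", "sso:CreatePermissionSet", "cloudtrail:StopLogging",
          "kms:ScheduleKeyDeletion", "organizations:LeaveOrganization",
          "account:PutAlternateContact"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _covers(stmt, action):
    """True if the statement's Action/NotAction element applies to the action."""
    if "NotAction" in stmt:
        return not _matches(action, _as_list(stmt["NotAction"]))
    return _matches(action, _as_list(stmt.get("Action")))


def review(policy_json, probes=PROBES):
    """Return (findings, reachable). Ignores Condition and Resource scoping."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = [
        f"Statement[{i}]: Allow with NotAction on Resource '*' grants every unlisted action"
        for i, s in enumerate(stmts)
        if s.get("Effect") == "Allow" and "NotAction" in s and "*" in _as_list(s.get("Resource"))
    ]
    reachable = [
        a for a in probes
        if any(s.get("Effect") == "Allow" and _covers(s, a) for s in stmts)
        and not any(s.get("Effect") == "Deny" and _covers(s, a) for s in stmts)
    ]
    return findings, reachable
```

Calling review(GW_FULL_ACCESS) returns one finding and shows that the IAM, SSO, CloudTrail and KMS probes are reachable while the organizations and account probes are not.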

How do I provision a Permission Set to an Account?

Permission sets are normally bound to groups using your IDP.

For an example of a manual binding, see the sso-groups module.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SSO-PERMISSION-SETS MODULE
# ------------------------------------------------------------------------------------------------------

module "sso_permission_sets" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v0.8.1"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  description = <string>

  name = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The inline policy, as a string, to use for the permission set.
  inline_policy = null

  # A list of managed policy names to add to the Permission set.
  managed_policy_names = []

  # The length, in hours, that a session is valid.
  session_duration_hours = 1

  # ARN of the SSO Admin instance where the Permission Set should be
  # provisioned. This instance will be dynamically looked up when set to null.
  sso_admin_instance_arn = null

  # Tags to apply to the SSO Permission Set, defaults to empty map.
  tags = null

}


Reference

Required

description (string, required)
name (string, required)

Optional

inline_policy (string, optional)

The inline policy, as a string, to use for the permission set.

Default: null

managed_policy_names (list(string), optional)

A list of managed policy names to add to the Permission set.

Default: []

session_duration_hours (optional)

The length, in hours, that a session is valid.

Default: 1

sso_admin_instance_arn (optional)

ARN of the SSO Admin instance where the Permission Set should be provisioned. This instance will be dynamically looked up when set to null.

Default: null

tags (map(string), optional)

Tags to apply to the SSO Permission Set, defaults to empty map.

Default: null