Control Tower 0.8.5

SSO Permission Sets


This module contains Terraform code to provision and manage a best-practices set of Permission Sets for AWS SSO (aka Identity Center).

Features

  • Define and provision a Permission Set
  • Assign managed and inline IAM Policies to the Permission Set.

Learn

What is AWS SSO / Identity Center?

You can learn more about AWS SSO (aka Identity Center) in the official documentation provided by AWS.

What is a Permission Set?

A Permission Set in AWS SSO is a logical grouping of AWS IAM Policies that define the permissions that an entity has to access an account. This Permission Set is then provisioned to an AWS Account to grant access through AWS SSO to users and groups defined in the AWS Identity Store.

Refer to the official documentation for more information on Permission Sets.

How do I create a permission set?

For example:

module "sso_permission_set" {
  source = "git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets"

  name          = "GWFullAccess"
  description   = "Provides full (administrator) access to accounts"
  inline_policy = <<EOP
{
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
EOP
}

In the example above, the GWFullAccess Permission Set is assigned a custom inline IAM policy.

Once provisioned, users in the AWS Identity Store who are assigned to the specified group will automatically be granted access to the AWS Account with the IAM permissions defined on the Permission Set.

How do I provision a Permission Set to an Account?

Permission Sets are normally bound to groups using your IdP.

For an example of a manual binding, see the sso-groups module.

What are permission boundaries?

Permission boundaries are an advanced feature of AWS IAM that lets you set the maximum permissions an entity can have. For example, you can limit the permissions of a Permission Set to ReadOnlyAccess:

module "sso_permission_set" {
  source = "git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets"

  name                 = "GWReadOnlyAccess"
  description          = "Provides read-only access to accounts"
  managed_policy_names = ["ReadOnlyAccess"]

  # The boundary variable takes a single managed policy name (a string), not a list.
  permissions_boundary_managed_policy_name = "ReadOnlyAccess"
}

For more information on permission boundaries, see the official documentation.
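The two examples above rely on two IAM evaluation rules that are easy to get wrong: a NotAction statement grants every action except the ones listed, and a permissions boundary never grants anything, it only caps what the Permission Set's own policies grant. The following simplified evaluator, an added example that is not part of the module, makes both rules concrete using a constructed copy of the GWFullAccess inline policy and a constructed, much-abbreviated stand-in for the AWS managed ReadOnlyAccess policy; it ignores Resource and Condition elements, which is fine for the "Resource": "*" policies shown here.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the GWFullAccess inline policy from the docs above:
# allow everything except the Organizations and Account APIs (NotAction).
FULL_ACCESS_INLINE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "NotAction": ["organizations:*", "account:*"], "Resource": "*"}
]}""")

# Constructed stand-in for the AWS managed ReadOnlyAccess policy (the real one
# lists far more read-only actions); used here as the permissions boundary.
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def policy_allows(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Resource and Condition are ignored (the examples use "*")."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            applies = _matches(stmt["Action"], action)
        else:
            # NotAction: the statement applies to every action NOT listed.
            applies = not _matches(stmt["NotAction"], action)
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def effective_allow(action, permission_set_policies, boundary=None):
    """The Permission Set's managed/inline policies grant; a permissions boundary
    only caps: the action is allowed only if the policies AND the boundary allow it."""
    granted = any(policy_allows(p, action) for p in permission_set_policies)
    if boundary is None:
        return granted
    return granted and policy_allows(boundary, action)
```

With the boundary attached, s3:PutObject is refused even though the inline policy allows it, and organizations:* stays refused because the boundary cannot add what the policies withhold.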

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SSO-PERMISSION-SETS MODULE
# ------------------------------------------------------------------------------------------------------

module "sso_permission_sets" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v0.8.5"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  description = <string>

  name = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The inline policy, as a string, to use for the permission set.
  inline_policy = null

  # A list of managed policy names to add to the Permission set.
  managed_policy_names = []

  # The customer managed policy reference to use as the permissions boundary for
  # the Permission Set. Note that this is mutually exclusive with
  # `permissions_boundary_managed_policy_name`.
  permisions_boundary_customer_managed_policy_reference = null

  # The name of the managed policy to use as the permissions boundary for the
  # Permission Set. Note that this is mutually exclusive with
  # `permissions_boundary_customer_managed_policy_reference`.
  permissions_boundary_managed_policy_name = null

  # The length, in hours, that a session is valid.
  session_duration_hours = 1

  # ARN of the SSO Admin instance where the Permission Set should be
  # provisioned. This instance will be dynamically looked up when set to null.
  sso_admin_instance_arn = null

  # Tags to apply to the SSO Permission Set, defaults to empty map.
  tags = null

}


Reference

Required

description (string, required)

name (string, required)

Optional

inline_policy (string, optional)

The inline policy, as a string, to use for the permission set.

Default: null

managed_policy_names (list(string), optional)

A list of managed policy names to add to the Permission set.

Default: []

permisions_boundary_customer_managed_policy_reference (object, optional)

The customer managed policy reference to use as the permissions boundary for the Permission Set. Note that this is mutually exclusive with permissions_boundary_managed_policy_name.

object({
  name = string
  path = optional(string, "/")
})

Default: null

permissions_boundary_managed_policy_name (string, optional)

The name of the managed policy to use as the permissions boundary for the Permission Set. Note that this is mutually exclusive with permissions_boundary_customer_managed_policy_reference.

Default: null

session_duration_hours (number, optional)

The length, in hours, that a session is valid.

Default: 1

sso_admin_instance_arn (string, optional)

ARN of the SSO Admin instance where the Permission Set should be provisioned. This instance will be dynamically looked up when set to null.

Default: null

tags (map(string), optional)

Tags to apply to the SSO Permission Set, defaults to empty map.

Default: null