Control Tower 0.7.2

SSO Permission Sets


This module contains Terraform code to provision and manage a best-practices set of Permission Sets for AWS SSO (aka Identity Center).

Features

  • Define and provision multiple Permission Sets.
  • Assign Permission Sets directly to AWS Identity Store Groups so that they are immediately available to access your AWS Accounts.
  • Assign managed and inline IAM Policies to the Permission Sets.

Learn

What is AWS SSO / Identity Center?

You can learn more about AWS SSO (aka Identity Center) in the official documentation provided by AWS.

What is a Permission Set?

A Permission Set in AWS SSO is a logical grouping of AWS IAM Policies that define the permissions that an entity has to access an account. This Permission Set is then provisioned to an AWS Account to grant access through AWS SSO to users and groups defined in the AWS Identity Store.

Refer to the official documentation for more information on Permission Sets.

How do I provision a Permission Set to an Account?

You can use this module to provision a Permission Set to an Account or multiple AWS Accounts. To provision the Permission Set, it must be assigned to an AWS Account and a Group. This combination grants access to the AWS Account to the Group with the given Permission Set.

You can specify the Account and Group pair in the accounts sub-property of the Permission Set configuration passed to the permission_sets input variable to provision the Permission Set to the given AWS Account.

For example:

module "sso_permission_sets" {
  # ... other args omitted for brevity ...

  permission_sets = {
    TFFullAccess = {
      # ... other args omitted for brevity ...

      managed_policy_names = ["AdministratorAccess"]
      accounts = [
        {
          id         = "000000000000" # AWS Account ID
          group_name = "FullAccess"   # Name of the group in AWS SSO Identity Store
          group_id   = null
        },
        {
          id         = "1234567891234" # AWS Account ID
          group_name = null
          group_id   = "fffaaaaa-0000-1111-2222-1111ccccbbbb" # ID of the group in AWS SSO Identity Store
        },
      ]
    }
  }
}

In the example above, the TFFullAccess Permission Set is assigned the AdministratorAccess managed IAM policy, and provisioned to the AWS Account with ID 000000000000 for the SSO Identity Store group with the name FullAccess. It is also provisioned to the AWS Account with ID 1234567891234 for the SSO Identity Store group with the ID fffaaaaa-0000-1111-2222-1111ccccbbbb.

Once provisioned, users in the AWS Identity Store who are members of the specified group are automatically granted access to the AWS Account with the IAM permissions defined on the Permission Set.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SSO-PERMISSION-SETS MODULE
# ------------------------------------------------------------------------------------------------------

module "sso_permission_sets" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v0.7.2"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  description = <string>

  name = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The inline policy, as a string, to use for the permission set.
  inline_policy = null

  # A list of managed policy names to add to the Permission Set.
  managed_policy_names = []

  # The length, in hours, that a session is valid.
  session_duration_hours = 1

  # ARN of the SSO Admin instance where the Permission Set should be
  # provisioned. This instance will be dynamically looked up when set to null.
  sso_admin_instance_arn = null

  # Tags to apply to the SSO Permission Set, defaults to empty map.
  tags = null

}
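As an added example (not code from the module's own documentation), the following caller uses the inputs listed in the Reference section with for_each to define two least-privilege Permission Sets next to the AdministratorAccess one shown earlier. The local map, the policy contents and the session durations are assumed values; account and group assignment is left out because it is not among the inputs in the Reference.

```hcl
# Added example, not from the module docs: provision two scoped Permission
# Sets from one module block. The locals and policy contents are assumptions.
locals {
  permission_sets = {
    ReadOnly = {
      description          = "Read-only access for auditors"
      managed_policy_names = ["ReadOnlyAccess"]
      inline_policy        = null
      # A short session limits how long an exposed credential stays usable.
      session_duration_hours = 1
    }
    CostViewer = {
      description          = "View cost and usage data only"
      managed_policy_names = []
      # Inline policy limited to the actions this role actually needs.
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Effect   = "Allow"
          Action   = ["ce:GetCostAndUsage", "ce:GetCostForecast"]
          Resource = "*"
        }]
      })
      session_duration_hours = 2
    }
  }
}

module "sso_permission_sets" {
  for_each = local.permission_sets

  source = "git::git@github.com:gruntwork-io/terraform-aws-control-tower.git//modules/aws-sso/sso-permission-sets?ref=v0.7.2"

  name                   = each.key
  description            = each.value.description
  managed_policy_names   = each.value.managed_policy_names
  inline_policy          = each.value.inline_policy
  session_duration_hours = each.value.session_duration_hours

  # Leave sso_admin_instance_arn at its default so the module looks it up.
  tags = {
    ManagedBy = "terraform"
  }
}
```

Keeping the admin set separate from these scoped sets lets day-to-day work run under the narrower permissions while the broad one stays reserved for the group that needs it.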


Reference

Required

  • description (string, required)
  • name (string, required)

Optional

  • inline_policy (string, optional)
    The inline policy, as a string, to use for the permission set.
    Default: null

  • managed_policy_names (list(string), optional)
    A list of managed policy names to add to the Permission Set.
    Default: []

  • session_duration_hours (optional)
    The length, in hours, that a session is valid.
    Default: 1

  • sso_admin_instance_arn (optional)
    ARN of the SSO Admin instance where the Permission Set should be provisioned. This instance will be dynamically looked up when set to null.
    Default: null

  • tags (map(string), optional)
    Tags to apply to the SSO Permission Set, defaults to empty map.
    Default: null