
Terraform module for AWS to create and manage Organizations and SSO

chris-qa-org/terraform-aws-organzation-and-sso

AWS Organization and SSO Terraform module

This module creates and manages AWS Organizations, Organizational Units, Accounts, SSO Permission Sets and group/user assignments.

Limitations

  • Identity Store Users and Groups must be created manually, as the Identity Store API does not currently support creating users or groups (hashicorp/terraform-provider-aws#18812)
  • SSO must be enabled manually

Usage

module "aws_organizations_and_sso" {
  source  = "chris-qa-org/organzation-and-sso/aws"
  version = "1.1.2"

  sso_permission_sets = {
    "admin" = {
      description = "Administrator access",
      relay_state = "https://console.aws.amazon.com/billing/home?region=eu-west-2#/",
      session_duration = "PT1H", ## ISO-8601 standard (https://en.wikipedia.org/wiki/ISO_8601#Time_intervals)
      managed_policies = [
        "AdministratorAccess"
      ],
      inline_policy = data.aws_iam_policy_document.example.json,
    },
    "read-only" = {
      description = "Read Only",
      relay_state = "https://console.aws.amazon.com/ec2/v2/home?region=eu-west-2#/",
      managed_policies = [
        "AWSReadOnlyAccess"
      ]
    },
    "billing" = {
      description = "Billing Access",
      relay_state = "https://console.aws.amazon.com/billing/home?#/",
      managed_policies = [
        "job-function/Billing"
      ]
    }
  }

  organization_config = {
    units = {
      "organization-unit-name" = {
        accounts = {
          "new-account-name" = {
            email = "[email protected]",
            group_assignments = {
              "SysAdmins" = {
                permission_sets = [
                  "admin"
                ]
              },
              "External" = {
                permission_sets = [
                  "read-only"
                ]
              }
            }
            user_assignments = {
              "Alex" = {
                permission_sets = [
                  "billing"
                ]
              }
            }
          },
          "existing-account-name" = {
            email = "[email protected]"
            # If the account has been imported into Terraform, this must be set to "NULL"
            # This behaviour cannot be changed once the account is created (only the root user of the account will be able to change it)
            # (A Terraform import example can be found at https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/blob/main/examples/existing-account-import/README.md)
            iam_user_access_to_billing = "NULL"
            group_assignments = {
              "SysAdmins" = {
                permission_sets = [
                  "admin"
                ]
              }
            }
            user_assignments = {
              "Alex" = {
                permission_sets = [
                  "billing"
                ]
              }
            }
          }
        }
      }
    },
    service_access_principals = [
      "sso.amazonaws.com" ## Automatically added if `enable_sso` is enabled
    ],
    feature_set = "ALL",
    enabled_policy_types = [
      "SERVICE_CONTROL_POLICY"
    ]
  }

  enable_sso = true

  default_tags = {
    project = "My Project"
  }
}
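The `inline_policy` line in the usage above references `data.aws_iam_policy_document.example` but the snippet does not define it. The block below is an added example of such a document, not code from the module or its author; the statement IDs and the chosen deny actions are assumptions. It shows the usual reason to put an inline policy on an otherwise AdministratorAccess permission set: an explicit Deny always wins over the managed policy's Allow, so these guardrails hold even for admin sessions.

```hcl
# Added example (not part of the module): the policy document the "admin"
# permission set's `inline_policy` refers to. It layers explicit denies on top
# of AdministratorAccess so that an admin session cannot take the member
# account out of the Organization or switch off CloudTrail logging.
# Statement IDs and the action list are assumptions for illustration.
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "DenyLeavingOrganization"
    effect = "Deny"
    actions = [
      "organizations:LeaveOrganization",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "DenyDisablingCloudTrail"
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
    ]
    resources = ["*"]
  }
}
```

Because the module attaches this JSON through `aws_ssoadmin_permission_set_inline_policy`, the denies apply in every account the "admin" permission set is assigned to.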

Permission sets config

  • sso_permission_sets
    • Description: SSO Permission Set definitions
    • Value: SSO Permission Set definitions (map(any))
  • sso_permission_sets.<permission-set-name>
    • Description: SSO Permission Set definition
    • Key: Name of SSO Permission Set definition
    • Value: SSO Permission Set definition (map(any))
  • sso_permission_sets.<permission-set-name>.description
    • Description: The description of the Permission Set
    • Value: Description (string)
  • sso_permission_sets.<permission-set-name>.relay_state
    • Description: The relay state URL used to redirect users within the application during the federation authentication process
    • Value: Relay state (string)
  • sso_permission_sets.<permission-set-name>.session_duration
    • Description: The length of time that the application user sessions are valid in the ISO-8601 standard
    • Value: Session duration (string)
  • sso_permission_sets.<permission-set-name>.managed_policies
    • Description: Managed policies to associate with the permission set
    • Value: Names of AWS managed policies (list)
  • sso_permission_sets.<permission-set-name>.inline_policy
    • Description: The IAM inline policy to attach to the Permission Set
    • Value: JSON formatted policy (string)

Organization config

  • organization_config.units
    • Description: Organization Unit definitions
    • Value: Organization unit definitions (map(any))
  • organization_config.units.<org-unit-name>
    • Description: Organization Unit definition (map(any))
    • Key: The name for the organizational unit (string)
    • Value: Organization unit configuration (map(any))
  • organization_config.units.<org-unit-name>.accounts
    • Description: Organization account definitions (map(any))
    • Value: Organization account definitions (map(any))
  • organization_config.units.<org-unit-name>.accounts.<account-name>
    • Description: Organization account definition (map(any))
    • Key: A friendly name for the member account (string)
    • Value: Account configuration (map(any))
  • organization_config.units.<org-unit-name>.accounts.<account-name>.email
    • Description: The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.
    • Value: Email of the root user (string)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.iam_user_access_to_billing
    • Description: If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.
    • Value: ALLOW/DENY/NULL (string)
    • Default: ALLOW
    • Note: This must be set to "NULL" if you are importing an existing AWS account into Terraform; otherwise Terraform will attempt to remove the account from the Organization and create a new account.
  • organization_config.units.<org-unit-name>.accounts.<account-name>.group_assignments
    • Description: Group assignment definitions.
    • Value: Group assignment definitions (map)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.group_assignments.<group_name>
    • Description: Group assignment definition
    • Key: Group name (an existing Identity Store group)
    • Value: Group assignment config (map)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.group_assignments.<group_name>.permission_sets
    • Description: Permission Sets to assign to the group in this account
    • Value: Permission Set names, as defined in sso_permission_sets (list)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.user_assignments
    • Description: User assignment definitions.
    • Value: User assignment definitions (map)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.user_assignments.<user_name>
    • Description: User assignment definition
    • Key: User name (an existing Identity Store user)
    • Value: User assignment config (map)
  • organization_config.units.<org-unit-name>.accounts.<account-name>.user_assignments.<user_name>.permission_sets
    • Description: Permission Sets to assign to the user in this account
    • Value: Permission Set names, as defined in sso_permission_sets (list)
  • organization_config.service_access_principals
    • Description: List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL.
    • Value: Service access principals (list)
  • organization_config.feature_set
    • Description: Specify "ALL" or "CONSOLIDATED_BILLING".
    • Value: Feature set (string)
  • organization_config.enabled_policy_types
    • Description: List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types
    • Value: Enabled policy types (list)

Requirements

Name Version
terraform >= 1.1.5
aws >= 5.0

Providers

Name Version
aws 5.57.0

Resources

Name Type
aws_organizations_account.account resource
aws_organizations_organization.root resource
aws_organizations_organizational_unit.unit resource
aws_ssoadmin_account_assignment.group_assignment resource
aws_ssoadmin_account_assignment.user_assignment resource
aws_ssoadmin_managed_policy_attachment.attachment resource
aws_ssoadmin_permission_set.permission_set resource
aws_ssoadmin_permission_set_inline_policy.policy resource
aws_identitystore_group.aws data source
aws_identitystore_user.aws data source
aws_ssoadmin_instances.ssoadmin_instances data source

Inputs

Name | Description | Type | Default | Required
enable_sso | Enable AWS SSO | bool | true | no
organization_config | Organization configuration | any | { "units": {} } | no
sso_permission_sets | AWS SSO Permission sets | any | {} | no

Outputs

Name | Description
aws_organizations_account | Attributes for the AWS Organization Accounts (aws_organizations_account): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account#attributes-reference
aws_organizations_organization | Attributes for the AWS Organization (aws_organizations_organization): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization#attributes-reference
aws_organizations_organizational_unit | Attributes for the AWS Organizational Units (aws_organizations_organizational_unit): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit#attributes-reference
aws_ssoadmin_instances | Attributes for the SSO Admin instances (aws_ssoadmin_instances): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances
aws_ssoadmin_permission_set | Attributes for the AWS SSO Permission Sets (aws_ssoadmin_permission_set): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set