- Identity store users and groups must be created manually, as the identity store API does not currently support creating users or groups (hashicorp/terraform-provider-aws#18812)
- SSO must be enabled manually

## Usage
```hcl
module "aws_organizations_and_sso" {
  source  = "chris-qa-org/organzation-and-sso/aws"
  version = "1.1.2"

  sso_permission_sets = {
    "admin" = {
      description      = "Administrator access",
      relay_state      = "https://console.aws.amazon.com/billing/home?region=eu-west-2#/",
      session_duration = "PT1H", # ISO-8601 duration (https://en.wikipedia.org/wiki/ISO_8601#Time_intervals)
      managed_policies = [
        "AdministratorAccess"
      ],
      inline_policy = data.aws_iam_policy_document.example.json,
    },
    "read-only" = {
      description      = "Read Only",
      relay_state      = "https://console.aws.amazon.com/ec2/v2/home?region=eu-west-2#/",
      managed_policies = [
        "AWSReadOnlyAccess"
      ]
    },
    "billing" = {
      description      = "Billing Access",
      relay_state      = "https://console.aws.amazon.com/billing/home?#/",
      managed_policies = [
        "job-function/Billing"
      ]
    }
  }

  organization_config = {
    units = {
      "organization-unit-name" = {
        accounts = {
          "new-account-name" = {
            email = "[email protected]"
            group_assignments = {
              "SysAdmins" = {
                permission_sets = [
                  "admin"
                ]
              },
              "External" = {
                permission_sets = [
                  "read-only"
                ]
              }
            }
            user_assignments = {
              "Alex" = {
                permission_sets = [
                  "billing"
                ]
              }
            }
          },
          "existing-account-name" = {
            email = "[email protected]"
            # If the account has been imported into terraform, this must be set to "NULL".
            # This behaviour cannot be changed once the account is created (only the root user of the account will be able to change it).
            # (A Terraform import example can be found at https://github.com/chris-qa-org/terraform-aws-organzation-and-sso/blob/main/examples/existing-account-import/README.md)
            iam_user_access_to_billing = "NULL"
            group_assignments = {
              "SysAdmins" = {
                permission_sets = [
                  "admin"
                ]
              }
            }
            user_assignments = {
              "Alex" = {
                permission_sets = [
                  "billing"
                ]
              }
            }
          }
        }
      }
    },
    service_access_principals = [
      "sso.amazonaws.com" # Automatically added if `enable_sso` is enabled
    ],
    feature_set = "ALL",
    enabled_policy_types = [
      "SERVICE_CONTROL_POLICY"
    ]
  }

  enable_sso = true

  default_tags = {
    project = "My Project"
  }
}
```
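The usage block above references `data.aws_iam_policy_document.example` as the inline policy of the `admin` permission set without defining it. The following is an added example of such a document, not code from the module or its README: it layers explicit denies on top of the `AdministratorAccess` managed policy so that an administrator session assigned through SSO still cannot detach the account from the organization, disable the policy types the organization relies on, or silence CloudTrail. The data source name `example` matches the reference in the usage block; the statement SIDs and the choice of denied actions are assumptions made for this illustration.

```hcl
# Added example (not part of the module's README): the
# data.aws_iam_policy_document.example consumed by the "admin"
# permission set's inline_policy in the usage block. Explicit Deny
# statements take precedence over the Allow granted by the attached
# AdministratorAccess managed policy, so these guardrails hold even
# for administrator sessions.
data "aws_iam_policy_document" "example" {
  # Prevent an account from escaping organization governance
  # (leaving the organization, or detaching/disabling the policy
  # types such as SERVICE_CONTROL_POLICY enabled in the root).
  statement {
    sid    = "DenyOrganizationEscape" # assumed SID
    effect = "Deny"
    actions = [
      "organizations:LeaveOrganization",
      "organizations:DeleteOrganization",
      "organizations:DisablePolicyType",
      "organizations:DetachPolicy",
    ]
    resources = ["*"]
  }

  # Keep administrative actions auditable: deny stopping, deleting or
  # reconfiguring CloudTrail trails from within the account.
  statement {
    sid    = "DenyAuditTrailTampering" # assumed SID
    effect = "Deny"
    actions = [
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "cloudtrail:UpdateTrail",
    ]
    resources = ["*"]
  }
}

# Optional: expose the rendered JSON so it can be reviewed with
# `terraform output` before the permission set is provisioned.
output "admin_inline_policy_json" {
  value = data.aws_iam_policy_document.example.json
}
```

Because the module passes the rendered `.json` straight into the permission set, any change to the document is applied on the next `terraform apply`; pairing the short `session_duration = "PT1H"` from the usage block with these denies keeps the blast radius of a compromised administrator session bounded both in time and in scope.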
Description: The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.
Description: If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.
Value: ALLOW/DENY/NULL (string)
Default: ALLOW
Note: This must be set to "NULL" if you are bringing an existing AWS account under management with terraform import; otherwise terraform will attempt to remove the account from the Organization and create a new account.
organization_config.service_access_principals
Description: List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL.
Value: Service access principals (list)
organization_config.feature_set
Description: Specify "ALL" or "CONSOLIDATED_BILLING".
Value: Feature set (string)
organization_config.enabled_policy_types
Description: List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types