Terraform-provider-aws: Support for Managing AWS SSO Permission Sets

Being able to manage permission sets with terraform would make life so much easier.

User/Group IDs can be discovered through the Identity Store APIs. https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html Using a filter of DisplayName you can discover the id which would then be usable in calls to the SSO apis.

My suggestion would be to create a separate feature request outlining any potential Identity Store data sources.

@bflad Good point. I had updated my original description to add the data sources, but it probably makes sense as a separate issue. I'll revert.

What about other settings, like using external identity source e.g. Azure AD. There one would need to define also Authentication and SCIM settings and output the related values. In that case principals would be groups originated from AAD, and one could use a data resource to get the group Id based on the group name.

@mao65fi I feel that identity provider integration is out of scope for this ticket, and AWS also has not yet provided an API for changing those settings either, so you should knock on their door first.

This issue should focus on what we already have and that's the permission set handing.

Hi! I desperately need these Terraform resources in my life ;). I'm interested in working on this issue and submitting a PR. Is anyone else already working on this? I see that @bflad has already merged in the corresponding SDK changes so I'm hoping it's relatively straight-forward.

Note: I've been a pretty heavy user of AWS SSO since it was released last December, so I'm happy to help design & test if someone else is already working on it.

Following up on @burck1's comment, I'm also happy to assist ongoing efforts with this issue. Is anyone currently working on this?

Hi @sklarsa! I've started this work a bit. Right now I really just have the scaffolding for an aws_sso_permission_set resource. I can open a WIP PR today to show what I have.

For splitting up the work, I was thinking of doing separate PRs; one for the aws_sso_permission_set resource and one for the aws_sso_assignment resource. I'm basing this split on the corresponding CloudFormation design. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SSO.html. I also suspect we'll need some corresponding data sources.

What I haven't yet figured out is how & when to provision the permission set. https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ProvisionPermissionSet.html I.E. Whenever any of the properties of the aws_sso_permission_set resource are updated, the ProvisionPermissionSet API will need to be called to push those changes to the associated accounts.

To help us to continue to move forward, please go give a thumbs up on #15808.

We've completed most of the work for supporting the AWS SSO and AWS SSO Identity Store resources and datasources in Terraform. The #15322 [WIP] PR encompasses all of that work. But, the contribution guide for this repo recommends submitting small pull requests with the minimum required resources, so we've submitted #15808 as our initial PR with just data.aws_sso_instance, data.aws_sso_permission_set, and aws_sso_permission_set. Once that's merged, we will submit PRs for all of the other resources and data sources since they depend on that initial PR.

Hi all 👋, just wanted to point to our recently published public roadmap which features a commitment to support this feature. We are little behind on our previous quarter commitments, but as soon as we have an engineer available we will be in touch to start the review process.

Thanks to @burck1 and others for the all the work so far, this is a very popular feature and we're looking forward to making in available in the provider soon!

Hi @breathingdust. That's great!

One change I would recommend updating in the roadmap would be the resources listed. Based on #15322, we should list:

New Resources

• aws_sso_permission_set
• aws_sso_assignment

New Data Sources

• aws_sso_instance
• aws_sso_permission_set
• aws_identity_store_group
• aws_identity_store_user

Thanks!

A suggestion to make the aws_sso_assignment resource easier to work with, could this consider an accounts data source? This would support globbing, since a lot of organisations use naming conventions for AWS accounts based on teams/services using them. So as a simple example:

data awssso_accounts "team-name" {
  search_patterns = ["aws-serviceA-*", "aws-teamA-*", "aws-storage-*"]
}

That way, using a foreach we could create multiple assignments shortly and concisely. If the above returns a map of AccountName => AccountId, then we use foreach in the aws_sso_assignment resource to ensure we create assignments for that group for each of the accounts we intend them to have access to, within one simple block, rather than having to explicitly create a block for every single account that the group with have this permission set in.

Indeed, to create an Admin permission set provisioned across all accounts in an organization, that you might wish to provide your administrative team, the search_patterns would just be ["*"] to create the association everywhere.

Hi @TomNorth. Great idea! Though I don't think the AWS SSO API provides a mechanism to get a list of accounts, you should be able to use the aws_organizations_organization data source for a similar purpose.

data "aws_organizations_organization" "example" {}

output "account_names" {
  value = data.aws_organizations_organization.example.accounts[*].name
}

output "account_ids" {
  value = data.aws_organizations_organization.example.accounts[*].id
}

Then once you have the accounts list, you should be able to filter the results using some of terraform's interpolation functions.