Terraform-provider-aws: Implement AWS SSO resource

Created on 7 Oct 2020 · 2 comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Quote from the AWS documentation:

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.

The AWS SSO service has had a very limited API until now, requiring manual interaction with the AWS console to configure its aspects. This has changed recently, and most of the functionality is now accessible via a public API.

At the moment, there is no API to create new SSO instances, but it seems like there can only be one instance per account. Perhaps it's possible to retrieve the list of available SSO instances with a ListInstances call and simply use the first one available. Or, the user needs to select an instance by ARN explicitly.

To retrieve group and user GUIDs by name, the AWS SSO Identity Store API could be used.

New or Affected Resource(s)

  • aws_sso

Potential Terraform Configuration

Here is one example for the AttachManagedPolicyToPermissionSet and CreateAccountAssignment APIs:

data "aws_caller_identity" "current" {}

data "aws_iam_policy" "administrator" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# "InstanceArn" below is a placeholder for the ARN of the account's SSO instance
resource "aws_sso_permission_set" "set" {
  sso_arn          = "InstanceArn"
  name             = "Name"
  description      = "Description"
  session_duration = "8h"
}

resource "aws_sso_managed_policy_attachment" "attachment" {
  sso_arn            = "InstanceArn"
  policy_arn         = data.aws_iam_policy.administrator.arn
  permission_set_arn = aws_sso_permission_set.set.arn
}

resource "aws_sso_account_assignment" "assignment" {
  sso_arn            = "InstanceArn"
  permission_set_arn = aws_sso_permission_set.set.arn
  # principal_group is mutually exclusive with principal_user
  principal_group    = "group-name"
  target_account     = data.aws_caller_identity.current.account_id
}

References

Labels: enhancement, service/ssoadmin
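The configuration above is the issue author's proposal and uses draft resource names. As an added example, not code from this issue or from the provider's own documentation, the same three steps (permission set, managed policy attachment, account assignment) are shown here with the resource and data source names the provider later shipped under the ssoadmin and identitystore prefixes, discovering the instance through ListInstances as the description suggests and resolving the group GUID through the Identity Store instead of hard-coding it. The group display name "cloud-admins", the resource labels and the policy choice are placeholders.

```hcl
# Added example; not from the issue or the provider docs.
# Uses the shipped aws_ssoadmin_* / aws_identitystore_* names; "cloud-admins",
# the resource labels and the attached policy are placeholders.

data "aws_caller_identity" "current" {}

# ListInstances: an organization has a single SSO instance, so take the first
# (and only) element instead of asking the operator for the instance ARN.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Identity Store lookup: resolve the group's GUID from its display name so the
# assignment below does not carry an opaque principal_id in source control.
data "aws_identitystore_group" "admins" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "cloud-admins"
    }
  }
}

resource "aws_ssoadmin_permission_set" "admin" {
  instance_arn = local.instance_arn
  name         = "AdministratorAccess"
  description  = "Break-glass administrator access"
  # ISO 8601 duration (the issue's "8h" is not accepted); keep privileged
  # sessions short.
  session_duration = "PT1H"
}

resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
}

resource "aws_ssoadmin_account_assignment" "admin" {
  # Make sure the policy is attached before the set is provisioned into the
  # account; otherwise the first apply can produce an empty permission set.
  depends_on = [aws_ssoadmin_managed_policy_attachment.admin]

  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn

  principal_id   = data.aws_identitystore_group.admins.group_id
  principal_type = "GROUP" # "USER" with a user_id from aws_identitystore_user also works

  target_id   = data.aws_caller_identity.current.account_id
  target_type = "AWS_ACCOUNT"
}
```

The principal running `terraform plan` needs sso:ListInstances, identitystore:ListGroups and the ssoadmin write permissions, which normally means the organization management account or a delegated administrator for IAM Identity Center. AdministratorAccess is kept here only because it is what the issue proposes; in practice attach a scoped managed or customer policy and reserve a full-admin set for a small break-glass group.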

All 2 comments

I've got a draft PR (#15322) for #15108 which would relate to this. For that PR, the plan is currently to implement an aws_sso_assignment resource with a target_type = "AWS_ACCOUNT" property. This is based on how AWS has designed the AWS::SSO::Assignment CloudFormation resource. Check out the description in the draft PR (#15322) for how it's currently designed.

To help us to continue to move forward, please go give a thumbs up on #15808.

We've completed most of the work for supporting the AWS SSO and AWS SSO Identity Store resources and datasources in Terraform. The #15322 [WIP] PR encompasses all of that work. But, the contribution guide for this repo recommends submitting small pull requests with the minimum required resources, so we've submitted #15808 as our initial PR with just data.aws_sso_instance, data.aws_sso_permission_set, and aws_sso_permission_set. Once that's merged, we will submit PRs for all of the other resources and data sources since they depend on that initial PR.