This module provisions AWS IAM Identity Center (formerly AWS Single Sign-On) resources:

- An Identity Store group and group memberships for each user that is specified (the module does not provision users for you).
  - Alternatively, you may supply your own pre-existing Identity Store group. This is especially useful if you use an external IdP such as Okta. In this case, set `create_group = false` but still provide the `group_name`. You should also omit `users` so that Terraform-managed memberships do not drift from what the IdP provisions.
- A Permission Set, with options for inline, AWS-managed, and customer-managed policy attachments, attached to the group.
- Account assignments provisioning the permission set in each specified account.
Prerequisites
In order to use AWS IAM Identity Center, your account must be managed by AWS Organizations.
At the time of this writing (2023-11-09), you must manually click the Enable button in the AWS IAM Identity Center web console to create an instance in your account.
Usage
Example where you wish to provision users and groups
Example where an external IdP + SCIM handles users and groups
```hcl
module "sre_admin" {
  source  = "trussworks/sso-group/aws"
  version = "~> 1.0"

  # Accounts in which the permission set is assigned to the group
  accounts = [
    data.aws_caller_identity.current.account_id,
    var.another_account_id
  ]

  # The group already exists in the Identity Store (synced by the IdP via SCIM),
  # so do not create it here and do not manage its membership from Terraform
  create_group        = false
  group_name          = "group-name" # must match the group name that already exists
  permission_set_name = "permission-set-name"

  policy_aws_managed = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
}
```
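A pre-apply check for the external-IdP guidance above, added here as an example and not part of the module: it reads `terraform show -json` output and flags any call of this module that sets `create_group = false` without a `group_name`, or that sets `users` alongside `create_group = false` (the drift case the README warns about). The variable names come from the README; the plan JSON below is constructed for illustration and the `configuration.root_module.module_calls` layout is that of Terraform's JSON plan format.

```python
"""Check trussworks/sso-group/aws module calls in a Terraform JSON plan.

Rules taken from the module README for the external-IdP (SCIM) case:
  1. create_group = false requires group_name to be set.
  2. create_group = false should not set `users`; the IdP owns membership
     and Terraform-managed memberships would drift from it.
"""
import json

MODULE_SOURCE = "trussworks/sso-group/aws"


def constant(expressions, name):
    """Literal value of a module argument, or None if unset or non-constant
    (plan JSON records references under "references" instead)."""
    expr = expressions.get(name)
    return None if expr is None else expr.get("constant_value")


def check_module_calls(plan):
    """Return (module_name, message) findings for every sso-group call."""
    calls = plan["configuration"]["root_module"].get("module_calls", {})
    findings = []
    for name, call in calls.items():
        if call.get("source") != MODULE_SOURCE:
            continue  # only this module's calls are checked
        exprs = call.get("expressions", {})
        if constant(exprs, "create_group") is False:
            if constant(exprs, "group_name") is None:
                findings.append((name, "create_group=false but group_name is not set"))
            if "users" in exprs:
                findings.append((name, "create_group=false with users set; "
                                       "memberships will drift from the IdP"))
    return findings


# Constructed sample plan: one compliant call and one that violates both rules
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"module_calls": {
  "sre_admin": {"source": "trussworks/sso-group/aws", "expressions": {
     "create_group": {"constant_value": false},
     "group_name": {"constant_value": "group-name"},
     "permission_set_name": {"constant_value": "permission-set-name"}}},
  "billing": {"source": "trussworks/sso-group/aws", "expressions": {
     "create_group": {"constant_value": false},
     "users": {"constant_value": ["alice"]}}}}}}}
""")

if __name__ == "__main__":
    for module, msg in check_module_calls(SAMPLE_PLAN):
        print(f"{module}: {msg}")
```

Run it against `terraform show -json tfplan` output in CI to fail the pipeline before the drift is applied.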