Automate AWS SSO Using Terraform

Leveraging Terraform to automate the setup and configuration of SSO resources, streamline user management, and enhance security.

Sumit K
Cloud Native Daily
8 min read · Jun 23, 2023


AWS SSO multi-account fine-grained access management

Managing user access and permissions across multiple AWS accounts in an AWS Organization can be a complex and time-consuming task. However, with the Infrastructure as Code (IaC) tool Terraform, you can automate the provisioning and management of Single Sign-On (SSO) users, groups, and permission sets within your AWS Organization. This article will guide you through the process of leveraging Terraform to automate the setup and configuration of SSO resources, streamline user management, and enhance security.

Let’s consider a real-world example of how AWS SSO can be used in a company that has multiple AWS accounts and wants to manage user access more efficiently.

Assume Company ABC has two AWS accounts, “Production” and “Non-Production”, each containing various resources and services. The company wants to grant a specific group of users (let’s say the L1 Ops Team) access to the S3 service in the production account and full compute admin access in the non-production account, while maintaining centralized control over user management.

Now, when a user belonging to the “L1_Ops_Group” logs in to the AWS SSO portal, they will see the “Production” account and have access to the S3 service within that account.

On the other hand, when a user of the same group logs in to the AWS SSO portal, they will see the “Non-Production” account and have full compute administration access within that account. This becomes possible with permission sets assigned to “L1_Ops_Group”.

As you can see in the following diagram, the user group has two permission sets, each assigned to a different AWS account. A permission set is a collection of permissions that defines what actions a user or group can perform within AWS accounts or applications. That is why, when you assign users or groups to an AWS account, you also specify the permission sets that apply to them, which enables fine-grained access control across AWS accounts.

Example - SSO Enabling Access to AWS Accounts with distinct permission sets

Benefits that AWS IAM Identity Center provides

AWS IAM Identity Center also provides better visibility into which users accessed which accounts and applications from the user portal by recording all user portal sign-in activities in AWS CloudTrail. AWS IAM Identity Center records details such as the IP address, user name, date, and time of the sign-in request. Any changes made by administrators in the AWS IAM Identity Center console are also recorded in CloudTrail, and you can use security information and event management (SIEM) solutions such as Splunk and Sumo Logic to analyze the associated CloudTrail logs.
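One way to act on those CloudTrail records without waiting for a SIEM query is an EventBridge rule that alerts whenever a permission set or account assignment is changed. The following is an added example, not code from the article: it assumes a CloudTrail trail is already logging management events in the Identity Center home region, that the rule is deployed in that same region, the `aws.sso` EventBridge source and the listed SSO Admin API event names (confirm both against the events in your own trail), and a placeholder alert e-mail address.

```hcl
# Added example (not from the original article): alert on administrative
# changes to IAM Identity Center using the CloudTrail events described above.
# Assumptions: a CloudTrail trail with management events enabled already
# exists in the Identity Center home region; names and the e-mail address
# below are placeholders.

resource "aws_sns_topic" "identity_center_changes" {
  name = "identity-center-admin-changes" # constructed name
}

# Allow EventBridge to publish to the topic.
data "aws_iam_policy_document" "allow_events" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.identity_center_changes.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "allow_events" {
  arn    = aws_sns_topic.identity_center_changes.arn
  policy = data.aws_iam_policy_document.allow_events.json
}

# Match the SSO Admin API calls that change who can do what, as recorded by
# CloudTrail and delivered to EventBridge (event names assumed to match the
# SSO Admin API operations of the same name).
resource "aws_cloudwatch_event_rule" "identity_center_changes" {
  name        = "identity-center-admin-changes"
  description = "Permission set or account assignment changed in IAM Identity Center"

  event_pattern = jsonencode({
    source        = ["aws.sso"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["sso.amazonaws.com"]
      eventName = [
        "CreateAccountAssignment",
        "DeleteAccountAssignment",
        "CreatePermissionSet",
        "DeletePermissionSet",
        "PutInlinePolicyToPermissionSet",
        "AttachManagedPolicyToPermissionSet",
        "DetachManagedPolicyFromPermissionSet",
      ]
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule      = aws_cloudwatch_event_rule.identity_center_changes.name
  target_id = "sns"
  arn       = aws_sns_topic.identity_center_changes.arn
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.identity_center_changes.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com" # placeholder recipient
}
```

The event payload carries the same `userIdentity`, `sourceIPAddress` and `requestParameters` fields as the CloudTrail record, so the notification tells you who granted which permission set to which account; an assignment created outside the Terraform pipeline (for example by hand in the console) shows up here and also as drift in the next `terraform plan`.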

Components of SSO:

The AWS SSO service consists of several components that collectively facilitate centralized user management and access control.

  • AWS SSO Directory: The AWS SSO Directory is the central identity store for user management. It allows you to create and manage user identities, groups, and their associated permissions. The directory can be used as a standalone directory or integrated with external identity sources such as Microsoft Active Directory (AD) through AWS Managed Microsoft AD.
  • AWS SSO Instance: An AWS SSO Instance is a deployment of the AWS SSO service within your AWS account. It acts as a container for managing user access and permissions across multiple AWS accounts.
  • User and Group Management: AWS SSO enables you to create and manage individual user accounts and group memberships.
  • Permission Sets: Permission Sets in AWS SSO are predefined collections of permissions that define what actions users or groups can perform within AWS accounts or applications.
  • Account Assignments: Account Assignments in AWS SSO determine which users or groups have access to specific AWS accounts. By assigning users or groups to target accounts, you control their access to resources within those accounts.

Key features of AWS IAM Identity Center

  • AWS IAM Identity Center user portal.
  • Integration with AWS Organizations.
  • Integration with on-premises Active Directory or any cloud directory service.
  • Centralized permissions management.
  • Centralized auditing.
  • Highly available multi-tenant IAM Identity Center infrastructure.

Prerequisites:

Before diving into the implementation, ensure that you have the following prerequisites in place:

  1. An AWS Organization with multiple AWS accounts.
  2. Terraform installed on your local machine.
  3. AWS CLI configured with appropriate IAM credentials.
  4. Sufficient permissions to create and manage AWS SSO resources.

Configuring AWS SSO with Terraform

Terraform provides several resources for configuring AWS SSO across an organization. Once the service is enabled, you will need to define an identity source. This can be the built-in directory, Active Directory, or any external identity provider with SAML integration.

At the time of writing, the identity store doesn’t have a fully fleshed-out API, so you will have to configure the identity source manually. Once the identity store is configured, Terraform can use those users and groups, whether pushed from an external identity provider or created directly, to assign permission sets to accounts.

Configuring AWS SSO with Terraform can vary depending on the specific requirements and configurations of each company. However, Terraform provides the necessary resources and configurations to set up AWS SSO effectively.

Now that you have learned about AWS SSO and its integration with Terraform, it’s time to roll up your sleeves and get hands-on experience with the code. Here is the Terraform code. If you are familiar with console-based SSO management, implementing this code is straightforward and simple.

Attention: Before you run this code, make sure AWS SSO is enabled in your AWS environment.

# Provider
provider "aws" {
  region  = "us-east-1"
  profile = "master"
}

# Data block to fetch the SSO admin instance. Once you have enabled SSO admin from the console,
# this data block fetches the instance ARN and identity store ID for use in the rest of the code.
data "aws_ssoadmin_instances" "example" {}


############################## Users, Groups, Group Membership #########################################
# Create SSO user1
resource "aws_identitystore_user" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  display_name = "sumit Kumar"
  user_name    = "sumitk"

  name {
    given_name  = "sumit"
    family_name = "kumar"
  }

  emails {
    value = "sumitk@gmail.com" # Replace with your email ID
  }
}


########################### Groups #################################################
# Create Group
resource "aws_identitystore_group" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]
  display_name      = "L1-ops-group"
  description       = "This is my AWS ops Group"
}


####################### Group Membership ############################################
# Add the user to the group
resource "aws_identitystore_group_membership" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]
  group_id          = aws_identitystore_group.example.group_id
  member_id         = aws_identitystore_user.example.user_id
}

##################### Permission Sets #######################################

# Create custom permission set for S3 read-only
resource "aws_ssoadmin_permission_set" "mypermissionset" {
  name         = "my-s3-permissionset"
  instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
}

# Policy document for the custom permission set: list buckets and read bucket locations only
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"

    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]
  }
}

# Custom permission set inline policy
resource "aws_ssoadmin_permission_set_inline_policy" "example" {
  inline_policy      = data.aws_iam_policy_document.example.json
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.mypermissionset.arn
}


# Create permission set for full EC2 admin backed by an AWS managed policy
resource "aws_ssoadmin_permission_set" "ec2_admin_permissionset" {
  name         = "ec2-admin-permissionset"
  instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
}

resource "aws_ssoadmin_managed_policy_attachment" "ec2_admin_managed_policy_attachment" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  managed_policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
  permission_set_arn = aws_ssoadmin_permission_set.ec2_admin_permissionset.arn
}


########################## AWS Account Assignment ###################################


# Create account assignment for the group with the custom permission set --> Production account
resource "aws_ssoadmin_account_assignment" "example" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.mypermissionset.arn # Custom permission set

  principal_id   = aws_identitystore_group.example.group_id # Group
  principal_type = "GROUP"

  target_id   = "45465656566" # Production account; replace with your 12-digit account ID
  target_type = "AWS_ACCOUNT"
}


# Create account assignment for the same group with the managed permission set --> Non-PRD
resource "aws_ssoadmin_account_assignment" "example2" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.ec2_admin_permissionset.arn # Managed permission set

  principal_id   = aws_identitystore_group.example.group_id # Group
  principal_type = "GROUP"

  target_id   = "776677755" # Non-Prd account; replace with your 12-digit account ID
  target_type = "AWS_ACCOUNT"
}



# Bonus tip: if you already created permission sets in the AWS console, you can retrieve
# them with a data block and refer to them in your account assignment resource blocks.
# Here are two data blocks for your reference; feel free to use them for another account.

# Data block to look up the existing ViewOnlyAccess permission set
# data "aws_ssoadmin_permission_set" "viewonly_permissionset" {
#   instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
#   name         = "ViewOnlyAccess"
# }

# Data block to look up the existing SystemAdministrator permission set
# data "aws_ssoadmin_permission_set" "sysadmin_permissionset" {
#   instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
#   name         = "SystemAdministrator"
# }
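The configuration above wires one user, one group, two permission sets and two assignments by hand, which is exactly right for a first run. As the number of accounts and groups grows, the same design is easier to review and audit as a data-driven access matrix, where adding an account, group or permission set is a data change rather than a new resource block. The following is an added example, not the article's code, and it generalizes the two assignments shown above; it assumes IAM Identity Center is enabled, that the groups already exist in the identity store (for instance pushed from an external identity provider, as described in the section on identity sources), placeholder 12-digit account IDs, and hypothetical names (`this`, `s3_readonly`, `ec2_admin`, `L1-ops-group`).

```hcl
# Added example (not the article's code): the same account assignment design
# expressed as a data-driven matrix. Assumptions: Identity Center is enabled,
# the groups already exist in the identity store, and the account IDs are
# placeholders to be replaced with your own 12-digit IDs.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Placeholder account IDs (constructed).
  accounts = {
    production     = "111111111111"
    non_production = "222222222222"
  }

  # Permission sets: managed policies to attach and a session lifetime (ISO 8601).
  permission_sets = {
    s3_readonly = {
      managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
      session_duration    = "PT1H"
    }
    ec2_admin = {
      managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"]
      session_duration    = "PT4H"
    }
  }

  # The access matrix: one entry per (group, permission set, account).
  assignments = [
    { group = "L1-ops-group", permission_set = "s3_readonly", account = "production" },
    { group = "L1-ops-group", permission_set = "ec2_admin", account = "non_production" },
  ]
}

# Look up each referenced group by display name instead of hard-coding group IDs.
data "aws_identitystore_group" "this" {
  for_each          = toset([for a in local.assignments : a.group])
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  name             = each.key
  instance_arn     = local.instance_arn
  session_duration = each.value.session_duration
}

# Flatten (permission set, policy) pairs so each attachment gets a stable key.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each = {
    for pair in flatten([
      for ps_name, ps in local.permission_sets : [
        for arn in ps.managed_policy_arns : { ps = ps_name, arn = arn }
      ]
    ]) : "${pair.ps}:${basename(pair.arn)}" => pair
  }

  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps].arn
  managed_policy_arn = each.value.arn
}

# One assignment per matrix row, keyed "group:permission_set:account" so that
# terraform plan names the exact grant being added or removed.
resource "aws_ssoadmin_account_assignment" "this" {
  for_each = {
    for a in local.assignments : "${a.group}:${a.permission_set}:${a.account}" => a
  }

  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.this[each.value.group].group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = local.accounts[each.value.account]
}
```

Because every resource is keyed by a readable string such as `L1-ops-group:s3_readonly:production`, a `terraform plan` shows precisely which group gains or loses access to which account, which is the review point that matters most for least privilege. The `session_duration` values are an explicit restriction the original blocks leave at the provider default; keep the admin-level set shorter than you think you need and lengthen it only on request.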

Let’s run this code

Plan: 9 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

aws_ssoadmin_permission_set.mypermissionset: Creating...
aws_ssoadmin_permission_set.ec2_admin_permissionset: Creating...
aws_identitystore_group.example: Creating...
aws_identitystore_user.example: Creating...
aws_identitystore_group.example: Creation complete after 1s [id=d-9067a4180a/741884c8-e0f1-70aa-c328-cc29dcd88bff]
aws_identitystore_user.example: Creation complete after 1s [id=d-9067a4180a/e438f418-90e1-70ba-afc1-1f6505e2ad44]
aws_identitystore_group_membership.example: Creating...
aws_ssoadmin_permission_set.mypermissionset: Creation complete after 2s [id=arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-e173d4e37622ba9e,arn:aws:sso:::instance/ssoins-7223f0621619fe40]
aws_ssoadmin_account_assignment.example: Creating...
aws_ssoadmin_permission_set_inline_policy.example: Creating...
aws_identitystore_group_membership.example: Creation complete after 1s [id=d-9067a4180a/d408d4f8-20b1-7007-ed73-e46375bb1f02]
aws_ssoadmin_permission_set.ec2_admin_permissionset: Creation complete after 2s [id=arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-793fa66b9f509835,arn:aws:sso:::instance/ssoins-7223f0621619fe40]
aws_ssoadmin_managed_policy_attachment.ec2_admin_managed_policy_attachment: Creating...
aws_ssoadmin_account_assignment.example2: Creating...
aws_ssoadmin_permission_set_inline_policy.example: Creation complete after 6s [id=arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-e173d4e37622ba9e,arn:aws:sso:::instance/ssoins-7223f0621619fe40]
aws_ssoadmin_managed_policy_attachment.ec2_admin_managed_policy_attachment: Creation complete after 7s [id=arn:aws:iam::aws:policy/AmazonEC2FullAccess,arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-793fa66b9f509835,arn:aws:sso:::instance/ssoins-7223f0621619fe40]
aws_ssoadmin_account_assignment.example: Still creating... [10s elapsed]
aws_ssoadmin_account_assignment.example2: Still creating... [10s elapsed]
aws_ssoadmin_account_assignment.example: Creation complete after 11s [id=741884c8-e0f1-70aa-c328-cc29dcd88bff,GROUP,6425318213,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-e173d4e37622ba9e,arn:aws:sso:::instance/ssoins-7223f0621619fe40]
aws_ssoadmin_account_assignment.example2: Creation complete after 12s [id=741884c8-e0f1-70aa-c328-cc29dcd88bff,GROUP,0624308849,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223f0621619fe40/ps-793fa66b9f509835,arn:aws:sso:::instance/ssoins-7223f0621619fe40]

Apply complete! Resources: 9 added, 0 changed, 0 destroyed.

Verify the state list:

$ terraform state list
data.aws_iam_policy_document.example
data.aws_ssoadmin_instances.example
aws_identitystore_group.example
aws_identitystore_group_membership.example
aws_identitystore_user.example
aws_ssoadmin_account_assignment.example
aws_ssoadmin_account_assignment.example2
aws_ssoadmin_managed_policy_attachment.ec2_admin_managed_policy_attachment
aws_ssoadmin_permission_set.ec2_admin_permissionset
aws_ssoadmin_permission_set.mypermissionset
aws_ssoadmin_permission_set_inline_policy.example

Verify in the console (screenshots): SSO user, SSO group, permission sets, SSO admin account assignments.

Verify SSO User login:

Single Sign-On login works as expected with the appropriate group and permission set assignment.

After you have verified everything, don’t forget to clean up your environment :)

That's it for now. I explained how AWS SSO simplifies user management and access control across multiple AWS accounts. Managing AWS SSO with Terraform is an efficient way to achieve scalable user management and access control.
