Creates a SAML identity provider, the assume-role (trust) policy and a set of default roles in IAM to be used for SSO.

```hcl
module "google_sso" {
  source = "git@github.com:deliveryhero/tf-aws-saml-sso.git?ref=0.1"

  # Required: the name shown for the SAML provider in the IAM console
  # ("GoogleApps" is only an example value).
  saml_provider_name = "GoogleApps"

  # Required: the GoogleIDPMetadata XML as a single string, either inline ...
  idp_data = "<EntitiesDescriptor Name=...></EntitiesDescriptor>"
  # ... or read from a secret so the metadata never sits in source control:
  # idp_data = aws_secretsmanager_secret_version.example.secret_string
}
```
It is assumed that your G Suite Administrator has already set up the SAML application and the custom user attributes in the Google Admin console. If not, here is a guide. You need to obtain the GoogleIDPMetadata XML file from the G Suite Administrator; it carries the IdP entity ID, the SSO URL and the X.509 certificate AWS uses to verify assertion signatures, and it is the value passed as idp_data.
The G Suite Administrator will also need to set the custom attributes on each Google user in order to grant them access to roles within the AWS account: the AWS Role attribute holds one or more `role_arn,provider_arn` pairs (the role ARN and saml_provider_arn outputs of this module), and RoleSessionName becomes the session name recorded in CloudTrail. A user with no role attribute cannot assume any of the roles. Once this is all complete, a new application called Amazon Web Services
will be visible in your Google Apps list, top right corner of a Google app web page.
aws-google-auth is recommended for CLI/API access: it performs the Google login, posts the SAML assertion to STS (AssumeRoleWithSAML) and writes the resulting temporary credentials to an AWS CLI profile.
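A fuller invocation than the snippet above, added here as an example and not taken from the module's own code or tests. It assumes the GoogleIDPMetadata XML was stored in a Secrets Manager secret named `google-idp-metadata`, an audit bucket named `example-audit-logs` and a break-glass address `breakglass@example.com`; all three names are hypothetical. Every module argument used is one listed in the inputs table below.

```hcl
# Added example (not the module's own code). Assumes an aws provider is
# configured and a secret "google-idp-metadata" (hypothetical) holds the
# GoogleIDPMetadata XML exported from the Google Admin console.
data "aws_secretsmanager_secret_version" "google_idp" {
  secret_id = "google-idp-metadata"
}

# Hypothetical customer-managed policy that extends the read-only role with
# read access to a single audit bucket.
data "aws_iam_policy_document" "audit_bucket_read" {
  statement {
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-audit-logs",
      "arn:aws:s3:::example-audit-logs/*",
    ]
  }
}

resource "aws_iam_policy" "audit_bucket_read" {
  name   = "sso-readonly-audit-bucket"
  policy = data.aws_iam_policy_document.audit_bucket_read.json
}

module "google_sso" {
  source = "git@github.com:deliveryhero/tf-aws-saml-sso.git?ref=0.1"

  saml_provider_name = "GoogleApps"
  idp_data           = data.aws_secretsmanager_secret_version.google_idp.secret_string

  # Module defaults, written out so a reviewer sees where the roles land.
  iam_role_path   = "/sso/"
  iam_role_prefix = "sso-"

  # One hour instead of the 12-hour default: a stolen SAML-derived credential
  # is only useful until the session expires.
  role_max_session_duration = "3600"

  # Attach the extra policy to the read-only role only.
  extra_policies_readonly = [aws_iam_policy.audit_bucket_read.arn]

  # Left empty: only the Google provider created by this module may assume
  # the roles. Add other SAML provider ARNs here to widen the trust.
  iam_assume_role_extra_identifiers = []

  # Break-glass: let one named user (hypothetical) assume the admin role
  # without going through Google.
  allow_explicit_sso_admin_users              = true
  allowed_sso_admin_assume_policy_user_emails = ["breakglass@example.com"]

  tags = {
    Terraform = "true"
    Purpose   = "sso"
  }
}

# The role and provider ARNs are what the G Suite Administrator needs for the
# per-user Role attribute (role_arn,provider_arn).
output "sso_role_arns" {
  value = {
    administrator = module.google_sso.administrator_role_arn
    readonly      = module.google_sso.readonly_role_arn
  }
}

output "saml_provider_arn" {
  value = module.google_sso.saml_provider_arn
}
```

After `terraform apply`, copy the `saml_provider_arn` and the role ARNs from the outputs into the Google custom attributes; until a user carries a matching Role attribute the Amazon Web Services tile appears but the sign-in is refused.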
The inputs and outputs tables below are generated from the variable and output descriptions in main.tf; edit them there and regenerate with terraform-docs:

```sh
terraform-docs ./
```
MIT Licensed. See LICENSE for full details.
Providers

Name | Version |
---|---|
aws | n/a |
Outputs

Name | Description |
---|---|
administrator_role_arn | Administrator role ARN |
developer_role_arn | Developer role ARN |
ec2fullaccess_role_arn | EC2 full access role ARN |
poweruser_role_arn | Power user role ARN |
readonly_role_arn | Read-only role ARN |
saml_provider_arn | ARN of the SAML provider |
sysadmin_role_arn | Sysadmin role ARN |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
allow_explicit_sso_admin_users | Enable a trust relationship on the SSO admin role for the user emails listed in allowed_sso_admin_assume_policy_user_emails | bool | false | no |
allowed_sso_admin_assume_policy_user_emails | List of user emails explicitly allowed to use the SSO admin role | list(string) | [] | no |
extra_policies_administrator | Any extra policy ARNs to attach to the administrator role | list(any) | [] | no |
extra_policies_developer | Any extra policy ARNs to attach to the developer role | list(any) | [] | no |
extra_policies_ec2fullaccess | Any extra policy ARNs to attach to the EC2 full access role | list(any) | [] | no |
extra_policies_poweruser | Any extra policy ARNs to attach to the power user role | list(any) | [] | no |
extra_policies_readonly | Any extra policy ARNs to attach to the read-only role | list(any) | [] | no |
extra_policies_sysadmin | Any extra policy ARNs to attach to the sysadmin role | list(any) | [] | no |
iam_assume_role_extra_identifiers | ARNs of additional federated identity providers that may assume the roles | list(any) | [] | no |
iam_role_path | Path of the IAM roles | string | "/sso/" | no |
iam_role_prefix | String prefixed to all role names | string | "sso-" | no |
idp_data | String containing the SAML IdP metadata XML | string | n/a | yes |
role_max_session_duration | Maximum session duration in seconds (43200 is 12 hours, the IAM maximum for a role) | string | "43200" | no |
saml_provider_name | Name of the provider, visible in the IAM console | string | n/a | yes |
tags | Map of tags to add to all resources | map(string) | {} | no |
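The trust relationship behind the default roles, shown here as an added illustration rather than the module's own source. It reproduces the standard SAML role trust policy documented by AWS (principal `Federated`, action `sts:AssumeRoleWithSAML`, audience pinned to the AWS sign-in endpoint) and uses it to build one extra role next to the module's defaults; the role name `sso-custom` is hypothetical, and the module's handling of the explicit admin user emails is not reproduced.

```hcl
# Added example (not the module's own code). Builds an additional role that is
# assumable through the same Google SAML provider the module created.
data "aws_iam_policy_document" "saml_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    # Only the SAML provider(s) named here may present assertions for this
    # role; this is what iam_assume_role_extra_identifiers widens.
    principals {
      type        = "Federated"
      identifiers = [module.google_sso.saml_provider_arn]
    }

    # Reject assertions minted for any other service provider: the audience
    # must be the AWS sign-in endpoint.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

# Hypothetical extra role, placed under the same path/prefix as the module's
# roles so it is listed and tagged alongside them.
resource "aws_iam_role" "custom_sso" {
  name                 = "sso-custom"
  path                 = "/sso/"
  assume_role_policy   = data.aws_iam_policy_document.saml_trust.json
  max_session_duration = 3600
}

output "custom_role_attribute_value" {
  # The exact string the G Suite Administrator puts in the user's Role
  # attribute to expose this role.
  value = "${aws_iam_role.custom_sso.arn},${module.google_sso.saml_provider_arn}"
}
```

Without the `SAML:aud` condition any assertion signed by the IdP, whatever it was issued for, could be exchanged for this role's credentials; keep the condition whenever you hand-write a trust policy for a SAML provider.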