
Creates an Identity Provider and default roles in IAM to be used for SSO

deliveryhero/tf-aws-saml-sso


tf-aws-saml-sso

Creates an Identity Provider, assume role policy and default roles in IAM to be used for SSO.

Example

 module "google_sso" {
   source             = "git@github.com:deliveryhero/tf-aws-saml-sso.git?ref=0.1"
   saml_provider_name = "google"
   # Either inline the IdP metadata XML ...
   idp_data           = "<EntitiesDescriptor Name=...></EntitiesDescriptor>"
   # ... or read it from a secret, e.g.:
   # idp_data         = aws_secretsmanager_secret_version.example.secret_string
 }
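A fuller root-module configuration, added here as an example and not taken from the module's README: it reads the GoogleIDPMetadata XML from Secrets Manager instead of inlining it, restricts who may assume the admin role, and outputs the `role_arn,provider_arn` strings that the G Suite administrator has to put into each user's Role attribute. The secret name, region, e-mail address and the extra policy choice are assumptions; only the module inputs and outputs listed on this page are used.

```hcl
# Added example (not the module's own code). Placeholders: region, secret
# name "google-idp-metadata", the admin e-mail and the extra policy ARN.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # placeholder region
}

# The IdP metadata XML is stored once in Secrets Manager, outside version control.
data "aws_secretsmanager_secret_version" "google_idp" {
  secret_id = "google-idp-metadata" # placeholder secret name
}

module "google_sso" {
  source = "git@github.com:deliveryhero/tf-aws-saml-sso.git?ref=0.1"

  saml_provider_name = "google"
  idp_data           = data.aws_secretsmanager_secret_version.google_idp.secret_string

  # Keep the default "/sso/" path and "sso-" prefix, but shorten SSO sessions
  # from the 12h default to 4h (the input is typed as a string).
  role_max_session_duration = "14400"

  # Extra managed policy for the read-only role (AWS job-function policy).
  extra_policies_readonly = [
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
  ]

  # Only the listed users may assume the SSO admin role.
  allow_explicit_sso_admin_users              = true
  allowed_sso_admin_assume_policy_user_emails = ["alice@example.com"] # placeholder

  tags = {
    ManagedBy = "terraform"
  }
}

# AWS expects the SAML "Role" attribute as "<role ARN>,<provider ARN>".
# These outputs hand the administrator exactly those strings per role.
output "google_role_attribute_values" {
  value = {
    administrator = "${module.google_sso.administrator_role_arn},${module.google_sso.saml_provider_arn}"
    developer     = "${module.google_sso.developer_role_arn},${module.google_sso.saml_provider_arn}"
    readonly      = "${module.google_sso.readonly_role_arn},${module.google_sso.saml_provider_arn}"
  }
}
```

Run `terraform apply` and copy the values of `google_role_attribute_values` into the custom user attribute for each Google user; keeping the metadata in Secrets Manager means the IdP certificate never lands in the repository.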

Setup with Google SAML

It is assumed that your G Suite Administrator has already set up the SAML provider and custom user attributes. If not, here is a guide. You need to obtain the GoogleIDPMetadata XML file from the G Suite Administrator.

The G Suite Administrator will also need to add attributes to each Google user in order to allow them access to roles within the AWS account. Once this is all complete, a new application called Amazon Web Services will be visible in your Google Apps list, top right corner of a Google app web page.

aws-google-auth is recommended for CLI/API access.
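To make clear what the module sets up on the AWS side, here is a hand-written equivalent of one SAML-federated role, added as an illustration and not taken from the module's source: the SAML provider built from the metadata XML, and a trust policy that only allows `sts:AssumeRoleWithSAML` from that provider for assertions addressed to the AWS sign-in endpoint. The variable, role and provider names are placeholders.

```hcl
# Added illustration (not the module's source). Shows the trust relationship a
# SAML role needs; the module creates the provider and roles for you.

variable "idp_metadata_xml" {
  type        = string
  description = "Contents of GoogleIDPMetadata.xml (placeholder variable)"
}

resource "aws_iam_saml_provider" "google" {
  name                   = "google" # placeholder provider name
  saml_metadata_document = var.idp_metadata_xml
}

# Trust policy: only assertions signed by the registered provider AND addressed
# to the AWS sign-in endpoint (SAML:aud) may assume the role.
data "aws_iam_policy_document" "saml_trust" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.google.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "sso_readonly" {
  name                 = "sso-readonly" # matches the module's "sso-" prefix default
  path                 = "/sso/"        # matches the module's iam_role_path default
  assume_role_policy   = data.aws_iam_policy_document.saml_trust.json
  max_session_duration = 43200          # seconds; the module's default
}

resource "aws_iam_role_policy_attachment" "sso_readonly" {
  role       = aws_iam_role.sso_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

When reviewing the roles the module creates in the IAM console, the points to verify are the same as in this illustration: the federated principal is the SAML provider ARN, the `SAML:aud` condition is present, and `max_session_duration` matches the value you set in `role_max_session_duration`.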

Documentation generation

Documentation should be modified within main.tf and generated using terraform-docs:

terraform-docs ./

License

MIT Licensed. See LICENSE for full details.

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |

Outputs

| Name | Description |
|------|-------------|
| administrator_role_arn | Administrator role ARN |
| developer_role_arn | Developer role ARN |
| ec2fullaccess_role_arn | EC2 full access role ARN |
| poweruser_role_arn | Poweruser role ARN |
| readonly_role_arn | Read only role ARN |
| saml_provider_arn | ARN of the SAML provider |
| sysadmin_role_arn | Sysadmin role ARN |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allow_explicit_sso_admin_users | Enable a trust relationship of the SSO admin role for the user e-mails provided with `allowed_sso_admin_assume_policy_user_emails` | bool | false | no |
| allowed_sso_admin_assume_policy_user_emails | List of user e-mails explicitly allowed to use the SSO admin role | list(string) | [] | no |
| extra_policies_administrator | Any extra policy ARNs to attach to the administrator role | list(any) | [] | no |
| extra_policies_developer | Any extra policy ARNs to attach to the developer role | list(any) | [] | no |
| extra_policies_ec2fullaccess | Any extra policy ARNs to attach to the EC2 full access role | list(any) | [] | no |
| extra_policies_poweruser | Any extra policy ARNs to attach to the power user role | list(any) | [] | no |
| extra_policies_readonly | Any extra policy ARNs to attach to the read only role | list(any) | [] | no |
| extra_policies_sysadmin | Any extra policy ARNs to attach to the sysadmin role | list(any) | [] | no |
| iam_assume_role_extra_identifiers | ARNs for additional federated identity providers that can assume the roles | list(any) | [] | no |
| iam_role_path | Path of the IAM roles | string | "/sso/" | no |
| iam_role_prefix | A string prefixed to all role names | string | "sso-" | no |
| idp_data | A string containing the SAML IdP metadata | string | n/a | yes |
| role_max_session_duration | Max session duration in seconds | string | "43200" | no |
| saml_provider_name | Name of the provider. Visible in the IAM console. | string | n/a | yes |
| tags | A map of tags to add to all resources | map(string) | {} | no |