Configures the AWS side of an AWS/Okta SSO integration. Per the Okta how-to guide, this will create a SAML provider and a user with minimal IAM access to enable Okta to sync AWS roles.
Example:

```hcl
data "local_file" "metadata" {
  filename = "metadata.xml"
}

module "okta-sso" {
  source = "git::ssh://git@github.com/rhythmictech/terraform-okta-sso"

  saml_providers = {
    "someco" = data.local_file.metadata.content
  }
}
```
IAM roles are mapped to Okta groups, and users assume those roles through the Okta SAML integration. The trust relationship of each such IAM role must be modified to permit Okta access. The following `aws_iam_policy_document` is a sample policy that can be used as the assume-role policy for such a role; the `SAML:aud` condition restricts the trust to assertions whose audience is the AWS sign-in endpoint:

```hcl
data "aws_iam_policy_document" "this" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${local.account_id}:saml-provider/someco"]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
```
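The following is an added, end-to-end example that is not part of the module or its README. It combines the module call from the usage example above with the assume-role policy just shown, and attaches the role to a trust policy that only the `someco` SAML provider can use. The role name `okta-readonly`, the provider key `someco`, the use of `file()` instead of the `local_file` data source, and the choice of the AWS-managed `ReadOnlyAccess` policy are assumptions made for illustration; the account ID is resolved from `aws_caller_identity` rather than hard-coded.

```hcl
# Added example (not the module's own code). Assumed names: module instance
# "okta-sso", SAML provider key "someco", IAM role "okta-readonly".

terraform {
  required_version = ">= 0.14"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.10"
    }
  }
}

# Resolve the account ID at plan time instead of hard-coding it.
data "aws_caller_identity" "current" {}

locals {
  account_id    = data.aws_caller_identity.current.account_id
  saml_provider = "someco"
}

module "okta-sso" {
  source = "git::ssh://git@github.com/rhythmictech/terraform-okta-sso"

  saml_providers = {
    # Metadata XML downloaded from the Okta application (path is an assumption).
    (local.saml_provider) = file("${path.module}/metadata.xml")
  }
}

# Trust policy: only SAML assertions issued by the "someco" provider and
# addressed to the AWS sign-in endpoint may assume the role.
data "aws_iam_policy_document" "okta_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${local.account_id}:saml-provider/${local.saml_provider}"]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "okta_readonly" {
  name               = "okta-readonly"
  assume_role_policy = data.aws_iam_policy_document.okta_assume.json

  # One hour is the minimum; SAML sessions can be allowed up to 12 hours,
  # but keep it short for a role that maps to a broad Okta group.
  max_session_duration = 3600

  # IAM rejects a trust policy whose Federated principal does not exist yet,
  # so the SAML provider created by the module must be applied first.
  depends_on = [module.okta-sso]
}

# Permissions policy: least privilege for this illustration is read-only.
resource "aws_iam_role_policy_attachment" "okta_readonly" {
  role       = aws_iam_role.okta_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

After `terraform apply`, the role appears in Okta once the service account created by the module has synced roles; map it to an Okta group, and a user in that group who signs in to AWS through Okta lands in `okta-readonly` with only the attached permissions. Any assertion whose audience is not `https://signin.aws.amazon.com/saml`, or that was issued by a different SAML provider, fails the `AssumeRoleWithSAML` call.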
If upgrading from version 1.0 (or prior) to v2.0.0 (or later), you must be careful to properly reshuffle your SAML providers, because `saml_providers` became a map and the provider resources are now keyed by name. You can either let Terraform destroy and recreate them, or manually manage state so the existing providers are moved to their new addresses. If you are using one of the SAML providers to authenticate your Terraform session, proceed with caution: destroying that provider invalidates the session you are applying with.
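One way to do the state rename instead of letting Terraform recreate the provider, as an added example that is not part of the module's README. It uses a `moved` block (Terraform 1.1 or later) and assumes the module instance is named `okta-sso`, that the v1 provider resource address was `module.okta-sso.aws_iam_saml_provider.this`, and that the v2 map key for it is `someco`; confirm the real addresses with `terraform state list` before applying.

```hcl
# Added example (not the module's own code). The "from" address is an
# assumption about the v1 layout; the "to" address follows the v2 map key.
# Verify both with: terraform state list | grep aws_iam_saml_provider
moved {
  from = module.okta-sso.aws_iam_saml_provider.this
  to   = module.okta-sso.aws_iam_saml_provider.this["someco"]
}
```

Run `terraform plan` after adding the block and check that the plan shows the provider being moved, not destroyed and recreated; a plan containing `aws_iam_saml_provider` under "destroy" means the addresses do not match and the session-authenticating provider would be dropped mid-apply.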
Requirements:

Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 4.10 |

Providers:

Name | Version |
---|---|
aws | 5.14.0 |
No modules.
Resources:

Name | Type |
---|---|
aws_iam_access_key.this | resource |
aws_iam_group.this | resource |
aws_iam_group_policy.this | resource |
aws_iam_saml_provider.this | resource |
aws_iam_user.this | resource |
aws_iam_user_group_membership.this | resource |
aws_secretsmanager_secret.this | resource |
aws_secretsmanager_secret_version.this | resource |
aws_iam_policy_document.this | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
iam_group_name | Name of the IAM group Okta IAM policies will be attached to | string | "okta-sso" | no |
iam_user_name | Username for the Okta service account | string | "okta-sso" | no |
kms_key_id | KMS key ID used to encrypt the Okta secret | string | "" | no |
saml_providers | A map of SAML provider names and metadata | map(string) | n/a | yes |
tags | Tags to apply to supported resources | map(string) | {} | no |
Outputs:

Name | Description |
---|---|
iam_access_key_okta_user | ID of the IAM access key for the new Okta user |
iam_user_okta | User name of the new Okta user |
secretsmanager_secret_okta_user_secret_key | ARN of the Secrets Manager secret containing the new Okta user's IAM secret access key |