
terraform-aws-okta-sso


Configures the AWS side of an AWS/Okta SSO integration. Following the Okta how-to guide, this will create a SAML identity provider and an IAM user with the minimal permissions Okta needs to sync AWS roles.

Example:

```hcl
data "local_file" "metadata" {
  filename = "metadata.xml"
}

module "okta-sso" {
  source         = "git::ssh://git@github.com/rhythmictech/terraform-okta-sso"
  saml_providers = {
    "someco" = data.local_file.metadata.content
  }
}
```

IAM roles are mapped to Okta groups, and users can assume those roles via Okta SAML integration. For each such IAM role, the trust relationship needs to be modified to permit Okta access. The following aws_iam_policy_document provides a sample policy that can be used as the assume policy for a role:

```hcl
data "aws_iam_policy_document" "this" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    # Trust only the SAML provider created by this module; "someco" is the key
    # used in the saml_providers map. local.account_id must be defined in your
    # own configuration (for example from data.aws_caller_identity).
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${local.account_id}:saml-provider/someco"]
    }

    # Restrict assertions to the AWS sign-in audience so a SAML response issued
    # for another service provider cannot be replayed against this role.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}
```
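As an added example (not part of the module or the README), the following Python audits the rendered JSON of a role trust policy for the pattern above: an Allow statement for `sts:AssumeRoleWithSAML` must name the expected SAML provider ARN as its Federated principal and carry the `StringEquals` `SAML:aud` condition. The account ID and the sample policy documents are constructed; `audit_saml_trust`, `GOOD_TRUST` and `WEAK_TRUST` are names assumed here.

```python
# Audit an IAM role trust policy (the rendered JSON of an aws_iam_policy_document)
# for the Okta SAML pattern: sts:AssumeRoleWithSAML granted only to the expected
# saml-provider ARN and scoped by a StringEquals SAML:aud condition.
import copy

SAML_AUD = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    # IAM policy JSON allows a single string or a list in most positions.
    return value if isinstance(value, list) else [value]


def audit_saml_trust(policy: dict, provider_arn: str) -> list:
    """Return findings for each Allow/AssumeRoleWithSAML statement; [] means it matches."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in federated:
            findings.append(f"statement {idx}: wildcard principal trusts any federated identity")
        elif provider_arn not in federated:
            findings.append(f"statement {idx}: Federated principal is not {provider_arn}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None:
            findings.append(f"statement {idx}: missing StringEquals SAML:aud condition")
        elif SAML_AUD not in _as_list(aud):
            findings.append(f"statement {idx}: SAML:aud does not restrict to {SAML_AUD}")
    return findings


# Constructed sample: the account ID is a placeholder, "someco" is the provider name from the README.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/someco"

# Rendered form of the README's policy document (constructed to match what Terraform emits).
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": PROVIDER_ARN},
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}},
    }],
}

# Same statement with the audience condition dropped; the audit flags it.
WEAK_TRUST = copy.deepcopy(GOOD_TRUST)
del WEAK_TRUST["Statement"][0]["Condition"]
```

Feed it the `AssumeRolePolicyDocument` of each role that is mapped to an Okta group to confirm every trust policy still matches the module's expectations after an upgrade or state move.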

Upgrade Notes

If upgrading from version 1.0 (or earlier) to v2.0.0 (or later), take care to move your SAML providers correctly: either let Terraform destroy and recreate them, or manually move the resources in state to their new names. If one of those SAML providers authenticates the session you run Terraform from, proceed with caution, since recreating it can invalidate that session mid-apply.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14 |
| aws | >= 4.10 |

Providers

| Name | Version |
|------|---------|
| aws | 5.14.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_access_key.this | resource |
| aws_iam_group.this | resource |
| aws_iam_group_policy.this | resource |
| aws_iam_saml_provider.this | resource |
| aws_iam_user.this | resource |
| aws_iam_user_group_membership.this | resource |
| aws_secretsmanager_secret.this | resource |
| aws_secretsmanager_secret_version.this | resource |
| aws_iam_policy_document.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| iam_group_name | Name of the IAM group the Okta IAM policies will be attached to | `string` | `"okta-sso"` | no |
| iam_user_name | Username for the Okta service account | `string` | `"okta-sso"` | no |
| kms_key_id | KMS key ID used to encrypt the Secrets Manager secret holding the Okta user's access key | `string` | `""` | no |
| saml_providers | A map of SAML provider names to their metadata documents | `map(string)` | n/a | yes |
| tags | Tags to apply to supported resources | `map(string)` | `{}` | no |

Outputs

| Name | Description |
|------|-------------|
| iam_access_key_okta_user | ID of the IAM access key for the new Okta user |
| iam_user_okta | User name of the new Okta user |
| secretsmanager_secret_okta_user_secret_key | ARN of the Secrets Manager secret containing the new Okta user's IAM access key |