
Allow web console logins using Github credentials via SAML

Primary language: HCL. License: MIT.

cloud-platform-terraform-aws-sso

This module maps Github users to the AWS web console via SAML and implements ABAC (Attribute-based access control) using resource tags.
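The IAM shape behind that sentence, written out as an added illustration (this is not the module's own code, and it follows the pattern from the AWS ABAC-with-SAML tutorial linked under Reading Material): a role whose trust policy only accepts SAML assertions from the Auth0 provider that are addressed to the AWS sign-in endpoint, plus an ABAC permissions policy that scopes access by comparing a tag on the resource with the same tag carried on the federated session. The tag key "team", the SAML provider name "auth0", the role and policy names, and the choice of SQS as the example service are all assumptions.

```hcl
# Added example, not the module's own code. Assumed names: tag key "team",
# SAML provider "auth0", role "github-access", policy "sqs-abac-for-github".
variable "aws_account_id" {
  type = string
}

variable "aws_callback_url" {
  type    = string
  default = "https://signin.aws.amazon.com/saml"
}

# Trust policy: only the Auth0 SAML provider may assume the role, and only with an
# assertion whose audience is the AWS sign-in endpoint. sts:TagSession allows the
# assertion to attach principal tags to the session, which is what ABAC keys on.
data "aws_iam_policy_document" "federated_trust" {
  statement {
    actions = ["sts:AssumeRoleWithSAML", "sts:TagSession"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:saml-provider/auth0"]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = [var.aws_callback_url]
    }
  }
}

# ABAC permissions: the caller may only use queues whose "team" tag matches the
# "team" tag on the caller's own session. "$${...}" is HCL escaping for the literal
# "${aws:PrincipalTag/team}" that IAM evaluates at request time.
data "aws_iam_policy_document" "sqs_abac" {
  statement {
    sid       = "ListQueuesForDiscovery"
    actions   = ["sqs:ListQueues"]
    resources = ["*"]
  }

  statement {
    sid       = "TeamScopedQueueAccess"
    actions   = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:GetQueueAttributes"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/team"
      values   = ["$${aws:PrincipalTag/team}"]
    }
  }
}

resource "aws_iam_role" "github_access" {
  name               = "github-access"
  assume_role_policy = data.aws_iam_policy_document.federated_trust.json
}

resource "aws_iam_policy" "sqs_abac" {
  name   = "sqs-abac-for-github"
  policy = data.aws_iam_policy_document.sqs_abac.json
}

resource "aws_iam_role_policy_attachment" "sqs_abac" {
  role       = aws_iam_role.github_access.name
  policy_arn = aws_iam_policy.sqs_abac.arn
}
```

The security-relevant property is that no per-user or per-team role is needed: an untagged resource, or a session without a "team" tag, matches nothing, so the default is deny. The SAML:aud condition matters too, since without it any assertion the provider signs, whatever its audience, could be exchanged for the role.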

Usage

See the examples/ folder.

To run terraform apply, the AWS account ID (numeric) and the Auth0 tenant name must be passed in, the AWS profile must be set in local config, and the env vars AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET and AUTH0_DOMAIN must be exported, pointing to an Auth0 app that has create privileges in the tenant (for us, it's the one called terraform-provider-auth0).

The "add groups" Auth0 rule needs two variables defined in its rule config: AWS_ACCOUNT_ID and AWS_SAML_PROVIDER_NAME (the DNS name of the tenant).

This module sets the Auth0 rule config variable AWS_SAML_PROVIDER_NAME. AWS_ACCOUNT_ID is also needed, but for us it is already set in global-resources/auth0.tf.
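An added example of a root configuration that calls this module with the three documented inputs and also sets the AWS_ACCOUNT_ID rule config variable for tenants where it is not already defined. This is not code from the examples/ folder: the module source path, the region, and the account and tenant values are placeholders.

```hcl
# Added example root configuration, not the module's own code.
# Before running terraform apply, export AUTH0_DOMAIN, AUTH0_CLIENT_ID and
# AUTH0_CLIENT_SECRET for a machine-to-machine app with create rights in the
# tenant, and select an AWS profile (for example via AWS_PROFILE).
terraform {
  required_version = ">= 0.14"
}

variable "aws_account_id" {
  description = "The AWS Account numeric ID"
  type        = string
}

variable "auth0_tenant_domain" {
  description = "Auth0 domain, e.g. <tenant>.eu.auth0.com (placeholder)"
  type        = string
}

# Region is an assumption; the module itself reads the current region.
provider "aws" {
  region = "eu-west-2"
}

# The Auth0 provider picks up AUTH0_DOMAIN / AUTH0_CLIENT_ID / AUTH0_CLIENT_SECRET
# from the environment, so no arguments are needed here.
provider "auth0" {}

module "aws_sso" {
  # Placeholder: point this at the module's path or git URL.
  source = "<path-or-url-to-cloud-platform-terraform-aws-sso>"

  aws_account_id      = var.aws_account_id
  auth0_tenant_domain = var.auth0_tenant_domain
  # aws_callback_url defaults to https://signin.aws.amazon.com/saml
}

# The module sets AWS_SAML_PROVIDER_NAME; AWS_ACCOUNT_ID must exist too. Only add
# this resource if the tenant does not already define it elsewhere (for us it is
# managed in global-resources/auth0.tf), otherwise both configs will fight over it.
resource "auth0_rule_config" "aws_account_id" {
  key   = "AWS_ACCOUNT_ID"
  value = var.aws_account_id
}

output "saml_login_page" {
  value = module.aws_sso.saml_login_page
}
```

The Auth0 client secret is a credential with create rights in the tenant, so keep it in the environment (or a secret store that injects it) rather than in a tfvars file that ends up in version control.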

Requirements

Name       Version
terraform  >= 0.14

Providers

Name   Version
auth0  n/a
aws    n/a
curl   n/a

Modules

No modules.

Resources

Name                                                     Type
auth0_client.saml                                        resource
auth0_rule.saml_mappings                                 resource
auth0_rule_config.aws_saml_provider_name                 resource
aws_iam_policy.iam_for_github                            resource
aws_iam_policy.rds_for_github                            resource
aws_iam_policy.s3_for_github                             resource
aws_iam_policy.sns_for_github                            resource
aws_iam_policy.sqs_for_github                            resource
aws_iam_policy.vpc_for_github                            resource
aws_iam_role.github_access                               resource
aws_iam_role_policy_attachment.iam_for_github            resource
aws_iam_role_policy_attachment.rds_for_github            resource
aws_iam_role_policy_attachment.s3_for_github             resource
aws_iam_role_policy_attachment.sns_for_github            resource
aws_iam_role_policy_attachment.sqs_for_github            resource
aws_iam_role_policy_attachment.vpc_for_github            resource
aws_iam_saml_provider.auth0                              resource
aws_caller_identity.current                              data source
aws_iam_account_alias.current                            data source
aws_iam_policy_document.federated_role_trust_policy      data source
aws_iam_policy_document.iam_for_github                   data source
aws_iam_policy_document.rds_for_github                   data source
aws_iam_policy_document.s3_for_github                    data source
aws_iam_policy_document.sns_for_github                   data source
aws_iam_policy_document.sqs_for_github                   data source
aws_iam_policy_document.vpc_for_github                   data source
aws_region.current                                       data source
curl_curl.saml_metadata                                  data source

Inputs

Name                 Description                 Type    Default                               Required
auth0_tenant_domain  Auth0 domain                string  n/a                                   yes
aws_account_id       The AWS Account numeric ID  string  n/a                                   yes
aws_callback_url     AWS SSO callback URL        string  "https://signin.aws.amazon.com/saml"  no

Outputs

Name             Description
saml_login_page  n/a

Reading Material

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html