Manage AWS IAM Identity Center permission sets and account assignments with Terraform.
This pattern is twinned with terraform-aws-identity-center-users-and-groups.
```hcl
module "idc" {
  source  = "aws-samples/identity-center/aws"
  version = "1.0.1"

  permission_sets     = "./permission_sets.yml"
  account_assignments = "./account_assignments.yml"
}
```

`permission_sets` and `account_assignments` are defined using YAML templates. These module inputs should point at the YAML file locations. See the example `permission_sets.yml` and `account_assignments.yml`.
```hcl
module "idc" {
  ...
  policies = "./policies/"
}
```

`policies` is used for inline policies on permission sets. This input should point at a directory of IAM policy JSON files. See the example `policies` directory.
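Because every file in the `policies` directory becomes an inline policy attached to a permission set, it is worth linting that directory before `terraform apply`. The following is an added example (not part of this module) that checks each JSON file parses and flags `Allow` statements that grant `*` or a service-wide `service:*` action on every resource; the two sample policy files it writes are constructed for the example, and the module's YAML schema is not assumed.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample inline policies, as they might sit in ./policies/ (not the module's own files).
SAMPLE_POLICIES = {
    "s3-readonly.json": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
    "too-broad.json": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Return findings for one IAM policy document (an empty list means clean)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        on_all_resources = "*" in _as_list(stmt.get("Resource", []))
        if "*" in actions and on_all_resources:
            findings.append(f"statement {i}: Allow * on * grants full administrator access")
        elif on_all_resources and any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action on every resource")
    return findings

def lint_directory(policies_dir):
    """Lint every *.json file in a policies directory; returns {filename: findings}."""
    results = {}
    for path in sorted(Path(policies_dir).glob("*.json")):
        try:
            results[path.name] = lint_policy(json.loads(path.read_text()))
        except json.JSONDecodeError as exc:
            results[path.name] = [f"invalid JSON: {exc}"]
    return results

def write_samples(target_dir=None):
    """Write the constructed samples (to a temp dir by default) so the linter runs offline."""
    target = Path(target_dir or tempfile.mkdtemp())
    target.mkdir(parents=True, exist_ok=True)
    for name, doc in SAMPLE_POLICIES.items():
        (target / name).write_text(json.dumps(doc, indent=2))
    return target
```

Point `lint_directory` at the real `./policies/` directory (instead of `write_samples()`) to run it as a pre-apply check.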
This pattern does not set up users and groups. These are typically handled by an external Identity Provider (IdP).
If you are not using an IdP and want to create groups in Identity Center, use this pattern: terraform-aws-identity-center-users-and-groups.
We have deliberately segregated the two patterns:
- You may be using an external IdP
- You may be planning to use an external IdP and want to build a pattern that can be de-coupled in the future
- At scale, any explicit or implicit dependencies (`depends_on`) between account assignments and group membership can have unintended consequences. Example: with a dependency, adding a user to a group can cause Terraform to refresh all account assignments that feature that group (into the 100s or 1000s, depending on the scale of your AWS Organization).
This pattern can be used with delegated administration in Identity Center. Separate instances of the pattern would need to be deployed to the management account and delegated account.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.