Terraform module to provision the SSOSync Lambda

Terraform Module for AWS/Google SSO Sync

This module deploys the AWS/Google SSOSync Lambda. You must follow the instructions in the SSOSync project to prepare your Google directory, create your Google credentials, and prepare your SCIM endpoint. Before using this module, Google must already be configured as the SAML identity provider for IAM Identity Center.

It is recommended that you deploy this module in the delegated administrator account for IAM Identity Center.

Usage:

module "sso_sync" {
  source = "github.com/thoughtbot/terraform-aws-google-sso?ref=VERSION"

  google_admin_email         = "google-admin@example.com"
  google_credentials         = local.secrets.GoogleCredentials
  google_group_match         = "email:aws-*"
  name                       = "aws-google-sso-sync"
  scim_endpoint_access_token = local.secrets.SCIMEndpointAccessToken
  scim_endpoint_url          = local.secrets.SCIMEndpointUrl
  semantic_version           = "2.0.2"
}


locals {
  secrets = jsondecode(
    data.aws_secretsmanager_secret_version.sso_sync.secret_string
  )
}

data "aws_secretsmanager_secret_version" "sso_sync" {
  secret_id = "aws-google-sso-sync"
}
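The usage block above reads three keys (GoogleCredentials, SCIMEndpointAccessToken, SCIMEndpointUrl) out of a Secrets Manager secret but does not show how that secret is created. The following is an added example, not part of the thoughtbot module, of populating that secret from sensitive Terraform variables and wiring it into the module call; the variable names are assumptions, and the key names match the local.secrets references used above.

```hcl
# Added example: create the "aws-google-sso-sync" secret that the module
# usage decodes. Variable names are assumptions; values are supplied at
# apply time (e.g. TF_VAR_...), never committed to source control.

variable "google_credentials_json" {
  type      = string # contents of the Google service account key file
  sensitive = true
}

variable "scim_endpoint_access_token" {
  type      = string # token from IAM Identity Center automatic provisioning
  sensitive = true
}

variable "scim_endpoint_url" {
  type = string # SCIM endpoint URL from the same provisioning screen
}

resource "aws_secretsmanager_secret" "sso_sync" {
  name = "aws-google-sso-sync"
}

resource "aws_secretsmanager_secret_version" "sso_sync" {
  secret_id = aws_secretsmanager_secret.sso_sync.id
  secret_string = jsonencode({
    GoogleCredentials       = var.google_credentials_json
    SCIMEndpointAccessToken = var.scim_endpoint_access_token
    SCIMEndpointUrl         = var.scim_endpoint_url
  })
}

locals {
  # Same shape as in the usage block, read from the resource just created
  secrets = jsondecode(aws_secretsmanager_secret_version.sso_sync.secret_string)
}

module "sso_sync" {
  source = "github.com/thoughtbot/terraform-aws-google-sso?ref=VERSION"

  google_admin_email         = "google-admin@example.com"
  google_credentials         = local.secrets.GoogleCredentials
  google_group_match         = "email:aws-*"
  scim_endpoint_access_token = local.secrets.SCIMEndpointAccessToken
  scim_endpoint_url          = local.secrets.SCIMEndpointUrl
  semantic_version           = "2.0.2"
}

output "sso_sync_stack_id" {
  value = module.sso_sync.stack_id
}
```

Marking the variables `sensitive` keeps the values out of plan output, but they are still written to Terraform state, so the state backend needs the same access controls and encryption as the secret itself; if that is not acceptable, create the secret out of band and keep only the `aws_secretsmanager_secret_version` data source shown in the usage block.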

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | ~> 4.0 |

Providers

| Name | Version |
|---|---|
| aws | ~> 4.0 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_serverlessapplicationrepository_cloudformation_stack.this | resource |
| aws_region.current | data source |
| aws_ssoadmin_instances.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_id | ID of the serverless application to deploy; defaults to the official SSOSync application | string | null | no |
| google_admin_email | Email address of the Google admin who created the service account | string | n/a | yes |
| google_credentials | Service account credentials for syncing users and groups | string | n/a | yes |
| google_group_match | Pattern for finding which groups to sync (default: all) | string | "" | no |
| google_ignore_groups | Google groups to ignore (default: none) | string | "" | no |
| google_ignore_users | Google users to ignore (default: none) | string | "" | no |
| google_user_match | Pattern for finding which users to sync (default: all users in matched groups) | string | "" | no |
| identity_store_id | ID of the identity store to sync; defaults to the first store | string | null | no |
| name | Name of the CloudFormation stack | string | "aws-google-sso-sync" | no |
| region | AWS region in which to deploy the Lambda; defaults to the current region | string | null | no |
| scim_endpoint_access_token | Access token for the AWS SCIM provisioner | string | n/a | yes |
| scim_endpoint_url | URL of the AWS SCIM provisioner | string | n/a | yes |
| semantic_version | Version of SSOSync to deploy | string | n/a | yes |
| tags | Tags to apply to created resources | map(string) | {} | no |

Outputs

| Name | Description |
|---|---|
| stack_id | ID of the created CloudFormation stack |
| stack_outputs | Outputs from the CloudFormation stack |