Module Banner

terraform-aws-arc-iam-identity-center ¶

Module: sourcefuse/arc-iam-identity-center/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-iam-identity-center/aws

Category: Security / Identity

Source: https://github.com/sourcefuse/terraform-aws-arc-iam-identity-center

Overview¶

Manages AWS IAM Identity Center (SSO) — permission sets, account assignments, and user/group provisioning — for centralized multi-account access.

What It Does¶

Permission sets with AWS managed and inline policies
Account assignments for users and groups
Auto-discovery of Identity Center instance
Session duration configuration
Support for multiple accounts and organizational units

For more information about this repository and its usage, please see Terraform AWS IAM IDENTITY CENTER Usage Guide.

Quickstart¶

provider "aws" {
  region = var.region
}

variable "region" {
  description = "AWS region"
  type        = string
  default     = "us-east-1"
}

module "aws_sso" {
  source = "sourcefuse/arc-iam-identity-center/aws"

  # Identity Center Configuration (optional - auto-discovers if not provided)
  identity_center_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef"

  # Permission Sets
  permission_sets = {
    "AdminAccess" = {
      description      = "Full administrative access"
      session_duration = "PT8H"
      aws_managed_policies = [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ]
    }
    "ReadOnlyAccess" = {
      description      = "Read-only access across AWS services"
      session_duration = "PT4H"
      aws_managed_policies = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
      ]
    }
  }

  # Create Groups
  identity_store_groups = {
    "Admins" = {
      display_name = "Administrators"
      description  = "System administrators"
    }
    "Developers" = {
      display_name = "Developers"
      description  = "Development team"
    }
  }

  # Account Assignments
  account_assignments = {
    "admins-full-access" = {
      permission_set_name = "AdminAccess"
      principal_type      = "GROUP"
      principal_id        = "Admins"
      target_type         = "AWS_ACCOUNT"
      target_id          = "123456789012"
    }
    "devs-readonly" = {
      permission_set_name = "ReadOnlyAccess"
      principal_type      = "GROUP"
      principal_id        = "Developers"
      target_type         = "AWS_ACCOUNT"
      target_id          = "123456789012"
    }
  }

  tags = {
    Environment = "production"
    Project     = "identity-management"
    Owner       = "platform-team"
  }
}

Complete User, Group Management Setup (Recommended)¶

provider "aws" {
  region = var.region
}

variable "region" {
  description = "AWS region"
  type        = string
  default     = "us-east-1"
}

module "aws_sso" {
  source = "sourcefuse/arc-iam-identity-center/aws"

  identity_center_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef"

  # Permission Sets with clear descriptions
  permission_sets = {
    "FullAdmin" = {
      description      = "FULL ADMIN - Complete AWS access (use with caution)"
      session_duration = "PT2H"
      aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    }
    "Developer" = {
      description      = "DEVELOPER - Can create/modify most resources except IAM"
      session_duration = "PT8H"
      aws_managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
    }
    "ReadOnly" = {
      description      = "READ ONLY - Can view all resources but cannot modify"
      session_duration = "PT12H"
      aws_managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
    }
  }

  # Users with groups and direct assignments in one place
  identity_store_users = {
    "john.manager" = {
      user_name    = "john.manager"
      display_name = "John Manager"
      given_name   = "John"
      family_name  = "Manager"
      email        = "john.manager@company.com"
      title        = "Engineering Manager"

      # Groups this user belongs to
      groups = ["Managers"]

      # Direct assignments (optional)
      direct_assignments = []
    }

    "alice.developer" = {
      user_name    = "alice.developer"
      display_name = "Alice Developer"
      given_name   = "Alice"
      family_name  = "Developer"
      email        = "alice.developer@company.com"
      title        = "Senior Software Engineer"

      # Groups this user belongs to
      groups = ["SeniorDevelopers"]

      # Additional direct access beyond group permissions
      direct_assignments = [
        {
          permission_set = "Developer"
          account_id     = "111111111111"  # Production account
          reason         = "Senior dev needs prod deployment access"
        }
      ]
    }
  }

  # Groups
  identity_store_groups = {
    "Managers" = {
      display_name = "Managers"
      description  = "Engineering and team managers"
    }
    "SeniorDevelopers" = {
      display_name = "Senior Developers"
      description  = "Experienced developers with advanced permissions"
    }
  }

  # Group-based account assignments
  account_assignments = {
    "managers-admin-prod" = {
      permission_set_name = "FullAdmin"
      principal_type      = "GROUP"
      principal_id        = "Managers"
      target_type         = "AWS_ACCOUNT"
      target_id          = "111111111111"
    }
    "senior-devs-dev-access" = {
      permission_set_name = "Developer"
      principal_type      = "GROUP"
      principal_id        = "SeniorDevelopers"
      target_type         = "AWS_ACCOUNT"
      target_id          = "222222222222"
    }
  }

  tags = {
    Environment = "multi-account"
    Project     = "arc"
    Owner       = "platform-team"
  }
}

Advanced Setup with Custom Policies¶

provider "aws" {
  region = var.region
}

variable "region" {
  description = "AWS region"
  type        = string
  default     = "us-east-1"
}

module "aws_sso" {
  source = "sourcefuse/arc-iam-identity-center/aws"

  identity_center_instance_arn = "arn:aws:sso:::instance/ssoins-1234567890abcdef"

  # Advanced permission sets with all policy types
  permission_sets = {
    "DataScientist" = {
      description      = "Data science and analytics access"
      session_duration = "PT12H"

      # AWS Managed Policies
      aws_managed_policies = [
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
        "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly"
      ]

      # Customer Managed Policies (must exist in your account)
      customer_managed_policies = [
        {
          name = "DataLakeAccess"
          path = "/data-science/"
        }
      ]

      # Inline Policy for specific permissions
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            Action = [
              "sagemaker:CreateNotebookInstance",
              "sagemaker:StartNotebookInstance"
            ]
            Resource = "*"
            Condition = {
              StringEquals = {
                "aws:RequestedRegion" = ["us-east-1", "us-west-2"]
              }
            }
          }
        ]
      })

      # Permission Boundary for security
      permissions_boundary = {
        customer_managed_policy_reference = {
          name = "DataScientistBoundary"
          path = "/boundaries/"
        }
      }
    }
  }

  # Rest of configuration...
  identity_store_groups = {
    "DataScience" = {
      display_name = "Data Science Team"
      description  = "Data scientists and ML engineers"
    }
  }

  account_assignments = {
    "datascience-prod" = {
      permission_set_name = "DataScientist"
      principal_type      = "GROUP"
      principal_id        = "DataScience"
      target_type         = "AWS_ACCOUNT"
      target_id          = "111111111111"
    }
  }

  tags = {
    Environment = "production"
    Project     = "advanced-sso"
    Owner       = "data-team"
  }
}

Required Inputs¶

Name	Type	Description
`permission_sets`	`map(object)`	Permission set definitions
`account_assignments`	`list(object)`	Account-to-principal-to-permission-set mappings
## Key Outputs

Name	Description
`permission_set_arns`	Map of permission set name to ARN
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

License¶

This project is licensed under the MIT License - see the LICENSE file for details.

Requirements¶

Name	Version
terraform	>= 1.5.0
aws	>= 5.0, < 7.0

Providers¶

Name	Version
aws	4.67.0

Modules¶

No modules.

Resources¶

Name	Type
aws_identitystore_group.main	resource
aws_identitystore_group_membership.main	resource
aws_identitystore_user.main	resource
aws_ssoadmin_account_assignment.main	resource
aws_ssoadmin_application.main	resource
aws_ssoadmin_application_assignment.main	resource
aws_ssoadmin_customer_managed_policy_attachment.customer_managed	resource
aws_ssoadmin_managed_policy_attachment.aws_managed	resource
aws_ssoadmin_permission_set.main	resource
aws_ssoadmin_permission_set_inline_policy.inline	resource
aws_ssoadmin_permissions_boundary_attachment.boundary	resource
aws_ssoadmin_instances.existing	data source

Inputs¶

Name	Description	Type	Default	Required
account_assignments	Map of account assignments to create	map(object({ permission_set_name = string principal_type = string principal_id = string target_type = string target_id = string }))	`{}`	no
application_assignments	Map of application assignments to create	map(object({ application_name = string principal_type = string principal_id = string }))	`{}`	no
applications	Map of applications to create	map(object({ name = string description = optional(string, "") application_provider_arn = string portal_options = optional(object({ sign_in_options = optional(object({ origin = string application_url = optional(string) })) visibility = optional(string, "ENABLED") })) tags = optional(map(string), {}) }))	`{}`	no
group_memberships	Map of group memberships to create	map(object({ group_name = string user_name = string }))	`{}`	no
identity_center_instance_arn	ARN of existing Identity Center instance (optional - will auto-discover if not provided)	`string`	`null`	no
identity_store_groups	Map of Identity Store groups to create	map(object({ display_name = string description = optional(string, "") }))	`{}`	no
identity_store_users	Map of Identity Store users to create	map(object({ user_name = string display_name = optional(string) given_name = string family_name = string email = string locale = optional(string, "en-US") nickname = optional(string) timezone = optional(string, "UTC") title = optional(string) groups = optional(list(string), []) direct_assignments = optional(list(object({ permission_set = string account_id = string reason = optional(string, "") })), []) }))	`{}`	no
name_prefix	Prefix for resource names	`string`	`""`	no
name_suffix	Suffix for resource names	`string`	`""`	no
permission_sets	Map of permission sets to create	map(object({ description = optional(string, "") session_duration = optional(string, "PT1H") relay_state = optional(string) aws_managed_policies = optional(list(string), []) customer_managed_policies = optional(list(object({ name = string path = optional(string, "/") })), []) inline_policy = optional(string) permissions_boundary = optional(object({ customer_managed_policy_reference = optional(object({ name = string path = optional(string, "/") })) managed_policy_arn = optional(string) })) tags = optional(map(string), {}) }))	`{}`	no
tags	A map of tags to assign to all resources	`map(string)`	`{}`	no

Outputs¶

Name	Description
account_assignments	Map of created account assignments
application_assignments	Map of created application assignments
applications	Map of created applications
identity_center_instance_arn	ARN of the Identity Center instance
identity_store_groups	Map of created Identity Store groups
identity_store_id	ID of the Identity Store
identity_store_users	Map of created Identity Store users
permission_sets	Map of created permission sets

Development¶

Prerequisites¶

Configurations¶

Configure pre-commit hooks
1
pre-commit install

Configure golang deps for tests

go get github.com/gruntwork-io/terratest/modules/terraform
go get github.com/stretchr/testify/assert

Git commits¶

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

git commit -m "your commit message #major"

By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly

Contributing¶

See CONTRIBUTING.md for commit conventions and development setup.

Authors¶

This project is authored by: - SourceFuse

terraform-aws-arc-iam-identity-center¶