| 1 | +# Terraform AWS ARC IAM Identity Center Module Usage Guide |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +### Purpose of the Document |
| 6 | + |
| 7 | +This document provides guidelines and instructions for users looking to implement the Terraform AWS ARC IAM Identity Center module for managing AWS SSO resources. |
| 8 | + |
| 9 | +### Module Overview |
| 10 | + |
| 11 | +The Terraform AWS ARC IAM Identity Center module provides a secure and modular foundation for deploying and managing AWS IAM Identity Center (AWS SSO) resources on AWS, including permission sets, users, groups, and account assignments. |
| 12 | + |
| 13 | +### Prerequisites |
| 14 | + |
| 15 | +Before using this module, ensure you have the following: |
| 16 | + |
| 17 | +- AWS credentials configured with appropriate IAM Identity Center permissions. |
| 18 | +- Terraform installed (>= 1.5.0). |
| 19 | +- AWS CLI configured (optional but recommended). |
| 20 | +- A working knowledge of AWS IAM Identity Center, AWS Organizations, and Terraform concepts. |
| 21 | +- An existing AWS IAM Identity Center instance (or the module will auto-discover it). |
| 22 | + |
| 23 | +## Getting Started |
| 24 | + |
| 25 | +### Module Source |
| 26 | + |
| 27 | +To use the module in your Terraform configuration, include the following source block: |
| 28 | + |
| 29 | +```hcl |
| 30 | +provider "aws" { |
| 31 | + region = var.region |
| 32 | +} |
| 33 | +
|
| 34 | +variable "region" { |
| 35 | + description = "AWS region" |
| 36 | + type = string |
| 37 | + default = "us-east-1" |
| 38 | +} |
| 39 | +
|
| 40 | +module "aws_sso" { |
| 41 | + source = "sourcefuse/arc-iam-identity-center/aws" |
| 42 | + version = "~> 1.0" |
| 43 | +
|
| 44 | + # Basic configuration |
| 45 | + permission_sets = { |
| 46 | + "AdminAccess" = { |
| 47 | + description = "Full administrative access" |
| 48 | + session_duration = "PT8H" |
| 49 | + aws_managed_policies = [ |
| 50 | + "arn:aws:iam::aws:policy/AdministratorAccess" |
| 51 | + ] |
| 52 | + } |
| 53 | + } |
| 54 | +
|
| 55 | + identity_store_groups = { |
| 56 | + "Admins" = { |
| 57 | + display_name = "Administrators" |
| 58 | + description = "System administrators" |
| 59 | + } |
| 60 | + } |
| 61 | +
|
| 62 | + account_assignments = { |
| 63 | + "admins-full-access" = { |
| 64 | + permission_set_name = "AdminAccess" |
| 65 | + principal_type = "GROUP" |
| 66 | + principal_id = "Admins" |
| 67 | + target_type = "AWS_ACCOUNT" |
| 68 | + target_id = "123456789012" |
| 69 | + } |
| 70 | + } |
| 71 | +
|
| 72 | + tags = { |
| 73 | + Environment = "production" |
| 74 | + Project = "identity-management" |
| 75 | + } |
| 76 | +} |
| 77 | +``` |
| 78 | + |
| 79 | +Refer to the [Terraform Registry](https://registry.terraform.io/modules/sourcefuse/arc-iam-identity-center/aws/latest) for the latest version. |
| 80 | + |
| 81 | +### Integration with Existing Terraform Configurations |
| 82 | + |
| 83 | +Integrate the module with your existing Terraform mono repo configuration, follow the steps below: |
| 84 | + |
| 85 | +- Create a new folder in terraform/ named `iam-identity-center`. |
| 86 | +- Create the required files, see the examples to base off of. |
| 87 | +- Configure with your backend: |
| 88 | + - Create the environment backend configuration file: config.<environment>.hcl |
| 89 | + - region: Where the backend resides |
| 90 | + - key: iam-identity-center/terraform.tfstate |
| 91 | + - bucket: Bucket name where the terraform state will reside |
| 92 | + - dynamodb_table: Lock table so there are not duplicate tfplans in the mix |
| 93 | + - encrypt: Encrypt all traffic to and from the backend |
| 94 | + |
| 95 | +### Required AWS Permissions |
| 96 | + |
| 97 | +Ensure that the AWS credentials used to execute Terraform have the necessary permissions to create, list and modify: |
| 98 | + |
| 99 | +- IAM Identity Center instances and configurations |
| 100 | +- SSO Admin permission sets and policy attachments |
| 101 | +- SSO Admin account assignments |
| 102 | +- Identity Store users and groups |
| 103 | +- Identity Store group memberships |
| 104 | +- SSO Admin applications and application assignments |
| 105 | + |
| 106 | +## Module Configuration |
| 107 | + |
| 108 | +### Input Variables |
| 109 | + |
| 110 | +For a list of input variables, see the README [Inputs](../../README.md#inputs) section. |
| 111 | + |
| 112 | +### Output Values |
| 113 | + |
| 114 | +For a list of outputs, see the README [Outputs](../../README.md#outputs) section. |
| 115 | + |
| 116 | +## Module Usage |
| 117 | + |
| 118 | +### Basic Usage |
| 119 | + |
| 120 | +For basic usage, see the [examples](../../examples/) folder. |
| 121 | + |
| 122 | +This example will create: |
| 123 | + |
| 124 | +- Permission sets with AWS managed policies |
| 125 | +- Identity Store groups for organizing users |
| 126 | +- Account assignments linking groups to AWS accounts |
| 127 | +- Proper IAM policies and permissions for SSO access |
| 128 | + |
| 129 | +### Tips and Recommendations |
| 130 | + |
| 131 | +- The module focuses on provisioning IAM Identity Center resources following AWS best practices. The convention-based approach enables easy management of users, groups, and permissions across multiple AWS accounts. |
| 132 | +- Use the `complete-user-group-management` example for the most intuitive user management experience. |
| 133 | +- Consider using group-based assignments rather than direct user assignments for better maintainability. |
| 134 | +- Set appropriate session durations based on security requirements and user needs. |
| 135 | +- Use permission boundaries for additional security controls when needed. |
| 136 | +- Adjust the configuration parameters as needed for your specific use case. |
| 137 | + |
| 138 | +## Troubleshooting |
| 139 | + |
| 140 | +### Reporting Issues |
| 141 | + |
| 142 | +If you encounter a bug or issue, please report it on the [GitHub repository](https://github.com/sourcefuse/terraform-aws-arc-iam-identity-center/issues). |
| 143 | + |
| 144 | +## Security Considerations |
| 145 | + |
| 146 | +### AWS IAM Identity Center |
| 147 | + |
| 148 | +Understand the security considerations related to IAM Identity Center on AWS when using this module: |
| 149 | + |
| 150 | +- Identity Center operates at the organization level and requires AWS Organizations |
| 151 | +- Permission sets define what users can do in assigned accounts |
| 152 | +- Session durations should be set based on security requirements |
| 153 | +- Use permission boundaries for additional security controls |
| 154 | +- Regular audit of user access and permissions is recommended |
| 155 | + |
| 156 | +### Best Practices for AWS IAM Identity Center |
| 157 | + |
| 158 | +Follow best practices to ensure secure IAM Identity Center configurations: |
| 159 | + |
| 160 | +- [AWS IAM Identity Center Security Best Practices](https://docs.aws.amazon.com/singlesignon/latest/userguide/security-best-practices.html) |
| 161 | +- Use least privilege principle when creating permission sets |
| 162 | +- Implement proper group-based access control |
| 163 | +- Enable CloudTrail logging for audit purposes |
| 164 | +- Use MFA for enhanced security |
| 165 | +- Regularly review and rotate access permissions |
| 166 | + |
| 167 | +## Contributing and Community Support |
| 168 | + |
| 169 | +### Contributing Guidelines |
| 170 | + |
| 171 | +Contribute to the module by following the guidelines outlined in the [CONTRIBUTING.md](../../CONTRIBUTING.md) file. |
| 172 | + |
| 173 | +### Reporting Bugs and Issues |
| 174 | + |
| 175 | +If you find a bug or issue, report it on the [GitHub repository](https://github.com/sourcefuse/terraform-aws-arc-iam-identity-center). |
| 176 | + |
| 177 | +## License |
| 178 | + |
| 179 | +### License Information |
| 180 | + |
| 181 | +This module is licensed under the Apache 2.0 license. Refer to the [LICENSE](../../LICENSE) file for more details. |
| 182 | + |
| 183 | +### Open Source Contribution |
| 184 | + |
| 185 | +Contribute to open source by using and enhancing this module. Your contributions are welcome! |
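Review bot: the backend bullet `encrypt: Encrypt all traffic to and from the backend` misdescribes the S3 backend's `encrypt` setting, which enables server-side encryption of the state object at rest in the bucket; transport to S3 is TLS regardless of this flag, so suggest `encrypt: Encrypt the state file at rest in the bucket`. The neighbouring `dynamodb_table` bullet should likewise say the table provides state locking so two concurrent runs cannot both write state, since "duplicate tfplans in the mix" does not describe what the lock prevents. Two smaller points in the same hunk: the "Reporting Issues" subsection under Troubleshooting and the "Reporting Bugs and Issues" subsection under Contributing say the same thing but link to different URLs (the `/issues` page versus the repository root), so drop one or point both at the issues page; and the Module Source example attaches `AdministratorAccess` with `session_duration = "PT8H"`, which sits uneasily next to the later guidance to set session durations from security requirements, so either use a shorter duration in the example or add a comment that the value is illustrative.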