π‘ Learn more about Masterpoint below.
This Terraform module provisions, configures, and manages AWS IAM Identity Center (SSO) with built-in user provisioning, including assigning users, groups, and permission sets.
- This is designed to be seamless for organizations that want to manage users within the AWS Identity Center directory as their identity source instead of an external identity provider (such as Okta, Azure Active Directory, etc.). This means that all users are managed by IaC.
- Authentication is handled by AWS Identity Center. Upon user creation by TF, the user will be in AWS Identity Center directory.
- However, the AWS Terraform provider does not support the setting the option to send credentials/verification email after creation, so the administrator must go into the AWS Identity Center directory console and and enable "Send email OTP for users created from API", or manually request to send a verification email per each user so users can reset their own password.
- However, the AWS Terraform provider does not support the setting the option to send credentials/verification email after creation, so the administrator must go into the AWS Identity Center directory console and and enable "Send email OTP for users created from API", or manually request to send a verification email per each user so users can reset their own password.
- You will need to manually (ClickOps) enable AWS Identity Center & create an SSO instance in the AWS account that you want to be set as the "management account" for your organization. See https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html.
- The SSO instance itself is not managed by Terraform, there is no Terraform resource for it. Settings like MFA configurations must be updated on the AWS console ClickOps.
- After enabling, Terraform can reference it using the
data "aws_ssoadmin_instances" "sso" {}data source.
data "aws_ssoadmin_instances" "sso" {}
locals {
instance_arn = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]
}
module "aws_sso" {
source = "github.com/masterpointio/terraform-aws-identity-center-users?ref=v1.x.x"
instance_arn = local.instance_arn
identity_store_id = local.identity_store_id
users = [
{
user_name = "john.doe"
given_name = "John"
family_name = "Doe"
email = "[email protected]"
},
]
groups = [
{
name = "Administrators"
description = "Full administrative access"
members = ["john.doe"]
assignments = [
{
permission_set = "AdministratorAccess"
account_ids = ["123456789012", "234567890123"]
}
]
},
]
permission_sets = [
{
name = "AdministratorAccess"
description = "Full administrator access to an account."
session_duration = "PT12H"
managed_policies = [
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
]
}Here are some examples of using this module:
examples/complete- example using atfvarsfile to manage users, groups, and permission setsexamples/json-user-management- example using ajsonfile to manage users, groups, and permission setsexamples/yaml-user-management- example using ayamlfile to manage users, groups, and permission sets
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 5.0 |
| Name | Version |
|---|---|
| aws | >= 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_identitystore_group.groups | resource |
| aws_identitystore_group_membership.memberships | resource |
| aws_identitystore_user.users | resource |
| aws_ssoadmin_account_assignment.assignments | resource |
| aws_ssoadmin_customer_managed_policy_attachment.customer_policies | resource |
| aws_ssoadmin_managed_policy_attachment.policies | resource |
| aws_ssoadmin_permission_set.permissions | resource |
| aws_ssoadmin_permission_set_inline_policy.inline_policies | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| groups | List of SSO groups | list(object({ |
n/a | yes |
| identity_store_id | Identity store ID | string |
n/a | yes |
| instance_arn | SSO instance ARN | string |
n/a | yes |
| permission_sets | List of permission sets | list(object({ |
n/a | yes |
| users | List of SSO users | list(object({ |
n/a | yes |
| Name | Description |
|---|---|
| account_assignments | List of account assignments. |
| group_memberships | List of group memberships. |
| groups | Map of groups. |
| permission_sets | Map of permission sets. |
| users | Map of users. |
Powered by the Masterpoint team and driven forward by contributions from the community β€οΈ
Contributions are welcome and appreciated!
Found an issue or want to request a feature? Open an issue
Want to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR β we'll check it out.
Established in 2016, Masterpoint is a team of experienced software and platform engineers specializing in Infrastructure as Code (IaC). We provide expert guidance to organizations of all sizes, helping them leverage the latest IaC practices to accelerate their engineering teams.
Our mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence. By open-sourcing tools and modules that we use internally, we aim to contribute back to the community, promoting consistency, quality, and security.
- π Open Source: We live and breathe open source, contributing to and maintaining hundreds of projects across multiple organizations.
- π 1% for the Planet: Demonstrating our commitment to environmental sustainability, we are proud members of 1% for the Planet, pledging to donate 1% of our annual sales to environmental nonprofits.
- πΊπ¦ 1% Towards Ukraine: With team members and friends affected by the ongoing Russo-Ukrainian war, we donate 1% of our annual revenue to invasion relief efforts, supporting organizations providing aid to those in need. Here's how you can help Ukraine with just a few clicks.
We're active members of the community and are always publishing content, giving talks, and sharing our hard earned expertise. Here are a few ways you can see what we're up to:
... and be sure to connect with our founder, Matt Gowie.
Copyright Β© 2016-2025 Masterpoint Consulting LLC