Implement AWS SSO resource #15540

Closed
onitake opened this issue Oct 7, 2020 · 6 comments
Labels: enhancement (Requests to existing resources that expand the functionality or scope), service/ssoadmin (Issues and PRs that pertain to the ssoadmin service)

Comments
@onitake (Contributor) commented Oct 7, 2020

Description

Quote from the AWS documentation:

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.

The AWS SSO service has had a very limited API until now, requiring manual interaction with the AWS console to configure its aspects. This has changed recently, and most of the functionality is now accessible via a public API.

At the moment, there is no API to create new SSO instances, but it seems like there can only be one instance per account. Perhaps it's possible to retrieve the list of available SSO instances with a ListInstances call and simply use the first one available. Or, the user needs to select an instance by ARN explicitly.

To retrieve group and user GUIDs by name, the AWS SSO Identity Store API could be used.

New or Affected Resource(s)

  • aws_sso

Potential Terraform Configuration

Here is one example for the AttachManagedPolicyToPermissionSet and CreateAccountAssignment APIs:

```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy" "administrator" {
  arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_sso_permission_set" "set" {
  sso_arn          = "InstanceArn"
  name             = "Name"
  description      = "Description"
  session_duration = "8h"
}

resource "aws_sso_managed_policy_attachment" "attachment" {
  sso_arn            = "InstanceArn"
  policy_arn         = data.aws_iam_policy.administrator.arn
  permission_set_arn = aws_sso_permission_set.set.arn
}

resource "aws_sso_account_assignment" "assignment" {
  sso_arn            = "InstanceArn"
  permission_set_arn = aws_sso_permission_set.set.arn
  # principal_group is mutually exclusive with principal_user
  principal_group = "group-name"
  target_account  = data.aws_caller_identity.current.account_id
}
```

@onitake onitake added the enhancement Requests to existing resources that expand the functionality or scope. label Oct 7, 2020
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Oct 7, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 7, 2020
@ghost ghost added the service/sts Issues and PRs that pertain to the sts service. label Oct 7, 2020
@anGie44 anGie44 added service/ssoadmin Issues and PRs that pertain to the ssoadmin service. enhancement Requests to existing resources that expand the functionality or scope. and removed enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. service/iam Issues and PRs that pertain to the iam service. service/sts Issues and PRs that pertain to the sts service. labels Oct 7, 2020
@burck1 (Contributor) commented Oct 7, 2020

I've got a draft PR (#15322) for #15108 which would relate to this. For that PR, the plan is currently to implement an aws_sso_assignment resource with a target_type = "AWS_ACCOUNT" property. This is based on how AWS has designed the AWS::SSO::Assignment CloudFormation resource. Check out the description in the draft PR (#15322) for how it's currently designed.

@burck1 (Contributor) commented Nov 3, 2020

To help us to continue to move forward, please go give a thumbs up on #15808.

We've completed most of the work for supporting the AWS SSO and AWS SSO Identity Store resources and datasources in Terraform. The #15322 [WIP] PR encompasses all of that work. But, the contribution guide for this repo recommends submitting small pull requests with the minimum required resources, so we've submitted #15808 as our initial PR with just data.aws_sso_instance, data.aws_sso_permission_set, and aws_sso_permission_set. Once that's merged, we will submit PRs for all of the other resources and data sources since they depend on that initial PR.

@anGie44 (Contributor) commented Jan 8, 2021

Hi @onitake et al. 👋 Noting here initial support for managing SSO permission sets, inline and managed policy attachments has been released with v3.23.0 of the Terraform AWS Provider. We expect the new data-source and resources introduced in #15322 (identity_store users and groups, and sso account assignment) will be in a forthcoming release.

v3.23.0 of the Terraform AWS Provider includes the following:

  • ssoadmin_permission_set (data-source and resource)
  • ssoadmin_instances (data-source)
  • ssoadmin_managed_policy_attachment (resource)
  • ssoadmin_permission_set_inline_policy (resource)

@anGie44 anGie44 modified the milestones: Roadmap, v3.24.0 Jan 14, 2021
@anGie44 (Contributor) commented Jan 14, 2021

Hi again @onitake et al. 👋 Noting here that additional support for managing SSO Account Assignments and reading individual IdentityStore User and Group has been merged and will release with v3.24.0 of the Terraform AWS Provider, likely out later today.

Added support includes:

  • data_source_aws_identitystore_user
  • data_source_aws_identitystore_group
  • resource_aws_ssoadmin_account_assignment

@anGie44 anGie44 closed this as completed Jan 14, 2021
@ghost commented Jan 15, 2021

This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost commented Feb 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 14, 2021