Use this module to dynamic manage AWS IAM Identity Center Permission Sets using Terraform and JSON file templates.
Ensure that you have an instance of IAM Identity Center set up and enabled across your organization. For detailed guidance, refer to the Enabling AWS IAM Identity Center documentation. It is highly recommended to use an IAM Identity Center administrator delegated account for managing Permission Sets. For more information, see Delegated administration.
- AWS account and credentials
- Terraform set up
- JSON file templates
Make sure you are logged in the AWS account where the IAM Identity Center is deployed or in the delegated administrator account.
Create a directory to store your JSON file templates, which will include the Permission Set definitions (name, policies, assignments, etc.). When using this module, you should specify the path to this folder in the templates_path variable.
Templates directory structure sample (e.g. templates):
templates
├── my-permission-set.json
└── other-permission-set.jsonPermission Set template sample (e.g. my-permission-set.json):
{
"Name": "MyPermissionSet",
"Comment": "This permission set will be created and assigned to the group MyGroup for all accounts within the organization.",
"Description": "My Permission Set",
"SessionDuration": "PT1H",
"ManagedPolicies": [
"arn:aws:iam::aws:policy/AdministratorAccess"
],
"CustomerPolicies": [],
"CustomPolicy": {},
"PermissionBoundary": {
"ManagedPolicy": "",
"CustomerPolicy": ""
},
"Tags": {
"Team": "MyTeam"
},
"Assignments": [
{
"all_accounts": true,
"principal": "MyGroup",
"type": "GROUP",
"account_id": [],
"account_ou": [],
"account_tag": []
}
]
}Next, you can call the module, specifying the AWS provider and the IAM Identity Center region (e.g. us-east-1):
provider "aws" {
region = "{{ region }}"
}
module "aws_permission_sets" {
source = "aws-ia/permission-sets/aws"
templates_path = "./templates"
tags = var.tags
}See the JSON schema for Permission Set templates:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"properties": {
"Name": {
"type": "string"
},
"Comment": {
"type": "string"
},
"Description": {
"type": "string"
},
"SessionDuration": {
"type": "string"
},
"ManagedPolicies": {
"type": "array",
"items": {
"type": "string"
}
},
"CustomerPolicies": {
"type": "array",
"items": {
"type": "string"
}
},
"CustomPolicy": {
"type": "object",
"properties": {
"items": {
"type": "string"
}
}
},
"PermissionBoundary": {
"type": "object",
"properties": {
"ManagedPolicy": {
"type": "string"
},
"CustomerPolicy": {
"type": "string"
}
}
},
"Tags": {
"type": "object",
"properties": {
"Teams": {
"type": "string"
}
}
},
"Assignments": {
"type": "array",
"items": {
"type": "object",
"properties": {
"all_accounts": {
"type": "boolean"
},
"principal": {
"type": "string"
},
"type": {
"type": "string",
"enum": ["GROUP", "USER"]
},
"account_id": {
"type": "array",
"items": {
"type": "string"
}
},
"account_ou": {
"type": "array",
"items": {
"type": "string"
}
},
"account_tag": {
"type": "object",
"items": {
"type": "string"
}
}
},
"required": ["all_accounts", "principal", "type"]
}
}
},
"anyOf": [
{
"required": [
"Name",
"Comment",
"Description",
"SessionDuration",
"ManagedPolicies",
"PermissionBoundary",
"Assignments"
]
},
{
"required": [
"Name",
"Comment",
"Description",
"SessionDuration",
"CustomerPolicies",
"PermissionBoundary",
"Assignments"
]
},
{
"required": [
"Name",
"Comment",
"Description",
"SessionDuration",
"CustomPolicy",
"PermissionBoundary",
"Assignments"
]
}
]
}Please see our developer documentation for guidance on contributing to this module.
| Name | Version |
|---|---|
| terraform | >=1.6 |
| aws | >=5.0 |
| Name | Version |
|---|---|
| aws | >=5.0 |
No modules.
| Name | Type |
|---|---|
| aws_ssoadmin_account_assignment.assignment | resource |
| aws_ssoadmin_customer_managed_policy_attachment.customer_policy | resource |
| aws_ssoadmin_managed_policy_attachment.managed_policy | resource |
| aws_ssoadmin_permission_set.permission_set | resource |
| aws_ssoadmin_permission_set_inline_policy.inline_policy | resource |
| aws_ssoadmin_permissions_boundary_attachment.boundary | resource |
| aws_identitystore_group.sso | data source |
| aws_identitystore_user.sso | data source |
| aws_organizations_organization.org | data source |
| aws_organizations_organizational_unit_descendant_accounts.accounts_per_ou | data source |
| aws_organizations_organizational_unit_descendant_accounts.org_accounts | data source |
| aws_organizations_resource_tags.account_tags | data source |
| aws_ssoadmin_instances.sso | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| tags | Specifies a map of tags to be applied to the resources created by the module. | map(string) |
{} |
no |
| templates_path | Specifies the path to the folder containing the permission set templates to be read by the module. | string |
"./templates" |
no |
| Name | Description |
|---|---|
| assignments | Permission Sets assignments |
| permission_sets | Permission Sets definitions |