This module is used to configure AWS roles for use with SSO and implements the official CloudFormation Stack.

```hcl
module "sso_roles" {
  source = "dod-iac/sso-roles/aws"

  # Publicly accessible HTTPS location of the AWS SSO SAML metadata.xml (placeholder value)
  aws_sso_metadata_url = "https://example.com/"

  tags = {
    Project     = var.project
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```

For more detailed help see the references:

- Enabling SAML 2.0 federation with AWS SSO and AWS GovCloud (US)
- Troubleshooting SAML 2.0 federation with AWS
This section details some helpful information when creating a new SSO Application.

This module comes with three pre-configured roles that can be created. By default, none of them are created. The roles are:

- Admin Access
- Power User Access
- Read Only Access

If you are providing an external IAM role, you do not need to enable any of these.
- Display Name: `<account-alias> (<role-name>)`
- Description: Access to AWS GovCloud Account `<account-alias>`
- Application start URL: Leave blank
- Relay state: Leave blank
- Session Duration: 1 hour
- Application ACS URL: https://signin.amazonaws-us-gov.com/saml
- Application SAML audience: urn:amazon:webservices:govcloud
| User attribute in the application | Maps to this string value or user attribute in AWS SSO | Format |
|---|---|---|
| Subject | ${user:name} | persistent |
| https://aws.amazon.com/SAML/Attributes/RoleSessionName | ${user:email} | unspecified |
| https://aws.amazon.com/SAML/Attributes/Role | `<saml-provider-arn>,<iam-role-arn>` | unspecified |
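The external-role case mentioned above and the Role attribute mapping in the table, as an added example that is not part of the module's own code: it creates one extra SAML-enabled role from the module's outputs and emits the string to paste into the SAML Role attribute. Assumed: the assume_role_policy output is the trust-policy JSON, the role name, tags and metadata URL are placeholders, and the ViewOnlyAccess managed policy exists in the target partition.

```hcl
# Added example, not part of the dod-iac/sso-roles/aws module itself.

module "sso_roles" {
  source               = "dod-iac/sso-roles/aws"
  aws_sso_metadata_url = "https://example.com/metadata.xml" # placeholder

  # The built-in Admin / Power User / Read Only roles stay disabled (their
  # default); the external role below is used instead.
}

data "aws_partition" "current" {}

resource "aws_iam_role" "view_only" {
  name = "AWS_SSO_ViewOnlyRole" # hypothetical role name

  # Trust policy: only assertions from the SAML provider the module created
  # may assume this role (assumed to be the trust-policy JSON output).
  assume_role_policy = module.sso_roles.assume_role_policy

  # Keep the CLI session ceiling identical to the module's roles.
  max_session_duration = module.sso_roles.max_session_duration_seconds

  tags = { Automation = "Terraform" } # placeholder tags
}

# Least privilege: attach a read-only job-function policy, not AdministratorAccess.
# The partition prefix keeps the ARN valid in GovCloud (aws-us-gov) as well as aws.
resource "aws_iam_role_policy_attachment" "view_only" {
  role       = aws_iam_role.view_only.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Value for the https://aws.amazon.com/SAML/Attributes/Role attribute of the
# AWS SSO application, in the "<saml-provider-arn>,<iam-role-arn>" form.
output "saml_role_attribute_view_only" {
  value = "${module.sso_roles.identity_provider_arn},${aws_iam_role.view_only.arn}"
}
```

Apply with the same provider configuration as the module; the output value is what goes into the Role attribute row of the table above for this role.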
Terraform 0.13. Pin the module version to `~> 1.0.0`. Submit pull requests to the master branch.

Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | ~> 3.0 |
| http | >= 2.0 |
| Name | Version |
|---|---|
| aws | ~> 3.0 |
| http | >= 2.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_role.admin_role | resource |
| aws_iam_role.power_user_role | resource |
| aws_iam_role.read_only_role | resource |
| aws_iam_role_policy_attachment.admin_managed_policy | resource |
| aws_iam_role_policy_attachment.power_user_managed_policy | resource |
| aws_iam_role_policy_attachment.read_only_managed_policy | resource |
| aws_iam_saml_provider.saml | resource |
| aws_caller_identity.current | data source |
| aws_iam_account_alias.current | data source |
| aws_iam_policy_document.role_assume | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| http_http.metadata | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_role_name | Role name for administrator access. | string | "AWS_SSO_AdministratorAccessRole" | no |
| application_acs_url | The Assertion Consumer Service (ACS) URL is used to identify where the service provider accepts SAML assertions. | string | "https://signin.amazonaws-us-gov.com/saml" | no |
| aws_sso_metadata_url | Publicly accessible HTTPS location where SAML metadata.xml can be downloaded. | string | n/a | yes |
| enable_admin_role | Create an administrative role. | string | false | no |
| enable_power_user_role | Create a power user role. | string | false | no |
| enable_read_only_role | Create a read-only role. | string | false | no |
| max_session_duration_seconds | Maximum CLI session duration in seconds. | number | 14400 | no |
| power_user_role_name | Role name for power user access. | string | "AWS_SSO_PowerUserAccessRole" | no |
| read_only_role_name | Role name for read-only access. | string | "AWS_SSO_ReadOnlyAccessRole" | no |
| saml_provider_name | The name of the IAM SAML identity provider that will be created in Identity and Access Management. | string | "AWS-SSO" | no |
| tags | Tags to be applied to resources. | map(string) | {} | no |
| Name | Description |
|---|---|
| assume_role_policy | IAM Assume Role Policy to use with other SAML enabled roles. |
| identity_provider_arn | ARN for SAML Identity Provider created in IAM |
| max_session_duration_seconds | Maximum CLI Session duration in seconds |
| role_arn_admin | ARN for Admin role |
| role_arn_power_user | ARN for Power User role |
| role_arn_read_only | ARN for Read Only role |