
2.0.0

@EreminAnton EreminAnton released this 09 Sep 09:38

BREAKING CHANGES:

  • More information has been added to the audit entry. See the section 'New Information in Audit Entry' below for details.
  • The Slack app manifest has changed. See the end of the 'Group Assignments Mode' section for details.

In releases prior to 2.0.0, Elevator did not check for double slashes in the object paths written to the audit entry bucket, which could cause Athena queries to fail. If your S3 bucket contains paths with double slashes, you can run the provided script to fix them. You can find the script here. Replace SOURCE_PREFIX, DESTINATION_PREFIX, and BUCKET_NAME with your own values.

Group Assignments Mode

Starting from version 2.0, Terraform AWS SSO Elevator introduces support for group access. Users can now use the /group-access command, which, instead of showing the form for account assignments, will present a Slack form where users can select the group they want access to, specify a reason, and define the duration for which access is required.

The basic logic for access, configuration, and Slack integration remains the same as before. To enable the new Group Assignments Mode, you need to provide the module with the new group_config Terraform variable:

group_config = [
    {
      "Resource" : ["99999999-8888-7777-6666-555555555555"], # ManagementAccountAdmins
      "Approvers" : [
        "email@gmail.com"
      ],
      "ApprovalIsNotRequired" : true
    },
    {
      "Resource" : ["11111111-2222-3333-4444-555555555555"], # prod read only
      "Approvers" : [
        "email@gmail.com"
      ],
      "AllowSelfApproval" : true
    },
    {
      "Resource" : ["44445555-3333-2222-1111-555557777777"], # ProdAdminAccess
      "Approvers" : [
        "email@gmail.com"
      ]
    },
]

There are two key differences compared to the standard Elevator configuration:

  • ResourceType is not required for group access configurations.
  • In the Resource field, you must provide group IDs instead of account IDs.
    The Elevator will only work with groups specified in the configuration.

If you were using Terraform AWS SSO Elevator before version 2.0.0, you need to update your Slack app manifest by adding a new shortcut to enable this functionality:

{
  "name": "group-access",
  "type": "global",
  "callback_id": "request_for_group_membership",
  "description": "Request access to SSO Group"
}

To disable this functionality, simply remove the shortcut from the manifest.

New Information in Audit Entry

Starting with version 2.0.0, the audit entry will now include the following new fields:

    version = 1
    group_name: Literal["NA"] | str = "NA"
    group_id: Literal["NA"] | str = "NA"
    group_membership_id: Literal["NA"] | str = "NA"
    audit_entry_type: Literal["group"] | Literal["account"]

Additionally, any entry can use "NA" as a placeholder for missing information, except for the following fields:

    reason: Literal["scheduled_revocation"] | Literal["automated_revocation"] | str
    operation_type: Literal["grant"] | Literal["revoke"]
    audit_entry_type: Literal["group"] | Literal["account"]
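A stdlib-only Python model of the 2.0.0 audit entry described above, added here as an example and not the project's own code: it enforces the rule that reason, operation_type and audit_entry_type may never be "NA", lets the group fields default to "NA", and treats records that predate 2.0.0 (no audit_entry_type) as account assignments, which is this example's assumption rather than something the release notes state.

```python
import json
from dataclasses import dataclass, fields
from typing import Literal

NA = "NA"
# Fields where "NA" is never an acceptable placeholder, per the release notes.
NO_PLACEHOLDER = ("reason", "operation_type", "audit_entry_type")


@dataclass
class AuditEntry:
    """Mirrors the 2.0.0 audit-entry fields (added example, not the project's model)."""
    reason: str  # "scheduled_revocation" | "automated_revocation" | free text
    operation_type: Literal["grant", "revoke"]
    audit_entry_type: Literal["group", "account"]
    version: int = 1
    group_name: str = NA
    group_id: str = NA
    group_membership_id: str = NA

    def __post_init__(self) -> None:
        for name in NO_PLACEHOLDER:
            value = getattr(self, name)
            if not value or value == NA:
                raise ValueError(f"{name} must be set and may not be {NA!r}")
        if self.version != 1:
            raise ValueError(f"unsupported audit entry version {self.version}")
        if self.audit_entry_type not in ("group", "account"):
            raise ValueError(f"bad audit_entry_type {self.audit_entry_type!r}")
        if self.operation_type not in ("grant", "revoke"):
            raise ValueError(f"bad operation_type {self.operation_type!r}")


def parse_audit_line(line: str) -> AuditEntry:
    """Parse one JSON audit record. Fields absent from pre-2.0.0 records take the
    defaults; a record without audit_entry_type is treated as an account assignment
    (this example's assumption). Extra fields a real record carries are ignored."""
    raw = json.loads(line)
    raw.setdefault("audit_entry_type", "account")
    known = {f.name for f in fields(AuditEntry)}
    return AuditEntry(**{k: v for k, v in raw.items() if k in known})


# Constructed sample records (not real Elevator output): a 2.0.0 group
# revocation and a pre-2.0.0 account grant lacking the new fields.
SAMPLE_LINES = [
    '{"reason": "scheduled_revocation", "operation_type": "revoke", '
    '"audit_entry_type": "group", "group_id": "11111111-2222-3333-4444-555555555555"}',
    '{"reason": "on-call incident", "operation_type": "grant"}',
]
```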

Other changes:

  • Allow changing the log retention for API Gateway and Lambda functions by providing var.logs_retention_in_days.
  • Pass var.tags to the API Gateway module.
  • Added a script to fix file paths in S3.
  • Now, if a user tries to use a mode of the SSO Elevator that doesn't have any statements configured, the Elevator will send a message about it in Slack.

Full Changelog: 1.4.1...2.0.0