In our company we use AWS SSO for user authentication. When a new user is created in Azure AD, it is automatically synced to AWS IAM Identity Center through the Azure AD integration, and our team then has to handle the SSO user assignment: put the user into the required AWS accounts with the requested permission sets. This became a pain as such requests arrived more frequently, each time for an individual user or a whole team with different account and permission requirements, so handling it efficiently became my recent topic.
So far I have tried shell and Python scripts that read the user name, AWS account ID and permission set ARN from a CSV file and then complete the task with the AWS CLI. However, that is not smart enough when the request or scenario changes; I have to adjust the script every time.
Managing individual requests via Terraform
Let’s start with handling user assignments individually with Terraform first. Here I have 2 requests:
A user “user1@company.com”, under a group called “AD-RDS-READ-ONLY” in AWS IAM Identity Center: I need to create a permission set in AWS account “123456789” and assign it to this user.
The second request is from the security team. We have 3 security team members (security1@company.com, security2@company.com, security3@company.com), under a group called “AD-ACM-FULL-ACCESS” in AWS IAM Identity Center; they all need full access to AWS Certificate Manager in all of our 3 AWS accounts (12345678901, 12345678902, and 12345678903).
Terraform Modularity
How about a Terraform module, since I will get different user assignment requests with different permission sets and AWS accounts? I think a Terraform module for SSO user assignment is the best way to make the Terraform code cleaner and reusable. Infrastructure as code with modularity has many benefits: it reduces code duplication, is easy to update, and has a clear code structure, which fits my AWS SSO user assignment task perfectly.
To achieve this, I will create a folder called “sso_user_assignment_module”, which will contain:
A “main.tf” file to define the resources for creating permission sets and assigning them to users.
A “variables.tf” file to define the input variables for the module.
A “outputs.tf” file to define the outputs of the module.
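The three module files, as an added example written for this post (not the post’s own code). It assumes the AWS provider v5 resources `aws_ssoadmin_permission_set`, `aws_ssoadmin_managed_policy_attachment` and `aws_ssoadmin_account_assignment`, that Identity Center user names match the e-mail addresses synced from Azure AD, and variable names (`permission_set_name`, `managed_policy_arns`, `user_names`, `account_ids`) that I chose for the example. Each request becomes one permission set, attached managed policies, and one assignment per user × account pair; the file boundaries are marked with comments.

```terraform
# ---------- sso_user_assignment_module/variables.tf ----------
variable "permission_set_name" {
  description = "Name of the permission set to create for this request"
  type        = string
}

variable "permission_set_description" {
  description = "Free-text description shown in the Identity Center console"
  type        = string
  default     = ""
}

variable "managed_policy_arns" {
  description = "AWS managed policy ARNs to attach to the permission set (least privilege: attach only what the request needs)"
  type        = list(string)
}

variable "user_names" {
  description = "Identity Center user names (assumed to be the Azure AD e-mail addresses)"
  type        = list(string)
}

variable "account_ids" {
  description = "AWS account IDs the users must be assigned into"
  type        = list(string)
}

variable "session_duration" {
  description = "ISO-8601 session length; shorter sessions limit the window of a stolen credential"
  type        = string
  default     = "PT4H"
}

# ---------- sso_user_assignment_module/main.tf ----------
# The Identity Center instance and its identity store are looked up, not hard-coded.
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # One assignment for every (user, account) combination in the request.
  assignments = {
    for pair in setproduct(var.user_names, var.account_ids) :
    "${pair[0]}/${pair[1]}" => { user = pair[0], account_id = pair[1] }
  }
}

resource "aws_ssoadmin_permission_set" "this" {
  name             = var.permission_set_name
  description      = var.permission_set_description
  instance_arn     = local.instance_arn
  session_duration = var.session_duration
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = toset(var.managed_policy_arns)
  instance_arn       = local.instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

# Resolve each synced user to its Identity Center user_id by UserName;
# a typo in a user name fails the plan instead of silently assigning nobody.
data "aws_identitystore_user" "this" {
  for_each          = toset(var.user_names)
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "UserName"
      attribute_value = each.value
    }
  }
}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = local.assignments
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
  principal_id       = data.aws_identitystore_user.this[each.value.user].user_id
  principal_type     = "USER"
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"
}

# ---------- sso_user_assignment_module/outputs.tf ----------
output "permission_set_arn" {
  value = aws_ssoadmin_permission_set.this.arn
}

output "assignments" {
  description = "user/account pairs that were assigned, useful for review in the plan output"
  value       = keys(aws_ssoadmin_account_assignment.this)
}
```

Because every assignment is keyed by `user/account`, `terraform plan` lists exactly which principal gets which permission set in which account, and removing a user from `user_names` destroys only that user’s assignments.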
Now we need to create a Terraform configuration that uses this module and set the variable values accordingly. Go back to the root folder and create a root “main.tf” file to call the module and pass the necessary variables.
Then a root “variables.tf” file to define the input variables for the root configuration.
Now comes the place where we reuse the module: create the root “terraform.tfvars”, which provides the actual values for the variables and defines each assignment request. In future we only add each request here as variable values and then apply the Terraform configuration.
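The root configuration for the three steps above, as an added example and not the post’s own files. It assumes the module from the previous example under `./sso_user_assignment_module`, a root variable I named `assignments`, and the AWS managed policies `AmazonRDSReadOnlyAccess` and `AWSCertificateManagerFullAccess` for the two requests (the post names no policies). Driving the module with `for_each` means a new request is only a new entry in `terraform.tfvars`; the account IDs are the post’s own sample values.

```terraform
# ---------- main.tf ----------
terraform {
  required_version = ">= 1.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = var.region
}

# One module instance per request; the map key becomes the address in state.
module "sso_user_assignment" {
  source   = "./sso_user_assignment_module"
  for_each = var.assignments

  permission_set_name        = each.value.permission_set_name
  permission_set_description = each.value.description
  managed_policy_arns        = each.value.managed_policy_arns
  user_names                 = each.value.user_names
  account_ids                = each.value.account_ids
}

output "permission_set_arns" {
  value = { for name, m in module.sso_user_assignment : name => m.permission_set_arn }
}

# ---------- variables.tf ----------
variable "region" {
  description = "Region in which the Identity Center instance lives"
  type        = string
}

variable "assignments" {
  description = "One entry per request: users, the permission set they get, and the target accounts"
  type = map(object({
    permission_set_name = string
    description         = optional(string, "")
    managed_policy_arns = list(string)
    user_names          = list(string)
    account_ids         = list(string)
  }))
}

# ---------- terraform.tfvars ----------
region = "us-east-1"   # assumed region for the example

assignments = {
  # Request 1: one user, read-only RDS in one account
  rds_read_only = {
    permission_set_name = "AD-RDS-READ-ONLY"
    description         = "Read-only access to RDS for user1"
    managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"]
    user_names          = ["user1@company.com"]
    account_ids         = ["123456789"]
  }

  # Request 2: the security team, ACM full access in all three accounts
  acm_full_access = {
    permission_set_name = "AD-ACM-FULL-ACCESS"
    description         = "Full access to AWS Certificate Manager for the security team"
    managed_policy_arns = ["arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess"]
    user_names = [
      "security1@company.com",
      "security2@company.com",
      "security3@company.com",
    ]
    account_ids = ["12345678901", "12345678902", "12345678903"]
  }
}
```

With `terraform plan` you get nine account assignments for the second request (3 users × 3 accounts) and one for the first, each with a readable address such as `module.sso_user_assignment["acm_full_access"].aws_ssoadmin_account_assignment.this["security1@company.com/12345678901"]`, so a reviewer can check the requested scope against the plan before anything is applied.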
Conclusion
Now we can achieve the task individually via Terraform code, with a Terraform module handling the creation of AWS SSO user assignments. This setup combines all three requests into a single Terraform configuration, leveraging the reusable module for creating permission sets and managing user assignments; it is more efficient, dynamic, and reusable. In future we only define permission sets and maintain new users and assignments in the .tfvars file, then run terraform apply to get the job done. The changes can also be tracked when Git is used for version control.