# AWS Identity Center (SSO) Module

Deploy AWS Identity Center (formerly AWS SSO) for centralized user and permission management across AWS accounts.
## What You'll Build

- AWS Identity Center instance in management account
- Groups for role-based access control (RBAC)
- Permission sets defining AWS service permissions
- Account assignments linking users/groups to accounts and permission sets
- Optional external identity provider integration (Okta, Entra ID, etc.)
## How to Use

```hcl
module "identity_center" {
  source = "github.com/nnthanh101/terraform-aws/modules/sso"

  directory_type = "IDENTITY_STORE" # or "ACTIVE_DIRECTORY"

  # Create groups
  groups = {
    developers = {
      name        = "developers"
      description = "Development team members"
    }
    admins = {
      name        = "admins"
      description = "Admin team members"
    }
  }

  # Create permission sets
  permission_sets = {
    developer = {
      name             = "Developer"
      description      = "Developer permissions"
      session_duration = "PT4H" # ISO 8601 duration: 4 hours
      managed_policies = [
        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
        "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
      ]
    }
    admin = {
      name             = "Admin"
      description      = "Administrator permissions"
      session_duration = "PT1H" # shorter session for the privileged set
      managed_policies = [
        "arn:aws:iam::aws:policy/AdministratorAccess"
      ]
    }
  }

  # Assign accounts and permission sets to groups.
  # NOTE: the values below reference the module's own outputs from inside
  # its own block, which Terraform rejects as a dependency cycle. Check the
  # module's variables.tf for how it expects a principal and a permission
  # set to be identified (for example by the map keys used above).
  account_assignments = {
    dev_account = {
      account_id         = var.dev_account_id
      principal_id       = module.identity_center.groups["developers"].id
      permission_set_arn = module.identity_center.permission_sets["developer"].arn
    }
    prod_account = {
      account_id         = var.prod_account_id
      principal_id       = module.identity_center.groups["admins"].id
      permission_set_arn = module.identity_center.permission_sets["admin"].arn
    }
  }

  tags = {
    Environment = "prod"
    Service     = "identity"
  }
}
```
## Key Variables

| Variable | Type | Purpose |
|---|---|---|
| directory_type | string | "IDENTITY_STORE" (internal) or "ACTIVE_DIRECTORY" (external AD) |
| groups | map(object) | RBAC groups for users |
| permission_sets | map(object) | Named permission bundles |
| account_assignments | map(object) | Principal → Account × Permission Set mappings |
| managed_policies | list(string) | AWS managed policy ARNs per permission set |
| inline_policy | string | Custom inline IAM policy JSON |
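The `inline_policy` variable is where a permission set gets narrowed below what an AWS managed policy grants. The following is an added example, not code from this module or its README: it assumes that `inline_policy` sits inside each `permission_sets` entry next to `managed_policies` (the table lists both but does not show the object shape), and the policy statements, the `DevOperator` name and the `Environment=dev` tag convention are constructed for illustration. `groups` and `account_assignments` are omitted here and would be written as in the usage block above.

```hcl
# Added example: a permission set that pairs a broad read-only managed policy
# with a narrow inline grant and an explicit deny. The inline_policy attribute
# placement inside permission_sets is an assumption about this module's schema.
module "identity_center" {
  source         = "github.com/nnthanh101/terraform-aws/modules/sso"
  directory_type = "IDENTITY_STORE"

  permission_sets = {
    dev_operator = {
      name             = "DevOperator"
      description      = "Read-only EC2 plus start/stop of dev-tagged instances"
      session_duration = "PT4H"

      # Broad read access comes from an AWS managed policy ...
      managed_policies = [
        "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
      ]

      # ... and the only write actions come from an inline policy scoped by
      # resource tag. jsonencode keeps the document valid JSON and lets
      # Terraform catch structural mistakes at plan time.
      inline_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid      = "StartStopDevInstancesOnly"
            Effect   = "Allow"
            Action   = ["ec2:StartInstances", "ec2:StopInstances"]
            Resource = "arn:aws:ec2:*:*:instance/*"
            Condition = {
              StringEquals = { "aws:ResourceTag/Environment" = "dev" }
            }
          },
          {
            # Explicit deny wins over any allow from another policy attached
            # to the same permission set, so identity and org changes are
            # off the table for this role no matter what is added later.
            Sid      = "DenyIdentityAndOrgChanges"
            Effect   = "Deny"
            Action   = ["iam:*", "organizations:*", "sso:*"]
            Resource = "*"
          }
        ]
      })
    }
  }
}
```

In each assigned member account this permission set materializes as an IAM role named `AWSReservedSSO_DevOperator_<hash>`, which is the `assumedRole` ARN that shows up in that account's CloudTrail, so a reviewer can tie every API call back to the permission set that authorized it.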
## Outputs

| Output | Use Case |
|---|---|
| instance_arn | Identity Center instance ARN |
| groups | Group IDs for account assignments |
| permission_sets | Permission set ARNs for assignment |
| account_assignments | Status of account assignments |
## Integration

- AWS Accounts: Assign users/groups to specific accounts
- External IdP: Connect Okta, Azure AD, or custom SAML provider
- IAM Roles: Permission sets create temporary IAM roles in member accounts
- AWS CLI: Users authenticate via `aws sso login --profile <profile>`
- CloudTrail: All SSO logins are logged in the management account
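Because Identity Center sign-ins land in the management account's CloudTrail, they can be turned into metrics and alarms with the same Terraform that deploys the module. The block below is an added example, not part of this module: it assumes the organization trail is already delivered to a CloudWatch Logs group (`var.cloudtrail_log_group_name`) and that `var.alert_topic_arn` is an SNS topic for the security team; both variable names, the metric namespace and the alarm names are constructed. It counts Identity Center `Federate` events (a user obtaining credentials for an account through the access portal or `aws sso login`) and pages on the thing that should no longer happen once Identity Center is the entry point: a console sign-in by a long-lived IAM user.

```hcl
# Added example: CloudTrail-backed detections for Identity Center. The two
# variable names below are assumptions, not outputs of the sso module.
variable "cloudtrail_log_group_name" {
  type        = string
  description = "CloudWatch Logs group that receives the organization CloudTrail"
}

variable "alert_topic_arn" {
  type        = string
  description = "SNS topic notified when an alarm fires"
}

# Baseline metric: every hand-off of account credentials through Identity
# Center is recorded as a Federate event from sso.amazonaws.com.
resource "aws_cloudwatch_log_metric_filter" "sso_federate" {
  name           = "identity-center-federate"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventSource = \"sso.amazonaws.com\") && ($.eventName = \"Federate\") }"

  metric_transformation {
    name      = "IdentityCenterFederate"
    namespace = "Security/IdentityCenter"
    value     = "1"
  }
}

# Anomaly metric: with humans expected to come in via Identity Center, a
# console sign-in by an IAM user bypasses the central control.
resource "aws_cloudwatch_log_metric_filter" "iam_user_console_login" {
  name           = "iam-user-console-login"
  log_group_name = var.cloudtrail_log_group_name
  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.userIdentity.type = \"IAMUser\") }"

  metric_transformation {
    name      = "IamUserConsoleLogin"
    namespace = "Security/IdentityCenter"
    value     = "1"
  }
}

# A single bypass login in any five-minute window is enough to notify.
resource "aws_cloudwatch_metric_alarm" "iam_user_console_login" {
  alarm_name          = "iam-user-console-login"
  alarm_description   = "Console sign-in with an IAM user instead of Identity Center"
  namespace           = "Security/IdentityCenter"
  metric_name         = "IamUserConsoleLogin"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.alert_topic_arn]
}
```

The `Federate` metric is left without an alarm on purpose: its value is as a baseline to graph and to compare against the `AWSReservedSSO_*` role assumptions seen in member-account trails, so that federations the management account never recorded stand out.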
## Source Reference

Module: `terraform-aws/modules/sso`