ministryofjustice/cloud-platform-terraform-aws-sso

cloud-platform-terraform-aws-sso

This module maps GitHub users to the AWS web console via SAML, with Auth0 acting as the SAML identity provider, and implements ABAC (attribute-based access control) using resource tags: attributes carried in the SAML assertion become principal tags on the federated session, and the IAM policies compare those tags with the tags on the resources being accessed.

Usage

See the examples/ folder.

To run `terraform apply`, pass the AWS account (numeric) ID and the Auth0 tenant (name), set the AWS profile in your local config, and export the environment variables AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET and AUTH0_DOMAIN, pointing at an Auth0 application that has create privileges in the tenant (for us, it's the one called terraform-provider-auth0).

The "add groups" Auth0 rule needs two variables defined in its rule config: AWS_ACCOUNT_ID and AWS_SAML_PROVIDER_NAME (the DNS name of the tenant).

This module sets the Auth0 rule config variable AWS_SAML_PROVIDER_NAME (see auth0_rule_config.aws_saml_provider_name under Resources). AWS_ACCOUNT_ID is also needed, but for us it is already set in global-resources/auth0.tf.
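To make concrete what the rule config variables are for, here is an added example of an Auth0 rule of the kind described above. It is illustration written for this page, not the module's own auth0_rule.saml_mappings, and it assumes a few things the README does not state: the federated role is called github-access, the ABAC tag key is team, and an earlier rule has already stored the user's GitHub team slugs in user.app_metadata.github_teams. AWS_ACCOUNT_ID and AWS_SAML_PROVIDER_NAME are read from the rule configuration exactly as the text describes. The rule validates both before building the Role attribute, checks that the team name is a legal IAM tag value, and refuses to issue an assertion when team membership is ambiguous, because a principal tag holds a single value.

```javascript
// Added example (not this module's own rule): an Auth0 rule that turns a
// user's GitHub team into the SAML attributes AWS reads for role selection
// and ABAC.  ROLE_NAME, TAG_KEY and the location of the team list on the
// profile are assumptions; the two configuration keys are the README's.
const AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/";
const ROLE_NAME = "github-access"; // assumed name of the federated IAM role
const TAG_KEY = "team";            // assumed principal tag key the ABAC policies compare on

// IAM tag values allow letters, digits, space and + - = . _ : / @ (max 256).
// Anything else must not reach the assertion or it becomes an unexpected
// aws:PrincipalTag value on the session.
const TAG_VALUE_RE = /^[A-Za-z0-9 +\-=._:/@]{1,256}$/;
// IAM RoleSessionName: [\w+=,.@-] and 2..64 characters.
const SESSION_NAME_RE = /^[\w+=,.@-]{2,64}$/;

// Pure part of the rule: returns a map of SAML attribute name -> value, or throws.
function buildSamlAttributes(user, configuration) {
  const accountId = String((configuration || {}).AWS_ACCOUNT_ID || "");
  const providerName = String((configuration || {}).AWS_SAML_PROVIDER_NAME || "");
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error("AWS_ACCOUNT_ID must be the 12-digit AWS account id");
  }
  // IAM SAML provider names are limited to [\w._-].
  if (!/^[\w.\-]+$/.test(providerName)) {
    throw new Error("AWS_SAML_PROVIDER_NAME is missing or not a valid provider name");
  }
  if (!SESSION_NAME_RE.test(user.nickname || "")) {
    throw new Error("user nickname is not usable as RoleSessionName");
  }

  // Assumed: an earlier rule stored the GitHub team slugs here.
  const teams = ((user.app_metadata || {}).github_teams || []).filter(
    (t) => typeof t === "string"
  );
  if (!teams.every((t) => TAG_VALUE_RE.test(t))) {
    throw new Error("a GitHub team name is not a legal IAM tag value");
  }
  // A principal tag holds one value, so membership must be unambiguous;
  // picking "the first" team would silently grant one team's access.
  if (teams.length !== 1) {
    throw new Error(`expected exactly one GitHub team, got ${teams.length}`);
  }

  const roleArn = `arn:aws:iam::${accountId}:role/${ROLE_NAME}`;
  const providerArn = `arn:aws:iam::${accountId}:saml-provider/${providerName}`;
  return {
    [AWS_ATTR + "Role"]: `${roleArn},${providerArn}`,
    [AWS_ATTR + "RoleSessionName"]: user.nickname,
    [AWS_ATTR + "SessionDuration"]: "3600",
    [AWS_ATTR + "PrincipalTag:" + TAG_KEY]: teams[0],
  };
}

// The rule as Auth0 runs it: `configuration` is the rule-config object Auth0
// injects, which is where AWS_SAML_PROVIDER_NAME and AWS_ACCOUNT_ID live.
function addAwsSamlAttributes(user, context, callback) {
  // Only users who authenticated through the GitHub connection get AWS attributes.
  if (context.connectionStrategy !== "github") {
    return callback(new Error("only GitHub-authenticated users may assume AWS roles"));
  }
  let attributes;
  try {
    attributes = buildSamlAttributes(user, configuration);
  } catch (err) {
    return callback(err); // a failed rule denies the login
  }
  // Auth0 maps SAML attribute names to user-profile properties, so stage the
  // values on the profile and point the mappings at them.
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = {};
  Object.keys(attributes).forEach((name, i) => {
    const prop = `aws_saml_attr_${i}`;
    user[prop] = attributes[name];
    context.samlConfiguration.mappings[name] = prop;
  });
  return callback(null, user, context);
}
```

The Role attribute value is the `<role ARN>,<provider ARN>` pair AWS expects; the provider ARN is why the rule needs AWS_SAML_PROVIDER_NAME, and it must match the name of the aws_iam_saml_provider this module creates, or the console login fails with an invalid-assertion error.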

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2.5 |
| auth0 | >= 0.34.0 |
| aws | >= 4.45.0 |
| curl | >= 1.0.2 |

Providers

| Name | Version |
|------|---------|
| auth0 | >= 0.34.0 |
| aws | >= 4.45.0 |
| curl | >= 1.0.2 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| auth0_client.saml | resource |
| auth0_rule.saml_mappings | resource |
| auth0_rule_config.aws_saml_provider_name | resource |
| aws_iam_policy.api_gateway_for_github | resource |
| aws_iam_policy.github_access | resource |
| aws_iam_policy.github_access_2 | resource |
| aws_iam_role.github_access | resource |
| aws_iam_role_policy_attachment.api_gateway_for_github | resource |
| aws_iam_role_policy_attachment.github_access | resource |
| aws_iam_role_policy_attachment.github_access_2 | resource |
| aws_iam_saml_provider.auth0 | resource |
| aws_caller_identity.current | data source |
| aws_iam_account_alias.current | data source |
| aws_iam_policy_document.api_gateway_for_github | data source |
| aws_iam_policy_document.cloudwatch_for_github | data source |
| aws_iam_policy_document.cognito_idp_for_github | data source |
| aws_iam_policy_document.combined | data source |
| aws_iam_policy_document.combined_2 | data source |
| aws_iam_policy_document.elasticache_for_github | data source |
| aws_iam_policy_document.federated_role_trust_policy | data source |
| aws_iam_policy_document.iam_for_github | data source |
| aws_iam_policy_document.kms_for_github | data source |
| aws_iam_policy_document.opensearch_for_github | data source |
| aws_iam_policy_document.pi_for_github | data source |
| aws_iam_policy_document.rds_for_github | data source |
| aws_iam_policy_document.s3_for_github | data source |
| aws_iam_policy_document.secretsmanager_for_github | data source |
| aws_iam_policy_document.sns_for_github | data source |
| aws_iam_policy_document.sqs_for_github | data source |
| aws_iam_policy_document.vpc_for_github | data source |
| curl_curl.saml_metadata | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| auth0_tenant_domain | Auth0 domain | string | n/a | yes |
| aws_callback_url | AWS SSO callback URL | string | "https://signin.aws.amazon.com/saml" | no |

Outputs

| Name | Description |
|------|-------------|
| saml_login_page | n/a |

Reading Material

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html