Skip to content

ministryofjustice/cloud-platform-terraform-aws-sso

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cloud-platform-terraform-aws-sso

This module maps Github users to the AWS web console via SAML and implements ABAC (Attribute-based access control) using resource tags.

Usage

See the examples/ folder.

To run terraform apply, the AWS account (numeric) ID and Auth0 tennant (name) must be passed, AWS profile set in local config and env vars AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_DOMAIN exported, pointing to an app that has create privileges in the tenant (for us, it's the one called terraform-provider-auth0).

The add groups Auth0 rule needs 2 variables defined in its config, AWS_ACCOUNT_ID and AWS_SAML_PROVIDER_NAME (DNS name of the tenant).

This module sets the auth0 var AWS_SAML_PROVIDER_NAME, AWS_ACCOUNT_ID is also needed but for us it's already set in global-resources/auth0.tf

Requirements

Name Version
terraform >= 1.2.5
auth0 >= 0.34.0
aws >= 4.45.0
curl >= 1.0.2

Providers

Name Version
auth0 >= 0.34.0
aws >= 4.45.0
curl >= 1.0.2

Modules

No modules.

Resources

Name Type
auth0_action.saml_mappings resource
auth0_client.saml resource
aws_iam_policy.api_gateway_for_github resource
aws_iam_policy.github_access resource
aws_iam_policy.github_access_2 resource
aws_iam_role.github_access resource
aws_iam_role_policy_attachment.api_gateway_for_github resource
aws_iam_role_policy_attachment.github_access resource
aws_iam_role_policy_attachment.github_access_2 resource
aws_iam_saml_provider.auth0 resource
aws_caller_identity.current data source
aws_iam_account_alias.current data source
aws_iam_policy_document.api_gateway_for_github data source
aws_iam_policy_document.backups_for_github data source
aws_iam_policy_document.bedrock_for_github data source
aws_iam_policy_document.cloudwatch_for_github data source
aws_iam_policy_document.cognito_idp_for_github data source
aws_iam_policy_document.combined data source
aws_iam_policy_document.combined_2 data source
aws_iam_policy_document.ecr_for_github data source
aws_iam_policy_document.elasticache_for_github data source
aws_iam_policy_document.federated_role_trust_policy data source
aws_iam_policy_document.iam_for_github data source
aws_iam_policy_document.kms_for_github data source
aws_iam_policy_document.mq_for_github data source
aws_iam_policy_document.opensearch_for_github data source
aws_iam_policy_document.pi_for_github data source
aws_iam_policy_document.rds_for_github data source
aws_iam_policy_document.s3_for_github data source
aws_iam_policy_document.secretsmanager_for_github data source
aws_iam_policy_document.sns_for_github data source
aws_iam_policy_document.sqs_for_github data source
aws_iam_policy_document.vpc_for_github data source
curl_curl.saml_metadata data source

Inputs

Name Description Type Default Required
auth0_tenant_domain Auth0 domain string n/a yes
aws_callback_url AWS SSO callback URL string "https://signin.aws.amazon.com/saml" no

Outputs

Name Description
saml_login_page n/a

Reading Material

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_abac-saml.html