github.com/alibabacloud-automation/terraform-alicloud-landing-zone-cloudsso


License
Apache-2.0
Install
go get github.com/alibabacloud-automation/terraform-alicloud-landing-zone-cloudsso

Documentation

Terraform module that implements multi-account single sign-on with Cloud SSO.

terraform-alicloud-landing-zone-cloudsso


When an enterprise adopts a multi-account cloud architecture, configuring personnel identities and permission policies for each account becomes cumbersome and time-consuming. This module uses the capabilities of Cloud SSO to provide a centralized way to manage identities and permissions across multiple accounts, reducing the complexity of identity configuration for enterprise IT administrators.

Structure

Prerequisites

Enable Alicloud CloudSSO

Usage

Manage Alicloud CloudSSO users, groups, access configurations and access assignments with Terraform. If you have already created users and groups through SCIM synchronization or other methods, the users and groups parameters can be set to an empty list or omitted.

provider "alicloud" {
  region = "cn-shanghai"
}

data "alicloud_resource_manager_resource_directories" "default" {}

data "alicloud_resource_manager_accounts" "default" {}

module "cloudsso" {
  source = "alibabacloud-automation/landing-zone-cloudsso/alicloud"
  users = [
    {
      user_name = "tf-example-user1",
      display_name = "tf-example-user1",
      first_name = "tf",
      last_name = "example",
      email = "tf-example-user1@email.com",
      description = "This user is used for tf example."
    },
    {    
      user_name = "tf-example-user2",
      display_name = "tf-example-user2",
      first_name = "tf",
      last_name = "example",
      email = "tf-example-user2@email.com",
      description = "This user is used for tf example."
    }
  ]

  groups = [
    {
      group_name = "tf-example-group1",
      description = "This group is used for tf example.",
      users = ["tf-example-user1", "tf-example-user2"]
    },
    {
      group_name = "tf-example-group2",
      description = "This group is used for tf example.",
      users = ["tf-example-user1"]
    }
  ]
  
  access_configurations = [
    {
      access_configuration_name = "Admin",
      description = "This is a test access configuration for tf example",
      session_duration = 1000,
      permission_policies = [
        {
          policy_name = "AdministratorAccess",
          policy_type = "System"
        },
        {
          policy_name     = "TestInlineAccess",
          policy_type     = "Inline",
          policy_document = "{\"Statement\":[{\"Action\":\"ecs:Get*\",\"Effect\":\"Allow\",\"Resource\":[\"*\"]}],\"Version\":\"1\"}"
        }
      ]
    }
  ]

  access_assignments = [
    {
      principal_name = "tf-example-user1",
      principal_type = "User",
      access_configurations = ["Admin"],
      accounts = [data.alicloud_resource_manager_resource_directories.default.directories[0].master_account_id]
    },
    {
      principal_name = "tf-example-group1",
      principal_type = "Group",
      access_configurations = ["Admin"],
      accounts = [data.alicloud_resource_manager_accounts.default.accounts[0].account_id]
    }
  ]
}

Examples

Requirements

Name Version
terraform >= 1.3.10
alicloud >= 1.145.0

Providers

Name Version
alicloud >= 1.145.0

Modules

Name Source Version
cloud_sso_access_assignment ./modules/cloud_sso_access_assignment n/a
cloud_sso_users_and_groups ./modules/cloud_sso_users_and_groups n/a

Resources

Name Type
alicloud_cloud_sso_access_configuration.default resource
alicloud_cloud_sso_directories.default data source

Inputs

access_assignments
  Description: A list of access assignments. In each element, principal_name is either a user name or a group name, depending on principal_type (valid values: User, Group); access_configurations is a list of access configuration names; accounts is a list of account IDs, which may include the master account or member accounts of the Resource Directory.
  Type:
    list(object({
      principal_name        = string
      principal_type        = string
      access_configurations = list(string)
      accounts              = list(string)
    }))
  Default: []
  Required: no

access_configurations
  Description: A list of Cloud SSO access configurations. The access_configuration_name must be unique within Cloud SSO. The value of session_duration (unit: seconds) must be between 900 and 43200. permission_policies is a list of policies assigned to the access configuration; policy_type can be either System or Inline, and if policy_type is Inline, policy_document is required.
  Type:
    list(object({
      access_configuration_name = string
      description               = optional(string)
      session_duration          = optional(number)
      permission_policies = optional(list(object({
        policy_name     = string
        policy_type     = string
        policy_document = optional(string)
      })), [])
    }))
  Default: []
  Required: no

groups
  Description: A list of Cloud SSO groups. The group_name must be unique within Cloud SSO, and users is a list of user names.
  Type:
    list(object({
      group_name  = string
      description = optional(string)
      users       = optional(list(string), [])
    }))
  Default: []
  Required: no

users
  Description: A list of Cloud SSO users. The user_name must be unique within Cloud SSO.
  Type:
    list(object({
      user_name    = string
      display_name = optional(string)
      first_name   = optional(string)
      last_name    = optional(string)
      email        = optional(string)
      description  = optional(string)
    }))
  Default: []
  Required: no
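The constraints on access_configurations above (unique names, a session_duration of 900 to 43200 seconds, policy_type limited to System or Inline, and a policy_document whenever policy_type is Inline) can be enforced at plan time rather than discovered at apply time. The variable block below is an added example of such validation rules and is not the module's own variables.tf; the type matches the documented schema, and the validation blocks and error messages are assumptions.

```hcl
# Added example (not the module's own code): the documented constraints for
# access_configurations, expressed as Terraform input validation rules.
# Requires Terraform >= 1.3 for optional() with defaults, as the module does.
variable "access_configurations" {
  type = list(object({
    access_configuration_name = string
    description               = optional(string)
    session_duration          = optional(number)
    permission_policies = optional(list(object({
      policy_name     = string
      policy_type     = string
      policy_document = optional(string)
    })), [])
  }))
  default = []

  # access_configuration_name must be unique within Cloud SSO.
  validation {
    condition = length(distinct([
      for ac in var.access_configurations : ac.access_configuration_name
    ])) == length(var.access_configurations)
    error_message = "access_configuration_name must be unique."
  }

  # session_duration is in seconds; null leaves it to the provider default.
  validation {
    condition = alltrue([
      for ac in var.access_configurations :
      ac.session_duration == null ? true : (ac.session_duration >= 900 && ac.session_duration <= 43200)
    ])
    error_message = "session_duration must be between 900 and 43200 seconds."
  }

  # policy_type is System or Inline; an Inline policy must carry a policy_document.
  validation {
    condition = alltrue(flatten([
      for ac in var.access_configurations : [
        for p in ac.permission_policies :
        contains(["System", "Inline"], p.policy_type) && (p.policy_type != "Inline" || p.policy_document != null)
      ]
    ]))
    error_message = "policy_type must be System or Inline, and Inline policies require policy_document."
  }
}
```

With these rules in place, a session_duration of 1000 and the System plus Inline policies from the usage example above pass, while an Inline policy without a policy_document fails during terraform plan.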

Outputs

Name Description
access_assignments_ids The IDs of access assignments. Each value has the format <directory_id>:<access_configuration_id>:<target_type>:<target_id>:<principal_type>:<principal_id>
access_configuration_ids The list of access configuration IDs.
group_ids The IDs of groups.
user_attachment_ids The IDs of user attachments. Each value has the format <directory_id>:<group_id>:<user_id>
user_ids The IDs of users.

Submit Issues

If you have any problems when using this module, please open a provider issue and let us know.

Note: Opening an issue on this repo is not recommended.

Authors

Created and maintained by Alibaba Cloud Terraform Team (terraform@alibabacloud.com).

License

MIT Licensed. See LICENSE for full details.

Reference