NTC Identity Center

Description

NTC Identity Center streamlines identity and access management (IAM) across your AWS environment by integrating with AWS IAM Identity Center. This building block enables centralized user and group management, providing seamless single sign-on (SSO) access to multiple AWS accounts and applications. With fine-grained access controls and a standardized setup process, NTC Identity Center enforces consistent governance at scale. It also integrates with external identity providers, to align with your organizational needs.

Usage

Latest Release: 1.0.4

Decide whether you want to use an external identity provider and whether your users and groups should be synchronized automatically (via SCIM) or provisioned with Terraform.

# --------------------------------------------------------------------------------------------------
# ¦ LOCALS
# --------------------------------------------------------------------------------------------------
locals {
  # (optional) users and groups with global permissions for all accounts
  global_sso_permissions = {
    admin_groups = [
      "aws-c2-admin"
    ]
    billing_groups = [
      "aws-c2-billing"
    ]
    support_groups = [
      "aws-c2-support"
    ]
  }
}

# --------------------------------------------------------------------------------------------------
# ¦ NTC IDENTITY CENTER - SSO
# --------------------------------------------------------------------------------------------------
module "ntc_identity_center" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-identity-center?ref=X.X.X"

  # identity center supports automatic provisioning (synchronization) of users and groups from your identity provider (IdP)
  # using the System for Cross-domain Identity Management (SCIM) v2.0 protocol
  is_automatic_provisioning_enabled = true

  # (optional) users that should be manually provisioned in IAM Identity Center via Terraform.
  # automatic provisioning must be disabled.
  # Users will not be synced back to the external identity provider!
  manual_provisioning_sso_users = []

  # (optional) groups that should be manually provisioned in IAM Identity Center via Terraform.
  # automatic provisioning must be disabled.
  # Groups will not be synced back to the external identity provider!
  manual_provisioning_sso_groups = []

  # permission sets can be a combination of aws and customer managed policies
  # https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html
  permission_sets = [
    {
      name : "AdministratorAccess"
      description : "This permission set grants administrator access"
      session_duration : 2
      inline_policy_json : ""
      managed_policies : [
        {
          managed_by : "aws"
          policy_name : "AdministratorAccess"
          policy_path : "/"
        }
      ]
      boundary_policy : {}
    },
    {
      name : "Billing+ViewOnlyAccess"
      description : "This permission set grants billing and read-only access"
      session_duration : 10
      inline_policy_json : ""
      managed_policies : [
        {
          managed_by : "aws"
          policy_name : "Billing"
          policy_path : "/job-function/"
        },
        {
          managed_by : "aws"
          policy_name : "ViewOnlyAccess"
          policy_path : "/job-function/"
        }
      ]
      boundary_policy : {}
    },
    {
      name : "SupportUser+ReadOnlyAccess"
      description : "This permission set grants support and read-only access"
      session_duration : 10
      inline_policy_json : ""
      managed_policies : [
        {
          managed_by : "aws"
          policy_name : "SupportUser"
          policy_path : "/job-function/"
        },
        {
          managed_by : "aws"
          policy_name : "ReadOnlyAccess"
          policy_path : "/"
        }
      ]
      boundary_policy : {}
    }
  ]

  account_assignments = [
    # assignments can also be static, but using the 'ntc-account-factory' account map enables dynamic assignments.
    for account in module.ntc_parameters_reader.account_map :
    {
      account_name = account.account_name
      account_id   = account.account_id
      permissions = [
        {
          permission_set_name : "AdministratorAccess"
          # e.g. combine global sso permissions with sso permissions from account map
          groups : concat(local.global_sso_permissions.admin_groups, try(account.customer_values.sso_admin_groups, []))
          # alternatively groups can also be dynamically associated via predefined naming
          # groups : ["sg-aws-admin-${account.account_id}"]
        },
        {
          permission_set_name : "Billing+ViewOnlyAccess"
          # e.g. combine global sso permissions with sso permissions from account map
          groups : concat(local.global_sso_permissions.billing_groups, try(account.customer_values.sso_billing_groups, []))
          # alternatively groups can also be dynamically associated via predefined naming
          # groups : ["sg-aws-billing-${account.account_id}"]
        },
        {
          permission_set_name : "SupportUser+ReadOnlyAccess"
          # e.g. combine global sso permissions with sso permissions from account map
          groups : concat(local.global_sso_permissions.support_groups, try(account.customer_values.sso_support_groups, []))
          # alternatively groups can also be dynamically associated via predefined naming
          # groups : ["sg-aws-support-${account.account_id}"]
        }
      ]
    }
    # remove SSO permission if account is marked for decommissioning
    if try(account.account_tags["AccountDecommission"], false) == false
  ]

  providers = {
    aws = aws.euc1
  }
}

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.3.0)

  • aws (>= 5.14)

Providers

The following providers are used by this module:

  • aws (>= 5.14)

Modules

No modules.

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

account_assignments

Description: A list of account assignments.

Type:

list(object({
  account_name = string,
  account_id   = string,
  permissions = list(object({
    permission_set_name = string
    users               = optional(list(string), [])
    groups              = optional(list(string), [])
  }))
}))

Default: []

is_automatic_provisioning_enabled

Description: Set to false to provision users and groups with Terraform instead of relying on automatic provisioning via SCIM.
Automatic provisioning must be configured manually in the AWS console.
Automatic provisioning must be disabled to manage users and groups with Terraform.

Type: bool

Default: false

manual_provisioning_sso_groups

Description: A list of groups to provision in identity store. Automatic provisioning must be disabled to manage groups and membership assignments with Terraform.

Type:

list(object({
  group_name              = string
  group_member_user_names = list(string)
  group_description       = optional(string, null)
}))

Default: []

manual_provisioning_sso_users

Description: A list of users to provision in identity store. Automatic provisioning must be disabled to manage users with Terraform.

Type:

list(object({
  user_name     = string
  primary_email = string
  first_name    = string
  last_name     = string
}))

Default: []

permission_sets

Description: A list of permission sets.

Type:

list(object({
  name               = string
  description        = string
  session_duration   = number
  inline_policy_json = string
  managed_policies = list(object({
    managed_by  = string
    policy_name = string
    policy_path = string
  }))
  boundary_policy = map(object({
    managed_by  = string
    policy_name = string
    policy_path = string
  }))
}))

Default: []
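The usage example above relies on SCIM provisioning and dynamic assignments from the account map. As an added example that is not part of the module documentation, the following module call exercises the other mode the inputs above describe: automatic provisioning is switched off, users and groups are declared in Terraform, one read-only audit permission set carries an inline policy built with jsonencode, and a single static account assignment ties them together. The user names, e-mail addresses, group name, account name and ID, and the CloudTrail bucket name are constructed placeholders; the module source ref is the same placeholder as in the usage example, and aws.euc1 is assumed to be a configured provider alias.

```hcl
# Added example (not from the module's own documentation): manual provisioning mode.
# All identities, the account ID and the bucket name below are constructed placeholders.
module "ntc_identity_center_manual" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-identity-center?ref=X.X.X"

  # Terraform becomes the source of truth for users and groups, so SCIM sync must stay disabled
  # (the module documents that automatic provisioning must be off to manage users and groups here)
  is_automatic_provisioning_enabled = false

  # users created directly in the identity store; they are not synced back to any external IdP
  manual_provisioning_sso_users = [
    {
      user_name     = "alice.example"      # constructed placeholder
      primary_email = "alice@example.com"  # constructed placeholder
      first_name    = "Alice"
      last_name     = "Example"
    },
    {
      user_name     = "bob.example"        # constructed placeholder
      primary_email = "bob@example.com"    # constructed placeholder
      first_name    = "Bob"
      last_name     = "Example"
    }
  ]

  # group membership is declared in code, which makes access reviews a diff of this file
  manual_provisioning_sso_groups = [
    {
      group_name              = "aws-security-audit" # constructed placeholder
      group_description       = "Read-only security reviewers"
      group_member_user_names = ["alice.example", "bob.example"]
    }
  ]

  permission_sets = [
    {
      name        = "SecurityAudit+TrailLogs"
      description = "Read-only audit access plus read access to the central CloudTrail log bucket"
      # shorter session than the sets in the usage example (same unit as there)
      session_duration = 1
      # inline policy: only the extra read permission the AWS managed policy does not cover
      inline_policy_json = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid      = "ReadCentralTrailLogs"
            Effect   = "Allow"
            Action   = ["s3:GetObject", "s3:ListBucket"]
            Resource = [
              "arn:aws:s3:::PLACEHOLDER-cloudtrail-logs",  # constructed placeholder bucket
              "arn:aws:s3:::PLACEHOLDER-cloudtrail-logs/*"
            ]
          }
        ]
      })
      managed_policies = [
        {
          managed_by  = "aws"
          policy_name = "SecurityAudit" # AWS managed read-only audit policy
          policy_path = "/"
        }
      ]
      boundary_policy = {}
    }
  ]

  # static assignment (no account map): the audit group gets the permission set in one account
  account_assignments = [
    {
      account_name = "security-tooling" # constructed placeholder
      account_id   = "111111111111"     # constructed placeholder
      permissions = [
        {
          permission_set_name = "SecurityAudit+TrailLogs"
          groups              = ["aws-security-audit"]
          users               = []
        }
      ]
    }
  ]

  providers = {
    aws = aws.euc1
  }
}
```

Because users and groups live in Terraform state here, a group membership change is a reviewable pull request rather than an IdP-side edit; the inline policy is kept to the single permission the managed policy lacks, so the permission set stays readable in review.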

Outputs

The following outputs are exported:

identity_store_arn

Description: The Amazon Resource Name (ARN) of the SSO Instance.

identity_store_id

Description: Identity Store ID associated with the Single Sign-On Instance.

sso_group_assignments

Description: Map of group assignments with Single Sign-On.

sso_permission_sets

Description: Map of permission sets configured to be used with Single Sign-On.

sso_user_assignments

Description: Map of user assignments with Single Sign-On.