
NTC Identity Center

Migrating to v2?

NTC Identity Center v2 introduces major improvements including AWS Provider v6 support and AWS European Sovereign Cloud compatibility.

📖 Read the Migration Guide for step-by-step instructions.

Description

NTC Identity Center streamlines identity and access management (IAM) across your AWS environment by integrating with AWS IAM Identity Center. This building block enables centralized user and group management, providing seamless single sign-on (SSO) access to multiple AWS accounts and applications. With fine-grained access controls and a standardized setup process, NTC Identity Center enforces consistent governance at scale. It also integrates with external identity providers to align with your organizational needs.

Prerequisites Required

AWS IAM Identity Center must be enabled and configured manually before using this module. This includes enabling Identity Center, configuring your identity source, and setting up external provider integrations if applicable.

For detailed step-by-step instructions, see the Prerequisites documentation.

Usage

Latest Release: 2.0.0

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.5.0)

  • aws (>= 6.0)

Providers

The following providers are used by this module:

  • aws (>= 6.0)

Modules

No modules.

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

account_assignments

Description: A list of account assignments. For each account, list the permission sets to assign and the users and/or groups that receive each permission set. Users and groups are referenced by name and must exist in the identity store (provisioned via SCIM or via the manual_provisioning_* inputs).

Type:

list(object({
  account_name = string,
  account_id   = string,
  permissions = list(object({
    permission_set_name = string
    users               = optional(list(string), [])
    groups              = optional(list(string), [])
  }))
}))

Default: []

is_automatic_provisioning_enabled

Description: Set to true when users and groups are provisioned automatically via SCIM from your external identity provider; automatic provisioning itself must be configured manually in the AWS console. Leave it at false (the default) to provision users and groups with Terraform instead. Automatic provisioning must be disabled in Identity Center before users and groups can be managed with Terraform.

Type: bool

Default: false

manual_provisioning_sso_groups

Description: A list of groups to provision in identity store. Automatic provisioning must be disabled to manage groups and membership assignments with Terraform.

Type:

list(object({
  group_name              = string
  group_member_user_names = list(string)
  group_description       = optional(string, null)
}))

Default: []

manual_provisioning_sso_users

Description: A list of users to provision in identity store. Automatic provisioning must be disabled to manage users with Terraform.

Type:

list(object({
  user_name     = string
  primary_email = string
  first_name    = string
  last_name     = string
}))

Default: []

permission_sets

Description: A list of permission sets to create. Each entry defines the session duration, an inline policy document, the managed policies to attach and the permissions boundary (a map, empty when no boundary is applied). Permission sets are referenced by name from account_assignments.

Type:

list(object({
  name               = string
  description        = string
  session_duration   = number
  inline_policy_json = string
  managed_policies = list(object({
    managed_by  = string
    policy_name = string
    policy_path = string
  }))
  boundary_policy = map(object({
    managed_by  = string
    policy_name = string
    policy_path = string
  }))
}))

Default: []

region

Description: AWS region where the resources will be created. Omit to use the provider default region.

Type: string

Default: null
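The following root module is an added example of wiring the inputs documented above together; it is not the blueprint's usage example and not code from the NTC project. It assumes: a local module source path, constructed account IDs and e-mail addresses, that session_duration is expressed in hours, that managed_by = "aws" selects AWS managed policies, that an empty boundary_policy map means no permissions boundary, and that the provider region is the Identity Center home region. It also shows a plan-time prerequisite check built on the aws_ssoadmin_instances data source and a Terraform 1.5 check block, and a least-privilege layout: assignments go through groups only, the admin permission set carries a short session plus an inline deny guardrail, and production accounts receive no admin assignment by default.

```hcl
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1" # assumed Identity Center home region
}

# Prerequisite check: Identity Center must be enabled by hand first. An empty
# instance list surfaces a warning at plan time (Terraform 1.5+ check block).
check "identity_center_enabled" {
  data "aws_ssoadmin_instances" "this" {}
  assert {
    condition     = length(data.aws_ssoadmin_instances.this.arns) > 0
    error_message = "IAM Identity Center is not enabled in this account/region; see Prerequisites."
  }
}

locals {
  # Constructed sample accounts; only non-production accounts get an admin group.
  accounts = {
    "security-tooling" = { id = "111111111111", admin_groups = ["platform-admins"] }
    "workload-prod"    = { id = "222222222222", admin_groups = [] }
  }

  # Inline guardrail attached to every permission set: even a full admin
  # session cannot detach the account from the organization or close it.
  org_guardrail = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "DenyOrgAndAccountDestruction"
      Effect   = "Deny"
      Action   = ["organizations:LeaveOrganization", "account:CloseAccount"]
      Resource = "*"
    }]
  })
}

module "identity_center" {
  source = "./modules/ntc-identity-center" # assumed path; use the blueprint's module source

  # Default: users and groups are managed by Terraform. With SCIM from an
  # external IdP, set this to true and leave both manual_provisioning_* lists empty.
  is_automatic_provisioning_enabled = false

  manual_provisioning_sso_users = [
    { user_name = "alice", primary_email = "alice@example.com", first_name = "Alice", last_name = "Example" },
    { user_name = "bob", primary_email = "bob@example.com", first_name = "Bob", last_name = "Example" },
  ]

  manual_provisioning_sso_groups = [
    { group_name = "platform-admins", group_member_user_names = ["alice"], group_description = "Break-glass admins" },
    { group_name = "security-auditors", group_member_user_names = ["alice", "bob"] },
  ]

  permission_sets = [
    {
      name               = "platform-admin"
      description        = "Full admin with a short session and an org guardrail"
      session_duration   = 1 # assumed unit: hours
      inline_policy_json = local.org_guardrail
      managed_policies   = [{ managed_by = "aws", policy_name = "AdministratorAccess", policy_path = "/" }]
      boundary_policy    = {}
    },
    {
      name               = "security-audit"
      description        = "Read-only security review"
      session_duration   = 8
      inline_policy_json = local.org_guardrail
      managed_policies = [
        { managed_by = "aws", policy_name = "SecurityAudit", policy_path = "/" },
        { managed_by = "aws", policy_name = "ViewOnlyAccess", policy_path = "/job-function/" },
      ]
      boundary_policy = {}
    },
  ]

  # Assign through groups only; the `if` filter drops the admin set wherever an
  # account has no admin group, so nobody is admin on prod unless listed above.
  account_assignments = [
    for name, acct in local.accounts : {
      account_name = name
      account_id   = acct.id
      permissions = [
        for ps, groups in { "security-audit" = ["security-auditors"], "platform-admin" = acct.admin_groups } :
        { permission_set_name = ps, groups = groups } if length(groups) > 0
      ]
    }
  ]
}
```

Because membership lives in the groups rather than in the assignments, onboarding or offboarding a person changes only manual_provisioning_sso_groups (or nothing at all when SCIM is enabled), and a terraform plan diff never touches the account assignment resources. The sso_permission_sets and sso_group_assignments outputs can be used to cross-check the applied state against this declaration.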

Outputs

The following outputs are exported:

identity_store_arn

Description: The Amazon Resource Name (ARN) of the SSO Instance.

identity_store_id

Description: Identity Store ID associated with the Single Sign-On Instance.

sso_group_assignments

Description: Map of group assignments with Single Sign-On.

sso_permission_sets

Description: Map of permission sets configured to be used with Single Sign-On.

sso_user_assignments

Description: Map of user assignments with Single Sign-On.