This project intends to provision the Single Sign On functionality for AzureAd users on AWS accounts.
To execute this project it is necessary configuring the following items:
- AWS Organizations Account
- Azure Account
- AWS SSO application between AzureAD and AWS
- Automatic Users/Groups Provisioning between AzureAD and AWS
- Create a Terraform Application on Azure
- Install TF_ENV
To add a new user it is necessary to edit the vars-users.auto.tfvars file, adding a new entry in the user users dictionary. The new entry must be in accordance with the following template:
/*
"username" = {
"firstName" = "Name"
"lastName" = "Surname"
"role" = "developers" // Role in the company, this value must be one of the role_groups` dictionary keys. Defined in the vars-groups.auto. file
"squad" = "time1" // Optional variable, meaning that the user is part of a squad. This value must be one of the squad_groups` dictionary keys. Defined in the vars-groups.auto.tfvars file
}
*/
"tiago.missao" = {
"firstName" = "Tiago"
"lastName" = "Missão"
"role" = "admin"
"squad" = "time1"
}To add a new AWS account it is necessary to edit the vars-aws-accounts.auto.tfvars, adding a new entry in the aws_accounts_permissions dictionary. The new entry must be in accordance with the following template:
/*
"AWS_ACCOUNT_ID" = {
"role" = "aws_permission" // Role in the company, this value must be one of the role_groups` dictionary keys. Defined in the vars-groups.auto.tfvars file, followed by the AWS` policy associated to the role.
// Also, The "aws_permission" value must be one of the aws_permissions_sets` keys defined ing the vars-aws-accounts.auto.tfvars file
}
*/
"887526423960" = {
"admin" = "administrator"
"tech_leaders" = "poweruser"
"developers" = "readonly"
"readers" = "readonly"
}To add a new role group it is necessary to edit the vars-groups.auto.tfvars file, adding a new entry in the role_groups dictionary. The new entry must be in accordance with the following template:
/*
"Group`s Identifier" = {
"name" = "Group`s name" (Display Name)
},
*/
"admin" = {
"name" = "Admins"
},To add a new squad group it is necessary to edit the vars-groups.auto.tfvars file, adding a new entry in the squad_groups dictionary. The new entry must be in accordance with the following template:
/*
"Group`s Identifier" = {
"name" = "Group`s name" (Display Name)
},
*/
"time1" = {
"name" = "Time Devops"
},This project is executed by Terraform tool. And can be archieved by performing the following steps:
tfenv install # Install the correct Terraform`s version used by the project. The Terraform`s version is defined in the [.terraform-version](./src/.terraform-version) file
tfenv use # Configures the runtime to use the correct terraform`s version
terraform plan # Creates an execution plan, showing all the modifications that will be applied
terraform apply # Applies all the modificationsThe execution time should takes at least 40 minutes since the syncronization process between AzureAD and AWS occurs in a 40 minutes interval.
