AWS IAM Identity Center(SSO)とAWS Organizationsのメモ
IAM Identity CenterはSingle Sign-Onから名称が変更されたり、Organizationsとの関係があったりで複雑なので自分用にまとめます。コードはTerraformドキュメントからの抜粋ですのでリンク先を参照してください。
全体像
IAM Identity Center
AWS CLIでは、ユーザー・グループなどIDストアの操作は aws identitystore、許可セットやアカウント割り当ての操作は aws sso-admin で行います。
ログインや資格情報の取得は aws sso
コマンドを使用します。
ユーザー
aws_identitystore_user でユーザーを定義します。
# A user created directly in the IAM Identity Center identity store.
# If users are provisioned from an external IdP (e.g. via SCIM) instead,
# manage them there rather than here so the two sources do not fight.
resource "aws_identitystore_user" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  # user_name is the login identifier; display_name is what the access portal shows.
  user_name    = "johndoe"
  display_name = "John Doe"

  name {
    given_name  = "John"
    family_name = "Doe"
  }

  # Invitation and password-reset mail goes to this address, so it must be
  # one the person actually controls.
  emails {
    value = "john@example.com"
  }
}
グループ
aws_identitystore_group でグループを定義します。
# A group in the identity store. Permission sets are normally assigned to
# groups rather than to individual users, so group membership is effectively
# the access-control boundary - review who can change it.
resource "aws_identitystore_group" "this" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  display_name = "Example group"
  description  = "Example description"
}
aws_identitystore_group_membership でグループに参加するユーザーを定義します。
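# Adds one user to one group. Create one of these per (group, user) pair.
#
# Fix: the group defined in this configuration is addressed as
# aws_identitystore_group.this, not .example - the original reference would
# fail at plan time with an unknown resource address.
resource "aws_identitystore_group_membership" "example" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]

  # group_id / user_id are the identity-store IDs exported by the resources above.
  group_id  = aws_identitystore_group.this.group_id
  member_id = aws_identitystore_user.example.user_id
}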
許可セット
aws_ssoadmin_permission_set で許可セットを定義します。
# A permission set: a named bundle of IAM permissions that is later assigned
# to (principal, account) pairs. The policies themselves are attached by the
# separate *_attachment / inline_policy resources below.
resource "aws_ssoadmin_permission_set" "example" {
  instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]

  name        = "Example"
  description = "An example"

  # ISO 8601 duration of the federated session. PT2H = 2 hours, i.e. longer
  # than the default (PT1H); a shorter value narrows the window in which a
  # leaked session credential stays usable.
  session_duration = "PT2H"

  # Page the user lands on after signing in through the access portal.
  relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#"
}
許可の紐付け
aws_ssoadmin_managed_policy_attachment で許可セットにAWSマネージドポリシーを紐づけます。
# Attaches an AWS managed policy to the permission set.
# The policy ARN here is just the example from the Terraform docs; pick the
# narrowest managed policy that covers the job, and keep broad ones such as
# AdministratorAccess in a separate permission set assigned to a small group.
resource "aws_ssoadmin_managed_policy_attachment" "example" {
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  managed_policy_arn = "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup"
}
aws_ssoadmin_customer_managed_policy_attachment で許可セットにカスタマーマネージドポリシーを紐づけます。参照先のポリシーは、許可セットを割り当てる各アカウントに同じ名前・パスで存在している必要があります。
# Attaches a customer managed policy to the permission set by *name and path*,
# not by ARN. IAM Identity Center resolves the reference inside each target
# account, so a policy with exactly this name/path must already exist in
# every account the permission set is assigned to, or provisioning fails.
resource "aws_ssoadmin_customer_managed_policy_attachment" "example" {
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn

  customer_managed_policy_reference {
    path = "/"
    name = aws_iam_policy.example.name
  }
}
aws_ssoadmin_permission_set_inline_policy で許可セットにインラインポリシーを紐づけます。
# Embeds an inline IAM policy in the permission set. Unlike the customer
# managed variant this needs nothing pre-created in the target accounts; the
# policy document is pushed along with the permission set.
resource "aws_ssoadmin_permission_set_inline_policy" "example" {
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]

  # Rendered JSON from an aws_iam_policy_document data source.
  inline_policy = data.aws_iam_policy_document.example.json
}
aws_ssoadmin_permissions_boundary_attachment で許可セットに許可の境界を紐付けます。
# Sets a permissions boundary on the permission set: an upper limit that the
# attached managed/inline policies cannot exceed. Useful when delegating
# permission-set authoring to others. As with customer managed policies, the
# referenced policy is resolved by name/path in each target account and must
# exist there.
resource "aws_ssoadmin_permissions_boundary_attachment" "example" {
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn

  permissions_boundary {
    customer_managed_policy_reference {
      path = "/"
      name = aws_iam_policy.example.name
    }
  }
}
aws_ssoadmin_account_assignment で許可セットをアカウントに紐付けます。
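# Grants a principal (here a group) the permission set in one AWS account.
# This is the point where access is actually handed out, so these resources
# are the ones to review and audit.
#
# Fix: the original looked the permission set and group up through data
# sources even though both are defined as resources in this configuration;
# reference the resources directly so the dependency is explicit and there is
# a single source of truth.
resource "aws_ssoadmin_account_assignment" "example" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.example.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.example.arn

  # Prefer GROUP over USER so access follows group membership instead of
  # per-person assignments that are easy to forget to revoke.
  principal_type = "GROUP"
  principal_id   = aws_identitystore_group.this.group_id

  # Target AWS account ID (12 digits); replace the placeholder.
  target_type = "AWS_ACCOUNT"
  target_id   = "123456789012"
}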
Organizations
OrganizationsのAWS CLIは aws organizations
で一通り操作できます。
Organizations
aws_organizations_organization で Organizationsを定義します。
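# The organization itself, managed from the management account.
#
# Fixes:
# - aws_service_access_principals is authoritative: services missing from the
#   list have their trusted access *disabled* on apply. IAM Identity Center
#   (sso.amazonaws.com) requires trusted access, so omitting it here would
#   turn it off for the whole org.
# - Service control policies are not enabled on the root by default, even
#   with feature_set = "ALL"; the SCPs attached later in this configuration
#   need SERVICE_CONTROL_POLICY enabled here first.
resource "aws_organizations_organization" "org" {
  # "ALL" is required for SCPs and for IAM Identity Center.
  feature_set = "ALL"

  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "sso.amazonaws.com",
  ]

  enabled_policy_types = [
    "SERVICE_CONTROL_POLICY",
  ]
}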
aws_organizations_organizational_unit でOUを定義します。
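# An organizational unit directly under the root. Accounts placed in it
# inherit every SCP attached to the OU and to the root.
#
# Fix: the organization resource in this configuration is addressed as
# aws_organizations_organization.org, not .example.
resource "aws_organizations_organizational_unit" "example" {
  name      = "example"
  parent_id = aws_organizations_organization.org.roots[0].id
}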
AWSアカウント
aws_organizations_account でAWSアカウントを定義します。
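# Creates a new member account in the organization.
#
# Security notes:
# - Creation also provisions an IAM role in the new account (by default
#   OrganizationAccountAccessRole) that trusts the management account and
#   grants full administrator access. Anyone who can assume roles in the
#   management account therefore becomes admin of every member account;
#   lock down the management account accordingly, or set role_name to a
#   more restricted role you manage.
# - Without parent_id the account lands directly under the root, where it is
#   covered only by root-level SCPs. Placing it in an OU applies that OU's
#   guardrails from the start.
resource "aws_organizations_account" "account" {
  name  = "my_new_account"
  # Root-user e-mail of the new account; must be unique across AWS and should
  # be a mailbox your organization controls (it receives root password resets).
  email = "john@doe.org"

  parent_id = aws_organizations_organizational_unit.example.id
}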
aws_organizations_delegated_administrator で委任管理者アカウントを定義します。
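# Registers a member account as delegated administrator for one AWS service,
# so that service can be administered without logging into the management
# account. Delegate to a dedicated administration account, not a workload
# account: the delegated account can manage the service org-wide.
#
# Fix: service_principal must be a real service principal; "principal" is a
# placeholder that the API rejects. This page is about IAM Identity Center,
# whose principal is sso.amazonaws.com.
resource "aws_organizations_delegated_administrator" "example" {
  # 12-digit ID of the member account receiving delegation (placeholder).
  account_id        = "123456789012"
  service_principal = "sso.amazonaws.com"
}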
aws_organizations_resource_policy で Organizations のリソースベースポリシー（委任ポリシー）を定義します。委任管理者アカウントなどに対して Organizations API の読み取り権限を付与するのに使います。
# Resource-based policy on the organization. It lets the named member account
# (typically a delegated administrator) read the organization's structure and
# policies. Only Describe*/List* actions are granted, so this is read-only.
# Note the principal is the account *root*, i.e. any IAM principal in
# 123456789012 whose own IAM policies allow these actions - scope access on
# the IAM side in that account as well.
resource "aws_organizations_resource_policy" "example" {
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DelegatingNecessaryDescribeListActions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::123456789012:root"
        }
        Action = [
          "organizations:DescribeOrganization",
          "organizations:DescribeOrganizationalUnit",
          "organizations:DescribeAccount",
          "organizations:DescribePolicy",
          "organizations:DescribeEffectivePolicy",
          "organizations:ListRoots",
          "organizations:ListOrganizationalUnitsForParent",
          "organizations:ListParents",
          "organizations:ListChildren",
          "organizations:ListAccounts",
          "organizations:ListAccountsForParent",
          "organizations:ListPolicies",
          "organizations:ListPoliciesForTarget",
          "organizations:ListTargetsForPolicy",
          "organizations:ListTagsForResource",
        ]
        Resource = "*"
      },
    ]
  })
}
ポリシー
aws_organizations_policy でポリシーを定義します。
# An Organizations policy. With no type given this is a service control
# policy (SERVICE_CONTROL_POLICY is the default); SCPs only *limit* what IAM
# can grant in member accounts, they never grant permissions themselves, and
# they do not apply to the management account. The policy type must be
# enabled on the organization root before it can be attached.
resource "aws_organizations_policy" "example" {
  name = "example"
  type = "SERVICE_CONTROL_POLICY"

  # Policy document rendered by an aws_iam_policy_document data source.
  content = data.aws_iam_policy_document.example.json
}
aws_organizations_policy_attachment でポリシーを紐付けます。
# Attach the policy to a single member account. Account-level attachments are
# easy to lose track of; prefer OU-level attachments and use this form only
# for genuine exceptions.
resource "aws_organizations_policy_attachment" "account" {
  # 12-digit account ID (placeholder).
  target_id = "123456789012"
  policy_id = aws_organizations_policy.example.id
}
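# Attach the policy to the organization root, so it applies to every OU and
# account (except the management account, which SCPs never restrict).
#
# Fix: the organization resource in this configuration is addressed as
# aws_organizations_organization.org, not .example.
resource "aws_organizations_policy_attachment" "root" {
  policy_id = aws_organizations_policy.example.id
  target_id = aws_organizations_organization.org.roots[0].id
}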
# Attach the policy to an OU; every account inside it (and in nested OUs)
# inherits the policy. This is the usual place to put guardrails.
resource "aws_organizations_policy_attachment" "unit" {
  target_id = aws_organizations_organizational_unit.example.id
  policy_id = aws_organizations_policy.example.id
}