IAM Identity Center Module (sso v1.3.0)

Derived from aws-ia/terraform-aws-sso v1.0.4 (Apache-2.0). Enterprise SSO landing zone with profile-only configuration, account-name resolution via Organizations, YAML APRA CPS 234 audit trail, and 10 Terraform test files.

Overview

| Attribute | Value |
|---|---|
| Module | terraform-aws/modules/sso |
| Version | v1.3.0 (2026-03-05) |
| Source | github.com/nnthanh101/terraform-aws//modules/sso or local ../../modules/sso |
| Home Region | Configurable via var.sso_region (dual-provider: aws.identity_center alias) |
| Pattern | Direct aws_ssoadmin_* + aws_identitystore_* resources |
| Config API | HCL variables + YAML (via config_path); account names or IDs (Organizations lookup optional) |
| Cost | $0/month (IAM Identity Center is free) |
| Terraform | >= 1.11.0 |
| AWS Provider | >= 6.28, < 7.0 |
| Compliance | APRA CPS 234 session durations (4h/8h enforced); FOCUS 1.2+ cost tags |
| Tests | 10 snapshot tests + module examples (tier 1, 2-3s, $0) |

Core Features

  • Account-name resolution: enable_organizations_lookup = true → use account names in YAML configs (profile-only compatible)
  • Dual-provider setup: Default provider + identity_center alias for home-region isolation
  • YAML configuration path: config_path = "/path/to/config" reads permission_sets.yaml + account_assignments.yaml for APRA CPS 234 audit trail
  • Group, user, permission set, and account assignment management via HCL or YAML
  • External IdP support: principal_idp = "EXTERNAL" for Entra ID, Okta, Google federation
  • Application portal: SAML/SCIM app definitions with portal sign-in options
  • Session duration enforcement: Least-privilege tiers (Admin 1h, PowerUser 4h, ReadOnly 8h, SecurityAudit 8h per CPS 234)

Quick Start — HCL Variable Config

```hcl
module "identity_center" {
  source = "../../modules/sso" # local, or github.com/nnthanh101/terraform-aws//modules/sso

  sso_region = var.sso_region # e.g. "ap-southeast-2" (home region)

  sso_groups = {
    PlatformTeam = {
      group_name        = "PlatformTeam"
      group_description = "Platform engineering team"
    }
  }

  permission_sets = {
    Admin = {
      description          = "Full administrator access"
      session_duration     = "PT1H" # APRA CPS 234: 1h max for Admin
      aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    }
    PowerUser = {
      description          = "PowerUser access"
      session_duration     = "PT4H" # 4h for PowerUser
      aws_managed_policies = ["arn:aws:iam::aws:policy/PowerUserAccess"]
    }
    ReadOnly = {
      description          = "ReadOnly access"
      session_duration     = "PT8H" # 8h for ReadOnly
      aws_managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
    }
  }

  account_assignments = {
    PlatformAdmins = {
      principal_name  = "PlatformTeam"
      principal_type  = "GROUP"
      principal_idp   = "INTERNAL" # Use EXTERNAL for Entra ID
      permission_sets = ["Admin"]
      account_names   = ["b2b-account"] # Requires enable_organizations_lookup=true
    }
  }

  enable_organizations_lookup = true # Resolve account names to IDs
}
```

YAML Configuration (APRA CPS 234 Audit Trail)

For profile-only deployments, use YAML for centralized permission and account mapping:

```text
config/
  permission_sets.yaml      # Permission set definitions
  account_assignments.yaml  # Account-to-group mappings
```

Then reference in Terraform:

```hcl
module "identity_center" {
  source = "../../modules/sso"

  config_path                 = "${path.module}/config"
  enable_organizations_lookup = true
}
```

When config_path is set, the module reads the YAML files in that directory (they take precedence over the HCL variables), enabling a profile-only Terraform workflow in which account IDs are never hardcoded.
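The session-duration tiers listed under Core Features are the part of the YAML audit trail a reviewer most wants checked before `terraform apply`. The policy check below is an added example, not code from this module or from aws-ia/terraform-aws-sso; it assumes permission_sets.yaml parses to a mapping keyed by permission set name with the same fields as the HCL variable (`session_duration` as an ISO 8601 duration), and the tier ceilings and the default ceiling for unlisted sets are assumptions stated in the code.

```python
import re
from typing import Dict, List, Optional

# Assumed policy table built from this page's tiers: permission set name -> maximum session length.
MAX_SESSION = {"Admin": "PT1H", "PowerUser": "PT4H", "ReadOnly": "PT8H", "SecurityAudit": "PT8H"}
DEFAULT_MAX = "PT8H"  # assumption: any set not in the table gets the ReadOnly ceiling

# ISO 8601 time-only duration as IAM Identity Center expects it, e.g. PT4H or PT1H30M.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_iso_duration(value: str) -> Optional[int]:
    """Return the duration in seconds, or None if the string is not a PT#H#M#S duration."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def check_session_durations(permission_sets: Dict[str, dict]) -> List[str]:
    """One finding per permission set whose session_duration is missing, malformed or above its ceiling."""
    findings: List[str] = []
    for name, spec in permission_sets.items():
        raw = spec.get("session_duration")
        cap = MAX_SESSION.get(name, DEFAULT_MAX)
        if raw is None:
            # Leaving the field out hides the effective value from the audit trail; require it explicitly.
            findings.append(f"{name}: session_duration not set (state it explicitly; ceiling is {cap})")
            continue
        seconds = parse_iso_duration(raw)
        if seconds is None:
            findings.append(f"{name}: session_duration {raw!r} is not a valid ISO 8601 duration")
        elif seconds > parse_iso_duration(cap):
            findings.append(f"{name}: session_duration {raw} exceeds the {cap} ceiling")
    return findings


# Constructed sample: the mapping yaml.safe_load() would return for a permission_sets.yaml
# shaped like the HCL variable above. Values are invented for illustration.
SAMPLE_PERMISSION_SETS = {
    "Admin": {"description": "Full administrator access", "session_duration": "PT1H"},
    "PowerUser": {"description": "PowerUser access", "session_duration": "PT8H"},  # above the 4h ceiling
    "ReadOnly": {"description": "ReadOnly access", "session_duration": "PT8H"},
    "SecurityAudit": {"description": "Audit access", "session_duration": "8h"},  # malformed
    "Billing": {"description": "Billing access"},  # session_duration omitted
}

if __name__ == "__main__":
    for finding in check_session_durations(SAMPLE_PERMISSION_SETS):
        print(finding)
```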

Outputs

| Output | Type | Description |
|---|---|---|
| sso_instance_arn | string | ARN of the SSO instance |
| identity_store_id | string | Identity Store ID (link to Entra for external IdP) |
| permission_set_arns | map(string) | Permission set name → ARN |
| sso_groups_ids | map(string) | Group name → ID |
| sso_users_ids | map(string) | User name → ID |
| account_assignment_data | list(object) | Flattened assignment tuples |
| principals_and_assignments | map(object) | Nested principal-account-permission map |
| sso_applications_arns | map(string) | Application name → ARN (for portal) |
| config_path | string | Resolved YAML config directory path |

Testing

```bash
# Tier 1: Snapshot tests (10 tests, 2-3s, $0, local provider)
task test:tier1 MODULE=sso

# Tier 2: Skipped (ssoadmin API not in LocalStack Free)

# Tier 3: Real AWS (HITL gate, $0 — SSO is free)
# Post-HITL enablement: terraform plan in accounts/management-account/
```

Entra ID Federation

To enable an external IdP (Entra ID, Okta, Google):

  1. Configure external IdP in AWS SSO console (manual, one-time)
  2. Set principal_idp = "EXTERNAL" in account assignments
  3. Existing Identity Store users can be made EXTERNAL; new users can sync from Entra via SCIM

See the Entra ID Federation guide for setup steps.