IAM Identity Center Module

Derived from aws-ia/terraform-aws-iam-identity-center v1.0.4 (Apache-2.0). Custom direct resources (aws_ssoadmin_*, aws_identitystore_*) with HCL variable inputs.

Overview

Attribute	Value
Region	us-east-1 (global service)
Pattern	Custom direct resources (ADR-007: aws-ia fork)
Config API	HCL variables + YAML config (via config_path)
Upstream	aws-ia/terraform-aws-iam-identity-center v1.0.4
Cost	$0/month (IAM Identity Center is free)
Terraform	>= 1.11.0
AWS Provider	>= 6.28, < 7.0

Usage

module "identity_center" {
  source = "oceansoft/iam-identity-center/aws"

  sso_groups = {
    PlatformTeam = { group_name = "PlatformTeam", group_description = "Platform team" }
  }

  permission_sets = {
    Admin = {
      description          = "Full administrator access"
      session_duration     = "PT4H"
      aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    }
  }

  account_assignments = {
    PlatformAdmins = {
      principal_name  = "PlatformTeam"
      principal_type  = "GROUP"
      principal_idp   = "INTERNAL"
      permission_sets = ["Admin"]
      account_ids     = ["123456789012"]
    }
  }
}

Outputs

Output	Type	Description
permission_set_arns	map(string)	Permission set name to ARN
sso_groups_ids	map(string)	Group key to group ID
sso_users_ids	map(string)	User key to user ID
sso_instance_arn	string	SSO instance ARN
identity_store_id	string	Identity Store ID
account_assignment_data	list(object)	Flattened assignments
principals_and_assignments	map(object)	Map of principal-account-permission assignments
sso_applications_arns	map(string)	Application name to ARN
sso_applications_group_assignments	map(string)	App-group assignment to principal ID
sso_applications_user_assignments	map(string)	App-user assignment to principal ID

Testing

task test:tier1    # 7 snapshot tests (2-3s, $0, mock_provider)
task test:tier2    # SKIP — ssoadmin API not in LocalStack Free
task test:tier3    # Real AWS (HITL gate, $0 — SSO is free)