bahrmichael/100-sso-_tasks.yml

## 100-sso-_tasks.yml
Parameters:
  <<: !Include '../organization-parameters.yml'

  appName:
    Type: String
    Default: 'sso'

  # AWS SSO instance ARN
  instanceArn:
    Type: String
    Default: replace-me:SSO-ID

  # Principal ID from Identity Provider's group used by administrators
  adminGroup:
    Type: String
    Default: replace-me:Admin-Group-ID

  # Principal ID from Identity Provider's group used by developers
  developerGroup:
    Type: String
    Default: replace-me:Developer-Group-ID

SsoAdministrator:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-admin'
  StackDescription: 'Full permission role used by Admin group within whole organization'
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: '*'
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref adminGroup
    permissionSetName: 'Administrator'
    managedPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ]
    sessionDuration: 'PT1H'
    masterAccountId: !Ref MasterAccount

SsoDeveloper:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-developer'
  StackDescription: 'Read and Write role used by Developer group'
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      OrganizationalUnit:
        - !Ref ActiveOU
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref developerGroup
    permissionSetName: 'Developer'
    managedPolicies: [ 'arn:aws:iam::aws:policy/PowerUserAccess' ]
    sessionDuration: 'PT12H'
	Parameters:
	<<: !Include '../organization-parameters.yml'

	appName:
	Type: String
	Default: 'sso'

	# AWS SSO instance ARN
	instanceArn:
	Type: String
	Default: replace-me:SSO-ID

	# Principal ID from Identity Provider's group used by administrators
	adminGroup:
	Type: String
	Default: replace-me:Admin-Group-ID

	# Principal ID from Identity Provider's group used by developers
	developerGroup:
	Type: String
	Default: replace-me:Developer-Group-ID

	SsoAdministrator:
	Type: update-stacks
	Template: ./aws-sso.yml
	StackName: !Sub '${resourcePrefix}-${appName}-admin'
	StackDescription: 'Full permission role used by Admin group within whole organization'
	TerminationProtection: false
	DefaultOrganizationBindingRegion: !Ref primaryRegion
	DefaultOrganizationBinding:
	IncludeMasterAccount: true
	OrganizationBindings:
	TargetBinding:
	Account: '*'
	Parameters:
	instanceArn: !Ref instanceArn
	principalId: !Ref adminGroup
	permissionSetName: 'Administrator'
	managedPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ]
	sessionDuration: 'PT1H'
	masterAccountId: !Ref MasterAccount

	SsoDeveloper:
	Type: update-stacks
	Template: ./aws-sso.yml
	StackName: !Sub '${resourcePrefix}-${appName}-developer'
	StackDescription: 'Read and Write role used by Developer group'
	TerminationProtection: false
	DefaultOrganizationBindingRegion: !Ref primaryRegion
	DefaultOrganizationBinding:
	IncludeMasterAccount: true
	OrganizationBindings:
	TargetBinding:
	OrganizationalUnit:
	- !Ref ActiveOU
	Parameters:
	instanceArn: !Ref instanceArn
	principalId: !Ref developerGroup
	permissionSetName: 'Developer'
	managedPolicies: [ 'arn:aws:iam::aws:policy/PowerUserAccess' ]
	sessionDuration: 'PT12H'