# Task-file parameters. Organization-wide values (resourcePrefix, primaryRegion
# and the like are referenced below but not declared here) are merged in from
# the included file via a merge key.
# NOTE(review): confirm in org-formation whether keys declared below override
# merged-in keys of the same name — standard merge-key semantics say they do.
Parameters:
  <<: !Include '../organization-parameters.yml'
  # Name component used when building the stack names in this file
  appName:
    Type: String
    Default: 'sso'
  # AWS SSO instance ARN
  # 'replace-me:…' defaults are placeholders and must be overridden before use
  instanceArn:
    Type: String
    Default: 'replace-me:SSO-ID'
  # Principal ID from Identity Provider's group used by administrators
  adminGroup:
    Type: String
    Default: 'replace-me:Admin-Group-ID'
  # Principal ID from Identity Provider's group used by developers
  developerGroup:
    Type: String
    Default: 'replace-me:Developer-Group-ID'
# Administrator permission set, assigned to the admin group. The target binding
# covers every account (Account: '*'); the master account is presumably covered
# through masterAccountId rather than the binding — verify against aws-sso.yml.
SsoAdministrator:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-admin'
  StackDescription: 'Full permission role used by Admin group within whole organization'
  # Stack can be deleted without first disabling termination protection
  TerminationProtection: false
  # primaryRegion is expected to come from the included organization parameters
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: '*'
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref adminGroup
    permissionSetName: 'Administrator'
    # Full administrative access organization-wide; the 1-hour session
    # duration (shorter than the developer set's 12 hours) limits how long
    # an issued admin session stays valid.
    managedPolicies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
    sessionDuration: 'PT1H'
    # MasterAccount is not declared in this file — presumably provided by the
    # organization definition. Not passed for SsoDeveloper; confirm the
    # template treats it as optional.
    masterAccountId: !Ref MasterAccount
# Developer permission set, assigned to the developer group. The target binding
# is limited to accounts under ActiveOU; no masterAccountId is passed, unlike
# SsoAdministrator — confirm with aws-sso.yml that this is intended.
SsoDeveloper:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-developer'
  StackDescription: 'Read and Write role used by Developer group'
  # Stack can be deleted without first disabling termination protection
  TerminationProtection: false
  # primaryRegion is expected to come from the included organization parameters
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      # ActiveOU is not declared in this file — presumably an OU from the
      # organization definition
      OrganizationalUnit:
        - !Ref ActiveOU
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref developerGroup
    permissionSetName: 'Developer'
    # PowerUserAccess: broad service access without IAM user/group management;
    # 12-hour sessions, longer than the 1-hour administrator sessions.
    managedPolicies:
      - 'arn:aws:iam::aws:policy/PowerUserAccess'
    sessionDuration: 'PT12H'