├── sso_automation_app ├── __init__.py └── sso_stack.py ├── cdk.json ├── requirements.txt ├── CODE_OF_CONDUCT.md ├── source.bat ├── inline_policies ├── powerusercustompolicy.json ├── devopscustompolicy.json └── developercustompolicy.json ├── LICENSE ├── setup.py ├── app.py ├── example_assignments.json ├── org_enum.py ├── example_permsets.json ├── CONTRIBUTING.md ├── .gitignore ├── id_center_automation.py └── README.md /sso_automation_app/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cdk.json: -------------------------------------------------------------------------------- 1 | { 2 | "app": "python app.py", 3 | "context": { 4 | "@aws-cdk:enableDiffNoFail": "true", 5 | "@aws-cdk/core:stackRelativeExports": "true" 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | attrs 2 | aws-cdk-lib 3 | boto3 4 | botocore 5 | cattrs 6 | constructs>=10.0.0,<11.0.0 7 | jmespath 8 | jsii 9 | publication 10 | python-dateutil 11 | s3transfer 12 | six 13 | typing-extensions 14 | urllib3 15 | cdk-nag>=2.14.11 16 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /source.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | rem The sole purpose of this script is to make the command 4 | rem 5 | rem source .env/bin/activate 6 | rem 7 | rem (which activates a Python virtualenv on Linux or Mac OS X) work on Windows. 8 | rem On Windows, this command just runs this batch file (the argument is ignored). 9 | rem 10 | rem Now we don't need to document a Windows command for activating a virtualenv. 11 | 12 | echo Executing .env\Scripts\activate.bat for you 13 | .env\Scripts\activate.bat 14 | -------------------------------------------------------------------------------- /inline_policies/powerusercustompolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventPrivilegeEscalation", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "iam:PassRole" 9 | ], 10 | "Resource": [ 11 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess_*", 12 | "arn:aws:iam::*:role/*ControlTower*", 13 | "arn:aws:iam::*:role/*controltower*" 14 | ] 15 | } 16 | ] 17 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import find_packages, setup 2 | 3 | with open("README.md") as fp: 4 | long_description = fp.read() 5 | 6 | setup( 7 | name="sso_automation_app", 8 | version="1.0.0", 9 | 10 | description="A CDK Python app for AWS IAM Identity Center Automation", 11 | long_description=long_description, 12 | long_description_content_type="text/markdown", 13 | 14 | author="author", 15 | 16 | package_dir={"": "sso_automation_app"}, 17 | packages=find_packages(where="sso_automation_app"), 18 | 19 | install_requires=[ 20 | "aws-cdk-lib>=2.0.0", 21 | ], 22 | 23 | python_requires=">=3.7.10", 24 | 25 | classifiers=[ 26 | "Development Status :: 4 - Beta", 27 | 28 | "Intended Audience :: Developers", 29 | 30 | "License :: OSI Approved :: Apache Software License", 31 | 32 | "Programming Language :: JavaScript", 33 | "Programming Language :: Python :: 3 :: Only", 34 | "Programming Language :: Python :: 3.6", 35 | "Programming Language :: Python :: 3.7", 36 | "Programming Language :: Python :: 3.8", 37 | 38 | "Topic :: Software Development :: Code Generators", 39 | "Topic :: Utilities", 40 | 41 | "Typing :: Typed", 42 | ], 43 | ) 44 | -------------------------------------------------------------------------------- /app.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from aws_cdk import App, Environment, Aspects 4 | from sso_automation_app.sso_stack import AWSSSOStack 5 | import logging 6 | import cdk_nag 7 | 8 | logger = logging.getLogger(__name__) 9 | loghandler = logging.StreamHandler() 10 | formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s") 11 | loghandler.setFormatter(formatter) 12 | logger.addHandler(loghandler) 13 | logger.setLevel(logging.DEBUG) 14 | 15 | app = App() 16 | profile = app.node.try_get_context("profile") 17 | account_id = app.node.try_get_context("accountID") 18 | region_name = app.node.try_get_context("region") 19 | stage = app.node.try_get_context("stage") 20 | stage_bucket = app.node.try_get_context("stagebucket") 21 | organization_id = app.node.try_get_context("orgid") 22 | sso_permission_sets = app.node.try_get_context("permsets") 23 | sso_assignments = app.node.try_get_context("assignments") 24 | 25 | env_info = Environment(account=account_id, region=region_name) 26 | 27 | if profile and env_info: 28 | if sso_permission_sets and sso_assignments: 29 | AWSSSOStack(app, "awssso-stack", sso_permission_sets, sso_assignments, profile, env=env_info) 30 | Aspects.of(app).add(cdk_nag.AwsSolutionsChecks()) 31 | else: 32 | logger.debug("Failed to specify a profile and environment") 33 | 34 | app.synth() 35 | -------------------------------------------------------------------------------- /example_assignments.json: -------------------------------------------------------------------------------- 1 | { 2 | "assignments": [ 3 | { 4 | "permissionSet": "FullAdminPermSet", 5 | "groupName": "SSOCloudAdmin", 6 | "target": "all" 7 | }, 8 | { 9 | "permissionSet": "CWDashboardReadPermSet", 10 | "groupName": "OutpostMonitor", 11 | "target": "ou-1abc-a1bcdefg" 12 | }, 13 | { 14 | "permissionSet": "PowerUserPermSet", 15 | "groupName": "PowerUser", 16 | "target": "ou-2abc-a2bcdefg" 17 | }, 18 | { 19 | "permissionSet": "FullBillingPermSet", 20 | "groupName": "Billing", 21 | "target": "123456789012" 22 | }, 23 | { 24 | "permissionSet": "BillingReadPermSet", 25 | "groupName": "BillingRead", 26 | "target": "123456789012" 27 | }, 28 | { 29 | "permissionSet": "CWDashboardReadPermSet", 30 | "groupName": "CustomerOpsA", 31 | "target": "123456789012" 32 | }, 33 | { 34 | "permissionSet": "CustDeveloperPermSet", 35 | "groupName": "CustomerDevelopersA", 36 | "target": "123456789012" 37 | }, 38 | { 39 | "permissionSet": "CustDevOpsPermSet", 40 | "groupName": "CustomerDevOpsA", 41 | "target": "123456789012" 42 | } 43 | ] 44 | } -------------------------------------------------------------------------------- /org_enum.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import boto3 4 | import logging 5 | 6 | logger = logging.getLogger(__name__) 7 | loghandler = logging.StreamHandler() 8 | formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s") 9 | loghandler.setFormatter(formatter) 10 | logger.addHandler(loghandler) 11 | logger.setLevel(logging.DEBUG) 12 | 13 | 14 | def get_accounts_for_ou(profile, ou): 15 | accounts = [] 16 | session = boto3.Session(profile_name=profile) 17 | org_session = session.client("organizations", region_name="us-east-1") 18 | paginator = org_session.get_paginator('list_organizational_units_for_parent') 19 | for response in paginator.paginate(ParentId=ou): 20 | sub_ous = [data['Id'] for data in response['OrganizationalUnits']] 21 | for sub_ou_id in sub_ous: 22 | accounts.extend(get_accounts_for_ou(profile, sub_ou_id)) 23 | paginator = org_session.get_paginator('list_accounts_for_parent') 24 | for response in paginator.paginate(ParentId=ou): 25 | accounts.extend(data['Id'] for data in response['Accounts']) 26 | 27 | return accounts 28 | 29 | 30 | def get_all_accounts(profile): 31 | session = boto3.Session(profile_name=profile) 32 | org_session = session.client("organizations", region_name="us-east-1") 33 | paginator = org_session.get_paginator('list_accounts') 34 | page_iterator = paginator.paginate() 35 | accounts = [] 36 | for page in page_iterator: 37 | for acct in page['Accounts']: 38 | if acct['Status'] == "ACTIVE": 39 | accounts.append(acct['Id']) 40 | return accounts 41 | -------------------------------------------------------------------------------- /example_permsets.json: -------------------------------------------------------------------------------- 1 | { 2 | "permissionSets": [ 3 | { 4 | "permissionSetName": "CWDashboardReadPermSet", 5 | "managedPolicies": [ 6 | "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess", 7 | "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess", 8 | "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" 9 | ], 10 | "customPolicy": "" 11 | }, 12 | { 13 | "permissionSetName": "FullAdminPermSet", 14 | "managedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"], 15 | "customPolicy": "" 16 | }, 17 | { 18 | "permissionSetName": "PowerUserPermSet", 19 | "managedPolicies": ["arn:aws:iam::aws:policy/PowerUserAccess"], 20 | "customPolicy": "powerusercustompolicy.json" 21 | }, 22 | { 23 | "permissionSetName": "FullBillingPermSet", 24 | "managedPolicies": ["arn:aws:iam::aws:policy/job-function/Billing"], 25 | "customPolicy": "" 26 | }, 27 | { 28 | "permissionSetName": "BillingReadPermSet", 29 | "managedPolicies": ["arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"], 30 | "customPolicy": "" 31 | }, 32 | { 33 | "permissionSetName": "DeveloperPermSet", 34 | "managedPolicies": [ 35 | "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess", 36 | "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess", 37 | "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" 38 | ], 39 | "customPolicy": "developercustompolicy.json" 40 | }, 41 | { 42 | "permissionSetName": "DevOpsPermSet", 43 | "managedPolicies": [ 44 | "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess", 45 | "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess", 46 | "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" 47 | ], 48 | "customPolicy": "devopscustompolicy.json" 49 | } 50 | ] 51 | } -------------------------------------------------------------------------------- /inline_policies/devopscustompolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventPrivilegeEscalation", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "iam:PassRole" 9 | ], 10 | "Resource": [ 11 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess_*", 12 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSPowerUserAccess_*", 13 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSServiceCatalogAdminFullAccess_*", 14 | "arn:aws:iam::*:role/*ControlTower*", 15 | "arn:aws:iam::*:role/*controltower*" 16 | ] 17 | }, 18 | { 19 | "Sid": "WhitelistedActionsForCustomerDevOps", 20 | "Effect": "Allow", 21 | "Action": [ 22 | "eks:*", 23 | "ec2:*", 24 | "autoscaling:*", 25 | "s3:*", 26 | "logs:*", 27 | "events:*", 28 | "iam:PassRole" 29 | ], 30 | "Resource": "*" 31 | }, 32 | { 33 | "Sid": "AllowServiceLinkedRolesCreation", 34 | "Effect": "Allow", 35 | "Action": "iam:CreateServiceLinkedRole", 36 | "Resource": "*", 37 | "Condition": { 38 | "StringEquals": { 39 | "iam:AWSServiceName": [ 40 | "autoscaling.amazonaws.com", 41 | "ec2scheduled.amazonaws.com", 42 | "elasticloadbalancing.amazonaws.com", 43 | "spot.amazonaws.com", 44 | "spotfleet.amazonaws.com", 45 | "transitgateway.amazonaws.com" 46 | ] 47 | } 48 | } 49 | }, 50 | { 51 | "Sid": "CWDashboardFullAccess", 52 | "Effect": "Allow", 53 | "Action": [ 54 | "cloudwatch:PutDashboard", 55 | "cloudwatch:DeleteDashboards" 56 | ], 57 | "Resource": "*" 58 | } 59 | ] 60 | } -------------------------------------------------------------------------------- /inline_policies/developercustompolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "PreventPrivilegeEscalation", 6 | "Effect": "Deny", 7 | "Action": [ 8 | "iam:PassRole" 9 | ], 10 | "Resource": [ 11 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess_*", 12 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSPowerUserAccess_*", 13 | "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSServiceCatalogAdminFullAccess_*", 14 | "arn:aws:iam::*:role/*ControlTower*", 15 | "arn:aws:iam::*:role/*controltower*" 16 | ] 17 | }, 18 | { 19 | "Sid": "WhitelistedActionsForCustomerDevelopers", 20 | "Effect": "Allow", 21 | "Action": [ 22 | "eks:*", 23 | "ec2:*", 24 | "autoscaling:*", 25 | "logs:CreateLogGroup", 26 | "logs:CreateLogStream", 27 | "logs:PutLogEvents" 28 | ], 29 | "Resource": "*" 30 | }, 31 | { 32 | "Sid": "AllowServiceLinkedRolesCreation", 33 | "Effect": "Allow", 34 | "Action": "iam:CreateServiceLinkedRole", 35 | "Resource": "*", 36 | "Condition": { 37 | "StringEquals": { 38 | "iam:AWSServiceName": [ 39 | "autoscaling.amazonaws.com", 40 | "ec2scheduled.amazonaws.com", 41 | "elasticloadbalancing.amazonaws.com", 42 | "spot.amazonaws.com", 43 | "spotfleet.amazonaws.com", 44 | "transitgateway.amazonaws.com" 45 | ] 46 | } 47 | } 48 | }, 49 | { 50 | "Sid": "AllowAccessToWhitelistedS3buckets", 51 | "Effect": "Allow", 52 | "Action": [ 53 | "s3:AbortMultipartUpload", 54 | "s3:CreateAccessPoint", 55 | "s3:DeleteAccessPoint", 56 | "s3:DeleteAccessPointPolicy", 57 | "s3:DeleteObject", 58 | "s3:DeleteObjectTagging", 59 | "s3:GetAccessPoint", 60 | "s3:GetAccessPointPolicy", 61 | "s3:GetAccessPointPolicyStatus", 62 | "s3:GetBucketAcl", 63 | "s3:GetBucketLocation", 64 | "s3:GetObject", 65 | "s3:GetObjectAcl", 66 | "s3:GetObjectTagging", 67 | "s3:GetObjectVersion", 68 | "s3:GetObjectVersionAcl", 69 | "s3:GetObjectVersionTagging", 70 | "s3:ListAccessPoints", 71 | "s3:ListBucket", 72 | "s3:ListBucketMultipartUploads", 73 | "s3:ListMultipartUploadParts", 74 | "s3:PutAccessPointPolicy", 75 | "s3:PutObject", 76 | "s3:PutObjectAcl", 77 | "s3:PutObjectTagging", 78 | "s3:PutObjectVersionTagging" 79 | ], 80 | "Resource": "*" 81 | } 82 | ] 83 | } -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Input Files 2 | assignments.json 3 | permsets.json 4 | 5 | #Output Files 6 | cfn_templates/ 7 | org_data.json 8 | 9 | # Byte-compiled / optimized / DLL files 10 | __pycache__/ 11 | *.py[cod] 12 | *$py.class 13 | 14 | # C extensions 15 | *.so 16 | 17 | # Distribution / packaging 18 | .Python 19 | build/ 20 | develop-eggs/ 21 | dist/ 22 | downloads/ 23 | eggs/ 24 | .eggs/ 25 | lib/ 26 | lib64/ 27 | parts/ 28 | sdist/ 29 | var/ 30 | wheels/ 31 | share/python-wheels/ 32 | *.egg-info/ 33 | .installed.cfg 34 | *.egg 35 | MANIFEST 36 | 37 | # CDK Context & Staging files 38 | cdk.context.json 39 | .cdk.staging/ 40 | cdk.out/ 41 | *.tabl.json 42 | 43 | # PyInstaller 44 | # Usually these files are written by a python script from a template 45 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 46 | *.manifest 47 | *.spec 48 | 49 | # Installer logs 50 | pip-log.txt 51 | pip-delete-this-directory.txt 52 | 53 | # Unit test / coverage reports 54 | htmlcov/ 55 | .tox/ 56 | .nox/ 57 | .coverage 58 | .coverage.* 59 | .cache 60 | nosetests.xml 61 | coverage.xml 62 | *.cover 63 | *.py,cover 64 | .hypothesis/ 65 | .pytest_cache/ 66 | cover/ 67 | 68 | # Translations 69 | *.mo 70 | *.pot 71 | 72 | # Flask stuff: 73 | instance/ 74 | .webassets-cache 75 | 76 | # Scrapy stuff: 77 | .scrapy 78 | 79 | # Sphinx documentation 80 | docs/_build/ 81 | 82 | # PyBuilder 83 | .pybuilder/ 84 | target/ 85 | 86 | # Jupyter Notebook 87 | .ipynb_checkpoints 88 | 89 | # IPython 90 | profile_default/ 91 | ipython_config.py 92 | 93 | # pyenv 94 | # For a library or package, you might want to ignore these files since the code is 95 | # intended to run in multiple environments; otherwise, check them in: 96 | # .python-version 97 | 98 | # pipenv 99 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 100 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 101 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 102 | # install all needed dependencies. 103 | #Pipfile.lock 104 | 105 | # poetry 106 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 107 | # This is especially recommended for binary packages to ensure reproducibility, and is more 108 | # commonly ignored for libraries. 109 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 110 | #poetry.lock 111 | 112 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 113 | __pypackages__/ 114 | 115 | # Celery stuff 116 | celerybeat-schedule 117 | celerybeat.pid 118 | 119 | # SageMath parsed files 120 | *.sage.py 121 | 122 | # Environments 123 | .env 124 | .venv 125 | env/ 126 | venv/ 127 | ENV/ 128 | env.bak/ 129 | venv.bak/ 130 | 131 | # Spyder project settings 132 | .spyderproject 133 | .spyproject 134 | 135 | # Rope project settings 136 | .ropeproject 137 | 138 | # mkdocs documentation 139 | /site 140 | 141 | # mypy 142 | .mypy_cache/ 143 | .dmypy.json 144 | dmypy.json 145 | 146 | # Pyre type checker 147 | .pyre/ 148 | 149 | # pytype static type analyzer 150 | .pytype/ 151 | 152 | # Cython debug symbols 153 | cython_debug/ 154 | 155 | # PyCharm 156 | # JetBrains specific template is maintainted in a separate JetBrains.gitignore that can 157 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 158 | # and can be added to the global gitignore or merged into this file. For a more nuclear 159 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 160 | .idea/ 161 | 162 | # VSCode 163 | # Store launch config in repo but not settings 164 | .vscode/settings.json 165 | /.favorites.json 166 | 167 | # VSCode history plugin 168 | .vscode/.history/ 169 | 170 | # Cloud9 171 | .c9 172 | .nzm-* -------------------------------------------------------------------------------- /id_center_automation.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import json 5 | import subprocess 6 | import logging 7 | import os 8 | import boto3 9 | 10 | logger = logging.getLogger(__name__) 11 | loghandler = logging.StreamHandler() 12 | formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s") 13 | loghandler.setFormatter(formatter) 14 | logger.addHandler(loghandler) 15 | logger.setLevel(logging.DEBUG) 16 | 17 | 18 | def build_parser(): 19 | arg_parser = argparse.ArgumentParser() 20 | arg_parser.add_argument("-v", "--version", action="version", version=f'%(prog)s 1.0.0') 21 | subparsers = arg_parser.add_subparsers(dest='subcommand', help="sub-command help") 22 | sso_parser = subparsers.add_parser('id-center', help='AWS IAM Identity Center stack') 23 | sso_parser.add_argument("--permsets", dest="permsets", help="File containing permission sets") 24 | sso_parser.add_argument("--assignments", dest="assignments", help="File containing assignments") 25 | sso_parser.add_argument("--mgmtacct", help="AWS Organizations Management Account") 26 | sso_parser.add_argument("-p", "--profile", dest="profile", required=True, help="Your AWS profile") 27 | sso_parser.add_argument("-r", "--region", dest="region", required=True, help="AWS Region") 28 | sso_parser.add_argument("-d", "--deploy", action="store_true", default=False, required=False, help="Deploy changes") 29 | sso_parser.add_argument("--destroy", action="store_true", default=False, required=False, help="Destroy the deployed CFN stack") 30 | 31 | org_parser = subparsers.add_parser('describe-org', help='Describe entire AWS Organization') 32 | org_parser.add_argument("-p", "--profile", dest="profile", required=True, help="Your AWS profile") 33 | 34 | return arg_parser 35 | 36 | 37 | if __name__ == "__main__": 38 | parser = build_parser() 39 | args = parser.parse_args() 40 | 41 | if args.profile: 42 | session = boto3.Session(profile_name=args.profile) 43 | 44 | if args.subcommand == "describe-org": 45 | org_client = session.client('organizations') 46 | 47 | aws_organization = {} 48 | org_response = org_client.describe_organization() 49 | aws_organization['Organization'] = org_response['Organization'] 50 | 51 | root_response = org_client.list_roots() 52 | aws_organization['Roots'] = root_response['Roots'] 53 | 54 | root_count = -1 55 | for root_ou in root_response['Roots']: 56 | root_count += 1 57 | 58 | org_id = root_ou['Id'] 59 | aws_organization['Roots'][root_count]['Children'] = [] 60 | ou_response = org_client.list_children(ParentId=org_id, ChildType='ORGANIZATIONAL_UNIT') 61 | 62 | for child_ou in ou_response['Children']: 63 | ou_unit_id = child_ou['Id'] 64 | ou_details = org_client.describe_organizational_unit(OrganizationalUnitId=ou_unit_id) 65 | aws_organization['Roots'][root_count]['Children'].append(ou_details['OrganizationalUnit']) 66 | logger.debug(aws_organization) 67 | json_string = json.dumps(aws_organization, indent=4) 68 | org_info_file = 'org_data.json' 69 | 70 | # Write out Org Structure using a JSON string 71 | with open(org_info_file, 'w') as outfile: 72 | outfile.write(json_string) 73 | 74 | logger.info(f"AWS Organization info saved in {org_info_file}") 75 | 76 | if args.subcommand == "id-center": 77 | output_dir = "./cfn_templates/" 78 | output_file = "aws_sso_auto.json" 79 | sso_stack = output_dir + output_file 80 | 81 | if args.permsets and args.assignments and args.destroy is False: 82 | if not os.path.exists(output_dir): 83 | os.makedirs(output_dir) 84 | 85 | synth_cmd = "cdk synth -j --ec2creds false -c permsets=" + args.permsets + " -c assignments=" + \ 86 | args.assignments + " -c accountID=" + args.mgmtacct + " -c region=" + args.region + \ 87 | " -c profile=" + args.profile + " --profile " + args.profile + " > " + sso_stack 88 | 89 | sso_response = subprocess.run(synth_cmd, shell=True) 90 | 91 | if sso_response.returncode == 0: 92 | logger.info(f"Template generated in {sso_stack}") 93 | else: 94 | logger.info(f"Failed to synth template for AWS IAM Identity Center permission sets") 95 | 96 | if args.deploy: 97 | sso_deploy_cmd = "cdk deploy --ec2creds false -c permsets=" + args.permsets + " -c assignments=" + \ 98 | args.assignments + " -c accountID=" + args.mgmtacct + " -c region=" + args.region + \ 99 | " -c profile=" + args.profile + " --profile " + args.profile 100 | sso_deploy_resp = subprocess.run(sso_deploy_cmd, shell=True) 101 | 102 | if args.permsets and args.assignments and args.destroy: 103 | cmd = "cdk destroy --ec2creds false -c permsets=" + args.permsets + " -c assignments=" + args.assignments \ 104 | + " -c accountID=" + args.mgmtacct + " -c region=" + args.region + " -c profile=" + args.profile \ 105 | + " --profile " + args.profile 106 | sso_response = subprocess.run(cmd, shell=True) 107 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS IAM Identity Center Configuration Automation 2 | 3 | This project accelerates the implementation of # AWS IAM Identity Center by automating the configuration of permission sets and assignments using AWS Cloud Development Kit (CDK). 4 | 5 | ## Prerequisites 6 | 7 | Before you start you should have the following prerequisites: 8 | 9 | - An organization in [AWS Organizations](https://docs.aws.amazon.com/organizations/index.html) 10 | - [Groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html#groups-concept) in [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) 11 | - Administrative access for the Organization Management account 12 | - Python version 3.7.10 or later 13 | - Git 14 | - [AWS CDK v2](https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html) 15 | 16 | ## Environment Set up 17 | 18 | Clone this repo: 19 | ```shell 20 | $ git clone https://github.com/aws-samples/aws-iam-identity-center-automation.git 21 | ``` 22 | 23 | To create a virtualenv run the following command after installing python: 24 | ```shell 25 | python3 -m venv .env 26 | ``` 27 | 28 | On ***macOS/Linux*** run the following command to activate your virtualenv: 29 | ```shell 30 | source .env/bin/activate 31 | ```` 32 | 33 | On ***Windows*** run the following command to activate the virtualenv: 34 | ```shell 35 | .env\Scripts\activate.bat 36 | ```` 37 | 38 | Once the virtualenv is activated, install the required dependencies: 39 | ```shell 40 | pip install -r requirements.txt 41 | ``` 42 | 43 | We recommend setting up a [named profile for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) using the administrative credentials for the Organization Management account to use when running commands. You can also [configure your AWS profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) using the following command, which will set up the default profile: 44 | ```shell 45 | aws configure 46 | ``` 47 | 48 | ## Test 49 | Run the Help (-h) command to make sure that you have your environment setup correctly: 50 | 51 | ```shell 52 | python id_center_automation.py id-center -h 53 | ``` 54 | 55 | You can use the following command to output a JSON file named "org_data.json", that describes your AWS Organization structure with the 56 | necessary IDs to use in the AWS IAM Identity Center input files: 57 | ```shell 58 | python id_center_automation.py describe-org --profile IAMIdentityCenter-test 59 | ``` 60 | 61 | ## Bootstrap AWS Environment 62 | 63 | Generate and deploy the CDK Bootstrap CloudFormation template manually. 64 | 65 | ***macOS/Linux:*** 66 | ```shell 67 | cdk bootstrap --show-template > ./cfn_templates/bootstrap-template.yaml 68 | ``` 69 | 70 | ***Windows:*** 71 | ```shell 72 | powershell "cdk bootstrap --show-template | Out-File -encoding utf8 ./cfn_templates/bootstrap-template.yaml" 73 | ``` 74 | 75 | Once you have the CDK Bootstrap template generated login to the [AWS Console](https://console.aws.amazon.com/) and deploy it using CloudFormation. 76 | 77 | This prepares the environment so that you can deploy your changes directly using CDK. Please note, we always recommend 78 | a thorough review before deploying though. 79 | 80 | ## AWS IAM Identity Center Automation 81 | 82 | ### Custom Policies 83 | Create all your inline custom IAM policies inside the sub folder [inline_policies](/inline_policies/), there are a few examples there already. 84 | 85 | ### Define Permission Sets 86 | Create a file named “permsets.json” in the root folder and put in the details for the permission sets you would like to create. 87 | You can use the [example_permsets.json](example_permsets.json) file included in the root folder to get started. 88 | 89 | ### Define Assignments 90 | Next, create a text file named “assignments.json” in the root folder and put in the details 91 | for the new account assignments you would like to create. Use the target to change the 92 | scope with the option to apply to all accounts, all accounts under an OU or one specific 93 | account. You can use the [example_assignments.json](example_assignments.json) file included in the root folder to get started. 94 | 95 | ### Generate, Deploy and Destroy 96 | 97 | The following command will generate the cloudformation to apply the configured changes without deploying them 98 | ```shell 99 | python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json 100 | ``` 101 | 102 | Deploy the stack by adding the "--deploy" flag 103 | ```shell 104 | python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --deploy 105 | ``` 106 | 107 | Destroy the stack by adding the "--destroy" flag 108 | ```shell 109 | python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --destroy 110 | ``` 111 | 112 | ### Troubleshooting 113 | 114 | #### Error: The CreateStackSet operation fails. 115 | An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set 116 | 117 | #### Resolution: Enable Trusted Access. 118 | 119 | Follow these instructions to [Enable Trusted Access](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html): 120 | https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html 121 | 122 | ## Security 123 | 124 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 125 | 126 | ## License 127 | 128 | This library is licensed under the MIT-0 License. See the LICENSE file. 129 | -------------------------------------------------------------------------------- /sso_automation_app/sso_stack.py: -------------------------------------------------------------------------------- 1 | import boto3 2 | from aws_cdk import Environment, Stack 3 | from aws_cdk import aws_sso as sso 4 | from constructs import Construct 5 | import json 6 | import logging 7 | import re 8 | import org_enum 9 | 10 | logger = logging.getLogger(__name__) 11 | ch = logging.StreamHandler() 12 | formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s") 13 | ch.setFormatter(formatter) 14 | logger.addHandler(ch) 15 | logger.setLevel(logging.DEBUG) 16 | 17 | pattern_email = r'^[a-zA-Z0-9]+(([\.]|[-]|[_]|[+])(?![\.-_])\w+)?[@][^-][a-zA-Z0-9-]+[^-](\.[a-zA-Z]{2,4}){1,3}$' 18 | pattern_account = r'123456789|(\d)\1{11,11}' 19 | pattern_account_id = r'^(\d){12}$' 20 | 21 | 22 | def check_email(email): 23 | flag = False 24 | if re.search(pattern_email, email): 25 | flag = True 26 | return bool(flag) 27 | 28 | 29 | def check_acct(acct): 30 | flag = False 31 | if re.search(pattern_account_id, acct): 32 | if re.search(pattern_account, acct): 33 | return bool(flag) 34 | else: 35 | flag = True 36 | return bool(flag) 37 | 38 | 39 | def get_permission_sets(permission_sets_file): 40 | managed_policy_list = [] 41 | permission_set_name = [] 42 | custom_policy_list = [] 43 | with open(permission_sets_file, "r") as perm_file: 44 | permission_sets = json.load(perm_file) 45 | 46 | for permset in permission_sets["permissionSets"]: 47 | logger.debug("permset: " + json.dumps(permset)) 48 | 49 | permission_set_name.append(permset["permissionSetName"]) 50 | managed_policy_list.append(permset["managedPolicies"]) 51 | custom_policy_list.append(permset["customPolicy"]) 52 | 53 | return permission_set_name, managed_policy_list, custom_policy_list 54 | 55 | 56 | def list_sso_instances(sso_session): 57 | paginator = sso_session.get_paginator('list_instances') 58 | page_iterator = paginator.paginate() 59 | for page in page_iterator: 60 | for instance in page['Instances']: 61 | # Note: assume one SSO instance only 62 | instance_arn = instance["InstanceArn"] 63 | id_store = instance["IdentityStoreId"] 64 | return instance_arn, id_store 65 | 66 | 67 | def get_group_ids(profile, id_store, group_name): 68 | session = boto3.Session(profile_name=profile) 69 | id_store_client = session.client("identitystore") 70 | group_details = {} 71 | groups = id_store_client.list_groups(IdentityStoreId=id_store, 72 | Filters=[{'AttributePath': 'DisplayName', 'AttributeValue': group_name}]) 73 | for response in groups['Groups']: 74 | group_details[group_name] = response['GroupId'] 75 | 76 | return group_details 77 | 78 | 79 | def get_target_account(profile, target): 80 | org_accounts = [] 81 | o = re.match(r'^ou-', target) 82 | m = re.fullmatch(r'All', target, flags=re.I) 83 | a = re.match(r'[0-9]', target) 84 | if m: 85 | org_accounts = org_enum.get_all_accounts(profile) 86 | if a: 87 | org_accounts.append(target) 88 | if o: 89 | org_accounts = org_enum.get_accounts_for_ou(profile, target) 90 | return org_accounts 91 | 92 | 93 | def get_assign(assignments_file, profile, sso_id_store): 94 | allocated = [] 95 | with open(assignments_file, "r") as assign_file: 96 | assignments = json.load(assign_file) 97 | 98 | for assign in assignments["assignments"]: 99 | logger.debug("assign: " + json.dumps(assign)) 100 | 101 | perm_set = assign["permissionSet"] 102 | grp_name = assign["groupName"] 103 | group_details = get_group_ids(profile, sso_id_store, grp_name) 104 | 105 | target = assign["target"] 106 | target_accounts = get_target_account(profile, target) 107 | 108 | allocated.append((group_details, target_accounts, perm_set)) 109 | return allocated 110 | 111 | 112 | class AWSSSOStack(Stack): 113 | 114 | def __init__(self, scope: Construct, id: str, ssopermsets: str, ssoassigns: str, profile: str, 115 | env: Environment, **kwargs) -> None: 116 | super().__init__(scope, id, **kwargs) 117 | 118 | self.permnames, self.managedpolicies, self.custompolicies = get_permission_sets(ssopermsets) 119 | self.session = boto3.Session(profile_name=profile) 120 | self.sso_session = self.session.client('sso-admin', region_name=env.region) 121 | self.ssoinstancearn, self.ssoidstore = list_sso_instances(self.sso_session) 122 | 123 | perm_sets = {} 124 | index = 0 125 | for perm_name in self.permnames: 126 | new_perm_set = sso.CfnPermissionSet(self, perm_name, instance_arn=self.ssoinstancearn, name=perm_name) 127 | 128 | if self.custompolicies[index]: 129 | with open('./inline_policies/' + self.custompolicies[index], 'r') as f: 130 | check = f.read() 131 | try: 132 | custom_policy_contents = json.loads(check) 133 | except ValueError as e: 134 | logger.debug( 135 | f"Inline Policy {self.custompolicies[index]} is not in a valid JSON format. Error {e}") 136 | 137 | new_perm_set.inline_policy = custom_policy_contents 138 | 139 | if isinstance(self.managedpolicies[index], list) and self.managedpolicies[index] != "": 140 | new_perm_set.managed_policies = self.managedpolicies[index] 141 | elif self.managedpolicies[index] != "": 142 | new_perm_set.managed_policies = [self.managedpolicies[index]] 143 | 144 | self.permset = new_perm_set 145 | perm_sets[perm_name] = self.permset.attr_permission_set_arn 146 | index += 1 147 | # Get default permission sets 148 | try: 149 | list_paginator = self.sso_session.get_paginator('list_permission_sets') 150 | for response in list_paginator.paginate(InstanceArn=self.ssoinstancearn): 151 | for ps in response['PermissionSets']: 152 | details = self.sso_session.describe_permission_set( 153 | InstanceArn=self.ssoinstancearn, 154 | PermissionSetArn=ps 155 | ) 156 | ps_name = details['PermissionSet']['Name'] 157 | # if ps_name.startswith('AWS'): 158 | perm_sets[ps_name] = details['PermissionSet']['PermissionSetArn'] 159 | except Exception as e: 160 | print(e) 161 | 162 | self.permission_set_arns = perm_sets 163 | self.allocated = get_assign(ssoassigns, profile, self.ssoidstore) 164 | logger.debug(f"{self.allocated}") 165 | count = 1 166 | for item in self.allocated: 167 | logger.debug(f"item: {item}") 168 | 169 | # if item[0] is empty it's likely an invalid sso group name 170 | if len(item[0]) <= 0: 171 | logger.warning("Please check the SSO group names in your assignments file") 172 | 173 | for acct_id in item[1]: 174 | logger.debug(f"acct_id: {acct_id}") 175 | for k in item[0].keys(): 176 | grp_name = k 177 | for v in item[0].values(): 178 | principal_id = v 179 | 180 | self.assign = sso.CfnAssignment( 181 | self, grp_name + "Assignment" + acct_id, 182 | instance_arn=self.ssoinstancearn, 183 | permission_set_arn=self.permission_set_arns[item[2]], 184 | principal_id=principal_id, 185 | principal_type="GROUP", 186 | target_id=acct_id, 187 | target_type="AWS_ACCOUNT" 188 | ) 189 | count += 1 190 | --------------------------------------------------------------------------------