{"id":30199619,"url":"https://github.com/masterpointio/terraform-aws-identity-center-users","last_synced_at":"2026-05-18T15:07:44.921Z","repository":{"id":302149466,"uuid":"1006342870","full_name":"masterpointio/terraform-aws-identity-center-users","owner":"masterpointio","description":"Terraform module to manage AWS IAM Identity Center (SSO) users, including assigning users, groups, and permission sets.","archived":false,"fork":false,"pushed_at":"2026-04-02T23:39:45.000Z","size":218,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-03T09:06:59.081Z","etag":null,"topics":["aws","aws-sso","aws-sso-users","iam-identity-center","identity-center","identity-center-users","opentofu","sso","sso-users","terraform"],"latest_commit_sha":null,"homepage":"https://masterpoint.io","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/masterpointio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-22T03:41:24.000Z","updated_at":"2026-04-02T23:39:30.000Z","dependencies_parsed_at":"2025-06-30T21:26:31.170Z","dependency_job_id":"ebc4d842-0731-461e-a16a-4c98df69a836","html_url":"https://github.com/masterpointio/terraform-aws-identity-center-users","commit_stats":null,"previous_names":["masterpointio/terraform-aws-identity-center-users"],"tags_count":1,"template":false,"template_full_name":"masterpointio/terraform-module-tem
plate","purl":"pkg:github/masterpointio/terraform-aws-identity-center-users","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masterpointio%2Fterraform-aws-identity-center-users","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masterpointio%2Fterraform-aws-identity-center-users/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masterpointio%2Fterraform-aws-identity-center-users/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masterpointio%2Fterraform-aws-identity-center-users/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/masterpointio","download_url":"https://codeload.github.com/masterpointio/terraform-aws-identity-center-users/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/masterpointio%2Fterraform-aws-identity-center-users/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33181831,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-sso","aws-sso-users","iam-identity-center","identity-center","identity-center-users","opentofu","sso","sso-users","terraform"],"created_at":"2025-08-13T08:07:04.194Z","updated_at":"2026-05-18T15:07:44.905Z","avatar_url":"https://github.com/masterpointio.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Banner][banner-image]](https://masterpoint.io/)\n\n# terraform-aws-identity-center-users\n\n[![Release][release-badge]][latest-release]\n\n💡 Learn more about Masterpoint [below](#who-we-are-𐦂𖨆𐀪𖠋).\n\n## Purpose and Functionality\n\nThis Terraform module provisions, configures, and manages AWS IAM Identity Center (SSO) with built-in user provisioning, including assigning users, groups, and permission sets.\n\n- This is designed to be seamless for organizations that want to **manage users within the AWS Identity Center directory as their identity source** instead of an external identity provider (such as Okta, Azure Active Directory, etc.). This means that all users are managed by IaC.\n\n### Notes\n\n- Authentication is handled by AWS Identity Center. 
Once Terraform creates a user, the user exists in the AWS Identity Center directory.\n  - However, the AWS Terraform provider does not support setting the option to send a credentials/verification email after creation, so the administrator must go into the AWS Identity Center directory console and enable [\"Send email OTP for users created from API\"](https://docs.aws.amazon.com/singlesignon/latest/userguide/userswithoutpwd.html), or manually request a verification email for each user so users can reset their own password.\n    ![AWS Identity Center Email OTP](./aws-identity-center-user-email-otp.png)\n    ![AWS Identity Center User Verification](./aws-identity-center-user-verification-screenshot.png)\n\n## Usage\n\n### Prerequisites\n\n- You will need to manually (ClickOps) enable AWS Identity Center \u0026 create an SSO instance in the AWS account that you want to be set as the \"management account\" for your organization. See https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html.\n  - The SSO instance itself is not managed by Terraform; there is no Terraform resource for it. 
Settings such as MFA configuration must be updated manually in the AWS console (ClickOps).\n- After enabling it, Terraform can reference the instance using the `data \"aws_ssoadmin_instances\" \"sso\" {}` data source.\n\n### See below for a simplistic example of how to use this module\n\n```hcl\ndata \"aws_ssoadmin_instances\" \"sso\" {}\n\nlocals {\n  instance_arn      = tolist(data.aws_ssoadmin_instances.sso.arns)[0]\n  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]\n}\n\nmodule \"aws_sso\" {\n  source = \"github.com/masterpointio/terraform-aws-identity-center-users?ref=v1.x.x\"\n\n  instance_arn      = local.instance_arn\n  identity_store_id = local.identity_store_id\n\n  users = [\n    {\n      user_name   = \"john.doe\"\n      given_name  = \"John\"\n      family_name = \"Doe\"\n      email       = \"john.doe@example.com\"\n    },\n  ]\n\n  groups = [\n    {\n      name        = \"Administrators\"\n      description = \"Full administrative access\"\n      members     = [\"john.doe\"]\n      assignments = [\n        {\n          permission_set = \"AdministratorAccess\"\n          account_ids    = [\"123456789012\", \"234567890123\"]\n        }\n      ]\n    },\n  ]\n\n  permission_sets = [\n    {\n      name             = \"AdministratorAccess\"\n      description      = \"Full administrator access to an account.\"\n      session_duration = \"PT12H\"\n      managed_policies = [\n        \"arn:aws:iam::aws:policy/AdministratorAccess\"\n      ]\n    }\n  ]\n}\n```\n\n## Examples\n\nHere are some examples of using this module:\n\n- [`examples/complete`](./examples/complete) - example using a `tfvars` file to manage users, groups, and permission sets\n- [`examples/json-user-management`](./examples/json-user-management) - example using a `json` file to manage users, groups, and permission sets\n- [`examples/yaml-user-management`](./examples/yaml-user-management) - example using a `yaml` file to manage users, groups, and permission sets\n\n\u003c!-- 
prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable MD013 --\u003e\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.0.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 5.0 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_identitystore_group.groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group) | resource |\n| [aws_identitystore_group_membership.memberships](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_group_membership) | resource |\n| [aws_identitystore_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user) | resource |\n| [aws_ssoadmin_account_assignment.assignments](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource |\n| [aws_ssoadmin_customer_managed_policy_attachment.customer_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource |\n| [aws_ssoadmin_managed_policy_attachment.policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource |\n| [aws_ssoadmin_permission_set.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource |\n| [aws_ssoadmin_permission_set_inline_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | 
resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_groups\"\u003e\u003c/a\u003e [groups](#input\\_groups) | List of SSO groups | \u003cpre\u003elist(object({\u003cbr/\u003e    name        = string\u003cbr/\u003e    description = string\u003cbr/\u003e    members     = list(string)\u003cbr/\u003e    assignments = optional(list(object({\u003cbr/\u003e      permission_set = string\u003cbr/\u003e      account_ids    = list(string)\u003cbr/\u003e    })), [])\u003cbr/\u003e  }))\u003c/pre\u003e | n/a | yes |\n| \u003ca name=\"input_identity_store_id\"\u003e\u003c/a\u003e [identity\\_store\\_id](#input\\_identity\\_store\\_id) | Identity store ID | `string` | n/a | yes |\n| \u003ca name=\"input_instance_arn\"\u003e\u003c/a\u003e [instance\\_arn](#input\\_instance\\_arn) | SSO instance ARN | `string` | n/a | yes |\n| \u003ca name=\"input_permission_sets\"\u003e\u003c/a\u003e [permission\\_sets](#input\\_permission\\_sets) | List of permission sets | \u003cpre\u003elist(object({\u003cbr/\u003e    name             = string\u003cbr/\u003e    description      = string\u003cbr/\u003e    managed_policies = optional(list(string), [])\u003cbr/\u003e    session_duration = optional(string, \"PT12H\") # The length of time that the application user sessions in the ISO-8601 standard\u003cbr/\u003e    inline_policy    = optional(string, null)\u003cbr/\u003e    relay_state      = optional(string, null)\u003cbr/\u003e    tags             = optional(map(string), {})\u003cbr/\u003e    customer_managed_policy_attachments = optional(list(object({\u003cbr/\u003e      name = string\u003cbr/\u003e      path = optional(string, \"/\")\u003cbr/\u003e    })), [])\u003cbr/\u003e  }))\u003c/pre\u003e | n/a | yes |\n| \u003ca name=\"input_users\"\u003e\u003c/a\u003e [users](#input\\_users) | List of SSO users | \u003cpre\u003elist(object({\u003cbr/\u003e    user_name   = string\u003cbr/\u003e    
given_name  = string\u003cbr/\u003e    family_name = string\u003cbr/\u003e    email       = string\u003cbr/\u003e  }))\u003c/pre\u003e | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_account_assignments\"\u003e\u003c/a\u003e [account\\_assignments](#output\\_account\\_assignments) | List of account assignments. |\n| \u003ca name=\"output_group_memberships\"\u003e\u003c/a\u003e [group\\_memberships](#output\\_group\\_memberships) | List of group memberships. |\n| \u003ca name=\"output_groups\"\u003e\u003c/a\u003e [groups](#output\\_groups) | Map of groups. |\n| \u003ca name=\"output_permission_sets\"\u003e\u003c/a\u003e [permission\\_sets](#output\\_permission\\_sets) | Map of permission sets. |\n| \u003ca name=\"output_users\"\u003e\u003c/a\u003e [users](#output\\_users) | Map of users. |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\u003c!-- markdownlint-enable MD013 --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n## Built By\n\nPowered by the [Masterpoint team](https://masterpoint.io/who-we-are/) and driven forward by contributions from the community ❤️\n\n[![Contributors][contributors-image]][contributors-url]\n\n## Contribution Guidelines\n\nContributions are welcome and appreciated!\n\nFound an issue or want to request a feature? [Open an issue][issues-url]\n\nWant to fix a bug you found or add some functionality? Fork, clone, commit, push, and PR — we'll check it out.\n\n## Who We Are 𐦂𖨆𐀪𖠋\n\nEstablished in 2016, Masterpoint is a team of experienced software and platform engineers specializing in Infrastructure as Code (IaC). We provide expert guidance to organizations of all sizes, helping them leverage the latest IaC practices to accelerate their engineering teams.\n\n### Our Mission\n\nOur mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence. 
By open-sourcing tools and modules that we use internally, we aim to contribute back to the community, promoting consistency, quality, and security.\n\n### Our Commitments\n\n- 🌟 **Open Source**: We live and breathe open source, contributing to and maintaining hundreds of projects across multiple organizations.\n- 🌎 **1% for the Planet**: Demonstrating our commitment to environmental sustainability, we are proud members of [1% for the Planet](https://www.onepercentfortheplanet.org), pledging to donate 1% of our annual sales to environmental nonprofits.\n- 🇺🇦 **1% Towards Ukraine**: With team members and friends affected by the ongoing [Russo-Ukrainian war](https://en.wikipedia.org/wiki/Russo-Ukrainian_War), we donate 1% of our annual revenue to invasion relief efforts, supporting organizations providing aid to those in need. [Here's how you can help Ukraine with just a few clicks](https://masterpoint.io/updates/supporting-ukraine/).\n\n## Connect With Us\n\nWe're active members of the community and are always publishing content, giving talks, and sharing our hard earned expertise. Here are a few ways you can see what we're up to:\n\n[![LinkedIn][linkedin-badge]][linkedin-url] [![Newsletter][newsletter-badge]][newsletter-url] [![Blog][blog-badge]][blog-url] [![YouTube][youtube-badge]][youtube-url]\n\n... 
and be sure to connect with our founder, [Matt Gowie](https://www.linkedin.com/in/gowiem/).\n\n## License\n\n[Apache License, Version 2.0][license-url].\n\n[![Open Source Initiative][osi-image]][license-url]\n\nCopyright © 2016-2025 [Masterpoint Consulting LLC](https://masterpoint.io/)\n\n\u003c!-- MARKDOWN LINKS \u0026 IMAGES --\u003e\n\n[banner-image]: https://masterpoint-public.s3.us-west-2.amazonaws.com/v2/standard-long-fullcolor.png\n[license-url]: https://opensource.org/license/apache-2-0\n[osi-image]: https://i0.wp.com/opensource.org/wp-content/uploads/2023/03/cropped-OSI-horizontal-large.png?fit=250%2C229\u0026ssl=1\n[linkedin-badge]: https://img.shields.io/badge/LinkedIn-Follow-0A66C2?style=for-the-badge\u0026logoColor=white\n[linkedin-url]: https://www.linkedin.com/company/masterpoint-consulting\n[blog-badge]: https://img.shields.io/badge/Blog-IaC_Insights-55C1B4?style=for-the-badge\u0026logoColor=white\n[blog-url]: https://masterpoint.io/updates/\n[newsletter-badge]: https://img.shields.io/badge/Newsletter-Subscribe-ECE295?style=for-the-badge\u0026logoColor=222222\n[newsletter-url]: https://newsletter.masterpoint.io/\n[youtube-badge]: https://img.shields.io/badge/YouTube-Subscribe-D191BF?style=for-the-badge\u0026logo=youtube\u0026logoColor=white\n[youtube-url]: https://www.youtube.com/channel/UCeeDaO2NREVlPy9Plqx-9JQ\n[release-badge]: https://img.shields.io/github/v/release/masterpointio/terraform-aws-identity-center-users?color=0E383A\u0026label=Release\u0026style=for-the-badge\u0026logo=github\u0026logoColor=white\n[latest-release]: https://github.com/masterpointio/terraform-aws-identity-center-users/releases/latest\n[contributors-image]: https://contrib.rocks/image?repo=masterpointio/terraform-aws-identity-center-users\n[contributors-url]: https://github.com/masterpointio/terraform-aws-identity-center-users/graphs/contributors\n[issues-url]: 
https://github.com/masterpointio/terraform-aws-identity-center-users/issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmasterpointio%2Fterraform-aws-identity-center-users","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmasterpointio%2Fterraform-aws-identity-center-users","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmasterpointio%2Fterraform-aws-identity-center-users/lists"}