AWS Single Sign-On Resource

[pritho]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Create a resource to manage AWS Single Sign-On, as per the newly aanounced support for integrating with Azure AD: https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

New or Affected Resource(s)

AWS Single-Sign On

• aws_single_sign_on

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

• #0000

[bflad]

Hi @krathow 👋 Can you please point to the AWS CLI, AWS API Reference, or AWS Go SDK documentation that shows how these components can be created? For example, the AWS Go SDK sso package does not implement this type of functionality. I believe this functionality is not publicly available for programmatic creation at the current time, which means that the Terraform AWS Provider cannot implement support for this.

[pritho]

Hi @bflad , you're absolutely right, I'm checking with AWS where they are in means of automation and wil reopen this issue once an appropriate API is available.

[mmerickel]

I'm not sure this should be closed... it may just not be possible to implement until the underlying libraries are updated but surely that's coming? I'd like to follow this, or another issue to monitor its progress anyway.

[pritho]

@mmerickel : yes, sounds good, I've got a case open with AWS to get notified once the API is available. I'll update this issue once it's available. For the mean time I'll keep this open

[christophetd]

@krathow Thanks for looking into this, it's definitely much needed! Did you get any timeline from the AWS side? It's unfortunate they chose to release such an important service without an API.

[pritho]

@christophetd unfortunately I did not get any information yet. I've escalated the topic again but did not get anything back.
I keep on trying to get something...

[Computer15776]

It looks like account assignment has been made available in the AWS Go SDK, relevant announcement here.

[jbscare]

How does this issue relate to #15108 ?

[bflad]

Hi folks 👋 Since #15108 has more concrete details relating to the SSO API released yesterday, I'm going to close this issue in preference of that one. Please 👍 upvote and subscribe there for further updates.

[sean-nixon]

@bflad I noticed this issue has been closed in favor of my issue. The API released yesterday only pertains to managing AWS SSO permission sets and assignments. It does not actually allow enabling AWS SSO or configuring any other AWS SSO settings such as integration with Azure AD. I wonder if this issue should still remain open to track the request for those features, even if there's no API available for them yet.

[bflad]

Great point, @sean-nixon 👍 Since there's nothing concrete about the implementation details of that particular portion of SSO support since it hasn't been released by AWS, there's nothing actionable for this project (and we have a lot of open, actionable items already 😉 ). I'm worried about having multiple SSO issues open and folks being confused what to follow for updates on particular functionality.

For anyone interested in the SSO functionality such as AzureAD, our best recommendation at this time is to contact AWS Support with a feature request asking for programmatic (API) support. That AWS service team can also reach out to the maintainers here through the Amazon Partner Network if they would like to collaborate ahead of any potential launch. Until it is announced publicly, our preference will be to not keep an issue open for functionality that cannot be implemented.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!