100-sso-_tasks.yml

Parameters:
  <<: !Include '../organization-parameters.yml'

  appName:
    Type: String
    Default: 'sso'

  # AWS SSO instance ARN
  instanceArn:
    Type: String
    Default: replace-me:SSO-ID

  # Principal ID from Identity Provider's group used by administrators
  adminGroup:
    Type: String
    Default: replace-me:Admin-Group-ID

  # Principal ID from Identity Provider's group used by developers
  developerGroup:
    Type: String
    Default: replace-me:Developer-Group-ID

SsoAdministrator:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-admin'
  StackDescription: 'Full permission role used by Admin group within whole organization'
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      Account: '*'
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref adminGroup
    permissionSetName: 'Administrator'
    managedPolicies: [ 'arn:aws:iam::aws:policy/AdministratorAccess' ]
    sessionDuration: 'PT1H'
    masterAccountId: !Ref MasterAccount

SsoDeveloper:
  Type: update-stacks
  Template: ./aws-sso.yml
  StackName: !Sub '${resourcePrefix}-${appName}-developer'
  StackDescription: 'Read and Write role used by Developer group'
  TerminationProtection: false
  DefaultOrganizationBindingRegion: !Ref primaryRegion
  DefaultOrganizationBinding:
    IncludeMasterAccount: true
  OrganizationBindings:
    TargetBinding:
      OrganizationalUnit:
        - !Ref ActiveOU
  Parameters:
    instanceArn: !Ref instanceArn
    principalId: !Ref developerGroup
    permissionSetName: 'Developer'
    managedPolicies: [ 'arn:aws:iam::aws:policy/PowerUserAccess' ]
    sessionDuration: 'PT12H'