This Terraform module configures a Lambda function for provisioning (and deprovisioning) AWS SSO Identity Store users and groups from EntraID.
The Lambda function used to use the SCIM endpoints (hence its name, moj-terraform-scim-github), but now uses the direct Identity Store API. The SCIM API has limitations such as not being able to list more than 50 groups or members (and doesn't support startIndex, so you can't paginate them), whereas the Identity Store API does allow pagination. This allows us to deprovision users and groups using the Identity Store API, which you cannot do easily with the SCIM API.
This function only syncs EntraID groups that begin with azure-aws-sso-
module "scim" {
source = "github.com/ministryofjustice/moj-terraform-scim-entra-id"
# Required variables for the module
azure_tenant_id = "your-tenant-id"
azure_client_id = "your-client-id"
azure_client_secret = "your-client-secret"
}| Name | Version |
|---|---|
| terraform | >= 1.0 |
| archive | >= 2.4.0 |
| aws | >= 5.0.0 |
| Name | Version |
|---|---|
| archive | >= 2.4.0 |
| aws | >= 5.0.0 |
No modules.
| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.lambda_schedule | resource |
| aws_cloudwatch_event_target.lambda_target | resource |
| aws_cloudwatch_log_group.default | resource |
| aws_iam_policy.default | resource |
| aws_iam_role.default | resource |
| aws_iam_role_policy_attachment.default | resource |
| aws_lambda_function.default | resource |
| aws_lambda_permission.allow_eventbridge | resource |
| archive_file.function | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.default | data source |
| aws_kms_alias.lambda | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| azure_client_id | Client ID for AzureAD application | string |
n/a | yes |
| azure_client_secret | Client Secret for AzureAD application | string |
n/a | yes |
| azure_tenant_id | Tenant ID for to use for user sync | string |
n/a | yes |
| tags | Tags to apply to resources | map(any) |
{} |
no |
| Name | Description |
|---|---|
| lambda_function_name | Name of the deployed Lambda function |