Centralizing User Access Management Using Terraform for SaaS Applications — Part 1

Centralizing User Access Management Using Terraform for SaaS Applications — Part 1

In today’s SaaS-driven world, managing employee access to multiple applications is a critical yet challenging task for organizations. Whether onboarding a new hire or ensuring prompt offboarding, having a centralized system for managing user access is essential for efficiency, security, and compliance.

In Maya Kaczorowski’s blog post about What sucks in security? Research findings from 50+ security leaders it mentioned that Access management is the top security issue.

In this blog, we’ll explore how Terraform can serve as a robust tool for provisioning and deprovisioning user access to SaaS applications.

? Why Centralized User Access Management is Essential

As organizations grow, so does the complexity of managing user access to a multitude of SaaS tools. Manual processes for granting or revoking access are not only time-consuming but also prone to human error, creating security risks and operational inefficiencies.

A centralized system for managing user access:

  • Streamlines Onboarding and Offboarding: Ensures that employees have immediate access to necessary tools when joining and lose access promptly when they leave.
  • Improves Security: Reduces the risk of unauthorized access by ensuring accurate and timely permission changes.
  • Supports Compliance: Provides an audit trail to meet regulatory requirements and internal governance policies.

Terraform, as an Infrastructure-as-Code (IaC) tool, is perfectly suited for automating user access management across multiple SaaS platforms.

✔️ Standardizing Identity for SaaS Applications

Before diving into Terraform configurations, it’s essential to establish identity standards. These ensure consistency and simplify the integration of new SaaS applications.

Key Identity Standards:

  1. Naming Conventions: Use consistent usernames, such as first.last, across all applications.
  2. Email Address Structure: Adopt a standard format like [email protected] for all user accounts.
  3. Role-Based Access Control (RBAC): Define roles based on job functions or teams (e.g., “developer”, “marketing”) to simplify permission assignments.
  4. Lifecycle Management: Automate processes for onboarding, offboarding, and role changes to minimize errors and enhance security.

? Terraform for User Provisioning and Deprovisioning

Terraform enables you to manage user access programmatically, ensuring consistency and scalability. With its extensive provider ecosystem, Terraform can integrate seamlessly with a wide range of SaaS applications like GitLab, AWS, and Google Workspace.

⚠️ In this post will only cover 2 SaaS service as example such as AWS & Gitlab

?Benefits of Using Terraform:

  1. Centralized Management: Define and manage all user access configurations in one place.
  2. Automation: Automate repetitive tasks such as provisioning and deprovisioning.
  3. Version Control: Track changes to user access configurations using version control systems like Git.
  4. Scalability: Easily extend configurations as your organization adopts new SaaS tools.
  5. Auditability: Maintain a detailed history of all access changes for compliance and governance.

? Terraform Example: Automating Onboarding and Offboarding

Here’s how you can use Terraform to manage user access for a SaaS application like GitLab.

? Provisioning a New User

provider "gitlab" {
token = var.gitlab_token
}

resource "gitlab_user" "new_employee" {
username = "john.doe"
email = "[email protected]"
name = "John Doe"
state = "active"
}

This configuration automatically provisions a new user in Gitlab.

? Deprovisioning a User

resource "gitlab_user" "new_employee" {
username = "john.doe"
email = "[email protected]"
name = "John Doe"
state = "deactivate" # <-- state change to deactivate to revoke access
}

This configuration automatically revokes Gitlab access for an employee leaving the company, ensuring immediate offboarding.

?️ Terraform Project Structure for User Access Management

A well-organized Terraform project structure is key to managing user access efficiently, especially in larger organizations. Here’s a example structure:

access_management/
├── data
│ ├── rbac.yaml # contains permission and privilege information
│ └── users.yaml # contains user information about particular saas service
├── modules
│ ├── aws # AWS related configuration
│ │ ├── iam.tf
│ │ ├── main.tf
│ │ ├── providers.tf
│ │ └── variables.tf
│ ├── gitlab # Gitlab related configuration
│ │ ├── groups.tf
│ │ ├── main.tf
│ │ ├── providers.tf
│ │ ├── variables.tf
│ │ └── versions.tf
├── main.tf
└── variables.tf

? Benefits of This Structure:

  1. Modularity: Each module handles a specific task (e.g., provisioning or deprovisioning), making it reusable across environments.
  2. Separation of Concerns: Providers, modules, and environment-specific configurations are logically separated for clarity.
  3. Scalability: Easily add new SaaS providers or modules as your organization adopts more tools.

?️ User & Privilege Information

rbac.yaml

This YAML file defines configuration data for AWS and GitLab groups, used by Terraform to manage resources dynamically.

aws:
groups:
- name: DevOps
policies: [arn:aws:iam::aws:policy/AdministratorAccess]

- name: Security
policies: [arn:aws:iam::aws:policy/SecurityAudit]

- name: Developer
policies: [arn:aws:iam::aws:policy/AmazonS3FullAccess]

gitlab:
groups: ["devops", "security", "product"]

This structure provides a centralized way to define group policies and roles for multiple systems, improving consistency and manageability.

users.yaml

This YAML file defines user-specific configurations for managing resources across multiple platforms (GitLab and AWS). Each user’s details include their roles, platform-specific groups, and general information.

users:
- username: "john.doe"
gitlab:
group: ["devops::maintainer", "product"]
state: active
aws:
path: "/"
group: [DevOps]
user_info:
name: "John Doe"
email: "[email protected]"
team: devops

This YAML allows Terraform to dynamically provision and manage users across platforms based on a single source of truth.

Modules

Example of modules/aws/main.tf

locals {
aws_user = { for user in var.users : user["username"] => user if contains(keys(user), "aws") }
}

resource "aws_iam_user" "user" {
for_each = local.aws_user
name = each.value["username"]
path = lookup(each.value, "path", "/")
tags = lookup(each.value, "tags", {})
permissions_boundary = lookup(each.value["aws"], "permissions_boundary", null)
}

resource "aws_iam_user_login_profile" "user_login_profile" {
for_each = local.aws_user
user = aws_iam_user.user[each.value["username"]].name
password_reset_required = true
}

resource "aws_iam_user_group_membership" "membership" {
for_each = local.aws_user

groups = each.value["aws"].group
user = each.value.username

depends_on = [
aws_iam_user.user
]
}

This module defines IAM user resources for AWS, filtering input user data (var.users) to only include those with AWS-specific configurations.

1. locals.aws_user:

  • Filters var.users to include only users with an "aws" key.
  • Maps username as the key for easy reference.

2. aws_iam_user Resource:

  • Creates an IAM user for each filtered user.
  • Sets user properties like name, path, and optional tags.
  • Optionally applies a permissions boundary if defined in the aws block.

3. aws_iam_user_login_profile Resource:

  • Configures login profiles for each IAM user (used for console access).
  • Sets password_reset_required to true.

4. aws_iam_user_group_membership Resource:

  • Assigns IAM users to specific groups defined in the aws block of the user data.
  • Depends on the aws_iam_user resource to ensure the user is created before adding to groups.

This modular approach simplifies managing IAM users, login profiles, and group memberships while keeping the configuration dynamic and reusable.

main.tf

In the root directory main.tf, you can invoke modules with environment-specific configurations like so:

locals {
users = yamldecode(file("${path.module}/data/users.yaml"))
}

locals {
rbac = yamldecode(file("${path.module}/data/rbac.yaml"))
}

locals {
provider_creds = jsondecode(data.aws_secretsmanager_secret_version.credentials.secret_string)
}

data "aws_secretsmanager_secret_version" "credentials" {
secret_id = var.secret_manager_creds_name
}

data "aws_secretsmanager_secret_version" "credentials" {
secret_id = var.secret_manager_creds_name
}

module "provision_users_aws" {
source = "./modules/aws"
users = local.users["users"]
rbac = local.rbac["aws"]["groups"]
}

This Terraform code dynamically provisions AWS resources for users based on configuration data stored in YAML files.

Local Variables

local.users:

  • Loads and decodes the users.yaml file from the module's data directory.
  • Provides user-specific configurations (e.g., usernames, group assignments, and platform details).
  • Example: local.users["users"] references the list of users from the YAML file.

local.rbac:

  • Loads and decodes the rbac.yaml file from the module's data directory.
  • Contains Role-Based Access Control (RBAC) definitions, including groups and policies.
  • Example: local.rbac["aws"]["groups"] references AWS IAM group configurations.

local.provider_creds:

  • Decodes the JSON string (credentials.secret_string) from AWS Sercret Manager into a structured object for use within Terraform.
  • Provides credentials (e.g., access keys, tokens) for dynamic provisioning of cloud resources in modules or resources.
  • Creating AWS Secret Manager is needed in order to load the credentials
  • Example content of AWS Secret Manager:
{
"cloudflare":{
"api_key":"XXX"
},
"grafana":{
"api_key":"XXX"
},
"gitlab":{
"access_token":"XXX"
}
}

AWS Module (module "provision_users_aws")

source:

  • Specifies the module’s location (./modules/aws), which contains the Terraform code to manage AWS resources.

Inputs:

users:

  • Passes the list of users from users.yaml to the module.
  • The module uses this data to create AWS IAM users and assign them to groups.

rbac:

  • Passes AWS group definitions from rbac.yaml to the module.
  • Used to manage IAM group memberships and attach policies.

Purpose

  1. Dynamic Provisioning:
  • Allows Terraform to dynamically create and manage AWS IAM users and groups based on YAML files.
  • Centralizes configurations in YAML, making them easy to update and maintain.

2. RBAC Management:

  • Ensures consistent assignment of users to groups and policies using the rbac.yaml definitions.

3. Modular Design:

  • Keeps the AWS-specific logic encapsulated in ./modules/aws, making the code reusable and scalable.

? Full code available on : https://github.com/mfakbar127/terraform-central-user-access-management

?‍? Deployment Architecture for Centralized User Access Management

A robust deployment architecture is crucial for managing Terraform configurations and ensuring the system is secure, scalable, and resilient. Below is a recommended architecture for deploying and managing Terraform for user provisioning and deprovisioning across SaaS applications.

? Key Components of the Architecture:

  1. Terraform State Management:
  • Use S3 Bucket for storing the Terraform state file. This ensures that the state file is accessible and version-controlled.
  • Enable DynamoDB State Locking to prevent concurrent modifications to the state file, ensuring consistency when multiple users or CI/CD pipelines are applying changes.

2. CI/CD Pipeline for Automation:

  • Integrate Terraform into a GitLab CI/CD Pipeline to automate the provisioning and deprovisioning workflows.
  • Use GitLab’s Merge Request approvals to ensure that all changes to user access are reviewed before being applied.

3. Secure Credential Storage:

  • Store sensitive credentials such as API tokens for SaaS applications in AWS Secret Manager. This ensures that credentials are encrypted at rest and only accessible by authorized entities.

4. Environment Separation:

  • Separate configurations for staging and production environments using distinct Terraform workspaces or variable files.
  • This ensures changes can be tested in a non-production environment before being applied to production.

5. Monitoring and Logging:

  • Enable detailed logging for Terraform runs in the CI/CD pipeline to track changes and identify potential issues.

? Workflow Overview:

  1. Initiate Change:
  • A developer or administrator submits a Merge Request (MR) in GitLab with changes to the Terraform configuration.

2. Code Review and Approval:

  • The MR is reviewed and approved by the appropriate team members.

3. Terraform Execution:

  • Upon approval, GitLab CI/CD triggers a Terraform run to apply the changes.
  • The state is securely stored in the S3 bucket, with DynamoDB ensuring no conflicting changes occur.

4. Provisioning/Deprovisioning:

  • Terraform interacts with the APIs of the specified SaaS applications to provision or deprovision user access.

5. Password Distribution:

  • If a SaaS application does not support sending a password reset link, manual password distribution may be necessary. This involves securely sharing the password with the employee, ensuring it adheres to organizational security policies.
  • Example: AWS IAM does not provide a mechanism to send a password reset link directly to users. In such cases, administrators must generate an initial password, securely share it with the employee, and ensure that the employee resets it upon first login.
  • To avoid manual password distribution read Areas for Improvement below.

6. Audit and Monitoring:

  • Logs are stored in GitLab CI/CD and AWS CloudTrail for auditing purposes.

?Terraform Up & Runnning

Once Terraform configuration is ready and reviewed, it’s time to bring it to life. This involves executing the following commands to plan and apply your changes:

Add new user to users.yaml

As example we will add new user John Doe as seen below

users:
- username: "john.doe"
gitlab:
group: ["devops::reporter", "security::maintainer"]
state: active
aws:
path: "/"
group: [Security]
user_info:
name: "John Doe"
email: "[email protected]"
team: security

Preview Changes with terraform plan

Before applying any changes, use the terraform plan command to review the proposed updates:

This command will display a detailed list of actions Terraform intends to perform, such as creating, modifying, or destroying resources. Carefully review the output to ensure everything aligns with your expectations.

Apply Changes with terraform apply

Once you’ve verified the plan, execute the changes using the terraform apply command:

Terraform will prompt for confirmation before proceeding. After confirmation, it will provision or deprovision resources based on your configuration.

? Areas for Improvement

While Terraform provides a solid foundation for managing user provisioning and deprovisioning, there are several areas where the system can be enhanced to improve efficiency, security, and user experience:

1. Implement Single Sign-On (SSO)

Integrating an SSO service like Keycloak or Okta can simplify the authentication process by allowing users to access multiple SaaS applications with a single set of credentials. This reduces password fatigue, enhances security, and centralizes identity management, making it easier to enforce access policies across your organization and avoid manual password distribution.

2. Automated Compliance and Policy Validation

Integrate compliance tools to automatically validate Terraform configurations against industry standards and internal policies. This ensures that access rules are consistent, secure, and auditable, minimizing risks of misconfigurations.

3. Real-Time Monitoring and Alerts

Add monitoring tools to track changes to user access configurations in real time. Solutions like AWS CloudWatch or custom logging mechanisms can be used to send alerts when suspicious or unauthorized modifications are detected.

4. Support for Internal Applications

Develop custom Terraform providers to manage access for internal applications not covered by existing providers. This ensures that your entire application ecosystem benefits from centralized provisioning and deprovisioning.

5. Role-Based Access Automation

Enhance RBAC by automating the assignment of roles based on team or group membership. This reduces manual effort, ensures consistency, and minimizes the risk of excessive permissions.

6. Periodic Access Reviews

Implement mechanisms to periodically review and validate user access. This helps identify stale or unnecessary permissions and ensures compliance with least privilege principles.

By focusing on these areas, organizations can further strengthen their IAM systems, making them more resilient, scalable, and aligned with modern security practices.

? What’s Next?

In the upcoming parts, we’ll dive deeper into integrating this setup with other essential tools to enhance automation and security

  • Part 2: Integrating Terraform with GitLab CI
    Learn to automate provisioning with CI/CD pipelines, approvals, and secure credential management.
  • Part 3: Integrating Terraform with SSO (Keycloak/Okta)
    Discover how to centralize authentication and streamline role management with SSO integration.

? Conclusion

Managing user access across numerous SaaS applications can quickly become unmanageable as a company grows. A centralized approach using Terraform streamlines this process, enabling efficient onboarding and offboarding of employees while maintaining robust governance and security.

By adopting Terraform as your provisioning tool, you gain the ability to define access policies as code, track changes through version control, and automate workflows with CI/CD pipelines. With proper integration into tools like AWS (for state management) and GitLab (for automation), the solution becomes not only scalable but also auditable, ensuring compliance with organizational and regulatory requirements.


Centralizing User Access Management Using Terraform for SaaS Applications — Part 1 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

原始链接: https://infosecwriteups.com/centralizing-user-access-management-using-terraform-for-saas-applications-part-1-8bb7d8dc3faa?source=rss----7b722bfd1b8d---4
侵权请联系站方: [email protected]

相关推荐

换一批