Infrastructure as Code · Apache 2.0
terraform-iam-baseline
Production-ready Terraform modules for IAM baseline across Okta, Microsoft Entra ID, and AWS IAM Identity Center.
About
Opinionated Terraform module set establishing IAM baseline configurations for the three most-deployed workforce identity platforms: Okta tenant baseline (sign-on policies, MFA factors, group structure, application catalog), Microsoft Entra ID Conditional Access baseline (named locations, risk-based policies, compliant-device requirement), and AWS IAM Identity Center baseline (permission sets, account assignments, SAML integrations).
Designed as a starting point for IAM-as-code programs: forkable, parameterized, with sensible defaults derived from baseline hardening guidance (CIS, NIST 800-53, Okta + Microsoft published recommendations).
Features
- Okta tenant baseline — sign-on policies, MFA factors, group structure
- Microsoft Entra ID Conditional Access baseline — named locations, risk policies, device compliance
- AWS IAM Identity Center baseline — permission sets, account assignments, SAML
- Configurable defaults aligned with CIS + NIST baselines
- Per-environment overlays (dev / staging / production)
- CI examples (GitHub Actions, GitLab CI, Terraform Cloud)
Install
module "okta_baseline" {
  source  = "askmeidentity/iam-baseline/okta"
  version = "~> 1.0"

  tenant_domain            = "acme.okta.com"
  admin_email              = "[email protected]"
  enforce_mfa              = true
  phishing_resistant_admin = true
}
Usage
Drop the module into an existing Terraform repo, set the required variables, and apply. The module is idempotent and safe to re-apply against existing tenants.
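The following root-module configuration is an added example of the per-environment overlay pattern mentioned in Features; it is not code from the terraform-iam-baseline repository. It uses only the Okta module inputs shown in the Install section (tenant_domain, admin_email, enforce_mfa, phishing_resistant_admin). The environment variable, the overlay map, the tenant domains in it, and the guard resource are assumptions made for illustration.

```hcl
# Root module wiring the Okta baseline with dev / staging / production overlays.
# Added example, not part of the module repository. Variable names, the overlay
# map and the tenant domains below are assumptions for illustration only.

variable "environment" {
  description = "Overlay to apply: dev, staging, or production."
  type        = string

  validation {
    condition     = contains(["dev", "staging", "production"], var.environment)
    error_message = "environment must be one of: dev, staging, production."
  }
}

variable "admin_email" {
  description = "Break-glass admin contact passed through to the Okta baseline."
  type        = string
}

locals {
  # Per-environment overlay. Lower environments may relax the admin factor
  # requirement for throwaway test tenants; production never does.
  overlays = {
    dev = {
      tenant_domain            = "acme-dev.okta.com"     # constructed value
      enforce_mfa              = true
      phishing_resistant_admin = false
    }
    staging = {
      tenant_domain            = "acme-staging.okta.com" # constructed value
      enforce_mfa              = true
      phishing_resistant_admin = true
    }
    production = {
      tenant_domain            = "acme.okta.com"
      enforce_mfa              = true
      phishing_resistant_admin = true
    }
  }

  overlay = local.overlays[var.environment]
}

# Guard rail: a plan that would weaken the production baseline fails outright.
# terraform_data is a built-in resource, so no provider is needed for the check.
resource "terraform_data" "production_baseline_guard" {
  lifecycle {
    precondition {
      condition = var.environment != "production" || (
        local.overlay.enforce_mfa && local.overlay.phishing_resistant_admin
      )
      error_message = "The production overlay must keep enforce_mfa and phishing_resistant_admin enabled."
    }
  }
}

module "okta_baseline" {
  source  = "askmeidentity/iam-baseline/okta"
  version = "~> 1.0"

  tenant_domain            = local.overlay.tenant_domain
  admin_email              = var.admin_email
  enforce_mfa              = local.overlay.enforce_mfa
  phishing_resistant_admin = local.overlay.phishing_resistant_admin
}
```

Select the overlay with `terraform plan -var environment=production -var admin_email=<address>`. A `precondition` is used rather than a `check` block because a failed precondition aborts the plan, whereas a `check` assertion only emits a warning and would let a weakened production overlay through CI.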