How to Automate SSO Assignments Across Member Accounts Using Terraform?

I'm working with an organizational account that utilizes IAM Identity Center, and I'm trying to automate the process of creating SSO assignments for a specific permission set in member accounts. I'm implementing this with Terraform for managing all my resources and I want to develop a module that allows the member accounts to send the Active Directory group information and trigger the SSO assignment in the organizational account. However, I need to ensure that the execution role in the member accounts does not have any create or delete permissions related to SSO. The assignment is only intended to be executed once.

My ultimate goal is to streamline the automation of SSO assignments using a Terraform module while maintaining security guardrails.

Currently, I have a couple of ideas:
1. Creating a Lambda function in the organizational account that the member accounts can push the AD group and account ID to, which then handles the assignment creation. The downside is I'd have to expose a secure endpoint for the Lambda.
2. Assuming a role in the organizational account that allows the member account to create an SSO assignment specifically for that permission set ARN. However, I'm concerned about security implications and complexity as more accounts might need to access this role.

I'd really appreciate any guidance or insights on this to avoid overcomplicating things while streamlining the process.