
[Enhancement]: Exclusive management of aws_ssoadmin_managed_policy_attachment and aws_ssoadmin_customer_managed_policy_attachment #33242

Open
lorengordon opened this issue Aug 30, 2023 · 1 comment
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ssoadmin Issues and PRs that pertain to the ssoadmin service.

Comments

@lorengordon
Contributor

lorengordon commented Aug 30, 2023

Description

We would like to be able to manage the exact set of managed policies attached to an AWS SSO Permission Set. Currently, using aws_ssoadmin_customer_managed_policy_attachment or aws_ssoadmin_managed_policy_attachment, the attachments are "non-exclusive", meaning that if a user attaches another policy to the permission set, Terraform is blind to that change and cannot detect, alert on, or remove the attachment.

This would be similar to the implementation of exclusive management of IAM Role attachments, or Security Group rules.

Affected Resource(s) and/or Data Source(s)

  • aws_ssoadmin_permission_set
  • aws_ssoadmin_managed_policy_attachment
  • aws_ssoadmin_customer_managed_policy_attachment

Potential Terraform Configuration

This could be accomplished by adding new attributes to the aws_ssoadmin_permission_set resource. For example:

```hcl
resource "aws_ssoadmin_permission_set" "example" {
  name             = var.name
  description      = var.description
  instance_arn     = local.sso_instance_arn
  relay_state      = var.relay_state
  session_duration = var.session_duration
  tags             = var.tags

  managed_policy_attachments          = [...]
  customer_managed_policy_attachments = [...]
}
```

Alternatively, aligning with the desire to map a resource to a single primary API call, it could be accomplished through new "plural" resources:

```hcl
resource "aws_ssoadmin_managed_policy_attachments" "example" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn

  managed_policy_arns = [...]
}

resource "aws_ssoadmin_customer_managed_policy_attachments" "example" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn

  customer_managed_policy_attachments = [...]
}
```

References

Would you like to implement a fix?

None
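The blind spot the issue describes (a policy attached to the permission set outside Terraform goes unnoticed) can be checked today with a read-and-diff pass, which is also the work an exclusive attachments resource would do on Read: list everything attached, then compare against the desired set. This is an added Python example, not code from the issue or the provider; the boto3 `sso-admin` method names, the response shapes (managed policies by ARN, customer managed policies by name and path) and the FakeSSOAdmin client are assumptions, and a real boto3 client can be passed in its place.

```python
def _paginate(call, key, **params):
    """Follow NextToken until exhausted, yielding the items stored under `key`."""
    token = None
    while True:
        page = call(**params, **({"NextToken": token} if token else {}))
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return


def attachment_drift(client, instance_arn, permission_set_arn, want_arns, want_refs):
    """Diff attached policies against the desired set (ARNs and (name, path) customer refs)."""
    ids = {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn}
    arns = {p["Arn"] for p in _paginate(
        client.list_managed_policies_in_permission_set, "AttachedManagedPolicies", **ids)}
    refs = {(r["Name"], r.get("Path", "/")) for r in _paginate(
        client.list_customer_managed_policy_references_in_permission_set,
        "CustomerManagedPolicyReferences", **ids)}
    return {  # "unmanaged" = attached out of band; "missing" = in config but not attached
        "unmanaged_managed_policy_arns": sorted(arns - set(want_arns)),
        "missing_managed_policy_arns": sorted(set(want_arns) - arns),
        "unmanaged_customer_managed": sorted(refs - set(want_refs)),
        "missing_customer_managed": sorted(set(want_refs) - refs),
    }


class FakeSSOAdmin:
    """Constructed stand-in for a boto3 'sso-admin' client; managed policies span two pages."""
    def list_managed_policies_in_permission_set(self, **kw):
        if kw.get("NextToken") is None:
            return {"AttachedManagedPolicies": [{"Name": "ViewOnlyAccess",
                    "Arn": "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"}], "NextToken": "p2"}
        return {"AttachedManagedPolicies": [{"Name": "AdministratorAccess",
                "Arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}

    def list_customer_managed_policy_references_in_permission_set(self, **kw):
        return {"CustomerManagedPolicyReferences": [{"Name": "team-readonly", "Path": "/"}]}


def example_drift():
    """Run the check against the constructed client with a config that differs from it."""
    return attachment_drift(
        FakeSSOAdmin(), "arn:aws:sso:::instance/ssoins-EXAMPLE",
        "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE",
        want_arns={"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"},
        want_refs={("team-readonly", "/"), ("team-deploy", "/")})
```

With the constructed data, the out-of-band AdministratorAccess attachment shows up as unmanaged and the team-deploy customer policy as missing; either non-empty list is the signal the issue says Terraform currently cannot raise.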

@lorengordon lorengordon added the enhancement Requests to existing resources that expand the functionality or scope. label Aug 30, 2023
@github-actions github-actions bot added the service/ssoadmin Issues and PRs that pertain to the ssoadmin service. label Aug 30, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 30, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Aug 30, 2023