hashicorp · ewbankkit · Sep 8, 2022 · Jul 21, 2022 · Jul 21, 2022 · Jul 21, 2022
diff --git a/.changelog/25915.txt b/.changelog/25915.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_ssoadmin_customer_managed_policy_attachment
+```
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -2065,10 +2065,11 @@ func New(_ context.Context) (*schema.Provider, error) {
 			"aws_ssm_resource_data_sync":        ssm.ResourceResourceDataSync(),
 			"aws_ssm_service_setting":           ssm.ResourceServiceSetting(),
 
-			"aws_ssoadmin_account_assignment":           ssoadmin.ResourceAccountAssignment(),
-			"aws_ssoadmin_managed_policy_attachment":    ssoadmin.ResourceManagedPolicyAttachment(),
-			"aws_ssoadmin_permission_set":               ssoadmin.ResourcePermissionSet(),
-			"aws_ssoadmin_permission_set_inline_policy": ssoadmin.ResourcePermissionSetInlinePolicy(),
+			"aws_ssoadmin_account_assignment":                 ssoadmin.ResourceAccountAssignment(),
+			"aws_ssoadmin_customer_managed_policy_attachment": ssoadmin.ResourceCustomerManagedPolicyAttachment(),
+			"aws_ssoadmin_managed_policy_attachment":          ssoadmin.ResourceManagedPolicyAttachment(),
+			"aws_ssoadmin_permission_set":                     ssoadmin.ResourcePermissionSet(),
+			"aws_ssoadmin_permission_set_inline_policy":       ssoadmin.ResourcePermissionSetInlinePolicy(),
 
 			"aws_storagegateway_cache":                   storagegateway.ResourceCache(),
 			"aws_storagegateway_cached_iscsi_volume":     storagegateway.ResourceCachediSCSIVolume(),

diff --git a/internal/service/ssoadmin/customer_managed_policy_attachment.go b/internal/service/ssoadmin/customer_managed_policy_attachment.go
@@ -0,0 +1,229 @@
+package ssoadmin
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ssoadmin"
+	"github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2/tfawserr"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/hashicorp/terraform-provider-aws/internal/conns"
+	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+const (
+	customerPolicyAttachmentTimeout = 5 * time.Minute
+)
+
+func ResourceCustomerManagedPolicyAttachment() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceCustomerManagedPolicyAttachmentCreate,
+		Read:   resourceCustomerManagedPolicyAttachmentRead,
+		Delete: resourceCustomerManagedPolicyAttachmentDelete,
+
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"customer_managed_policy_reference": {
+				Type:     schema.TypeList,
+				Required: true,
+				ForceNew: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ForceNew:     true,
+							ValidateFunc: validation.StringLenBetween(0, 128),
+						},
+						"path": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Default:      "/",
+							ForceNew:     true,
+							ValidateFunc: validation.StringLenBetween(0, 512),
+						},
+					},
+				},
+			},
+			"instance_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidARN,
+			},
+			"permission_set_arn": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: verify.ValidARN,
+			},
+		},
+	}
+}
+
+func resourceCustomerManagedPolicyAttachmentCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).SSOAdminConn
+
+	tfMap := d.Get("customer_managed_policy_reference").([]interface{})[0].(map[string]interface{})
+	policyName := tfMap["name"].(string)
+	policyPath := tfMap["path"].(string)
+	instanceARN := d.Get("instance_arn").(string)
+	permissionSetARN := d.Get("permission_set_arn").(string)
+	id := CustomerManagedPolicyAttachmentCreateResourceID(policyName, policyPath, permissionSetARN, instanceARN)
+	input := &ssoadmin.AttachCustomerManagedPolicyReferenceToPermissionSetInput{
+		CustomerManagedPolicyReference: expandCustomerManagedPolicyReference(tfMap),
+		InstanceArn:                    aws.String(instanceARN),
+		PermissionSetArn:               aws.String(permissionSetARN),
+	}
+
+	log.Printf("[INFO] Attaching customer managed policy reference to permission set: %s", input)
+	_, err := tfresource.RetryWhenAWSErrCodeEquals(customerPolicyAttachmentTimeout, func() (interface{}, error) {
+		return conn.AttachCustomerManagedPolicyReferenceToPermissionSet(input)
+	}, ssoadmin.ErrCodeConflictException, ssoadmin.ErrCodeThrottlingException)
+
+	if err != nil {
+		return fmt.Errorf("creating SSO Customer Managed Policy Attachment (%s): %w", id, err)
+	}
+
+	d.SetId(id)
+
+	// After the policy has been attached to the permission set, provision in all accounts that use this permission set.
+	if err := provisionPermissionSet(conn, permissionSetARN, instanceARN); err != nil {
+		return err
+	}
+
+	return resourceCustomerManagedPolicyAttachmentRead(d, meta)
+}
+
+func resourceCustomerManagedPolicyAttachmentRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).SSOAdminConn
+
+	policyName, policyPath, permissionSetARN, instanceARN, err := CustomerManagedPolicyAttachmentParseResourceID(d.Id())
+
+	if err != nil {
+		return err
+	}
+
+	policy, err := FindCustomerManagedPolicy(conn, policyName, policyPath, permissionSetARN, instanceARN)
+
+	if !d.IsNewResource() && tfresource.NotFound(err) {
+		log.Printf("[WARN] SSO Customer Managed Policy Attachment (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("reading SSO Customer Managed Policy Attachment (%s): %w", d.Id(), err)
+	}
+
+	if err := d.Set("customer_managed_policy_reference", []interface{}{flattenCustomerManagedPolicyReference(policy)}); err != nil {
+		return fmt.Errorf("setting customer_managed_policy_reference: %w", err)
+	}
+	d.Set("instance_arn", instanceARN)
+	d.Set("permission_set_arn", permissionSetARN)
+
+	return nil
+}
+
+func resourceCustomerManagedPolicyAttachmentDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*conns.AWSClient).SSOAdminConn
+
+	policyName, policyPath, permissionSetARN, instanceARN, err := CustomerManagedPolicyAttachmentParseResourceID(d.Id())
+
+	if err != nil {
+		return err
+	}
+
+	input := &ssoadmin.DetachCustomerManagedPolicyReferenceFromPermissionSetInput{
+		CustomerManagedPolicyReference: &ssoadmin.CustomerManagedPolicyReference{
+			Name: aws.String(policyName),
+			Path: aws.String(policyPath),
+		},
+		InstanceArn:      aws.String(instanceARN),
+		PermissionSetArn: aws.String(permissionSetARN),
+	}
+
+	log.Printf("[INFO] Detaching customer managed policy reference from permission set: %s", input)
+	_, err = tfresource.RetryWhenAWSErrCodeEquals(customerPolicyAttachmentTimeout, func() (interface{}, error) {
+		return conn.DetachCustomerManagedPolicyReferenceFromPermissionSet(input)
+	}, ssoadmin.ErrCodeConflictException, ssoadmin.ErrCodeThrottlingException)
+
+	if tfawserr.ErrCodeEquals(err, ssoadmin.ErrCodeResourceNotFoundException) {
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("deleting SSO Customer Managed Policy Attachment (%s): %w", d.Id(), err)
+	}
+
+	// After the policy has been detached from the permission set, provision in all accounts that use this permission set.
+	if err := provisionPermissionSet(conn, permissionSetARN, instanceARN); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+const customerManagedPolicyAttachmentIDSeparator = ","
+
+func CustomerManagedPolicyAttachmentCreateResourceID(policyName, policyPath, permissionSetARN, instanceARN string) string {
+	parts := []string{policyName, policyPath, permissionSetARN, instanceARN}
+	id := strings.Join(parts, customerManagedPolicyAttachmentIDSeparator)
+
+	return id
+}
+
+func CustomerManagedPolicyAttachmentParseResourceID(id string) (string, string, string, string, error) {
+	parts := strings.Split(id, customerManagedPolicyAttachmentIDSeparator)
+
+	if len(parts) == 4 && parts[0] != "" && parts[1] != "" && parts[2] != "" && parts[3] != "" {
+		return parts[0], parts[1], parts[2], parts[3], nil
+	}
+
+	return "", "", "", "", fmt.Errorf("unexpected format for ID (%[1]s), expected CUSTOMER_MANAGED_POLICY_NAME%[2]sCUSTOMER_MANAGED_POLICY_PATH%[2]sPERMISSION_SET_ARN%[2]sINSTANCE_ARN", id, customerManagedPolicyAttachmentIDSeparator)
+}
+
+func expandCustomerManagedPolicyReference(tfMap map[string]interface{}) *ssoadmin.CustomerManagedPolicyReference {
+	if tfMap == nil {
+		return nil
+	}
+
+	apiObject := &ssoadmin.CustomerManagedPolicyReference{}
+
+	if v, ok := tfMap["name"].(string); ok && v != "" {
+		apiObject.Name = aws.String(v)
+	}
+
+	if v, ok := tfMap["path"].(string); ok && v != "" {
+		apiObject.Path = aws.String(v)
+	}
+
+	return apiObject
+}
+
+func flattenCustomerManagedPolicyReference(apiObject *ssoadmin.CustomerManagedPolicyReference) map[string]interface{} {
+	if apiObject == nil {
+		return nil
+	}
+
+	tfMap := map[string]interface{}{}
+
+	if v := apiObject.Name; v != nil {
+		tfMap["name"] = aws.StringValue(v)
+	}
+
+	if v := apiObject.Path; v != nil {
+		tfMap["path"] = aws.StringValue(v)
+	}
+
+	return tfMap
+}