From 5399b77c069b766634ad8d0ca01de65c31adbf34 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 10 Mar 2026 03:37:12 +0100
Subject: [PATCH] Add IAM permissions for SSO account assignment role management

create_account_assignment creates IAM roles behind the scenes for the SSO-managed permission sets. The Lambda needs iam:CreateRole, GetRole, AttachRolePolicy etc. scoped to the SSO-reserved role path.
---
 terraform/platform/lambdas/main.tf | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index cb4d8e0..98e8d55 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -451,6 +451,29 @@ resource "aws_iam_role_policy" "team_provisioner" {
         ]
         Resource = "*"
       },
+      {
+        Sid    = "IAMForSSOAssignment"
+        Effect = "Allow"
+        Action = [
+          "iam:GetSAMLProvider",
+          "iam:GetRole",
+          "iam:CreateRole",
+          "iam:AttachRolePolicy",
+          "iam:PutRolePolicy",
+          "iam:UpdateRole",
+          "iam:UpdateRoleDescription",
+          "iam:ListAttachedRolePolicies",
+          "iam:ListRolePolicies",
+          "iam:DeleteRole",
+          "iam:DeleteRolePolicy",
+          "iam:DetachRolePolicy",
+        ]
+        # Scoped to SSO-managed roles and SAML providers
+        Resource = [
+          "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/*",
+          "arn:aws:iam::${var.aws_account_id}:saml-provider/AWSSSO_*",
+        ]
+      },
     ]
   })
 }
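Review bot: The new `IAMForSSOAssignment` statement grants `iam:CreateRole`, `iam:PutRolePolicy` and `iam:AttachRolePolicy` with no condition bounding what those roles may contain; the Resource ARN only constrains the role's name and path, not its trust policy or the policies attached to it, so a compromised `team_provisioner` Lambda could create a role under `aws-reserved/sso.amazonaws.com/` that trusts a principal of its choosing and carries `AdministratorAccess`, which is a full privilege-escalation path in the account. If these role-management actions are genuinely required, move the mutating actions into their own statement gated on an `iam:PermissionsBoundary` condition (and, for `iam:AttachRolePolicy`, an `iam:PolicyARN` allow-list), keeping the read-only actions in a separate unconditioned statement so they are not denied by the missing context key, as sketched below. The premise in the commit message is also worth verifying before merging: as I understand it, IAM Identity Center provisions the `AWSReservedSSO_*` roles in the target account through its own service-linked role, so the caller of `CreateAccountAssignment` may need no `iam:*` permissions at all, in which case this whole statement, and especially `iam:DeleteRole`, is unnecessary exposure. The enclosing `aws_iam_role_policy "team_provisioner"` resource starts and ends outside the hunk.
```hcl
      {
        Sid    = "IAMForSSOAssignmentRead"
        Effect = "Allow"
        Action = [
          "iam:GetSAMLProvider",
          "iam:GetRole",
          "iam:ListAttachedRolePolicies",
          "iam:ListRolePolicies",
        ]
        # … unchanged: Resource ARNs for the SSO role path and AWSSSO_* SAML providers …
      },
      {
        Sid    = "IAMForSSOAssignmentWrite"
        Effect = "Allow"
        Action = [
          "iam:CreateRole",
          "iam:AttachRolePolicy",
          "iam:PutRolePolicy",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
        ]
        Resource = "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/*"
        # Any role this Lambda creates or modifies must carry the platform permissions
        # boundary, so it cannot mint a role more privileged than the boundary allows.
        Condition = {
          StringEquals = {
            # TODO: replace with the ARN of the boundary policy the Lambda may bind
            "iam:PermissionsBoundary" = "arn:aws:iam::${var.aws_account_id}:policy/<sso-role-boundary>"
          }
        }
      },
```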