
Resource: awsSsoadminCustomerManagedPolicyAttachment

Provides a customer managed policy attachment for a Single Sign-On (SSO) Permission Set resource

~> NOTE: Creating this resource will automatically Provision the Permission Set to apply the corresponding updates to all assigned accounts.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsIamPolicyExample = new aws.iamPolicy.IamPolicy(this, "example", {
  description: "My test policy",
  name: "TestPolicy",
  policy:
    '${jsonencode({\n    Version = "2012-10-17"\n    Statement = [\n      {\n        Action = [\n          "ec2:Describe*",\n        ]\n        Effect   = "Allow"\n        Resource = "*"\n      },\n    ]\n  })}',
});
const dataAwsSsoadminInstancesExample =
  new aws.dataAwsSsoadminInstances.DataAwsSsoadminInstances(
    this,
    "example_1",
    {}
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsSsoadminInstancesExample.overrideLogicalId("example");
const awsSsoadminPermissionSetExample =
  new aws.ssoadminPermissionSet.SsoadminPermissionSet(this, "example_2", {
    instanceArn: `\${tolist(${dataAwsSsoadminInstancesExample.arns})[0]}`,
    name: "Example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionSetExample.overrideLogicalId("example");
const awsSsoadminCustomerManagedPolicyAttachmentExample =
  new aws.ssoadminCustomerManagedPolicyAttachment.SsoadminCustomerManagedPolicyAttachment(
    this,
    "example_3",
    {
      customerManagedPolicyReference: {
        name: awsIamPolicyExample.name,
        path: "/",
      },
      instanceArn: awsSsoadminPermissionSetExample.instanceArn,
      permissionSetArn: awsSsoadminPermissionSetExample.arn,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminCustomerManagedPolicyAttachmentExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • instanceArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
  • permissionSetArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Permission Set.
  • customerManagedPolicyReference - (Required, Forces new resource) Specifies the name and path of a customer managed policy. See below.

Customer Managed Policy Reference

The customerManagedPolicyReference config block describes a customer managed IAM policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your specified permission set.

  • name - (Required, Forces new resource) Name of the customer managed IAM Policy to be attached.
  • path - (Optional, Forces new resource) The path to the IAM policy to be attached. The default is /. See IAM Identifiers for more information.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Policy Name, Policy Path, Permission Set Amazon Resource Name (ARN), and SSO Instance ARN, each separated by a comma (,).

Import

SSO Managed Policy Attachments can be imported using the name, path, permissionSetArn, and instanceArn separated by a comma (,) e.g.,

$ terraform import aws_ssoadmin_customer_managed_policy_attachment.example TestPolicy,/,arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72
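An added helper, not part of the provider or of the generated code above, that composes and validates the comma-separated ID used by both the id attribute and the import command. It assumes the ARN shapes shown in the example, and the check that the permission set and the instance share the same ssoins id is a local sanity check, not something the provider performs.

```typescript
// Added example: build and parse the "name,path,permissionSetArn,instanceArn" ID.
// Assumed ARN shapes (from the page's example): arn:aws:sso:::permissionSet/ssoins-.../ps-...
// and arn:aws:sso:::instance/ssoins-...; the same-instance check is a local assumption.

interface AttachmentId {
  name: string;
  path: string;
  permissionSetArn: string;
  instanceArn: string;
}

const PERMISSION_SET_ARN = /^arn:aws:sso:::permissionSet\/(ssoins-[0-9a-z]+)\/(ps-[0-9a-z]+)$/;
const INSTANCE_ARN = /^arn:aws:sso:::instance\/(ssoins-[0-9a-z]+)$/;

// Extract the ssoins-... id from an ARN, rejecting anything that does not match the expected shape.
function instanceIdOf(arn: string, pattern: RegExp, kind: string): string {
  const m = pattern.exec(arn);
  if (!m) throw new Error(`${kind} ARN has an unexpected form: ${arn}`);
  return m[1];
}

// Validate the four fields and join them with commas, as the id attribute and import command expect.
function buildImportId(id: AttachmentId): string {
  // IAM paths always start and end with "/" ("/" is the default used by this resource).
  if (!id.path.startsWith("/") || !id.path.endsWith("/")) {
    throw new Error(`path must start and end with '/': ${id.path}`);
  }
  const psInstance = instanceIdOf(id.permissionSetArn, PERMISSION_SET_ARN, "permission set");
  const instance = instanceIdOf(id.instanceArn, INSTANCE_ARN, "instance");
  if (psInstance !== instance) {
    throw new Error(`permission set belongs to ${psInstance}, not to ${instance}`);
  }
  return [id.name, id.path, id.permissionSetArn, id.instanceArn].join(",");
}

// Split an import ID into its fields and run the same validation on the result.
function parseImportId(raw: string): AttachmentId {
  const parts = raw.split(",");
  if (parts.length !== 4) {
    throw new Error(`expected 4 comma-separated fields, got ${parts.length}`);
  }
  const [name, path, permissionSetArn, instanceArn] = parts;
  const id: AttachmentId = { name, path, permissionSetArn, instanceArn };
  buildImportId(id);
  return id;
}
```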