
Resource: awsSsoadminPermissionSetInlinePolicy

Provides an IAM inline policy for a Single Sign-On (SSO) Permission Set resource

~> NOTE: AWS Single Sign-On (SSO) only supports one IAM inline policy per awsSsoadminPermissionSet resource. Creating or updating this resource will automatically provision the Permission Set, which applies the corresponding updates to all assigned accounts.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
/*The snippet runs inside a TerraformStack, so `this` is the stack scope.*/
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example", {
    statement: [
      {
        actions: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        resources: ["arn:aws:s3:::*"],
        sid: "1",
      },
    ],
  });
const dataAwsSsoadminInstancesExample =
  new aws.dataAwsSsoadminInstances.DataAwsSsoadminInstances(
    this,
    "example_1",
    {}
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsSsoadminInstancesExample.overrideLogicalId("example");
const awsSsoadminPermissionSetExample =
  new aws.ssoadminPermissionSet.SsoadminPermissionSet(this, "example_2", {
    /*The escaped `\${` emits a Terraform interpolation, so the instance ARN is resolved at plan time.*/
    instanceArn: `\${tolist(${dataAwsSsoadminInstancesExample.arns})[0]}`,
    name: "Example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionSetExample.overrideLogicalId("example");
const awsSsoadminPermissionSetInlinePolicyExample =
  new aws.ssoadminPermissionSetInlinePolicy.SsoadminPermissionSetInlinePolicy(
    this,
    "example_3",
    {
      inlinePolicy: dataAwsIamPolicyDocumentExample.json,
      instanceArn: `\${tolist(${dataAwsSsoadminInstancesExample.arns})[0]}`,
      permissionSetArn: awsSsoadminPermissionSetExample.arn,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionSetInlinePolicyExample.overrideLogicalId("example");
```

Argument Reference

The following arguments are supported:

  • inlinePolicy - (Required) The IAM inline policy to attach to a Permission Set.
  • instanceArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
  • permissionSetArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Permission Set.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The Amazon Resource Names (ARNs) of the Permission Set and SSO Instance, separated by a comma (,).

Import

SSO Permission Set Inline Policies can be imported using the permissionSetArn and instanceArn separated by a comma (,), e.g.,

```shell
$ terraform import aws_ssoadmin_permission_set_inline_policy.example arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72
```
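Because the single inline policy is provisioned to every account the Permission Set is assigned to, it is worth linting the document before it reaches inlinePolicy. The following is an added example, not part of the provider docs or the cdktf project: the helper names findRiskyStatements and inlinePolicyId are assumptions, and the sample policy is constructed to match the one the Example Usage builds; inlinePolicyId reproduces the comma-joined id format from the Attributes Reference and Import sections.

```typescript
// Added example (not provider code): lint an IAM policy document before passing
// it as inlinePolicy, and build the "permissionSetArn,instanceArn" id string.
type StrOrList = string | string[] | undefined;

interface IamStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action?: StrOrList;
  NotAction?: StrOrList;
  Resource?: StrOrList;
}

interface IamPolicy { Version?: string; Statement: IamStatement | IamStatement[]; }

const asList = (v: StrOrList): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// One finding per risky Allow statement; an empty array means the document passed.
// Deny statements are never flagged. Service-wide wildcards such as "s3:*" count as
// risky because this one policy lands in every assigned account.
function findRiskyStatements(policyJson: string): string[] {
  const policy = JSON.parse(policyJson) as IamPolicy;
  const statements = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  const findings: string[] = [];
  statements.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const label = s.Sid ?? `statement[${i}]`;
    if (s.NotAction !== undefined) findings.push(`${label}: Allow with NotAction`);
    for (const a of asList(s.Action)) {
      if (a === "*" || a.endsWith(":*")) findings.push(`${label}: wildcard action ${a}`);
    }
    if (asList(s.Resource).includes("*")) findings.push(`${label}: Resource "*"`);
  });
  return findings;
}

// Mirrors the exported id: permission set ARN and SSO instance ARN joined by a comma,
// which is also the value terraform import expects.
function inlinePolicyId(permissionSetArn: string, instanceArn: string): string {
  if (!/^arn:[^:]+:sso:::permissionSet\//.test(permissionSetArn)) throw new Error("not a permission set ARN");
  if (!/^arn:[^:]+:sso:::instance\//.test(instanceArn)) throw new Error("not an SSO instance ARN");
  return `${permissionSetArn},${instanceArn}`;
}

// Constructed sample: the document the page's aws_iam_policy_document example produces.
const samplePolicyJson = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Sid: "1", Effect: "Allow",
    Action: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], Resource: ["arn:aws:s3:::*"] }],
});
```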