Resource: awsSsoadminPermissionsBoundaryAttachment
Attaches a permissions boundary policy to a Single Sign-On (SSO) Permission Set resource.
~> NOTE: A permission set can have at most one permissions boundary attached; using more than one awsSsoadminPermissionsBoundaryAttachment resource that references the same permission set will show a permanent difference.
Example Usage
Attaching a customer-managed policy
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// The customer-managed IAM policy that will serve as the permissions boundary.
// The policy document is built with JSON.stringify rather than an embedded
// Terraform jsonencode() expression; the resulting document is identical.
const awsIamPolicyExample = new aws.iamPolicy.IamPolicy(this, "example", {
  description: "My test policy",
  name: "TestPolicy",
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Action: ["ec2:Describe*"],
        Effect: "Allow",
        Resource: "*",
      },
    ],
  }),
});

// Look up the SSO instance; its ARN is needed by the permission set.
const dataAwsSsoadminInstancesExample =
  new aws.dataAwsSsoadminInstances.DataAwsSsoadminInstances(this, "example_1", {});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsSsoadminInstancesExample.overrideLogicalId("example");

const awsSsoadminPermissionSetExample =
  new aws.ssoadminPermissionSet.SsoadminPermissionSet(this, "example_2", {
    instanceArn: `\${tolist(${dataAwsSsoadminInstancesExample.arns})[0]}`,
    name: "Example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionSetExample.overrideLogicalId("example");

// Attach the customer-managed policy as the permission set's boundary. The
// policy must exist with this name and path in every target account.
const awsSsoadminPermissionsBoundaryAttachmentExample =
  new aws.ssoadminPermissionsBoundaryAttachment.SsoadminPermissionsBoundaryAttachment(
    this,
    "example_3",
    {
      instanceArn: awsSsoadminPermissionSetExample.instanceArn,
      permissionSetArn: awsSsoadminPermissionSetExample.arn,
      permissionsBoundary: {
        customerManagedPolicyReference: {
          name: awsIamPolicyExample.name,
          path: "/",
        },
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionsBoundaryAttachmentExample.overrideLogicalId("example");
```
Attaching an AWS-managed policy
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

// Attach an AWS-managed policy as the boundary. The permission set is
// referenced through raw Terraform interpolation strings here.
new aws.ssoadminPermissionsBoundaryAttachment.SsoadminPermissionsBoundaryAttachment(
  this,
  "example",
  {
    instanceArn: "${aws_ssoadmin_permission_set.example.instance_arn}",
    permissionSetArn: "${aws_ssoadmin_permission_set.example.arn}",
    permissionsBoundary: {
      managedPolicyArn: "arn:aws:iam::aws:policy/ReadOnlyAccess",
    },
  }
);
```
Argument Reference
The following arguments are required:
- instanceArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
- permissionSetArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Permission Set.
- permissionsBoundary - (Required, Forces new resource) The permissions boundary policy. See below.
Permissions Boundary
The permissionsBoundary config block describes the permissions boundary policy to attach. You can reference either an AWS-managed policy or a customer managed policy, but only one may be set.
- managedPolicyArn - (Optional) AWS-managed IAM policy ARN to use as the permissions boundary.
- customerManagedPolicyReference - (Optional) Specifies the name and path of a customer managed policy. See below.
Customer Managed Policy Reference
The customerManagedPolicyReference config block describes a customer managed IAM policy. You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your specified permission set.
- name - (Required, Forces new resource) Name of the customer managed IAM Policy to be attached.
- path - (Optional, Forces new resource) The path to the IAM policy to be attached. The default is /. See IAM Identifiers for more information.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- id - Permission Set Amazon Resource Name (ARN) and SSO Instance ARN, separated by a comma (,).
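The following is an added example, not code from the provider documentation: it checks the permissionsBoundary block rule described above (exactly one of managedPolicyArn or customerManagedPolicyReference), builds the comma-separated id attribute, and shows what a boundary does to a permission set's effective permissions. The helper names, the sample ARNs and the sample action lists are assumptions for illustration.

```typescript
// Added example: not from the provider docs. Helper names (validateBoundary,
// attachmentId, effectiveAllowed) and the sample policies are assumptions.

// The permissionsBoundary block must set exactly one of managedPolicyArn or
// customerManagedPolicyReference; this mirrors that rule before deployment.
function validateBoundary(b: Record<string, unknown>): string[] {
  const errors: string[] = [];
  const ref = b.customerManagedPolicyReference as
    { name?: string; path?: string } | undefined;
  const hasManaged = typeof b.managedPolicyArn === "string";
  const hasCustomer = typeof ref === "object" && ref !== null;
  if (hasManaged === hasCustomer) {
    errors.push("set exactly one of managedPolicyArn or customerManagedPolicyReference");
  }
  // AWS-managed policy ARNs carry the literal account id "aws".
  if (hasManaged && !/^arn:aws[a-z-]*:iam::aws:policy\/.+/.test(b.managedPolicyArn as string)) {
    errors.push("managedPolicyArn must be an AWS-managed policy ARN");
  }
  if (hasCustomer) {
    if (!ref!.name) errors.push("customerManagedPolicyReference.name is required");
    const path = ref!.path ?? "/"; // the documented default path
    if (!path.startsWith("/") || !path.endsWith("/")) {
      errors.push("path must start and end with '/'");
    }
  }
  return errors;
}

// The exported id (also the import id): permission set ARN, comma, instance ARN.
function attachmentId(permissionSetArn: string, instanceArn: string): string {
  return `${permissionSetArn},${instanceArn}`;
}

// IAM action matching: '*' and '?' wildcards, case-insensitive.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*").replace(/\?/g, ".")}$`, "i").test(action);
}

// A boundary never grants anything on its own; the effective allow set is the
// intersection of the permission set's allowed actions and the boundary's.
function effectiveAllowed(permissionSet: string[], boundary: string[], requested: string[]): string[] {
  return requested.filter(
    (a) => permissionSet.some((p) => actionMatches(p, a)) && boundary.some((p) => actionMatches(p, a)),
  );
}
```

With a permission set allowing ec2:* and the page's ec2:Describe* boundary, only the Describe actions survive; a request for ec2:RunInstances is denied even though the permission set itself allows it.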
Import
SSO Admin Permissions Boundary Attachments can be imported using the permissionSetArn and instanceArn, separated by a comma (,) e.g.,