
Resource: awsSsoadminPermissionsBoundaryAttachment

Attaches a permissions boundary policy to a Single Sign-On (SSO) Permission Set resource.

~> NOTE: A permission set can have at most one permissions boundary attached; using more than one awsSsoadminPermissionsBoundaryAttachment referencing the same permission set will show a permanent difference.

Example Usage

Attaching a customer-managed policy

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as aws from "./.gen/providers/aws";
// The customer-managed policy that will act as the boundary. It must exist under the
// same name and path in every account the permission set is provisioned into.
const awsIamPolicyExample = new aws.iamPolicy.IamPolicy(this, "example", {
  description: "My test policy",
  name: "TestPolicy",
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Action: ["ec2:Describe*"],
        Effect: "Allow",
        Resource: "*",
      },
    ],
  }),
});
const dataAwsSsoadminInstancesExample =
  new aws.dataAwsSsoadminInstances.DataAwsSsoadminInstances(
    this,
    "example_1",
    {}
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsSsoadminInstancesExample.overrideLogicalId("example");
const awsSsoadminPermissionSetExample =
  new aws.ssoadminPermissionSet.SsoadminPermissionSet(this, "example_2", {
    // Use the first (normally the only) SSO instance returned by the data source.
    instanceArn: Fn.element(Fn.tolist(dataAwsSsoadminInstancesExample.arns), 0),
    name: "Example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionSetExample.overrideLogicalId("example");
const awsSsoadminPermissionsBoundaryAttachmentExample =
  new aws.ssoadminPermissionsBoundaryAttachment.SsoadminPermissionsBoundaryAttachment(
    this,
    "example_3",
    {
      instanceArn: awsSsoadminPermissionSetExample.instanceArn,
      permissionSetArn: awsSsoadminPermissionSetExample.arn,
      permissionsBoundary: {
        // Referenced by name and path, not ARN, so the same policy resolves in each target account.
        customerManagedPolicyReference: {
          name: awsIamPolicyExample.name,
          path: "/",
        },
      },
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSsoadminPermissionsBoundaryAttachmentExample.overrideLogicalId("example");

Attaching an AWS-managed policy

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// The two interpolation strings below are raw Terraform references to the
// aws_ssoadmin_permission_set named "example" from the previous example; Terraform
// resolves them at plan time, so that permission set must exist in the same stack.
new aws.ssoadminPermissionsBoundaryAttachment.SsoadminPermissionsBoundaryAttachment(
  this,
  "example",
  {
    instanceArn: "${aws_ssoadmin_permission_set.example.instance_arn}",
    permissionSetArn: "${aws_ssoadmin_permission_set.example.arn}",
    permissionsBoundary: {
      // An AWS-managed policy is referenced by its ARN in the "aws" pseudo-account.
      managedPolicyArn: "arn:aws:iam::aws:policy/ReadOnlyAccess",
    },
  }
);

Argument Reference

The following arguments are required:

  • instanceArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
  • permissionSetArn - (Required, Forces new resource) The Amazon Resource Name (ARN) of the Permission Set.
  • permissionsBoundary - (Required, Forces new resource) The permissions boundary policy. See below.

Permissions Boundary

The permissionsBoundary config block describes the permissions boundary policy to attach. You can reference either an AWS-managed policy or a customer-managed policy, but only one of the two may be set.

  • managedPolicyArn - (Optional) AWS-managed IAM policy ARN to use as the permissions boundary.
  • customerManagedPolicyReference - (Optional) Specifies the name and path of a customer-managed policy. See below.

Customer Managed Policy Reference

The customerManagedPolicyReference config block describes a customer-managed IAM policy. Because the policy is referenced by name and path rather than by ARN, you must have an IAM policy that matches that name and path in each AWS account where you want to deploy the permission set.

  • name - (Required, Forces new resource) Name of the customer-managed IAM policy to be attached.
  • path - (Optional, Forces new resource) The path to the IAM policy to be attached. The default is /. See IAM Identifiers for more information.
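The constraints spelled out in the Permissions Boundary and Customer Managed Policy Reference sections, together with the one-attachment-per-permission-set rule from the note at the top, are easy to get wrong and only surface as an apply error or a permanent diff. The following is an added example, not code from the provider or its documentation: a small pre-apply validator that mirrors those rules. The interfaces and the functions `validatePermissionsBoundary` and `findDoublyBoundPermissionSets` are this example's own names; the field names follow the resource arguments above. The AWS-managed ARN pattern (account field "aws"), the IAM path pattern ("/" alone or a string starting and ending with "/") and the policy-name character set are taken from the IAM naming rules.

```typescript
// Added example (not part of the provider docs): pre-apply checks for the
// permissionsBoundary block and for the "at most one boundary per permission set" rule.
// Interfaces and function names are hypothetical; field names mirror the resource arguments.

interface CustomerManagedPolicyReference {
  name: string;
  path?: string; // defaults to "/" when omitted, as in the resource
}

interface PermissionsBoundary {
  managedPolicyArn?: string;
  customerManagedPolicyReference?: CustomerManagedPolicyReference;
}

interface BoundaryAttachment {
  instanceArn: string;
  permissionSetArn: string;
  permissionsBoundary: PermissionsBoundary;
}

// AWS-managed policies live in the "aws" pseudo-account:
// arn:<partition>:iam::aws:policy/<optional path><name>
const AWS_MANAGED_POLICY_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::aws:policy\/[\w+=,.@\/-]+$/;
// IAM path: "/" alone, or a string that starts and ends with "/".
const IAM_PATH = /^\/$|^\/[\u0021-\u007F]+\/$/;
// IAM policy names: 1-128 characters from [\w+=,.@-].
const IAM_POLICY_NAME = /^[\w+=,.@-]{1,128}$/;

// Returns a list of problems; an empty list means the block is acceptable.
function validatePermissionsBoundary(pb: PermissionsBoundary): string[] {
  const errors: string[] = [];
  const managed = pb.managedPolicyArn;
  const customer = pb.customerManagedPolicyReference;

  // Exactly one of the two references must be present.
  if ((managed === undefined) === (customer === undefined)) {
    errors.push("exactly one of managedPolicyArn or customerManagedPolicyReference must be set");
  }

  // A customer-managed policy ARN in managedPolicyArn is a common mistake: the account
  // field must be "aws"; anything else has to go through customerManagedPolicyReference.
  if (managed !== undefined && !AWS_MANAGED_POLICY_ARN.test(managed)) {
    errors.push(`managedPolicyArn is not an AWS-managed policy ARN: ${managed}`);
  }

  if (customer !== undefined) {
    if (!IAM_POLICY_NAME.test(customer.name)) {
      errors.push(`customerManagedPolicyReference.name is not a valid IAM policy name: ${customer.name}`);
    }
    const path = customer.path ?? "/";
    if (!IAM_PATH.test(path)) {
      errors.push(`customerManagedPolicyReference.path must start and end with "/": ${path}`);
    }
  }
  return errors;
}

// A permission set can carry at most one boundary; a second attachment for the same
// permission set leaves a permanent diff. Returns the permission set ARNs that are
// referenced by more than one attachment within the same SSO instance.
function findDoublyBoundPermissionSets(attachments: BoundaryAttachment[]): string[] {
  const counts = new Map<string, { permissionSetArn: string; n: number }>();
  for (const a of attachments) {
    const key = `${a.instanceArn},${a.permissionSetArn}`;
    const entry = counts.get(key);
    if (entry) {
      entry.n += 1;
    } else {
      counts.set(key, { permissionSetArn: a.permissionSetArn, n: 1 });
    }
  }
  const dups: string[] = [];
  counts.forEach((entry) => {
    if (entry.n > 1) dups.push(entry.permissionSetArn);
  });
  return dups;
}
```

Run the validator over every attachment you are about to synthesize; a non-empty result from either function is a configuration error worth failing the build on, since the provider will otherwise reject the apply or keep reporting a diff.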

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Permission Set Amazon Resource Name (ARN) and SSO Instance ARN, separated by a comma (,).

Import

SSO Admin Permissions Boundary Attachments can be imported using the permissionSetArn and instanceArn, separated by a comma (,), e.g.,

$ terraform import aws_ssoadmin_permissions_boundary_attachment.example arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72
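The id used by the resource and by terraform import is the permission set ARN and the SSO instance ARN joined with a comma, and the permission set ARN itself embeds the instance id. The following is an added example, not code from the provider: a parser `parseBoundaryAttachmentId` (a hypothetical name) that splits the id, checks both ARN shapes and verifies that the permission set actually belongs to the named instance, which catches a swapped or mismatched pair before it reaches the import. The partition list and the 16-character id classes in the regexes are this example's own approximation of the SSO ARN formats, tuned to the sample id shown above.

```typescript
// Added example (not part of the provider docs): parse "<permissionSetArn>,<instanceArn>".
// The ARN patterns below are an approximation assumed for this example.

interface BoundaryAttachmentId {
  permissionSetArn: string;
  instanceArn: string;
  instanceId: string; // ssoins-...
  permissionSetId: string; // ps-...
}

const PERMISSION_SET_ARN =
  /^arn:(aws|aws-cn|aws-us-gov):sso:::permissionSet\/(ssoins-[A-Za-z0-9.-]{16})\/(ps-[A-Za-z0-9.-]{16})$/;
const INSTANCE_ARN = /^arn:(aws|aws-cn|aws-us-gov):sso:::instance\/(ssoins-[A-Za-z0-9.-]{16})$/;

function parseBoundaryAttachmentId(id: string): BoundaryAttachmentId {
  const parts = id.split(",");
  if (parts.length !== 2) {
    throw new Error(`expected "<permissionSetArn>,<instanceArn>", got ${parts.length} part(s)`);
  }
  const permissionSetArn = parts[0] ?? "";
  const instanceArn = parts[1] ?? "";

  // Order matters: the permission set ARN comes first, the instance ARN second.
  const ps = PERMISSION_SET_ARN.exec(permissionSetArn);
  if (!ps) throw new Error(`malformed permission set ARN: ${permissionSetArn}`);
  const inst = INSTANCE_ARN.exec(instanceArn);
  if (!inst) throw new Error(`malformed SSO instance ARN: ${instanceArn}`);

  const psPartition = ps[1] ?? "";
  const psInstanceId = ps[2] ?? "";
  const permissionSetId = ps[3] ?? "";
  const instPartition = inst[1] ?? "";
  const instanceId = inst[2] ?? "";

  // The permission set ARN embeds its instance id; it must agree with the instance ARN.
  if (psPartition !== instPartition || psInstanceId !== instanceId) {
    throw new Error(`permission set ${permissionSetId} belongs to ${psInstanceId}, not ${instanceId}`);
  }
  return { permissionSetArn, instanceArn, instanceId, permissionSetId };
}
```

Feeding the id through this parser before running terraform import turns a silent "resource not found" or a wrong-instance import into an immediate, specific error.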