Resource: aws_ssoadmin_permissions_boundary_attachment

Attaches a permissions boundary policy to a Single Sign-On (SSO) Permission Set resource.

Example Usage

Attaching a customer-managed policy

data "aws_ssoadmin_instances" "example" {}

resource "aws_ssoadmin_permission_set" "example" {
  name         = "Example"
  instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
}

resource "aws_iam_policy" "example" {
  name        = "TestPolicy"
  description = "My test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_ssoadmin_permissions_boundary_attachment" "example" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  permissions_boundary {
    customer_managed_policy_reference {
      name = aws_iam_policy.example.name
      path = "/"
    }
  }
}

Attaching an AWS-managed policy

resource "aws_ssoadmin_permissions_boundary_attachment" "example" {
  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.example.arn
  permissions_boundary {
    managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
}

Argument Reference

The following arguments are required:

Permissions Boundary

The permissions_boundary configuration block describes the permissions boundary policy to attach. It references either an AWS-managed policy (managed_policy_arn) or a customer-managed policy (customer_managed_policy_reference); exactly one of the two must be set.

Customer Managed Policy Reference

The customer_managed_policy_reference configuration block describes a customer-managed IAM policy. An IAM policy with the matching name and path must exist in every AWS account to which the permission set is provisioned.
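The following is an added example, not part of the provider documentation, showing the intended use of this resource: a permission set carrying the broad AWS-managed AdministratorAccess policy is capped by a customer-managed boundary, so the effective permissions are the intersection of the two. The resource names "bounded" and "boundary", the policy name "SsoDeveloperBoundary", and the assumption that the default provider targets one of the accounts the permission set is provisioned to are all mine.

```hcl
data "aws_ssoadmin_instances" "example" {}

locals {
  instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0]
}

resource "aws_ssoadmin_permission_set" "bounded" {
  name         = "BoundedDeveloper"
  instance_arn = local.instance_arn
}

# Broad identity-based policy attached to the permission set.
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.bounded.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Boundary policy (name and path are assumed values). A boundary is a
# cap, not a grant: anything AdministratorAccess allows but this policy
# does not is denied. The same name/path must exist in every account the
# permission set is provisioned to; this block creates it only in the
# account the default provider targets.
resource "aws_iam_policy" "boundary" {
  name = "SsoDeveloperBoundary"
  path = "/"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "CapToDeveloperServices"
        Effect   = "Allow"
        Action   = ["s3:*", "ec2:Describe*", "logs:*", "cloudwatch:*"]
        Resource = "*"
      },
    ]
  })
}

resource "aws_ssoadmin_permissions_boundary_attachment" "bounded" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.bounded.arn
  permissions_boundary {
    customer_managed_policy_reference {
      name = aws_iam_policy.boundary.name
      path = aws_iam_policy.boundary.path
    }
  }
}
```

Because the boundary contains no IAM actions, a user assigned this permission set cannot create or modify IAM principals or policies even though AdministratorAccess would otherwise allow it.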

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Timeouts

Configuration options:

Import

In Terraform v1.5.0 and later, use an import block to import SSO Admin Permissions Boundary Attachments using the permission_set_arn and instance_arn, separated by a comma (,). For example:

import {
  to = aws_ssoadmin_permissions_boundary_attachment.example
  id = "arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72"
}

Using terraform import, import SSO Admin Permissions Boundary Attachments using the permission_set_arn and instance_arn, separated by a comma (,). For example:

% terraform import aws_ssoadmin_permissions_boundary_attachment.example arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72