AWS SSO Managed Policy Attachment
This page shows how to write Terraform and CloudFormation for AWS SSO Managed Policy Attachment and write them securely.
aws_ssoadmin_managed_policy_attachment (Terraform)
The Managed Policy Attachment in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_managed_policy_attachment. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
```hcl
# Attaches the AWS-managed AdministratorAccess policy to a permission set.
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "administrator-access-policy" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.administrator-access.arn
}

# One attachment resource per policy ARN; for_each needs a set, hence toset().
resource "aws_ssoadmin_managed_policy_attachment" "delivery_pipelines_policies" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AWSCodePipeline_ReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSCodeBuildReadOnlyAccess",
  ])

  instance_arn       = aws_ssoadmin_permission_set.delivery_pipelines_readonly.instance_arn
  managed_policy_arn = each.key
  permission_set_arn = aws_ssoadmin_permission_set.delivery_pipelines_readonly.arn
}

# The instance ARN is looked up from the data source; the policy comes from a variable.
resource "aws_ssoadmin_managed_policy_attachment" "permissionset_policy" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.ssos.arns)[0]
  managed_policy_arn = var.policy_arn
  permission_set_arn = aws_ssoadmin_permission_set.permissionset.arn
}

# toset() alone is enough here: an empty list yields an empty set and therefore
# no instances, so no conditional with differently typed branches is needed.
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each = toset(var.managed_policy_arns)

  instance_arn       = var.instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}
```
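Several of the examples above attach AdministratorAccess to a permission set, which every account the set is assigned to then inherits. The following is an added example (not code from the page's sources) of a small pre-merge check that lists every aws_ssoadmin_managed_policy_attachment in a Terraform file and flags literal managed_policy_arn values that grant broad access; the HCL it scans is a constructed sample, and the list of "broad" policy names is an assumption you would tune to your own standards.

```python
import re

# Constructed sample Terraform input (not from the page's sources).
SAMPLE_TF = '''
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "pipelines" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AWSCodePipeline_ReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.pipelines.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "dynamic" {
  instance_arn       = var.instance_arn
  managed_policy_arn = var.policy_arn
  permission_set_arn = aws_ssoadmin_permission_set.dynamic.arn
}
'''

BLOCK_RE = re.compile(
    r'resource\s+"aws_ssoadmin_managed_policy_attachment"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.S,
)
ARN_RE = re.compile(r'managed_policy_arn\s*=\s*"([^"]+)"')

# Assumed list of policy names that warrant an explicit justification.
BROAD_POLICY_NAMES = {"AdministratorAccess", "PowerUserAccess", "IAMFullAccess"}


def find_attachments(hcl: str):
    """Return (resource name, literal managed_policy_arn or None) per block.

    None means the ARN is an expression (var., local., ...) that cannot be
    judged statically and should be reviewed by hand."""
    result = []
    for match in BLOCK_RE.finditer(hcl):
        name, body = match.group(1), match.group(2)
        arn = ARN_RE.search(body)
        result.append((name, arn.group(1) if arn else None))
    return result


def is_broad(arn):
    """True for AWS-managed policies that grant broad, service-wide access."""
    if arn is None:
        return False
    policy_name = arn.rsplit("/", 1)[-1]
    return policy_name in BROAD_POLICY_NAMES or policy_name.endswith("FullAccess")


def flag_broad_attachments(hcl: str):
    """Names of attachment resources whose literal policy is broad."""
    return [name for name, arn in find_attachments(hcl) if is_broad(arn)]


if __name__ == "__main__":
    for name, arn in find_attachments(SAMPLE_TF):
        verdict = "REVIEW" if is_broad(arn) else ("UNRESOLVED" if arn is None else "ok")
        print(f"{name}: {arn} -> {verdict}")
```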
Parameters
- id: optional, computed - string
- instance_arn: required - string
- managed_policy_arn: required - string
- managed_policy_name: optional, computed - string
- permission_set_arn: required - string
Explanation in Terraform Registry
Provides an IAM managed policy attachment for a Single Sign-On (SSO) Permission Set resource.
NOTE: Creating this resource will automatically provision the Permission Set, so the corresponding updates are applied to all accounts it is assigned to.
AWS::SSO::PermissionSet (CloudFormation)
The PermissionSet in SSO can be configured in CloudFormation with the resource name AWS::SSO::PermissionSet. The following sections describe 8 examples of how to use the resource and its parameters.
Example Usage from GitHub
```yaml
Type: AWS::SSO::PermissionSet
Properties:
  Name: ExampleSet
  InstanceArn: !Ref SSOInstance
  PolicyDocument:
    Version: 2012-10-17
```
```yaml
Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS1
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:
```
```yaml
Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPS2
  Description: Readonly Access
  InstanceArn: arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
  ManagedPolicies:
```
```yaml
Type: AWS::SSO::PermissionSet
Properties:
  Description: 'Permission set being used for AdministratorAccess that bypasses X SCPs'
  SessionDuration: 'PT12H' # The length of time that the application user sessions are valid for in the ISO-8601 standard.
  InstanceArn: !Ref pAwsSsoInsanceArn
  Name: 'FullAdministratorAccess'
```
```yaml
Type: AWS::SSO::PermissionSet
Properties:
  Name: TestPSABC
  Description: Readonly Access
  InstanceArn: !Ref instanceArn
  ManagedPolicies:
```
```json
"Type": "AWS::SSO::PermissionSet",
"Properties": {
  "InstanceArn": "arn:aws:sso:::instance/ssoins-111222333444",
  "Name": "MyPermissionSet",
  "ManagedPolicies": [
```
Parameters
- Name: required - String
- Description: optional - String
- InstanceArn: required - String
- SessionDuration: optional - String
- RelayStateType: optional - String
- ManagedPolicies: optional - List
- InlinePolicy: optional - Json
- Tags: optional - List of Tag
Explanation in CloudFormation Registry
Specifies a permission set within a specified SSO instance.
Frequently asked questions
What is AWS SSO Managed Policy Attachment?
AWS SSO Managed Policy Attachment is a resource for SSO of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS SSO Managed Policy Attachment?
For Terraform, the dharada1/aws-sso-sample, ministryofjustice/aws-root-account and tintulip/cla-organisation source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the ArjenSchwarz/cloudformation-macros, org-formation/org-formation-cli and org-formation/org-formation-cli source code examples are useful. See the CloudFormation Example section for further details.