AWS SSO Managed Policy Attachment

This page shows how to write Terraform and CloudFormation configuration for AWS SSO Managed Policy Attachment, and how to write it securely.

aws_ssoadmin_managed_policy_attachment (Terraform)

The Managed Policy Attachment in AWS SSO can be configured in Terraform with the resource name aws_ssoadmin_managed_policy_attachment. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws_sso_permission_set.tf#L7
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
}

sso-admin-permission-sets.tf#L15
resource "aws_ssoadmin_managed_policy_attachment" "administrator-access-policy" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  permission_set_arn = aws_ssoadmin_permission_set.administrator-access.arn
}

main.tf#L98
resource "aws_ssoadmin_managed_policy_attachment" "delivery_pipelines_policies" {
  for_each           = toset(["arn:aws:iam::aws:policy/AWSCodePipeline_ReadOnlyAccess", "arn:aws:iam::aws:policy/AWSCodeBuildReadOnlyAccess"])
  instance_arn       = aws_ssoadmin_permission_set.delivery_pipelines_readonly.instance_arn
  managed_policy_arn = each.key
  permission_set_arn = aws_ssoadmin_permission_set.delivery_pipelines_readonly.arn
}

main.tf#L9
resource "aws_ssoadmin_managed_policy_attachment" "permissionset_policy" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.ssos.arns)[0]
  managed_policy_arn = var.policy_arn
  permission_set_arn = aws_ssoadmin_permission_set.permissionset.arn
}

main.tf#L10
resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = length(var.managed_policy_arns) > 0 ? toset(var.managed_policy_arns) : []
  instance_arn       = var.instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.this.arn
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an IAM managed policy attachment for a Single Sign-On (SSO) Permission Set resource.

NOTE: Creating this resource will automatically provision the Permission Set, so the corresponding updates are applied to all accounts the Permission Set is assigned to.
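The GitHub snippets above show the attachment on its own. The following is an added example (not code from this page or from any of the repositories it lists) that puts the pieces together: it looks up the SSO instance with the aws_ssoadmin_instances data source, creates a least-privilege read-only permission set, and attaches one managed policy per ARN with for_each. The variable name managed_policy_arns, the permission set name ReadOnlyAccess and the session duration are assumptions chosen for the example.

```hcl
# Added example; assumes exactly one IAM Identity Center (AWS SSO) instance is
# enabled in the account and the caller may create permission sets.

data "aws_ssoadmin_instances" "this" {}

locals {
  # The data source returns sets; take the first (and only) instance ARN.
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

variable "managed_policy_arns" {
  description = "AWS managed policies to attach to the read-only permission set"
  type        = list(string)
  # Constructed default: read-only rather than AdministratorAccess.
  default = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
  ]
}

resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "ReadOnlyAccess"
  description      = "Read-only access for auditors"
  instance_arn     = local.instance_arn
  # ISO-8601 duration; a short session limits how long a leaked token is usable.
  session_duration = "PT1H"
}

# One attachment per policy ARN. toset() of an empty list is an empty set, so
# for_each creates nothing when the variable is empty; no conditional is needed.
resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  for_each           = toset(var.managed_policy_arns)
  instance_arn       = local.instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
}
```

Because creating or changing the attachment provisions the permission set to every assigned account (see the note above), a policy ARN typo or an overly broad policy takes effect everywhere at once; reviewing the planned managed_policy_arn values before apply is the cheapest check.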

AWS::SSO::PermissionSet (CloudFormation)

The PermissionSet in SSO can be configured in CloudFormation with the resource name AWS::SSO::PermissionSet. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

example-policy.yml#L9
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: ExampleSet
      InstanceArn: !Ref SSOInstance
      PolicyDocument:
        Version: 2012-10-17

permission-set-using-json-string-1.yml#L6
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: TestPS1
      Description: Readonly Access
      InstanceArn:  arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
      ManagedPolicies:

permission-set-using-json-string-2.yml#L6
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: TestPS2
      Description: Readonly Access
      InstanceArn:  arn:aws:sso:::instance/ssoins-6804ad5dfea0d87e
      ManagedPolicies:

template.yml#L36
    Type: AWS::SSO::PermissionSet
    Properties:
      Description: 'Permission set being used for AdministratorAccess that bypasses X SCPs'
      SessionDuration: 'PT12H' # The length of time that the application user sessions are valid for in the ISO-8601 standard.
      InstanceArn: !Ref pAwsSsoInsanceArn
      Name: 'FullAdministratorAccess'

example.yml#L15
    Type: AWS::SSO::PermissionSet
    Properties:
      Name: TestPSABC
      Description: Readonly Access
      InstanceArn: !Ref instanceArn
      ManagedPolicies:

test_file_2.json#L647
            "Type": "AWS::SSO::PermissionSet",
            "Properties": {
                "InstanceArn": "arn:aws:sso:::instance/ssoins-111222333444",
                "Name": "MyPermissionSet",
                "ManagedPolicies": [
                    {

awsResouceIconMatches.json#L3092
        "resourceType": "AWS::SSO::PermissionSet",
        "filePath": null
      },
      {
        "resourceType": "AWS::SSO::InstanceAccessControlAttributeConfiguration",
        "filePath": null

template.json#L2351
    "AWS::SSO::PermissionSet": {
      "Type": "AWS::SSO::PermissionSet",
      "Properties": {}
    },
    "AWS::Pinpoint::PushTemplate": {
      "Type": "AWS::Pinpoint::PushTemplate",

Parameters

Explanation in CloudFormation Registry

Specifies a permission set within a specified SSO instance.

Frequently asked questions

What is AWS SSO Managed Policy Attachment?

AWS SSO Managed Policy Attachment is a resource for AWS Single Sign-On (SSO) in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS SSO Managed Policy Attachment?

For Terraform, the dharada1/aws-sso-sample, ministryofjustice/aws-root-account and tintulip/cla-organisation source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the ArjenSchwarz/cloudformation-macros and org-formation/org-formation-cli source code examples are useful. See the CloudFormation Example section for further details.