-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/aws_sso_permission_set: New Resource #15808
Conversation
Hi @lawdhavmercy @burck1, thank you for this PR and your patience! Are you still interested and available to work on this? We have been unable to get to the SSO service until now but we aim to get this work in before the end of the year. To be upfront about the process, here is what to expect: A design for this service, essentially covering the resources/data-sources we feel are essential for a practitioner's enablement, has been created internally and is currently in review by our team. Once the design is approved, implementation will need to follow the design. Hopefully, we can use some or all of your work to support this core service. We won't know until we have consensus on the design, however. Once we have approval, I'll circle back here and provide an update/initial code review. Currently the list of data-sources/resources we are considering (per RoadMap and some of which are covered in this PR as well as in #15322) include: Resources:
DataSources:
**Note: to keep inline with the service package -> resource/data-source naming, we'll be using the |
Hi @anGie44! Great to hear. Once the design is finalized, we'd be happy to help migrate our code to the updated design. Feel free to reach out as soon as the design is ready. One nuance of the ssoadmin apis that may help inform your design is the ProvisionPermissionSet request. This API must be called after any updates to the permission set resource or else the change will not actually be propagated to the assigned accounts. This is in fact the reason why we decided not to create separate aws_ssoadmin_permission_set_inline_policy and aws_ssoadmin_managed_policy_attachment resources and instead made those properties of the permission set resource. I.E. Whenever those policies are modified, the ProvisionPermissionSet API must be called. Separating out those resources means you would need to call the ProvisionPermissionSet API within the update function for each of those resources which means you would run into conflicts whenever more than one of those resources has changed. The API prevents multiple provisionings to the same assigned account from happening at once. The solution we ended up coming up with was simply to incorporate the inline and managed policies as properties of the permission set resource so that we would only need to call the ProvisionPermissionSet API one time within the permission set resource's update function. I discussed this a bit in this comment: #15322 (comment) Let us know if you have any questions. Note: We have been running our custom version of the aws provider with the changes from #15322 in production for over a month now without any problems. |
The code for calling the ProvisionPermissionSet API can be found here: terraform-provider-aws/aws/resource_aws_sso_permission_set.go Lines 483 to 506 in 1b750b9
|
Thanks for clarifying @burck1 -- definitely to our advantage that these changes have been tested in production 👍 My only hesitation in not moving out the policy related attributes to their own resources is the need to make various API calls to gather these attributes on import/read which strays a bit from convention. You mentioned in your testing you came across the need to call |
Hi @anGie44. Some great questions!
True that is strays from convention. Unfortunately we couldn't find any other AWS resources in this repo that we could model our changes after that also had to follow this pattern of calling a different API (like
I think this is a miss in the AWS documentation. I just tested this out with the AWS CLI (IDs are obfuscated). Currently the only way to tell if you need to call the # This is the current permission set settings
$ aws sso-admin describe-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111"
{
"PermissionSet": {
"Name": "alex-test",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111",
"Description": "before update",
"CreatedDate": "2020-12-11T17:18:37.654000-06:00",
"SessionDuration": "PT1H"
}
}
# There is currently one account assigned to the permission set that has been provisioned with the latest changes
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_PROVISIONED
{
"AccountIds": [
"012345678910"
]
}
# There is currently no accounts assigned to the permission set that have not been provisioned with the latest changes
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_NOT_PROVISIONED
{
"AccountIds": []
}
# Let's update the description of the permission set
$ aws sso-admin update-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --description "after update"
# We can see the updated description
$ aws sso-admin describe-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111"
{
"PermissionSet": {
"Name": "alex-test",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111",
"Description": "after update",
"CreatedDate": "2020-12-11T17:18:37.654000-06:00",
"SessionDuration": "PT1H"
}
}
# but now there are currently no accounts assigned to the permission set that have been provisioned with the latest changes
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_PROVISIONED
{
"AccountIds": []
}
# and our account now shows up as not being provisioned with the latest changes
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_NOT_PROVISIONED
{
"AccountIds": [
"012345678910"
]
}
# so we can now call provision-permission-set
$ aws sso-admin provision-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --target-type ALL_PROVISIONED_ACCOUNTS
{
"PermissionSetProvisioningStatus": {
"Status": "IN_PROGRESS",
"RequestId": "47ac8a85-2212-41d6-8bde-c69a7a81c834",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111"
}
}
# and await for status to be SUCCEEDED
$ aws sso-admin describe-permission-set-provisioning-status --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --provision-permission-set-request-id "47ac8a85-2212-41d6-8bde-c69a7a81c834"
{
"PermissionSetProvisioningStatus": {
"Status": "SUCCEEDED",
"RequestId": "47ac8a85-2212-41d6-8bde-c69a7a81c834",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111",
"CreatedDate": "2020-12-11T17:50:26.049000-06:00"
}
}
# and now our account is back to having the latest permission set changes provisioned
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_PROVISIONED
{
"AccountIds": [
"012345678910"
]
}
# and none that are not at the latest
$ aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn "arn:aws:sso:::instance/ssoins-9999999999999999" --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-9999999999999999/ps-1111111111111111" --provisioning-status LATEST_PERMISSION_SET_NOT_PROVISIONED
{
"AccountIds": []
} Note: We also need to call I can also provide some screenshots of the AWS console as well if that helps. |
Regarding this note, does it make sense for @lawdhavmercy and I to go ahead and update this PR and #15322 as follows? Resources
Data Sources
|
Also, regarding the terraform-provider-aws/aws/data_source_aws_sso_instance.go Lines 53 to 55 in 1b750b9
We could not find a way to create multiple AWS SSO Instances from the AWS console, so we think that AWS just decided to design the ListInstances API like the ListAccountAliases API in that they can only ever return zero or one instances, but our assumption could be flawed here. It may be a good idea to get in contact with AWS to see if this assumption is correct. It would be unfortunate if it was possible for there to be more than one sso instance because that would mean it would require users of the |
Hmm given the API method seems to imply more than 1, we could proactively account for this by making the data source plural i.e. have a field for |
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
Co-authored-by: angie pinilla <angelinepinilla@gmail.com>
df09a26
to
ca0a0f2
Compare
Thanks again for your all your contributions and time @burck1 @lawdhavmercy 🚀 🚀 |
This has been released in version 3.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Relates #15108
Relates #15540
Release note for CHANGELOG:
Output from acceptance testing:
Commerical Organizations-Only
Commerical: