ManagedPolicyAttachment

class ManagedPolicyAttachment : KotlinCustomResource

Attaches an IAM managed policy to an IAM Identity Center (formerly AWS Single Sign-On, SSO) Permission Set. Because a permission set is provisioned into every account it is assigned to, attaching a policy here grants that policy's permissions to every principal assigned the set, in every assigned account — review the policy's scope before attaching it.

NOTE: Creating this resource automatically re-provisions the Permission Set, which pushes the updated policy to all accounts the Permission Set is currently assigned to; the change is not deferred until the next assignment.

Example Usage

Basic Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Look up the IAM Identity Center instance(s) visible to this account/region.
// The example assumes exactly one instance and uses arns[0]; if none exists,
// `arns?.[0]` is undefined and the resources below fail to create.
const ssoInstances = aws.ssoadmin.getInstances({});
const instanceArn = ssoInstances.then(instances => instances.arns?.[0]);

// The permission set that principals assume in the accounts it is assigned to.
const permissionSet = new aws.ssoadmin.PermissionSet("example", {
    name: "Example",
    instanceArn: instanceArn,
});

// Attach an IAM managed policy to the permission set. Creating this attachment
// re-provisions the permission set, so the policy applies in every account the
// set is already assigned to -- review the policy's scope before attaching it.
const policyAttachment = new aws.ssoadmin.ManagedPolicyAttachment("example", {
    instanceArn: instanceArn,
    managedPolicyArn: "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
    permissionSetArn: permissionSet.arn,
});
import pulumi
import pulumi_aws as aws

# Resolve the IAM Identity Center instance. The example assumes exactly one
# instance is present; arns[0] raises IndexError when the lookup returns none.
sso_instances = aws.ssoadmin.get_instances()
instance_arn = sso_instances.arns[0]

# The permission set that principals assume in the accounts it is assigned to.
permission_set = aws.ssoadmin.PermissionSet(
    "example",
    name="Example",
    instance_arn=instance_arn,
)

# Attach an IAM managed policy to the permission set. Creating the attachment
# re-provisions the permission set, so the policy takes effect in every account
# the set is already assigned to -- check the policy's scope first.
policy_attachment = aws.ssoadmin.ManagedPolicyAttachment(
    "example",
    instance_arn=instance_arn,
    managed_policy_arn="arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
    permission_set_arn=permission_set.arn,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Resolve the IAM Identity Center instance. The example assumes exactly one
    // instance exists; Arns[0] throws when the lookup returns an empty list.
    var ssoInstances = Aws.SsoAdmin.GetInstances.Invoke();
    var instanceArn = ssoInstances.Apply(result => result.Arns[0]);

    // The permission set that principals assume in the accounts it is assigned to.
    var permissionSet = new Aws.SsoAdmin.PermissionSet("example", new()
    {
        Name = "Example",
        InstanceArn = instanceArn,
    });

    // Attach an IAM managed policy. Creating this attachment re-provisions the
    // permission set, so the policy applies in every account the set is already
    // assigned to -- review the policy's scope before attaching it.
    var policyAttachment = new Aws.SsoAdmin.ManagedPolicyAttachment("example", new()
    {
        InstanceArn = instanceArn,
        ManagedPolicyArn = "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
        PermissionSetArn = permissionSet.Arn,
    });
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ssoadmin"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resolve the IAM Identity Center instance. The example assumes exactly
		// one instance exists; Arns[0] panics if the lookup returns none.
		instances, err := ssoadmin.GetInstances(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		instanceArn := pulumi.String(instances.Arns[0])

		// The permission set that principals assume in the accounts it is assigned to.
		permissionSet, err := ssoadmin.NewPermissionSet(ctx, "example", &ssoadmin.PermissionSetArgs{
			Name:        pulumi.String("Example"),
			InstanceArn: instanceArn,
		})
		if err != nil {
			return err
		}

		// Attach an IAM managed policy. Creating the attachment re-provisions the
		// permission set, so the policy applies in every account the set is
		// already assigned to -- review the policy's scope first.
		_, err = ssoadmin.NewManagedPolicyAttachment(ctx, "example", &ssoadmin.ManagedPolicyAttachmentArgs{
			InstanceArn:      instanceArn,
			ManagedPolicyArn: pulumi.String("arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup"),
			PermissionSetArn: permissionSet.Arn,
		})
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssoadmin.SsoadminFunctions;
import com.pulumi.aws.ssoadmin.PermissionSet;
import com.pulumi.aws.ssoadmin.PermissionSetArgs;
import com.pulumi.aws.ssoadmin.ManagedPolicyAttachment;
import com.pulumi.aws.ssoadmin.ManagedPolicyAttachmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
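public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a permission set and attaches an IAM managed policy to it.
     *
     * <p>Creating the attachment re-provisions the permission set, so the policy
     * takes effect in every account the set is already assigned to; review the
     * policy's scope before attaching it.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Resolve the IAM Identity Center instance. The example assumes exactly
        // one instance exists; get(0) throws if the lookup returns none.
        // arns() is a List, so it is indexed with get(0) rather than [0].
        final var instances = SsoadminFunctions.getInstances();
        final Output<String> instanceArn = instances.applyValue(result -> result.arns().get(0));

        // The permission set that principals assume in the accounts it is assigned to.
        var permissionSet = new PermissionSet("examplePermissionSet", PermissionSetArgs.builder()
            .name("Example")
            .instanceArn(instanceArn)
            .build());

        var policyAttachment = new ManagedPolicyAttachment("exampleManagedPolicyAttachment", ManagedPolicyAttachmentArgs.builder()
            .instanceArn(instanceArn)
            .managedPolicyArn("arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup")
            .permissionSetArn(permissionSet.arn())
            .build());
    }
}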
resources:
  # The permission set that principals assume in the accounts it is assigned to.
  examplePermissionSet:
    type: aws:ssoadmin:PermissionSet
    name: example
    properties:
      name: Example
      # Assumes exactly one IAM Identity Center instance exists in this account/region.
      instanceArn: ${example.arns[0]}
  # Creating this attachment re-provisions the permission set, so the policy
  # applies in every account the set is already assigned to; review its scope first.
  exampleManagedPolicyAttachment:
    type: aws:ssoadmin:ManagedPolicyAttachment
    name: example
    properties:
      instanceArn: ${example.arns[0]}
      managedPolicyArn: arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup
      permissionSetArn: ${examplePermissionSet.arn}
# Looks up the IAM Identity Center instance(s) visible to this account/region.
variables:
  example:
    fn::invoke:
      function: aws:ssoadmin:getInstances
      arguments: {}

With Account Assignment

Destroying a managed policy attachment also re-provisions the associated permission set to every account it is still assigned to. When an attachment and an account assignment for the same permission set are managed together, declare the attachment's dependency on the assignment with the depends_on meta argument so that, on teardown, the attachment is removed before the assignment and the re-provisioning targets the expected accounts.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Resolve the IAM Identity Center instance and its identity store. The example
// assumes exactly one instance; if none exists the `?.[0]` lookups yield
// undefined and resource creation fails.
const ssoInstances = aws.ssoadmin.getInstances({});
const instanceArn = ssoInstances.then(instances => instances.arns?.[0]);
const identityStoreId = ssoInstances.then(instances => instances.identityStoreIds?.[0]);

// The permission set that principals assume in the accounts it is assigned to.
const permissionSet = new aws.ssoadmin.PermissionSet("example", {
    name: "Example",
    instanceArn: instanceArn,
});

// The group that receives the permission set.
const adminGroup = new aws.identitystore.Group("example", {
    identityStoreId: identityStoreId,
    displayName: "Admin",
    description: "Admin Group",
});

// Grant the group the permission set in the target account. targetId is a
// placeholder 12-digit AWS account ID.
const accountAssignment = new aws.ssoadmin.AccountAssignment("example", {
    instanceArn: instanceArn,
    permissionSetArn: permissionSet.arn,
    principalId: adminGroup.groupId,
    principalType: "GROUP",
    targetId: "123456789012",
    targetType: "AWS_ACCOUNT",
});

// Attach the managed policy. dependsOn orders this after the assignment so that
// on teardown the attachment is removed first: destroying it re-provisions the
// permission set to every account it is still assigned to.
const policyAttachment = new aws.ssoadmin.ManagedPolicyAttachment("example", {
    instanceArn: instanceArn,
    managedPolicyArn: "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
    permissionSetArn: permissionSet.arn,
}, {
    dependsOn: [accountAssignment],
});
import pulumi
import pulumi_aws as aws

# Resolve the IAM Identity Center instance and its identity store. The example
# assumes exactly one instance; [0] raises IndexError if none is returned.
sso_instances = aws.ssoadmin.get_instances()
instance_arn = sso_instances.arns[0]
identity_store_id = sso_instances.identity_store_ids[0]

# The permission set that principals assume in the accounts it is assigned to.
permission_set = aws.ssoadmin.PermissionSet(
    "example",
    name="Example",
    instance_arn=instance_arn,
)

# The group that receives the permission set.
admin_group = aws.identitystore.Group(
    "example",
    identity_store_id=identity_store_id,
    display_name="Admin",
    description="Admin Group",
)

# Grant the group the permission set in the target account; target_id is a
# placeholder 12-digit AWS account ID.
account_assignment = aws.ssoadmin.AccountAssignment(
    "example",
    instance_arn=instance_arn,
    permission_set_arn=permission_set.arn,
    principal_id=admin_group.group_id,
    principal_type="GROUP",
    target_id="123456789012",
    target_type="AWS_ACCOUNT",
)

# Attach the managed policy. depends_on orders this after the assignment so that
# on teardown the attachment goes first: destroying it re-provisions the
# permission set to every account it is still assigned to.
policy_attachment = aws.ssoadmin.ManagedPolicyAttachment(
    "example",
    instance_arn=instance_arn,
    managed_policy_arn="arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
    permission_set_arn=permission_set.arn,
    opts=pulumi.ResourceOptions(depends_on=[account_assignment]),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Resolve the IAM Identity Center instance and its identity store. The
    // example assumes exactly one instance; [0] throws if none is returned.
    var ssoInstances = Aws.SsoAdmin.GetInstances.Invoke();
    var instanceArn = ssoInstances.Apply(result => result.Arns[0]);
    var identityStoreId = ssoInstances.Apply(result => result.IdentityStoreIds[0]);

    // The permission set that principals assume in the accounts it is assigned to.
    var permissionSet = new Aws.SsoAdmin.PermissionSet("example", new()
    {
        Name = "Example",
        InstanceArn = instanceArn,
    });

    // The group that receives the permission set.
    var adminGroup = new Aws.IdentityStore.Group("example", new()
    {
        IdentityStoreId = identityStoreId,
        DisplayName = "Admin",
        Description = "Admin Group",
    });

    // Grant the group the permission set in the target account; TargetId is a
    // placeholder 12-digit AWS account ID.
    var accountAssignment = new Aws.SsoAdmin.AccountAssignment("example", new()
    {
        InstanceArn = instanceArn,
        PermissionSetArn = permissionSet.Arn,
        PrincipalId = adminGroup.GroupId,
        PrincipalType = "GROUP",
        TargetId = "123456789012",
        TargetType = "AWS_ACCOUNT",
    });

    // Attach the managed policy. DependsOn orders this after the assignment so
    // that on teardown the attachment is removed first: destroying it
    // re-provisions the permission set to every account it is still assigned to.
    var policyAttachment = new Aws.SsoAdmin.ManagedPolicyAttachment("example", new()
    {
        InstanceArn = instanceArn,
        ManagedPolicyArn = "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
        PermissionSetArn = permissionSet.Arn,
    }, new CustomResourceOptions
    {
        DependsOn = { accountAssignment },
    });
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/identitystore"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ssoadmin"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resolve the IAM Identity Center instance and its identity store. The
		// example assumes exactly one instance; [0] panics if none is returned.
		instances, err := ssoadmin.GetInstances(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		instanceArn := pulumi.String(instances.Arns[0])
		identityStoreId := pulumi.String(instances.IdentityStoreIds[0])

		// The permission set that principals assume in the accounts it is assigned to.
		permissionSet, err := ssoadmin.NewPermissionSet(ctx, "example", &ssoadmin.PermissionSetArgs{
			Name:        pulumi.String("Example"),
			InstanceArn: instanceArn,
		})
		if err != nil {
			return err
		}

		// The group that receives the permission set.
		adminGroup, err := identitystore.NewGroup(ctx, "example", &identitystore.GroupArgs{
			IdentityStoreId: identityStoreId,
			DisplayName:     pulumi.String("Admin"),
			Description:     pulumi.String("Admin Group"),
		})
		if err != nil {
			return err
		}

		// Grant the group the permission set in the target account; TargetId is
		// a placeholder 12-digit AWS account ID.
		accountAssignment, err := ssoadmin.NewAccountAssignment(ctx, "example", &ssoadmin.AccountAssignmentArgs{
			InstanceArn:      instanceArn,
			PermissionSetArn: permissionSet.Arn,
			PrincipalId:      adminGroup.GroupId,
			PrincipalType:    pulumi.String("GROUP"),
			TargetId:         pulumi.String("123456789012"),
			TargetType:       pulumi.String("AWS_ACCOUNT"),
		})
		if err != nil {
			return err
		}

		// Attach the managed policy. DependsOn orders this after the assignment
		// so that on teardown the attachment is removed first: destroying it
		// re-provisions the permission set to every account it is still
		// assigned to.
		_, err = ssoadmin.NewManagedPolicyAttachment(ctx, "example", &ssoadmin.ManagedPolicyAttachmentArgs{
			InstanceArn:      instanceArn,
			ManagedPolicyArn: pulumi.String("arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup"),
			PermissionSetArn: permissionSet.Arn,
		}, pulumi.DependsOn([]pulumi.Resource{accountAssignment}))
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ssoadmin.SsoadminFunctions;
import com.pulumi.aws.ssoadmin.PermissionSet;
import com.pulumi.aws.ssoadmin.PermissionSetArgs;
import com.pulumi.aws.identitystore.Group;
import com.pulumi.aws.identitystore.GroupArgs;
import com.pulumi.aws.ssoadmin.AccountAssignment;
import com.pulumi.aws.ssoadmin.AccountAssignmentArgs;
import com.pulumi.aws.ssoadmin.ManagedPolicyAttachment;
import com.pulumi.aws.ssoadmin.ManagedPolicyAttachmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
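public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a permission set, assigns it to a group in one account, and
     * attaches an IAM managed policy to it.
     *
     * <p>The attachment depends on the account assignment so that on teardown
     * the attachment is destroyed first: destroying it re-provisions the
     * permission set to every account it is still assigned to.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Resolve the IAM Identity Center instance and its identity store. The
        // example assumes exactly one instance; get(0) throws if none is returned.
        // arns() and identityStoreIds() are Lists, so they are indexed with
        // get(0) rather than [0].
        final var instances = SsoadminFunctions.getInstances();
        final Output<String> instanceArn = instances.applyValue(result -> result.arns().get(0));
        final Output<String> identityStoreId = instances.applyValue(result -> result.identityStoreIds().get(0));

        // The permission set that principals assume in the accounts it is assigned to.
        var permissionSet = new PermissionSet("examplePermissionSet", PermissionSetArgs.builder()
            .name("Example")
            .instanceArn(instanceArn)
            .build());

        // The group that receives the permission set.
        var adminGroup = new Group("exampleGroup", GroupArgs.builder()
            .identityStoreId(identityStoreId)
            .displayName("Admin")
            .description("Admin Group")
            .build());

        // Grant the group the permission set in the target account; targetId is
        // a placeholder 12-digit AWS account ID.
        var accountAssignment = new AccountAssignment("exampleAccountAssignment", AccountAssignmentArgs.builder()
            .instanceArn(instanceArn)
            .permissionSetArn(permissionSet.arn())
            .principalId(adminGroup.groupId())
            .principalType("GROUP")
            .targetId("123456789012")
            .targetType("AWS_ACCOUNT")
            .build());

        var policyAttachment = new ManagedPolicyAttachment("exampleManagedPolicyAttachment", ManagedPolicyAttachmentArgs.builder()
            .instanceArn(instanceArn)
            .managedPolicyArn("arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup")
            .permissionSetArn(permissionSet.arn())
            .build(), CustomResourceOptions.builder()
                .dependsOn(accountAssignment)
                .build());
    }
}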
resources:
  # The permission set that principals assume in the accounts it is assigned to.
  examplePermissionSet:
    type: aws:ssoadmin:PermissionSet
    name: example
    properties:
      name: Example
      # Assumes exactly one IAM Identity Center instance exists in this account/region.
      instanceArn: ${example.arns[0]}
  # The group that receives the permission set.
  exampleGroup:
    type: aws:identitystore:Group
    name: example
    properties:
      identityStoreId: ${example.identityStoreIds[0]}
      displayName: Admin
      description: Admin Group
  # Grants the group the permission set in the target account; targetId is a
  # placeholder 12-digit AWS account ID.
  exampleAccountAssignment:
    type: aws:ssoadmin:AccountAssignment
    name: example
    properties:
      instanceArn: ${example.arns[0]}
      permissionSetArn: ${examplePermissionSet.arn}
      principalId: ${exampleGroup.groupId}
      principalType: GROUP
      targetId: '123456789012'
      targetType: AWS_ACCOUNT
  # dependsOn orders the attachment after the assignment so that on teardown the
  # attachment is removed first: destroying it re-provisions the permission set
  # to every account it is still assigned to.
  exampleManagedPolicyAttachment:
    type: aws:ssoadmin:ManagedPolicyAttachment
    name: example
    properties:
      instanceArn: ${example.arns[0]}
      managedPolicyArn: arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup
      permissionSetArn: ${examplePermissionSet.arn}
    options:
      dependsOn:
        - ${exampleAccountAssignment}
# Looks up the IAM Identity Center instance(s) visible to this account/region.
variables:
  example:
    fn::invoke:
      function: aws:ssoadmin:getInstances
      arguments: {}

Import

Using pulumi import, import an existing SSO managed policy attachment by its ID, which is the managed_policy_arn, permission_set_arn, and instance_arn joined by commas (,), in that order. For example:

$ pulumi import aws:ssoadmin/managedPolicyAttachment:ManagedPolicyAttachment example arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup,arn:aws:sso:::permissionSet/ssoins-2938j0x8920sbj72/ps-80383020jr9302rk,arn:aws:sso:::instance/ssoins-2938j0x8920sbj72

Properties

val id: Output<String>
val instanceArn: Output<String>

The Amazon Resource Name (ARN) of the IAM Identity Center (SSO) instance under which the operation is executed.


The Amazon Resource Name (ARN) of the IAM managed policy to attach to the Permission Set. The examples on this page use an AWS-managed policy ARN of the form arn:aws:iam::aws:policy/&lt;name&gt;; once attached, the policy's permissions apply to every principal assigned the Permission Set in every assigned account.


The name of the IAM managed policy.


The Amazon Resource Name (ARN) of the Permission Set.

val pulumiChildResources: Set<KotlinResource>
val urn: Output<String>