account assignment throwing errors in master account only where we have configured SSO service

[pavankumarshambhu]

module "sso" {
source = "../terraform-modules/sso"

permission_sets = {

  master-rtc-finance = {
  description      = "Finance Team Of RTC Access To AWS Master Account",
  session_duration = "PT8H",
  relay_state      = "https://s3.console.aws.amazon.com/s3/buckets/rtc-monthly-invoices?region=eu-central-1&tab=objects"
  inline_policy    = file("policies/finance_rtc_policy.json")
},

}

account_assignments = [

 {
  principal_name = "app_sso_aws_sinch_rtc_finance"
  principal_type = "GROUP"
  permission_set = "master-rtc-finance"
  account_ids    = ["797180668684"]
},

]
}

==============

No issues when i use the module when its trying to create the permission set at first. Issue is only when i am trying to do the account assiggnment is when im seeing this issue. This happens only when trying to create the resources in master account where i have configured the sso service

================

TERRAFORM PLAN OUTPUT

Terraform will perform the following actions:

Terraform will perform the following actions:

module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"] will be created

• resource "aws_ssoadmin_account_assignment" "this" {
  • id = (known after apply)
  • instance_arn = "arn:aws:sso:::instance/ssoins-6987325f4070a778"
  • permission_set_arn = (known after apply)
  • principal_id = "9967182253-cbe1a0b4-a479-43f6-9a0e-a8da3523e720"
  • principal_type = "GROUP"
  • target_id = "797180668684"
  • target_type = "AWS_ACCOUNT"
    }

module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"] will be created

• resource "aws_ssoadmin_permission_set" "this" {
  • arn = (known after apply)
  • created_date = (known after apply)
  • description = "Finance Team Of RTC Access To AWS Master Account"
  • id = (known after apply)
  • instance_arn = "arn:aws:sso:::instance/ssoins-6987325f4070a778"
  • name = "master-rtc-finance"
  • relay_state = "https://s3.console.aws.amazon.com/s3/buckets/rtc-monthly-invoices?region=eu-central-1&tab=objects"
  • session_duration = "PT8H"
  • tags_all = {
    • "cg_iac" = "terraform"
      }
      }

module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"] will be created

• resource "aws_ssoadmin_permission_set_inline_policy" "this" {
  • id = (known after apply)
  • inline_policy = jsonencode(
    {
    + Statement = [
    + {
    + Action = [
    + "s3:ListBucket",
    + "s3:GetObject",
    ]
    + Effect = "Allow"
    + Resource = [
    + "arn:aws:s3:::rtc-monthly-invoices",
    + "arn:aws:s3:::rtc-monthly-invoices/",
    ]
    },
    + {
    + Action = "s3:HeadBucket"
    + Effect = "Allow"
    + Resource = ""
    },
    ]
    + Version = "2012-10-17"
    }
    )
  • instance_arn = "arn:aws:sso:::instance/ssoins-6987325f4070a778"
  • permission_set_arn = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.
module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"]: Creating...
module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"]: Creation complete after 1s [id=arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-d3d988f762fbd9d1,arn:aws:sso:::instance/ssoins-6987325f4070a778]
module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"]: Creating...
module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"]: Creating...
module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"]: Creation complete after 6s [id=arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-d3d988f762fbd9d1,arn:aws:sso:::instance/ssoins-6987325f4070a778]
╷
│ Error: waiting for SSO Account Assignment for GROUP (9967182253-cbe1a0b4-a479-43f6-9a0e-a8da3523e720) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s()
│
│ with module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"],
│ on ../terraform-modules/sso/main.tf line 95, in resource "aws_ssoadmin_account_assignment" "this":
│ 95: resource "aws_ssoadmin_account_assignment" "this" {

[aurimasmick]

Hi @pavankumarshambhu,
This looks like the issue described here:
hashicorp/terraform-provider-aws#22952
Can you check if you are not hitting any SSO limits?
https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html

[noce2]

Getting this issue also. @pavankumarshambhu / @aurimasmick any fixes? I checked in my case and I was not running into any limits

[maxvandermeij]

Got similar issues described above. Found out using the aws cli it was due to permission errors. It seems the management account does not use the Service principal and thus uses the role/user you are assigned with to create/list/update Saml identity providers required for the account assignment.

I've solved it by adding the following permissions to the role running terraform:

 "iam:GetSAMLProvider",
 "iam:ListSAMLProviderTags",
 "iam:ListSAMLProviders",
 "iam:TagSAMLProvider",
 "iam:UntagSAMLProvider",
 "iam:UpdateSAMLProvider",

You can see the actual error with the following commands

aws sso-admin list-account-assignment-creation-status --instance-arn arn:aws:sso:::instance/$id
aws sso-admin describe-account-assignment-creation-status --instance-arn  arn:aws:sso:::instance/$id--account-assignment-creation-request-id $request-id

[pavankumarshambhu]

@maxvandermeij thanks a lot.
those two commands shared really helped in checking which permissions were missing in the role being used by terraform.

"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",

it was missing above permissions in my case.
now im able to deploy resources through terraform in master account

command output which helped in determing it for one of the failed request id

aws sso-admin describe-account-assignment-creation-status --instance-arn arn:aws:sso:::instance/$id--account-assignment-creation-request-id $request-id

{
"AccountAssignmentCreationStatus": {
"Status": "FAILED",
"RequestId": "3d6f474f-2267-451d-9d8c-40352a683aaa",
"FailureReason": "Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts:::assumed-role/SSO-Terraform-Role/terraform-aws-sso is not authorized to perform: iam:AttachRolePolicy on resource: role AWSReservedSSO_Master-Billing-Cost_2257a6c066c3e619 because no identity-based policy allows the iam:AttachRolePolicy action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 16181209-4cbe-4617-b3c6-094f96e7c31b; Proxy: null)",
"TargetId": "",
"TargetType": "AWS_ACCOUNT",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-80768d1c308e5daf",
"PrincipalType": "GROUP",
"PrincipalId": "9967182253-70973ba0-162e-4d9b-a35f-1e2f2486be35",
"CreatedDate": "2023-05-23T16:10:00.135000+05:30"
}
}

[aurimasmick]

Also worth mentioning that adding account assignments in the Management account requires MFA. So when using AWS cli, in the profile config (in ~/.aws/config) make sure that you have the below:
mfa_serial = arn:aws:iam::1234567890:mfa/MFA_NAME