Enable multiple managed policies to be attached to a single aws_ssoadmin_managed_policy_attachment resource

[plynch-magnolia]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In the new aws_ssoadmin_managed_policy_attachment resource there is presently only support for one managed policy per resource. I am proposing the managed_policy_arn accept a list of values as there could easily be multiple managed policies to attach. In the current solution, you have to create a new TF resource for each policy you want to attach to a role.

New or Affected Resource(s)

• aws_ssoadmin_managed_policy_attachment

Potential Terraform Configuration

resource "aws_ssoadmin_managed_policy_attachment" "role_policy" {
  instance_arn = aws_ssoadmin_permission_set.sre_sso.instance_arn
  managed_policy_arn = [
    "arn:aws:iam::aws:policy/IAMFullAccess", 
    "arn:aws:iam::aws:policy/AmazonS3FullAccess", 
    "arn:aws:iam::aws:policy/AWSLambda_FullAccess"]
  permission_set_arn = aws_ssoadmin_permission_set.sre_sso.arn
}

References

• r/aws_sso_permission_set: New Resource #15808
• r/ssoadmin_account_assignment: new resource; d/identitystore: new data sources #15322

[grealish]

This is becoming an urgent issue with a number of our clients, how can we get this escalated to get resources behind this to set up a solution on a PR? Can as escalate vi AWS Support? or talk with Hashicorp directly?

[rainmanh]

This question was raised awhile ago but I will answer for the record @grealish
The resource works in the same way as the aws_iam_user_policy_attachment
You have to instantiate the resource aws_iam_user_policy_attachment as many times as policies you want to attach.
i.e.:

resource "aws_ssoadmin_managed_policy_attachment" "SecurityAudit_IAMReadOnlyAccess" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.<name>.arns)[0]
    managed_policy_arn  = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.SecurityAudit.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "SecurityAudit_SecurityAudit" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.<name>.arns)[0]
    managed_policy_arn  = "arn:aws:iam::aws:policy/SecurityAudit"
  permission_set_arn = aws_ssoadmin_permission_set.SecurityAudit.arn
}

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!