[Enhancement]: Exclusive management of aws_ssoadmin_managed_policy_attachment and aws_ssoadmin_customer_managed_policy_attachment #33242
Labels
enhancement
Requests to existing resources that expand the functionality or scope.
service/ssoadmin
Issues and PRs that pertain to the ssoadmin service.
Description
We would like to be able to manage the exact set of managed policies attached to an AWS SSO Permission Set. Currently, using aws_ssoadmin_customer_managed_policy_attachment or aws_ssoadmin_managed_policy_attachment, the attachments are "non-exclusive", meaning that if a user attaches another policy to the permission set, Terraform is blind to that change and cannot detect, alert on, or remove the attachment. This would be similar to the implementation of exclusive management of IAM Role attachments, or Security Group rules.
Affected Resource(s) and/or Data Source(s)
Potential Terraform Configuration
This could be accomplished by adding new attributes to the aws_ssoadmin_permission_set resource. For example:
Alternatively, aligning with the desire to map a resource to a single primary API call, it could be accomplished through new "plural" resources:
References
Would you like to implement a fix?
None
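The drift the issue describes can be checked outside Terraform by comparing the declared attachments with what the permission set actually carries. The following is an added example, not code from the issue or the provider: the function names and sample data are constructed, and the input pages are assumed to have the response shape of the sso-admin ListManagedPoliciesInPermissionSet and ListCustomerManagedPolicyReferencesInPermissionSet operations.

```python
# Added example (not from the issue): report policy attachments on a permission
# set that differ from the declared set. Pages are assumed to be sso-admin
# list responses that were fetched separately (for example with boto3 paginators).

def normalize_path(path):
    """Customer managed policy paths default to "/" when omitted."""
    core = (path or "").strip("/")
    return f"/{core}/" if core else "/"


def attachment_drift(desired_arns, desired_customer, managed_pages, customer_pages):
    """Return unexpected and missing attachments, each as a sorted list."""
    actual_arns = {
        p["Arn"]
        for page in managed_pages
        for p in page.get("AttachedManagedPolicies", [])
    }
    actual_customer = {
        (normalize_path(r.get("Path")), r["Name"])
        for page in customer_pages
        for r in page.get("CustomerManagedPolicyReferences", [])
    }
    wanted_arns = set(desired_arns)
    wanted_customer = {(normalize_path(p), n) for p, n in desired_customer}
    return {
        "unexpected_managed": sorted(actual_arns - wanted_arns),
        "missing_managed": sorted(wanted_arns - actual_arns),
        "unexpected_customer": sorted(actual_customer - wanted_customer),
        "missing_customer": sorted(wanted_customer - actual_customer),
    }


# Constructed sample data: two result pages, one attachment made out of band.
MANAGED_PAGES = [
    {"AttachedManagedPolicies": [
        {"Name": "ReadOnlyAccess", "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
    {"AttachedManagedPolicies": [
        {"Name": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
]
CUSTOMER_PAGES = [{"CustomerManagedPolicyReferences": [{"Name": "team-boundary"}]}]

DRIFT = attachment_drift(
    ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    [("/", "team-boundary"), ("/ops/", "break-glass")],
    MANAGED_PAGES, CUSTOMER_PAGES,
)

if __name__ == "__main__":
    for kind, items in DRIFT.items():
        print(kind, items)
```

A non-empty unexpected_managed or unexpected_customer list is the out-of-band attachment that non-exclusive management leaves invisible to a plan.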