Enable multiple managed policies to be attached to a single aws_ssoadmin_managed_policy_attachment resource

[plynch-magnolia]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In the new aws_ssoadmin_managed_policy_attachment resource there is presently only support for one managed policy per resource. I am proposing the managed_policy_arn accept a list of values as there could easily be multiple managed policies to attach. In the current solution, you have to create a new TF resource for each policy you want to attach to a role.

New or Affected Resource(s)

• aws_ssoadmin_managed_policy_attachment

Potential Terraform Configuration

resource "aws_ssoadmin_managed_policy_attachment" "role_policy" {
  instance_arn = aws_ssoadmin_permission_set.sre_sso.instance_arn
  managed_policy_arn = [
    "arn:aws:iam::aws:policy/IAMFullAccess", 
    "arn:aws:iam::aws:policy/AmazonS3FullAccess", 
    "arn:aws:iam::aws:policy/AWSLambda_FullAccess"]
  permission_set_arn = aws_ssoadmin_permission_set.sre_sso.arn
}

References

• r/aws_sso_permission_set: New Resource #15808
• r/ssoadmin_account_assignment: new resource; d/identitystore: new data sources #15322

[grealish]

This is becoming an urgent issue with a number of our clients, how can we get this escalated to get resources behind this to set up a solution on a PR? Can as escalate vi AWS Support? or talk with Hashicorp directly?

[rainmanh]

This question was raised awhile ago but I will answer for the record @grealish
The resource works in the same way as the aws_iam_user_policy_attachment
You have to instantiate the resource aws_iam_user_policy_attachment as many times as policies you want to attach.
i.e.:

resource "aws_ssoadmin_managed_policy_attachment" "SecurityAudit_IAMReadOnlyAccess" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.<name>.arns)[0]
    managed_policy_arn  = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.SecurityAudit.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "SecurityAudit_SecurityAudit" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.<name>.arns)[0]
    managed_policy_arn  = "arn:aws:iam::aws:policy/SecurityAudit"
  permission_set_arn = aws_ssoadmin_permission_set.SecurityAudit.arn
}