I've created 2 policies and tried to attach them as inline policies on AWS SSO permission sets. However, only one of the policies gets applied. How can I apply both policies as inline policies on an SSO permission set?
resource "aws_iam_policy" "DenyAccess_nonUSRegions" {
  name        = "DenyAccess_nonUSRegions"
  description = "DenyAccess_nonUSRegions"
  policy      = data.aws_iam_policy_document.DenyAccess_nonUSRegions.json
}

resource "aws_iam_policy" "role" {
  name        = "Deny_Specific_IAM_Actions"
  description = "Deny_Specific_IAM_Actions"
  policy      = data.aws_iam_policy_document.Deny_Specific_IAM_Actions.json
}

resource "aws_ssoadmin_permission_set_inline_policy" "role" {
  inline_policy      = data.aws_iam_policy_document.Deny_Specific_IAM_Actions.json
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn
}

resource "aws_ssoadmin_permission_set_inline_policy" "DenyAccess_nonUSRegions" {
  inline_policy      = data.aws_iam_policy_document.DenyAccess_nonUSRegions.json
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn
}
CodePudding user response:
In order to apply both policies as inline policies on an AWS SSO permission set, you can use the aws_ssoadmin_permission_set_inline_policy resource to create two separate inline policies, one for each of your existing policies.
You would need to update your Terraform configuration to create two aws_ssoadmin_permission_set_inline_policy resources, one for each of your existing policies.
For example, you can create the first inline policy using the aws_ssoadmin_permission_set_inline_policy resource, and reference the DenyAccess_nonUSRegions policy that you have created.
resource "aws_ssoadmin_permission_set_inline_policy" "DenyAccess_nonUSRegions" {
  inline_policy      = data.aws_iam_policy_document.DenyAccess_nonUSRegions.json
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn
}
Then, you can create the second inline policy, using the aws_ssoadmin_permission_set_inline_policy resource, and reference the Deny_Specific_IAM_Actions policy that you have created.
resource "aws_ssoadmin_permission_set_inline_policy" "role" {
  inline_policy      = data.aws_iam_policy_document.Deny_Specific_IAM_Actions.json
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn
}
It's important to note that you should use different names for each aws_ssoadmin_permission_set_inline_policy resource, as they need to be unique across the same permission set.
With these two inline policies in place, both of your existing policies will be applied to the SSO permission set, and users assigned to that permission set will be subject to the restrictions defined in both policies.
CodePudding user response:
You can have only one inline policy. So in your case the policies overwrite each other, and you end up with only one. So you either create a single inline policy combining the two that you have, or create two managed policies (not inline).
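The two options in the answer above, written out as an added Terraform example (this is not code from the question or from either answer). It assumes the aws_ssoadmin_permission_set.permission resource and the two aws_iam_policy resources from the question already exist; the statements inside the two policy documents are constructed placeholders, since the question never shows them. Pick one of the two options; both are shown here only for comparison.

```hcl
# Constructed placeholder for the asker's DenyAccess_nonUSRegions document:
# deny every action unless the request targets a US region.
data "aws_iam_policy_document" "DenyAccess_nonUSRegions" {
  statement {
    sid       = "DenyNonUSRegions"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
    }
  }
}

# Constructed placeholder for the asker's Deny_Specific_IAM_Actions document.
data "aws_iam_policy_document" "Deny_Specific_IAM_Actions" {
  statement {
    sid       = "DenySelectedIamActions"
    effect    = "Deny"
    actions   = ["iam:CreateUser", "iam:CreateAccessKey", "iam:DeleteUser"]
    resources = ["*"]
  }
}

# Option 1: merge both documents into the single inline policy a permission set
# allows. source_policy_documents requires every statement sid to be unique
# across the merged documents, so keep the sids distinct as above.
data "aws_iam_policy_document" "combined" {
  source_policy_documents = [
    data.aws_iam_policy_document.DenyAccess_nonUSRegions.json,
    data.aws_iam_policy_document.Deny_Specific_IAM_Actions.json,
  ]
}

resource "aws_ssoadmin_permission_set_inline_policy" "combined" {
  inline_policy      = data.aws_iam_policy_document.combined.json
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn
}

# Option 2: keep the two aws_iam_policy resources from the question as customer
# managed policies and attach each one to the permission set. The attachment
# references the policy by name and path, so a policy with that name must exist
# in every account the permission set is provisioned to.
resource "aws_ssoadmin_customer_managed_policy_attachment" "deny_non_us_regions" {
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn

  customer_managed_policy_reference {
    name = aws_iam_policy.DenyAccess_nonUSRegions.name
    path = "/"
  }
}

resource "aws_ssoadmin_customer_managed_policy_attachment" "deny_specific_iam_actions" {
  instance_arn       = aws_ssoadmin_permission_set.permission.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission.arn

  customer_managed_policy_reference {
    name = aws_iam_policy.role.name
    path = "/"
  }
}
```

With Option 1, `terraform plan` shows a single aws_ssoadmin_permission_set_inline_policy whose document carries both Deny statements, so nothing overwrites anything. With Option 2, the permission set carries no inline policy at all; after changing either policy, re-provision the permission set so the attached accounts pick up the new document.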