Change an SSO Policy

Jason Williscroft edited this page Aug 14, 2024 · 1 revision

In Metastructure, a custom SSO policy has two parts:

  • The policy's entry at sso.policies in the project config.

  • The related policy document (often generated by a template) in the project repository.

Remember, under the hood each policy is a Terraform aws_iam_policy resource. Changes to some of its properties force the creation of a new resource; these include name and description.

An AWS policy can't be deleted if it is attached to some other entity. Your SSO related policies are all attached to your SSO permission sets. Therefore, while you can make any changes you like to the related policy document, changes to an SSO policy's name or description will fail if the policy is still attached to a permission set.

Fortunately, with Metastructure this is easy to manage. Follow these steps:

  1. In your project config, for all accounts that have the SSO policy, set the action property to detach.

  2. Run metastructure -w <workspace> -g terraform apply. This will detach all account SSO policies from their permission sets.

  3. Make the name and description changes to your policies in your project config and remove the action property from all affected accounts.

  4. Run metastructure -w <workspace> -g terraform apply again. This makes the appropriate policy changes and reattaches the policies to their permission sets.
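The two-phase procedure above can be checked before each apply. The following is an added example, not Metastructure's own code: it models the config as a plain dict with an assumed layout (sso.policies for policy entries, accounts.<id>.sso_policies for attachments; the real schema may differ), applies steps 1 and 3 as transformations, and a preflight function reports any renamed policy that is still attached in the currently applied config, which is exactly the case where step 4 would fail.

```python
import copy

# Constructed sample config. The key layout is an ASSUMPTION for this example,
# not the real Metastructure project config schema.
BASE = {
    "sso": {"policies": {
        "admin": {"name": "AdminAccess", "description": "Admin access"},
        "reader": {"name": "ReadOnly", "description": "Read-only access"},
    }},
    "accounts": {
        "dev": {"sso_policies": {"admin": {}, "reader": {}}},
        "prod": {"sso_policies": {"admin": {}}},
    },
}

def detach_all(config, policy_keys):
    """Step 1: set action: detach in every account that carries the policy."""
    cfg = copy.deepcopy(config)
    for acct in cfg["accounts"].values():
        for key in policy_keys:
            if key in acct.get("sso_policies", {}):
                acct["sso_policies"][key]["action"] = "detach"
    return cfg

def rename_policy(config, key, name=None, description=None):
    """Step 3: change name/description and drop the action property again."""
    cfg = copy.deepcopy(config)
    pol = cfg["sso"]["policies"][key]
    if name is not None:
        pol["name"] = name
    if description is not None:
        pol["description"] = description
    for acct in cfg["accounts"].values():
        acct.get("sso_policies", {}).get(key, {}).pop("action", None)
    return cfg

def replaced_policies(applied, desired):
    """Policy keys whose name or description differs: Terraform must recreate them."""
    a, d = applied["sso"]["policies"], desired["sso"]["policies"]
    return sorted(k for k in a.keys() & d.keys()
                  if any(a[k].get(f) != d[k].get(f) for f in ("name", "description")))

def preflight(applied, desired):
    """Map each to-be-replaced policy to accounts where it is still attached in the
    currently applied config. A non-empty result means the next apply would fail."""
    blocked = {}
    for key in replaced_policies(applied, desired):
        attached = sorted(
            acct for acct, cfg in applied["accounts"].items()
            if key in cfg.get("sso_policies", {})
            and cfg["sso_policies"][key].get("action") != "detach")
        if attached:
            blocked[key] = attached
    return blocked
```

Run preflight(currently_applied_config, edited_config) before step 4; an empty dict means every renamed policy was detached by the apply in step 2.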