Skip to content

Change an SSO Policy

Jump to bottom
Jason Williscroft edited this page Aug 14, 2024 · 1 revision

In Metastructure, custom SSO policies have to parts:

  • The policy's entry at sso.policies in the project config.

  • The related policy document (often generated by a template) in the project repository.

Remember, under the hood we have a Terraform aws_iam_policy resource. Changed to some properties force the creation of a new resource. The include name and description.

An AWS policy can't be deleted if it is attached to some other entity. Your SSO related policies are all attached to your SSO permission sets. Therefore, while you can make any changes you like to the related policy document, changes to an SSO policy's name or description will fail if the policy is still attached to a permission set.

Fortunately, with Metastructure this is easy to manage. Follow these steps:

  1. In your project config, for all accounts that have the SSO policy, set the action property to detach.

  2. Run metastructure -w <workspace> -g terraform apply. This will detach all account SSO policies from their permission sets.

  3. Make the name and description changes to your policies in your project config and remove the action property from all affacted accounts.

  4. Run metastructure -w <workspace> -g terraform apply again. This make the appropriate policy changes & reattach the policies to their permission sets.

Clone the Metastructure Template Repo to get started!

Built with ❤️ on Bali! Find more great tools & templates on my GitHub Profile.

Home  ●  FAQ  ●  Help

Metastructure

The Trouble With Terraform

Getting Started

Running Metastructure

Metastructure Config

Handlebars Templates

How To Contribute

Project

Template Repo

Get It Now!

About the Template Repo

A Guided Tour

Setting Up Your Dev Environment

Hello, Enterprise!

How To...

Create a New Template

Create a New Account

Remove or Delete an Account

Change an SSO Policy

Clone this wiki locally