-
-
Notifications
You must be signed in to change notification settings - Fork 0
Change an SSO Policy
In Metastructure, custom SSO policies have to parts:
-
The policy's entry at
sso.policies
in the project config. -
The related policy document (often generated by a template) in the project repository.
Remember, under the hood we have a Terraform aws_iam_policy
resource. Changed to some properties force the creation of a new resource. The include name
and description
.
An AWS policy can't be deleted if it is attached to some other entity. Your SSO related policies are all attached to your SSO permission sets. Therefore, while you can make any changes you like to the related policy document, changes to an SSO policy's name
or description
will fail if the policy is still attached to a permission set.
Fortunately, with Metastructure this is easy to manage. Follow these steps:
-
In your project config, for all accounts that have the SSO policy, set the
action
property todetach
. -
Run
metastructure -w <workspace> -g terraform apply
. This will detach all account SSO policies from their permission sets. -
Make the
name
anddescription
changes to your policies in your project config and remove theaction
property from all affacted accounts. -
Run
metastructure -w <workspace> -g terraform apply
again. This make the appropriate policy changes & reattach the policies to their permission sets.
Clone the Metastructure Template Repo to get started!
Built for you with ❤️ on Bali! Find more great tools & templates on my GitHub Profile.