Terraform AWS sso_admin Dependency Issue

Hello,

I am newish to Terraform and am attempting to set up an AWS SSO permission set, account assignment and managed policy attachment. This is only for testing purposes and for understanding how this would function, prepping for use in production.

I have three modules:

add_permission_set.tf:

data "aws_ssoadmin_instances" "[Redacted]" {}

resource "aws_ssoadmin_permission_set" "Accounting" {
  name             = "Accounting"
  description      = "Accounting Permission Set"
  instance_arn     = tolist(data.aws_ssoadmin_instances.[redacted].arns)[0]
  session_duration = "PT2H"
}

The above creates the Permission set called “Accounting”.

add_account_assignment.tf:

data "aws_ssoadmin_permission_set" "Accounting" {
  instance_arn = tolist(data.aws_ssoadmin_instances.[Redacted].arns)[0]
  name         = "Accounting"
}

data "aws_identitystore_group" "Finance" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.[redacted].identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Finance"
  }
}

resource "aws_ssoadmin_account_assignment" "Accounting" {
  instance_arn       = data.aws_ssoadmin_permission_set.Accounting.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
  
  principal_id   = data.aws_identitystore_group.Finance.group_id
  principal_type = "GROUP"

  target_id   = "AccountIDRedacted"
  target_type = "AWS_ACCOUNT"
}

The above adds the Accounting permission set to the Finance group.

add_policy_to_permission_set.tf:

data "aws_iam_policy_document" "Accounting" {
  statement {

    actions = [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetBucketVersioning",
      "s3:GetObjectVersionTagging",
      "s3:ListBucketMultipartUploads",
      "s3:ListBucketVersions"
    ]

    resources = [
      "arn:aws:s3:::accounting",
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "Accounting" {
  inline_policy      = data.aws_iam_policy_document.Accounting.json
  instance_arn       = data.aws_ssoadmin_permission_set.Accounting.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "Accounting" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.[REDACTED].arns)[0]
  managed_policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
}

And lastly, the above adds the inline policy and a managed policy to the Accounting permission set.

When I run each individually, in the order listed above, everything gets created and works.

When I apply all three at the same time, I get the error "Error: error reading SSO Permission Set: not found" in add_account_assignment.tf:

│ Error: error reading SSO Permission Set: not found
│
│   with module.add_permission_set.data.aws_ssoadmin_permission_set.Accounting,
│   on modules/add-account_assignment.tf line 3, in data "aws_ssoadmin_permission_set" "Accounting":
│    3: data "aws_ssoadmin_permission_set" "Accounting" {

I have tried adding a module dependency and it does not help; I get the same error. Any help would be appreciated.

Thank you,
Akash

Getting the same issue here. Were you able to resolve this?
The aws_ssoadmin_permission_set data object doesn't work with the permission set name. It works fine when I use an ARN.
Does someone have a solution for this?

Don't know if you still have the issue, but if you authorize these actions in your IAM policy first it will work:

  • sso:DescribePermissionSet
  • sso:ListTagsForResource

At least for me that was the problem.

In my main.tf, I ended up adding dependencies to get it to work:

module "create_permission_set" {
  source = "./create_permission_sets"
}

module "assign_group_to_permission_set" {
  source     = "./assign_group_to_permission_set"
  depends_on = [
    module.create_permission_set
  ]
}

module "add_policy_to_permission_set" {
  source     = "./add_policy_to_permission_set"
  depends_on = [
    module.create_permission_set
  ]
}
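An alternative that removes the name lookup altogether, added here as an example and not code from any of the posters: have the creating module output the permission set ARN and pass it into the other module as a variable. Terraform then derives the ordering from the reference itself, and the assignment never has to read a permission set by name before it exists. The module paths follow the last reply; the account ID is a placeholder.

```hcl
# modules/create_permission_sets/main.tf
data "aws_ssoadmin_instances" "this" {}

resource "aws_ssoadmin_permission_set" "accounting" {
  name             = "Accounting"
  description      = "Accounting Permission Set"
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  session_duration = "PT2H"
}

# Export what downstream modules need instead of having them look it up again.
output "instance_arn"       { value = tolist(data.aws_ssoadmin_instances.this.arns)[0] }
output "identity_store_id"  { value = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0] }
output "permission_set_arn" { value = aws_ssoadmin_permission_set.accounting.arn }

# modules/assign_group_to_permission_set/main.tf
variable "instance_arn"       { type = string }
variable "identity_store_id"  { type = string }
variable "permission_set_arn" { type = string }
variable "target_account_id"  { type = string }

data "aws_identitystore_group" "finance" {
  identity_store_id = var.identity_store_id
  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Finance"
  }
}

resource "aws_ssoadmin_account_assignment" "accounting" {
  instance_arn       = var.instance_arn
  # Unknown until the permission set is created, so Terraform creates it first.
  permission_set_arn = var.permission_set_arn
  principal_id       = data.aws_identitystore_group.finance.group_id
  principal_type     = "GROUP"
  target_id          = var.target_account_id
  target_type        = "AWS_ACCOUNT"
}

# main.tf: wire the outputs through; no depends_on or name-based data source needed.
module "create_permission_set" {
  source = "./create_permission_sets"
}

module "assign_group_to_permission_set" {
  source             = "./assign_group_to_permission_set"
  instance_arn       = module.create_permission_set.instance_arn
  identity_store_id  = module.create_permission_set.identity_store_id
  permission_set_arn = module.create_permission_set.permission_set_arn
  target_account_id  = "123456789012" # placeholder, not a real account
}
```

The same pattern applies to the policy module: give it `instance_arn` and `permission_set_arn` variables and feed them from the same outputs.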