Terraform AWS sso_admin Dependency Issue


I am newish to Terraform and am attempting to set up an AWS SSO permission set, account assignment and attached managed policy. This is only for testing purposes and for understanding how this would function. I am prepping for use in production.

I have three modules:


# Reads the SSO instance (ARN and identity store ID) from the current account
data "aws_ssoadmin_instances" "[Redacted]" {}

resource "aws_ssoadmin_permission_set" "Accounting" {
  name             = "Accounting"
  description      = "Accounting Permission Set"
  instance_arn     = tolist(data.aws_ssoadmin_instances.[Redacted].arns)[0]
  session_duration = "PT2H"
}

The above creates the Permission set called “Accounting”.


# Looks the permission set up by name (this is the read named in the error below)
data "aws_ssoadmin_permission_set" "Accounting" {
  instance_arn = tolist(data.aws_ssoadmin_instances.[Redacted].arns)[0]
  name         = "Accounting"
}

# Resolves the Finance group in the identity store by display name
data "aws_identitystore_group" "Finance" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.[Redacted].identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Finance"
  }
}

resource "aws_ssoadmin_account_assignment" "Accounting" {
  instance_arn       = data.aws_ssoadmin_permission_set.Accounting.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
  principal_id       = data.aws_identitystore_group.Finance.group_id
  principal_type     = "GROUP"

  target_id   = "AccountIDRedacted"
  target_type = "AWS_ACCOUNT"
}

The above assigns the Accounting permission set to the Finance group.

add policy_to_permission_set.tf:

# Inline policy for the permission set (actions and resources redacted in the post)
data "aws_iam_policy_document" "Accounting" {
  statement {
    actions = [
      # redacted
    ]

    resources = [
      # redacted
    ]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "Accounting" {
  inline_policy      = data.aws_iam_policy_document.Accounting.json
  instance_arn       = data.aws_ssoadmin_permission_set.Accounting.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
}

resource "aws_ssoadmin_managed_policy_attachment" "Accounting" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.[Redacted].arns)[0]
  managed_policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
  permission_set_arn = data.aws_ssoadmin_permission_set.Accounting.arn
}

And lastly, the above adds the inline policy and a managed policy to the Accounting permission set.

When I run each individually, in the order listed above, everything gets created and works.

When I add all three at the same time, I get an error in add_account_assignment.tf: "Error: error reading SSO Permission Set: not found".

│ Error: error reading SSO Permission Set: not found
│
│ with module.add_permission_set.data.aws_ssoadmin_permission_set.Accounting,
│ on modules/add-account_assignment.tf line 3, in data "aws_ssoadmin_permission_set" "Accounting":
│ 3: data "aws_ssoadmin_permission_set" "Accounting" {

I have tried adding a module dependency, and it does not help; I get the same error. Any help would be appreciated.

Thank you,
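An added example, not code from the original post, of the change a reviewer would suggest. The second and third modules find the permission set with a `data "aws_ssoadmin_permission_set"` lookup, and a data source is read during plan, before the `aws_ssoadmin_permission_set` resource in the first module has been created in the same run; that is why the name lookup returns "not found" when all three modules are applied together and succeeds when they are applied one at a time. Passing the ARN from the resource through a module output and input variables replaces the lookup with an explicit reference, so Terraform orders the create before the assignment and the attachment. Module paths, variable names and the `this` labels are assumptions; the inline policy is omitted because its actions and resources are redacted in the post.

```hcl
# Added example (not from the original post). Module paths, variable
# names and the "this" labels are assumptions.

# --- modules/permission_set/main.tf ---
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

resource "aws_ssoadmin_permission_set" "this" {
  name             = "Accounting"
  description      = "Accounting Permission Set"
  instance_arn     = local.instance_arn
  session_duration = "PT2H"
}

# Expose the values the other modules need. Referencing these outputs is
# what creates the dependency edge, so no name lookup is required.
output "permission_set_arn" { value = aws_ssoadmin_permission_set.this.arn }
output "instance_arn"       { value = local.instance_arn }
output "identity_store_id"  { value = local.identity_store_id }

# --- modules/account_assignment/main.tf ---
variable "instance_arn"       { type = string }
variable "permission_set_arn" { type = string }
variable "identity_store_id"  { type = string }
variable "target_account_id"  { type = string }

data "aws_identitystore_group" "finance" {
  identity_store_id = var.identity_store_id

  filter {
    attribute_path  = "DisplayName"
    attribute_value = "Finance"
  }
}

resource "aws_ssoadmin_account_assignment" "this" {
  instance_arn       = var.instance_arn
  permission_set_arn = var.permission_set_arn # resource reference, not a data lookup
  principal_id       = data.aws_identitystore_group.finance.group_id
  principal_type     = "GROUP"

  target_id   = var.target_account_id
  target_type = "AWS_ACCOUNT"
}

# --- modules/policy_attachment/main.tf ---
variable "instance_arn"       { type = string }
variable "permission_set_arn" { type = string }

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  instance_arn       = var.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
  permission_set_arn = var.permission_set_arn
}

# --- root main.tf ---
variable "target_account_id" { type = string }

module "permission_set" {
  source = "./modules/permission_set"
}

module "account_assignment" {
  source             = "./modules/account_assignment"
  instance_arn       = module.permission_set.instance_arn
  permission_set_arn = module.permission_set.permission_set_arn
  identity_store_id  = module.permission_set.identity_store_id
  target_account_id  = var.target_account_id
}

module "policy_attachment" {
  source             = "./modules/policy_attachment"
  instance_arn       = module.permission_set.instance_arn
  permission_set_arn = module.permission_set.permission_set_arn
}
```

On a fresh `terraform plan` from the root, the assignment's and attachment's `permission_set_arn` show as known after apply instead of failing the read, and a single `terraform apply` creates all three in order. Keep the `data "aws_ssoadmin_permission_set"` lookup only for a separate root configuration that consumes a permission set created and applied elsewhere; in that case either apply the creating configuration first or pass the ARN through remote state.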