I am working on integrating OKTA SSO with AWS.
We have multiple AWS accounts that could potentially have different permission sets at the account level, but also have some “global” permission sets that we want applied to all. However, those account-level permission sets need to be managed by the same “global” account.
In other words, AWS Account A is the one that has our Organization across all accounts. I have a Terraform module that creates the SSO resources just fine for AWS Account A, e.g.
account_a/modules.tf:

    module "okta" {
      source = "../modules/okta"
    }
modules/okta/aws_ssoadmin.tf:

    resource "aws_ssoadmin_permission_set" "okta" {
      provider     = aws.account_a
      for_each     = toset(keys(local.permission_sets))
      # first (and only) Identity Center instance in the Organization
      instance_arn = tolist(data.aws_ssoadmin_instances.okta.arns)[0]
      name         = each.value
      ... snip
    }
That works as expected and creates all of the proper permission sets.
However, if I run the module in Account B, terraform tries to recreate the same permission sets, but throws a duplicate error when I apply.
So it’s like when I run the apply from Account B, the plan checks the Account B state, sees it isn’t there, then tries to apply, looks at the Account A provider, then sees it exists and then fails on a duplicate error.
What I would expect to happen is the terraform plan from Account B is “smart” enough to see the resources already exist for the Account A provider and not determine there needs to be a change.
Is this even possible?
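One way to structure this, added here as an example and not part of the original post: keep the aws_ssoadmin_permission_set resources in a single state owned by the management account (Account A), and have the other root modules only look the shared set up with a data source and create the account assignment. The provider alias aws.management, the role ARN, the permission set name GlobalReadOnly and the variable names are assumptions.

```hcl
# Added example, not the poster's code. Assumes a role in the Organization
# management account that may call the SSO admin APIs; the account ID and
# role name below are placeholders.
provider "aws" {
  alias  = "management"
  region = "us-east-1"  # assumed region
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformSSOAdmin"  # placeholder
  }
}

variable "account_b_id"  { type = string }  # assumed: 12-digit member account ID
variable "okta_group_id" { type = string }  # assumed: Okta-synced group ID in the identity store

# Identity Center instance: one per Organization, owned by the management account.
data "aws_ssoadmin_instances" "this" {
  provider = aws.management
}

locals {
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
}

# Read the existing "global" permission set rather than declaring a second
# aws_ssoadmin_permission_set for it; only the Account A state should own it,
# which is what avoids the duplicate-name error on apply.
data "aws_ssoadmin_permission_set" "global_readonly" {
  provider     = aws.management
  instance_arn = local.instance_arn
  name         = "GlobalReadOnly"  # assumed name
}

# Account-level wiring: the API call still runs in the management account;
# Account B is only the target of the assignment, so no Account B provider
# is needed for Identity Center resources.
resource "aws_ssoadmin_account_assignment" "account_b_readonly" {
  provider           = aws.management
  instance_arn       = local.instance_arn
  permission_set_arn = data.aws_ssoadmin_permission_set.global_readonly.arn
  principal_id       = var.okta_group_id
  principal_type     = "GROUP"
  target_id          = var.account_b_id
  target_type        = "AWS_ACCOUNT"
}
```

Each member account's root module can then hold only its own assignments (and any account-specific permission sets it alone creates), while every run that touches Identity Center authenticates to the management account.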