avlcloudtechnologies / terraform-aws-sso

Terraform module to manage AWS Single Sign-On (SSO) resources.
Apache License 2.0

PermissionSet import is failing with blocks of type "alternate_identifier" are not expected here #12

Closed nickhuuzing closed 1 year ago

nickhuuzing commented 1 year ago

I got an error when trying to import an existing permission set into our state.

╷
│ Error: Insufficient filter blocks
│ 
│   on .terraform/modules/sso_permissions_and_assignments/main.tf line 39, in data "aws_identitystore_group" "this":
│   39: data "aws_identitystore_group" "this" {
│ 
│ At least 1 "filter" blocks are required.
╵
╷
│ Error: Unsupported block type
│ 
│   on .terraform/modules/sso_permissions_and_assignments/main.tf line 42, in data "aws_identitystore_group" "this":
│   42:   alternate_identifier {
│ 
│ Blocks of type "alternate_identifier" are not expected here.

This is the configured module reference in the .tf file:

module "sso_permissions_and_assignments" {
  providers = {
    aws = aws.sso
  }

  source = "avlcloudtechnologies/sso/aws"

  permission_sets = {
    AdministratorAccess = {
      description      = "Provides full access to AWS services and resources.",
      session_duration = "PT8H",
      managed_policies = [
        "arn:aws:iam::aws:policy/xyz",
      ]
    },
    AdministratorNoBilling = {
      description      = "Provides full access to AWS services and resources, but not to billing.",
      session_duration = "PT12H",
      managed_policies = [
        "arn:aws:iam::aws:policy/xyz",
      ]
    },
    ViewOnlyAccess = {
      description      = "Provides read-only access to AWS services and resources.",
      session_duration = "PT12H",
      managed_policies = [
        "arn:aws:iam::aws:policy/xyz",
      ]
    },
  }
  account_assignments = [
    {
      principal_name = "Administrators"
      principal_type = "GROUP"
      permission_set = "AdministratorAccess"
      account_ids    = [
        aws_organizations_account.xyz.id,
      ]
    },
    {
      principal_name = "Platform Team"
      principal_type = "GROUP"
      permission_set = "AdministratorNoBilling"
      account_ids    = [
        aws_organizations_account.xyz.id,
      ]
    },
    {
      principal_name = "Developers"
      principal_type = "GROUP"
      permission_set = "ViewOnlyAccess"
      account_ids    = [
        aws_organizations_account.xyz.id,
      ]
    },
    {
      principal_name = "Clients - TopID - Developers"
      principal_type = "GROUP"
      permission_set = "ViewOnlyAccess"
      account_ids    = [
        aws_organizations_account.xyz.id,
      ]
    },
  ]
}

Is there something I configured wrong, since alternate_identifier should exist according to the documentation (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group)? The principal names are the ones shown in the web console.