Permission sets aren't provisioning in 3.1.7

[allquixotic]

I notice in 3.1.7 that none of my permission sets are getting provisioned into the account using SSO Extensions. These are valid permission sets, which do not throw an error in any of the Lambda processors. The permissionSetTopicProcessor gives log messages that indicate a status of "SUCCESS" on the waiter that requests provisioning, but the provisioning operation doesn't happen.

When I go into the permission set and manually click the "Update" button to provision it, it works. And all the permissions I asked for in the permission set JSON are reflected in the live permission set.

[leelalagudu]

Hey @allquixotic , please help me understand the correct flow here:

• you had a permission set created through the solution interface, and then also provisioned this to some accounts as well through the solution interface
• Now, you are triggering an update of the permission set through the solution interface.
• The permission set chanages (for ex, managed policies, permission set attributes) etc are propagated to the permission set object
• However, you are noticing that the reprovisioning of the permission set into the accounts it's provisioned already is not happening, and you needed to do this manually from the console?

[allquixotic]

Leela,

That is correct.

We are able to reproduce this over and over with many permission sets. It seems the trigger to provision the updates is not working, or isn't firing. As I noted in a different issue, the second to last step in the code pipeline failed during the SSOEx update from 3.1.5 to 3.1.7, so maybe that has something to do with it? I gave the error for that in the other issue.

[leelalagudu]

Hi @allquixotic ,

After some debugging, I now understood the root cause of the issue. I am still trying to figure out a clean solution to handle this, and will update you when done. For context, here's where the issue is

• When a permisison set is udpated, not all the changes are syncrhonous, specifically the change handling for both AWS and customer managed policies are asynchronous and the permissionSetTopicProcessor does not currently have control/visibility into when the asynchronous processes are completed.
• Additionally, the code syncrhonously triggers a re-provisioning operation as well. This is referred in this section of the code
• When this provision call is triggered, it could either be when all the permission set changes are fully complete and therefore the most up-to-date copy is being reprovisioned (correct scenario), or it could be when the changes are still ongoing, and the reprovision call is triggered on a stale copy of the permission set (buggy scenario).
• I need to figure out a way to make the code wait until the asyncrhonous calls are complete, so that a reprovisioning call is always done on a valid PS copy instead of a stale one.