Closed rodriguez-matias closed 9 months ago
💰 Infracost estimate: monthly cost will not change
This comment will be updated when the cost estimate changes.
After updating the module to the new version, "terraform plan" needs to replace all account assignments already created.
```
  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-DevOps-DevOps"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id = "64b83338-2021-7077-f761-xxxxxx,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-5ce39144a479,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id = "64b8e33333321-7077-f761-7e9cb2c9b7ea" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }
  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-ReadOnly-ReadOnly"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id = "0448a468-40006-7853-88485ab0c559,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-e435e2bb49065235,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id = "0448a468-40006-7853-88485ab0c559" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }
  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-SecurityAuditor-SecurityAuditor"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id = "24f82448-40a1-7080-7aed-4202ccd0a6d2,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-5ee005c164ced9c3,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id = "24f82448-40-7aed-4202ccd0a6d2" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }
.
.
.
  # module.account_assignments.aws_ssoadmin_account_assignment.this["754XXXXXXXX50-G-Administrators-Administrator"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id = "742666d8-80c1-7029-ac73-9fce6c8ca9e1,GROUP,754XXXXXXXX50,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-b96e27376a27,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id = "742666d8-80c1-7029-ac73-9fce6c8ca9e1" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }
```
Two permission sets related to the DevOps group would also be modified:
```
  # module.permission_sets.aws_ssoadmin_permission_set_inline_policy.this["DevOps"] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "this" {
        id = "arn:aws:sso:::permissionSet/ssoins-72c4aaf/ps-5ce391474f44a479,arn:aws:sso:::instance/ssoins-7223a666c4aaf"
      ~ inline_policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action = [
                            # (21 unchanged elements hidden)
                            "resource-explorer:*",
                          - "resource-explorer-2:*",
                            "redshift:*",
                            # (23 unchanged elements hidden)
                            "ec2:*",
                          - "ec2-instance-connect:*",
                            "dynamodb:*",
                            # (21 unchanged elements hidden)
                        ]
                        # (4 unchanged elements hidden)
                    },
```
So, when modifying the version of the module, it is necessary to replace the permission assignments again.
The "terraform apply" command has not been executed yet for the management account.
I understand that it would not be a problem to do this since it is the assignment of permissions to groups, so it seems to me that there would not be much risk.
@exequielrafaela, @juanmatias, @Franr. What do you think? Should I continue running tf apply to the new version?
tf configuration now matches correctly with aws account.
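A pre-apply check for a plan like the one quoted above, added here as an example and not part of the PR or the module: it reads the JSON form of a plan (`terraform show -json <planfile>`) and lists the account assignments that would be replaced, the attribute forcing each replacement, and the actions each in-place inline policy update drops. `SAMPLE_PLAN`, the function names and the account key in the address are constructed for illustration.

```python
import json

def _policy(actions):  # helper for the constructed sample only
    return json.dumps({"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]})

# Constructed sample shaped like `terraform show -json <planfile>`; account key is a placeholder.
SAMPLE_PLAN = {"resource_changes": [
    {"address": 'module.account_assignments.aws_ssoadmin_account_assignment.this["ACCOUNT-G-DevOps-DevOps"]',
     "type": "aws_ssoadmin_account_assignment",
     "change": {"actions": ["delete", "create"], "replace_paths": [["principal_id"]]}},
    {"address": 'module.permission_sets.aws_ssoadmin_permission_set_inline_policy.this["DevOps"]',
     "type": "aws_ssoadmin_permission_set_inline_policy",
     "change": {"actions": ["update"],
                "before": {"inline_policy": _policy(["ec2:*", "ec2-instance-connect:*", "dynamodb:*"])},
                "after": {"inline_policy": _policy(["ec2:*", "dynamodb:*"])}}},
]}

def replaced_assignments(plan):
    """List SSO account assignments the plan replaces, with the forcing attributes."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc["type"] != "aws_ssoadmin_account_assignment" or set(actions) != {"create", "delete"}:
            continue
        # ["delete", "create"] is the "-/+" order: the old assignment is removed first.
        order = "destroy-then-create" if actions[0] == "delete" else "create-then-destroy"
        paths = [".".join(str(p) for p in path) for path in rc["change"].get("replace_paths", [])]
        found.append((rc["address"], paths, order))
    return found

def _actions(policy_json):  # every Action in a JSON policy document, as a set
    statements = json.loads(policy_json or "{}").get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    acts = set()
    for stmt in statements:
        value = stmt.get("Action", [])
        acts.update([value] if isinstance(value, str) else value)
    return acts

def removed_policy_actions(plan):
    """Map each in-place inline policy update to the actions it drops."""
    dropped = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc["type"] != "aws_ssoadmin_permission_set_inline_policy" or change["actions"] != ["update"]:
            continue
        before = _actions((change.get("before") or {}).get("inline_policy"))
        after = _actions((change.get("after") or {}).get("inline_policy"))
        dropped[rc["address"]] = sorted(before - after)
    return dropped
```

To run it against a real plan, pass `json.load()` of the `terraform show -json` output to both functions in place of `SAMPLE_PLAN`.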
What?
Environment Versions
References