binbashar / le-tf-infra-aws

Terraform code for Leverage Reference Architecture for AWS, designed under optimal configs for the most popular modern web and mobile applications needs.
https://www.binbash.co/leverage
Apache License 2.0

Fix | ISSUE-527: update account_assignment module version to solve API error #528

Closed rodriguez-matias closed 9 months ago

rodriguez-matias commented 10 months ago

What?

Environment Versions

References

github-actions[bot] commented 10 months ago

💰 Infracost estimate: monthly cost will not change

This comment will be updated when the cost estimate changes.

rodriguez-matias commented 10 months ago

Terraform commands

After updating the module to the new version, "terraform plan" needs to replace all account assignments already created.

$ leverage terrafom plan

  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-DevOps-DevOps"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id                 = "64b83338-2021-7077-f761-xxxxxx,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-5ce39144a479,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id       = "64b8e33333321-7077-f761-7e9cb2c9b7ea" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-ReadOnly-ReadOnly"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id                 = "0448a468-40006-7853-88485ab0c559,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-e435e2bb49065235,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id       = "0448a468-40006-7853-88485ab0c559" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

  # module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-SecurityAuditor-SecurityAuditor"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id                 = "24f82448-40a1-7080-7aed-4202ccd0a6d2,GROUP,52XXXXXXXX4,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-5ee005c164ced9c3,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id       = "24f82448-40-7aed-4202ccd0a6d2" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

.
.
.

  # module.account_assignments.aws_ssoadmin_account_assignment.this["754XXXXXXXX50-G-Administrators-Administrator"] must be replaced
-/+ resource "aws_ssoadmin_account_assignment" "this" {
      ~ id                 = "742666d8-80c1-7029-ac73-9fce6c8ca9e1,GROUP,754XXXXXXXX50,AWS_ACCOUNT,arn:aws:sso:::permissionSet/ssoins-7223a666c4aaf/ps-b96e27376a27,arn:aws:sso:::instance/ssoins-7223a666c4aaf" -> (known after apply)
      ~ principal_id       = "742666d8-80c1-7029-ac73-9fce6c8ca9e1" -> (known after apply) # forces replacement
        # (5 unchanged attributes hidden)
    }

Two permission sets related to the DevOps group would also be modified:

# module.permission_sets.aws_ssoadmin_permission_set_inline_policy.this["DevOps"] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "this" {
        id                 = "arn:aws:sso:::permissionSet/ssoins-72c4aaf/ps-5ce391474f44a479,arn:aws:sso:::instance/ssoins-7223a666c4aaf"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [

                            # (21 unchanged elements hidden)
                            "resource-explorer:*",
                          - "resource-explorer-2:*",
                            "redshift:*",
                            # (23 unchanged elements hidden)
                            "ec2:*",
                          - "ec2-instance-connect:*",
                            "dynamodb:*",
                            # (21 unchanged elements hidden)
                        ]
                        # (4 unchanged elements hidden)
                    },

So, when modifying the version of the module, it is necessary to replace the permission assignments again.

The "terraform apply" command has not been executed yet for the management account.

I understand that it would not be a problem to do this since it is the assignment of permissions to groups, so it seems to me that there would not be much risk.

@exequielrafaela , @juanmatias @Franr . What do you think? Should I continue running tf apply to the new version?
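The plan above replaces every `aws_ssoadmin_account_assignment` because `principal_id` is recomputed, while the group, target account and permission set stay the same. Before applying a change like this it is worth separating that kind of churn from a replacement that actually changes who gets which permission set in which account. The following Python check is an added example, not code from this thread or from the le-tf-infra-aws repository; it assumes the plan has been saved with `-out` and exported with `terraform show -json`, and the plan JSON it parses is a constructed sample shaped like that output, with placeholder addresses, ids and ARNs modelled on the excerpt in the thread.

```python
import json
from collections import Counter

# Constructed sample in the shape of `terraform show -json plan.out`, trimmed
# to the fields this check reads. Addresses, account ids and ARNs are
# placeholders modelled on the plan excerpt in the thread, not real values.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # replacement where only the recomputed principal_id differs
            "address": 'module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-DevOps-DevOps"]',
            "type": "aws_ssoadmin_account_assignment",
            "change": {
                "actions": ["delete", "create"],
                "before": {"id": "OLD-ID-1", "principal_id": "OLD-GROUP-ID-1",
                           "principal_type": "GROUP", "target_id": "52XXXXXXXX4",
                           "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-DEVOPS"},
                "after": {"principal_type": "GROUP", "target_id": "52XXXXXXXX4",
                          "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-DEVOPS"},
                "after_unknown": {"id": True, "principal_id": True},
                "replace_paths": [["principal_id"]],
            },
        },
        {   # replacement that also moves the group onto a different permission set
            "address": 'module.account_assignments.aws_ssoadmin_account_assignment.this["52XXXXXXXX4-G-ReadOnly-ReadOnly"]',
            "type": "aws_ssoadmin_account_assignment",
            "change": {
                "actions": ["delete", "create"],
                "before": {"id": "OLD-ID-2", "principal_id": "OLD-GROUP-ID-2",
                           "principal_type": "GROUP", "target_id": "52XXXXXXXX4",
                           "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-READONLY"},
                "after": {"principal_type": "GROUP", "target_id": "52XXXXXXXX4",
                          "permission_set_arn": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-ADMIN"},
                "after_unknown": {"id": True, "principal_id": True},
                "replace_paths": [["principal_id"], ["permission_set_arn"]],
            },
        },
        {   # in-place update, not a replacement, so it is reported but not classified
            "address": 'module.permission_sets.aws_ssoadmin_permission_set_inline_policy.this["DevOps"]',
            "type": "aws_ssoadmin_permission_set_inline_policy",
            "change": {"actions": ["update"], "before": {"inline_policy": "{old}"},
                       "after": {"inline_policy": "{new}"}, "after_unknown": {}, "replace_paths": []},
        },
    ],
})

# Terraform encodes "replace" as delete-then-create, or create-then-delete
# when create_before_destroy is set.
REPLACE_ACTIONS = {("delete", "create"), ("create", "delete")}

# Types whose replacement removes access for the window between delete and
# create; these are the ones a reviewer should look at individually.
ACCESS_GRANTING_TYPES = frozenset({"aws_ssoadmin_account_assignment"})


def load_plan(text: str) -> dict:
    plan = json.loads(text)
    if not isinstance(plan.get("resource_changes"), list):
        raise ValueError("not a Terraform JSON plan: missing resource_changes")
    return plan


def replacements(plan: dict) -> list:
    """One record per resource the plan will destroy and recreate."""
    found = []
    for rc in plan["resource_changes"]:
        change = rc["change"]
        if tuple(change.get("actions", ())) not in REPLACE_ACTIONS:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # Attributes whose new value is already known and differs from the old one;
        # values only known after apply (id, principal_id here) are excluded.
        known_changes = sorted(k for k in set(before) | set(after)
                               if not unknown.get(k) and before.get(k) != after.get(k))
        found.append({
            "address": rc["address"],
            "type": rc["type"],
            "forced_by": [".".join(str(p) for p in path) for path in change.get("replace_paths", [])],
            "known_changes": known_changes,
            "recomputed": sorted(k for k, v in unknown.items() if v is True),
        })
    return found


def review(plan: dict) -> dict:
    """Split access-granting replacements into identity-only churn and real access changes."""
    reps = replacements(plan)
    identity_only = [r["address"] for r in reps
                     if r["type"] in ACCESS_GRANTING_TYPES and not r["known_changes"]]
    access_changes = [r["address"] for r in reps
                      if r["type"] in ACCESS_GRANTING_TYPES and r["known_changes"]]
    return {"replaced_by_type": dict(Counter(r["type"] for r in reps)),
            "identity_only": identity_only,
            "access_changes": access_changes}


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_JSON)
    for r in replacements(plan):
        print(f"{r['address']}\n  forced by: {r['forced_by']}  known changes: {r['known_changes']}")
    print(json.dumps(review(plan), indent=2))
```

An assignment in `identity_only` is the pattern visible in the thread's plan: same group, same account, same permission set, only the provider-side id recomputed. Anything in `access_changes` means the new module version would grant a different permission set or target a different account, which should be reviewed as an access change rather than as module churn. Either way the replacement is delete-then-create, so the group loses its assignment for the duration of the apply, which argues for applying account by account at a quiet time rather than all accounts at once.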

rodriguez-matias commented 9 months ago

tf configuration now matches correctly with aws account.
