Unable to Delete Permission Set due to ConflictException thrown for account assignment

[frankpengau]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• aws_ssoadmin_permission_set

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

error deleting SSO Permission Set (arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxx/ps-xxxxxxxxxxxxxxxx): ConflictException: Could not delete because PermissionSet has ApplicationProfile associated with it.

Panic Output

Expected Behavior

• Removed aws_ssoadmin_permission_set from .tf file.
• Corresponding permission set is deleted/destroyed.

Actual Behavior

• Conflict Exception, due to the account assignment still being attached to the permission set.

Steps to Reproduce

1. terraform apply

Important Factoids

References

• 0000

[frankpengau]

Note for future work:

• Need to find the existing account assignments for the permission set
• Delete/Deassign the account assignments for all the accounts, for the specific permission set
• Delete permission set

[haarchri]

we hit the same issue - any progress here ?

[patrickmoore-nc]

Had the same issue. In my case it was a sneaky manual assignment that had been made in the Console. You can view all current assignments by selecting a permission set in the IAM Identity Centre Console, so it's easy to check.