org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).
MIT License

Unable to have management account as target of SSO Assignment Group #66

Open eduardomourar opened 3 years ago

eduardomourar commented 3 years ago

If you have the management account as your target, the following error happens in the Community::SSO::AssignmentGroup resource type v0.3.1:

```
Error: Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::123456789012:assumed-role/community-sso-assignmentgroup-resour-ExecutionRole/1111 is not authorized to perform: iam:ListRolePolicies on resource: role AWSReservedSSO_Viewer_1111 (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 1111; Proxy: null): 1111, 123456789012 arn:aws:sso:::permissionSet/ssoins-1111/ps-1111
```

I gave the resource type execution role full permissions to the account and that still did not work.

As a workaround, I used the native type AWS::SSO::Assignment just for the management account.
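The workaround described in the post, written out as a plain CloudFormation template (this is an added example, not code from the issue author or from the aws-resource-providers project). It uses only the native AWS::SSO::Assignment resource and must be deployed in the account that owns the IAM Identity Center (SSO) instance, here the management account, so `!Ref AWS::AccountId` resolves to the management account ID. The parameter names and their placeholder defaults (instance ARN, permission set ARN, group ID) are assumptions for illustration; substitute your own values.

```yaml
# Added example: native AWS::SSO::Assignment for the management account only.
# Assumption: the stack is deployed into the management account, which also
# owns the SSO instance, so AWS::AccountId is the management account.
AWSTemplateFormatVersion: '2010-09-09'
Description: Assign a permission set to a group on the management account

Parameters:
  InstanceArn:
    Type: String
    Description: ARN of the SSO instance (hypothetical placeholder)
    Default: arn:aws:sso:::instance/ssoins-1111
  PermissionSetArn:
    Type: String
    Description: ARN of the permission set (hypothetical placeholder)
    Default: arn:aws:sso:::permissionSet/ssoins-1111/ps-1111
  GroupId:
    Type: String
    Description: Identity store ID of the group (hypothetical placeholder)
    Default: 00000000-0000-0000-0000-000000000000

Resources:
  ManagementAccountAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !Ref PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref GroupId
      TargetType: AWS_ACCOUNT
      # The management account targets itself; member accounts stay on
      # Community::SSO::AssignmentGroup as the post describes.
      TargetId: !Ref AWS::AccountId

Outputs:
  AssignmentTarget:
    Description: Account that received the assignment
    Value: !Ref AWS::AccountId
```

Keep member-account assignments in the Community::SSO::AssignmentGroup resource and carry only the management account in this template; since the native resource is provisioned by CloudFormation's service-linked path rather than by the resource type's execution role, the `iam:ListRolePolicies` denial on the `AWSReservedSSO_*` role does not apply here.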