
remove sagemaker, consolidate statements #10

Open
wants to merge 1 commit into
base: master


morga471

Description

Remove sagemaker:* from sc-developer

Purpose

remove sagemaker perms from sc-developer

Add tf-plan output Here

Terraform will perform the following actions:

  # module.pset_sc-developer.aws_ssoadmin_permission_set_inline_policy.pset[0] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
        id                 = "arn:aws-us-gov:sso:::permissionSet/ssoins-7857864625123d75/ps-bbf9e57e852c8c4d,arn:aws-us-gov:sso:::instance/ssoins-7857864625123d75"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                    # (2 unchanged elements hidden)
                    {
                        Action   = [
                            "acm:UpdateCertificateOptions",
                            "acm:RequestCertificate",
                            "acm:RenewCertificate",
                            "acm:RemoveTagsFromCertificate",
                            "acm:ListTagsForCertificate",
                            "acm:ListCertificates",
                            "acm:ImportCertificate",
                            "acm:GetCertificate",
                            "acm:ExportCertificate",
                            "acm:DescribeCertificate",
                            "acm:DeleteCertificate",
                            "acm:AddTagsToCertificate",
                            "acm-pca:RevokeCertificate",
                            "acm-pca:ListTags",
                            "acm-pca:IssueCertificate",
                            "acm-pca:GetCertificateAuthorityCsr",
                            "acm-pca:GetCertificateAuthorityCertificate",
                            "acm-pca:GetCertificate",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "CetificateResources"
                    },
                  ~ {
                      ~ Action   = [
                            # (2 unchanged elements hidden)
                            "sqs:*",
                          + "sns:*",
                            "secretsmanager:*",
                          - "sagemaker:*",
                          + "s3files:*",
                            "s3:*",
                            # (11 unchanged elements hidden)
                            "firehose:*",
                          + "events:*",
                            "es:*",
                            # (9 unchanged elements hidden)
                            "dms:*",
                          + "cognito-sync:*",
                          + "cognito-idp:*",
                          + "cognito-identity:*",
                            "codepipeline:*",
                            # (5 unchanged elements hidden)
                            "bedrock:*",
                          + "batch:*",
                            "athena:*",
                          + "appconfig:*",
                            "apigateway:*",
                            # (1 unchanged element hidden)
                        ]
                        # (3 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "application-autoscaling:RegisterScalableTarget",
                            "application-autoscaling:PutScheduledAction",
                            "application-autoscaling:PutScalingPolicy",
                            "application-autoscaling:Describe*",
                            "application-autoscaling:DeregisterScalableTarget",
                            "application-autoscaling:DeleteScheduledAction",
                            "application-autoscaling:DeleteScalingPolicy",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowAutoScaling"
                    },
                  - {
                      - Action   = [
                          - "cognito-sync:*",
                          - "cognito-idp:*",
                          - "cognito-identity:*",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowCognito"
                    },
                    {
                        Action   = [
                            "route53:list*",
                            "route53:get*",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowRoute53"
                    },
                    # (2 unchanged elements hidden)
                    {
                        Action   = [
                            "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                            "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                            "ec2:St*Instances",
                            "ec2:RevokeSecurityGroupIngress",
                            "ec2:RevokeSecurityGroupEgress",
                            "ec2:ResetNetworkInterfaceAttribute",
                            "ec2:RequestSpotInstances",
                            "ec2:ModifySecurityGroupRules",
                            "ec2:ModifyNetworkInterfaceAttribute",
                            "ec2:ModifyInstanceAttribute",
                            "ec2:ModifyImageAttribute",
                            "ec2:List*",
                            "ec2:GetCoipPoolUsage",
                            "ec2:Get*",
                            "ec2:Describe*",
                            "ec2:DeleteTags",
                            "ec2:DeleteSnapshot",
                            "ec2:CreateTags",
                            "ec2:CreateSnapshot*",
                            "ec2:CreateSecurityGroup",
                            "ec2:CreateNetworkInterface",
                            "ec2:CreateKeyPair",
                            "ec2:CancelSpotInstanceRequests",
                            "ec2:AuthorizeSecurityGroupIngress",
                            "ec2:AuthorizeSecurityGroupEgress",
                            "ec2:AttachNetworkInterface",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowEC2Actions"
                    },
                  - {
                      - Action   = "elasticmapreduce:*"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowEMR"
                    },
                  - {
                      - Action   = "es:*"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowOpenSearch"
                    },
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutRule",
                          - "events:List*",
                          - "events:DescribeRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowEventBusEvents"
                    },
                    {
                        Action   = [
                            "iam:ListRole*",
                            "iam:ListAttached*",
                            "iam:GetRolePolicy",
                            "iam:GetRole",
                            "iam:GetPolicyVersion",
                            "iam:GetPolicy",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowIAMActions"
                    },
                  ~ {
                      ~ Resource = [
                          - "arn:aws-us-gov:iam::*:role/service-role/AmazonBedrockExecutionRoleForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:role/service-role/AmazonBedrockExecutionRoleForAgents*",
                            "arn:aws-us-gov:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS*",
                            # (4 unchanged elements hidden)
                        ]
                        # (3 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Action    = [
                          - "iam:CreateRole",
                          - "iam:AttachRolePolicy",
                        ] -> "iam:PassRole"
                      + Condition = {
                          + StringEquals = {
                              + "iam:PassedToService" = [
                                  + "apigateway.amazonaws.com",
                                  + "ecs-tasks.amazonaws.com",
                                  + "ecs.amazonaws.com",
                                  + "firehose.amazonaws.com",
                                  + "glue.amazonaws.com",
                                  + "lambda.amazonaws.com",
                                  + "rds.amazonaws.com",
                                  + "s3.amazonaws.com",
                                  + "states.amazonaws.com",
                                ]
                            }
                        }
                      ~ Resource  = [
                          - "arn:aws-us-gov:iam::*:role/service-role/agentChatFunction-role-*",
                          - "arn:aws-us-gov:iam::*:role/service-role/action_group_quick_start*",
                          - "arn:aws-us-gov:iam::*:role/service-role/AmazonBedrockExecutionRoleForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:role/service-role/AmazonBedrockExecutionRoleForFlows*",
                          - "arn:aws-us-gov:iam::*:role/service-role/AmazonBedrockExecutionRoleForAgents*",
                          - "arn:aws-us-gov:iam::*:role/service-role/*write_to_s3*",
                          - "arn:aws-us-gov:iam::*:role/service-role/*write-to-s3*",
                          - "arn:aws-us-gov:iam::*:role/service-role/*documentWriteToS3*",
                          - "arn:aws-us-gov:iam::*:role/service-role/*SurveyScaleLookup*",
                          - "arn:aws-us-gov:iam::*:role/service-role/*AgentFunction-role-*",
                        ] -> "*"
                      ~ Sid       = "AllowIAMRoleRead" -> "AllowIamPassRole"
                        # (1 unchanged attribute hidden)
                    },
                  - {
                      - Action   = [
                          - "iam:DeletePolicyVersion",
                          - "iam:CreatePolicyVersion",
                          - "iam:CreatePolicy",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockS3PolicyForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockOSSPolicyForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockInferenceProfilePolicyForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockFoundationModelPolicyForKnowledgeBase*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentsMultiAgentsPolicies*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentS3Policy*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentRetrieveKnowledgeBasePolicy*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentQuickCreateLambdaPolicy*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*",
                          - "arn:aws-us-gov:iam::*:policy/*AmazonBedrockAgentBedrockFoundationModelPolicy*",
                          - "arn:aws-us-gov:iam::*:policy/*AWSLambdaBasicExecutionRole*",
                        ]
                      - Sid      = "AllowIAMPolicyCreate"
                    },
                  - {
                      - Action    = "iam:PassRole"
                      - Condition = {
                          - StringEquals = {
                              - "iam:PassedToService" = [
                                  - "apigateway.amazonaws.com",
                                  - "bedrock.amazonaws.com",
                                  - "ecs-tasks.amazonaws.com",
                                  - "ecs.amazonaws.com",
                                  - "firehose.amazonaws.com",
                                  - "glue.amazonaws.com",
                                  - "lambda.amazonaws.com",
                                  - "rds.amazonaws.com",
                                  - "s3.amazonaws.com",
                                  - "states.amazonaws.com",
                                ]
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "*"
                      - Sid       = "AllowIamPassRole"
                    },
                    {
                        Action   = [
                            "kms:ListResourceTags",
                            "kms:ListKeys",
                            "kms:ListKeyPolicies",
                            "kms:ListAliases",
                            "kms:GetKeyRotationStatus",
                            "kms:GetKeyPolicy",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowKMSList"
                    },
                    # (3 unchanged elements hidden)
                    {
                        Action   = [
                            "ssm:UpdateInstance*",
                            "ssm:UpdateDocument*",
                            "ssm:UpdateAssocitationStatus",
                            "ssm:UpdateAssocitation",
                            "ssm:StartAutomationExecution",
                            "ssm:SendCommand",
                            "ssm:PutParameter",
                            "ssm:PutInventory",
                            "ssm:ModifyDocumentPermission",
                            "ssm:List*",
                            "ssm:Get*",
                            "ssm:Describe*",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowSSMActions"
                    },
                  - {
                      - Action   = "sns:*"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowSNS"
                    },
                    {
                        Action   = [
                            "states:ValidateStateMachineDefinition",
                            "states:UpdateStateMachine",
                            "states:StopExecution",
                            "states:StartExecution",
                            "states:List*",
                            "states:Get*",
                            "states:DescribeStateMachine",
                            "states:DescribeExecution",
                            "states:DeleteStateMachine",
                            "states:CreateStateMachine",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "AllowStepFunctionExecution"
                    },
                    # (2 unchanged elements hidden)
                    {
                        Action   = "sts:assumeRole"
                        Effect   = "Allow"
                        Resource = [
                            "arn:aws-us-gov:iam::*:role/r-inf-terraform-route53",
                            "arn:aws-us-gov:iam::*:role/r-eks-*-cluster-admin",
                        ]
                        Sid      = "Assumerole"
                    },
                  - {
                      - Action   = "batch:*"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AllowBatch"
                    },
                    {
                        Action      = "events:*"
                        Effect      = "Allow"
                        NotResource = "arn:aws-us-gov:events:*:*:rule/DO_NOT_TELETE*"
                        Sid         = "AllowEvents"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (3 unchanged attributes hidden)
    }
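Review bot: The `"events:*"` added to the consolidated wildcard statement (the `+ "events:*",` line in its Action list) makes the `NotResource = "arn:aws-us-gov:events:*:*:rule/DO_NOT_TELETE*"` carve-out in `AllowEvents` ineffective, because IAM unions Allow statements and an unconditional `events:*` grants delete on those rules regardless of the other statement. That statement's Resource is hidden in the plan ("3 unchanged attributes hidden"), but its existing `sqs:*`/`s3:*` entries suggest it is `*`; if so, drop `"events:*"` from that list and let `AllowEvents` remain the only EventBridge grant. Folding `sns:*`, `es:*`, `batch:*` and the three cognito prefixes into the wildcard statement does not widen effective scope, since their former statements were already `Resource = "*"`, but `appconfig:*` and `s3files:*` are new grants the description does not mention and should be called out there (and `s3files` confirmed as the intended service prefix).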

Plan: 0 to add, 1 to change, 0 to destroy.

Summary:

* tf-plan summary from log logs/plan.20260610.1781134762.log
> to-be created (0)

> to-be updated (1)
  # module.pset_sc-developer.aws_ssoadmin_permission_set_inline_policy.pset[0] will be updated in-place

> to-be replaced (0)

> to-be destroyed (0)

> has changed (0)

> has moved (0)

Plan: 0 to add, 1 to change, 0 to destroy.

Plan generated by using ?ref= on existing sc-developer PS.

run.plan.20260610.1781134751.log

@morga471 morga471 self-assigned this Jun 10, 2026
@badra001

Why?

@morga471

Per Manuel Andrade:
There are currently no open source models that are approved for use in SageMaker. There are also no current use cases for custom LLM development. We are removing the ability to access SageMaker until open source models are approved for use or the start of a new custom development effort.

I confirmed with Rodney that Census access to Hugging Face is restricted. He agreed that we should remove the SageMaker permissions.
