
add deny product updates to sc-servicecatalog t1 and t2 #9

Merged
merged 3 commits into from
May 28, 2026

Conversation

morga471
Contributor

@morga471 morga471 commented May 28, 2026

Adds statements to deny the update of provisioned products.
2 reasons:

  1. we haven't trained end users or created documentation to describe how to update products without breaking them
  2. we don't currently have any products which would benefit from an update cycle, the better path if that is needed is to destroy and recreate the provisioned product.

This does not remove the capability from t3, as that is reserved for internal service catalog admins, who are the ones that would do this type of operation.

[morga471@iebcloud aws-sso]$ tf validate
Success! The configuration is valid.


real    0m0.040s
user    0m0.034s
sys     0m0.021s

PLANS:
sc-servicecatalog-t1 ->

Terraform will perform the following actions:

  # module.pset_sc-servicecatalog-t1.aws_ssoadmin_permission_set.pset will be updated in-place
  ~ resource "aws_ssoadmin_permission_set" "pset" {
        id               = "arn:aws-us-gov:sso:::permissionSet/ssoins-7857864625123d75/ps-d095ebb5c79d8221,arn:aws-us-gov:sso:::instance/ssoins-7857864625123d75"
        name             = "sc-servicecatalog-t1"
      ~ tags             = {
            "CostAllocation"        = "csvd:lab:management"
            "Environment"           = "infrastructure"
            "boc:created_by"        = "terraform"
            "boc:tf_module_name"    = "aws-sso/permissionset"
          ~ "boc:tf_module_version" = "1.4.0" -> "1.8.0"
            "finops_project_name"   = "inf_lab_idc"
            "finops_project_number" = "fs0000000002"
            "finops_project_role"   = "inf_lab_idc_permissionset"
        }
      ~ tags_all         = {
          ~ "boc:tf_module_version" = "1.4.0" -> "1.8.0"
            # (7 unchanged elements hidden)
        }
        # (7 unchanged attributes hidden)
    }

  # module.pset_sc-servicecatalog-t1.aws_ssoadmin_permission_set_inline_policy.pset[0] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
        id                 = "arn:aws-us-gov:sso:::permissionSet/ssoins-7857864625123d75/ps-d095ebb5c79d8221,arn:aws-us-gov:sso:::instance/ssoins-7857864625123d75"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                          - "servicecatalog:UpdateProvisionedProduct",
                          - "servicecatalog:UpdateProvisionedProductProperties",
                          + "organizations:List*",
                          + "organizations:Describe*",
                          + "account:List*",
                          + "account:Get*",
                        ]
                      ~ Effect   = "Deny" -> "Allow"
                      + Sid      = "OnlyReadOperationsOnOrganizations"
                        # (1 unchanged attribute hidden)
                    },
                  + {
                      + Action   = [
                          + "servicecatalog:UpdateProvisionedProductProperties",
                          + "servicecatalog:UpdateProvisionedProduct",
                        ]
                      + Effect   = "Deny"
                      + Resource = "*"
                      + Sid      = "DenyProductUpdates"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.
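Review bot: the t1 plan changes more than the description states. Besides the new DenyProductUpdates statement, the first statement flips from `Effect = "Deny"` to `Effect = "Allow"` and gains `organizations:List*`, `organizations:Describe*`, `account:List*` and `account:Get*` under Sid OnlyReadOperationsOnOrganizations, most likely carried in by the module bump `1.4.0 -> 1.8.0` (t2 was already on 1.6.1 and shows no such change). Please call out that read-only Organizations/Account grant in the description so it is approved knowingly rather than slipping in under a deny-only title. The deny itself looks right: it is on `Resource = "*"`, so it overrides any Allow in the same permission set regardless of statement order.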

sc-servicecatalog-t2 ->

Terraform will perform the following actions:

  # module.pset_sc-servicecatalog-t2.aws_ssoadmin_permission_set.pset will be updated in-place
  ~ resource "aws_ssoadmin_permission_set" "pset" {
        id               = "arn:aws-us-gov:sso:::permissionSet/ssoins-7857864625123d75/ps-fa6aa376db2e7a15,arn:aws-us-gov:sso:::instance/ssoins-7857864625123d75"
        name             = "sc-servicecatalog-t2"
      ~ tags             = {
            "CostAllocation"        = "csvd:lab:management"
            "Environment"           = "infrastructure"
            "boc:created_by"        = "terraform"
            "boc:tf_module_name"    = "aws-sso/permissionset"
          ~ "boc:tf_module_version" = "1.6.1" -> "1.8.0"
            "finops_project_name"   = "inf_lab_idc"
            "finops_project_number" = "fs0000000002"
            "finops_project_role"   = "inf_lab_idc_permissionset"
        }
      ~ tags_all         = {
          ~ "boc:tf_module_version" = "1.6.1" -> "1.8.0"
            # (7 unchanged elements hidden)
        }
        # (7 unchanged attributes hidden)
    }

  # module.pset_sc-servicecatalog-t2.aws_ssoadmin_permission_set_inline_policy.pset[0] will be updated in-place
  ~ resource "aws_ssoadmin_permission_set_inline_policy" "pset" {
        id                 = "arn:aws-us-gov:sso:::permissionSet/ssoins-7857864625123d75/ps-fa6aa376db2e7a15,arn:aws-us-gov:sso:::instance/ssoins-7857864625123d75"
      ~ inline_policy      = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action   = [
                            "ec2:StopInstances",
                            "ec2:StartInstances",
                            "ec2:RunInstances",
                            "ec2:RebootInstances",
                            "ec2:ModifyInstanceAttribute",
                            "ec2:GetSecurityGroupsForVpc",
                            "ec2:DescribeVolumesModifications",
                            "ec2:DescribeVolumes",
                            "ec2:DescribeVolumeStatus",
                            "ec2:DescribeVolumeAttribute",
                            "ec2:DescribeTags",
                            "ec2:DescribeSecurityGroups",
                            "ec2:DescribeSecurityGroupRules",
                            "ec2:AssociateSecurityGroupVpc",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "EC2Actions"
                    },
                  + {
                      + Action   = [
                          + "servicecatalog:UpdateProvisionedProductProperties",
                          + "servicecatalog:UpdateProvisionedProduct",
                        ]
                      + Effect   = "Deny"
                      + Resource = "*"
                      + Sid      = "DenyProductUpdates"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

plan.20260528.1779986743.log
plan.20260528.1779986987.log
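As an added example (not part of this PR or its Terraform module), here is an offline check of what the plan output implies: an explicit Deny on Resource "*" overrides any Allow in the same permission set, so the two update actions are blocked whatever else the set grants. The policy below is reconstructed from the t1 plan, with one assumed `servicecatalog:*` Allow statement standing in for the set's hidden grants; the evaluator is a simplified model of IAM's decision logic (Action matching on Resource "*" only, no conditions or NotAction).

```python
import fnmatch

# Constructed from the sc-servicecatalog-t1 plan: the statements the plan shows, plus
# one ASSUMED allow statement (not in the plan) standing in for whatever Service Catalog
# permissions the set grants elsewhere, so the deny has something to override.
T1_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumedServiceCatalogAllow",  # assumption, not from the plan
         "Effect": "Allow", "Action": "servicecatalog:*", "Resource": "*"},
        {"Sid": "OnlyReadOperationsOnOrganizations", "Effect": "Allow",
         "Action": ["organizations:List*", "organizations:Describe*",
                    "account:List*", "account:Get*"], "Resource": "*"},
        {"Sid": "DenyProductUpdates", "Effect": "Deny",
         "Action": ["servicecatalog:UpdateProvisionedProductProperties",
                    "servicecatalog:UpdateProvisionedProduct"], "Resource": "*"},
    ],
}

UPDATE_ACTIONS = ("servicecatalog:UpdateProvisionedProduct",
                  "servicecatalog:UpdateProvisionedProductProperties")


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Simplified IAM decision for one action against Resource "*" statements:
    an explicit Deny anywhere wins, otherwise any Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if stmt.get("Resource") != "*" or not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # order does not matter: explicit deny always wins
        decision = "Allow"
    return decision


def unblocked_updates(policy: dict) -> list[str]:
    """Review check: update actions the PR means to block that the policy still permits."""
    return [a for a in UPDATE_ACTIONS if evaluate(policy, a) != "Deny"]


if __name__ == "__main__":
    for a in UPDATE_ACTIONS + ("servicecatalog:ProvisionProduct", "organizations:ListAccounts"):
        print(f"{a}: {evaluate(T1_INLINE_POLICY, a)}")
    print("unblocked update actions:", unblocked_updates(T1_INLINE_POLICY))
```

Running `unblocked_updates` against the policy with the DenyProductUpdates statement removed returns both update actions, which is the regression this check is meant to catch when the module is bumped again.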

@morga471 morga471 requested a review from badra001 May 28, 2026 16:19
@morga471 morga471 self-assigned this May 28, 2026
Contributor

@badra001 badra001 left a comment

OK

@badra001 badra001 merged commit 7d2c84f into master May 28, 2026
@morga471 morga471 deleted the svc-cat-deny branch May 28, 2026 16:59