title Permission Set Life cycle

actor Solution User

Solution User->User Interface Handler: Post permission set operation
note over User Interface Handler: API / S3 based interfaces
User Interface Handler->User Interface Handler: validatePayloadSchema()
alt valid payload:
activate User Interface Handler
User Interface Handler->Solution Persistence(DynamoDB): Create/Update/Delete payload
User Interface Handler->Solution Persistence(S3): Create/Update/Delete payload
User Interface Handler->Topic Processor: Post payload and action
User Interface Handler->Solution User: return success with requestId for tracing
deactivate User Interface Handler
activate Topic Processor
Topic Processor->Topic Processor: determineActionType()
alt create:
Topic Processor->Solution Persistence(DynamoDB): fetch permission set object
Topic Processor->AWS IAM Identity Center Admin API: create permission set operation
Topic Processor->Topic Processor: parse permissionSetArn from the result
Topic Processor->Solution Persistence(DynamoDB): persist permissionSetArn
Topic Processor->Topic Processor: determine if the permission set object has other attributes
alt permission set has non-empty managed policies/inline policy document/tags
Topic Processor->AWS IAM Identity Center Admin API: update permission set object
end
Topic Processor->Permission Set Sync processor: Post permission set sync notification
Permission Set Sync processor->Solution Persistence(DynamoDB): check if there are related account assignments for this permission set
Permission Set Sync processor->Permission Set Sync processor: check resultSet
alt if resultSet.length > 0
Permission Set Sync processor->Permission Set Sync processor: loop through the result set
activate Permission Set Sync processor
Permission Set Sync processor->AWS IAM Identity Center Identity Store: doesPrincipalExist() ?
AWS IAM Identity Center Identity Store->Permission Set Sync processor: return principal list result
alt Principal exists
Permission Set Sync processor->Permission Set Sync processor: checkScopeType?
alt scopeType=account
Permission Set Sync processor->Account assignment FIFO queue: Post account assignment creation/deletion payload
note over Account assignment FIFO queue: from this point, the solution follows\nsame sequence as account assignment\n life cycle
else scopeType=root/ou_id/account_tag
Permission Set Sync processor->Org entities State Machine(Org account): Post account assignment operation details
note over Org entities State Machine(Org account): from this point, the solution\nfollows same sequence as\naccount assignment life cycle
end
else Principal does not exist
Permission Set Sync processor->Permission Set Sync processor: log and complete the process
end
deactivate Permission Set Sync processor
else resultSet.length = 0
Permission Set Sync processor->Permission Set Sync processor: log and complete the process
end
else update:
Topic Processor->Topic Processor: calculateDelta()
alt deltaExists:
Topic Processor->Topic Processor: Parse out the invididual delta elements
Topic Processor->AWS IAM Identity Center Admin API: update permission set object with the individual delta elements
Topic Processor->AWS IAM Identity Center Admin API: trigger re-provisioning of permission set to ALL_PROVISIONED_ACCOUNTS
Topic Processor->Permission Set Sync processor: Post permission set sync notification
note over Permission Set Sync processor: from this point, the solution\n follows same sequence as\n create operation
else deltaDoesNotExist:
Topic Processor->Topic Processor: log and complete the operation
end
else delete:
Topic Processor->Solution Persistence(DynamoDB): fetch permissionSetArn value
Topic Processor->AWS IAM Identity Center Admin API: delete permission set object
Topic Processor->Solution Persistence(DynamoDB): delete permissionSetArn value
end
deactivate Topic Processor
else invalid payload:
User Interface Handler->Solution User: Return validation error
end