Conversation

@psantus psantus commented Nov 6, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

No changes to security controls. This PR adds a new optional configuration field that enables Trusted Identity Propagation, which enhances access control and auditing capabilities when used with SSO authentication.

Description

Adds support for enabling Trusted Identity Propagation (TIP) in SageMaker domains through the trusted_identity_propagation_enabled argument in the domain_settings block.

When enabled, user identities from IAM Identity Center are propagated through the domain to TIP-enabled AWS services, providing enhanced access control and auditing capabilities.

Changes:

  • Add trusted_identity_propagation_enabled boolean field to domain_settings schema (defaults to false)
  • Implement API integration for Create, Update, and Read operations
  • Add validation requiring auth_mode = "SSO" when field is true
  • Update documentation with field description and constraints
  • Add acceptance test with SSO authentication

Relations

Closes #44962

References

Output from Acceptance Testing

%TF_ACC=1 go test -v ./internal/service/sagemaker -run TestAccSageMaker_serial/Domain/trustedIdentityPropagation -timeout 60m

2025/11/06 16:38:58 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/06 16:38:58 Initializing Terraform AWS Provider (SDKv2-style)...
=== RUN   TestAccSageMaker_serial
=== PAUSE TestAccSageMaker_serial
=== CONT  TestAccSageMaker_serial
=== RUN   TestAccSageMaker_serial/Domain
=== RUN   TestAccSageMaker_serial/Domain/trustedIdentityPropagation
--- PASS: TestAccSageMaker_serial (826.14s)
    --- PASS: TestAccSageMaker_serial/Domain (826.14s)
        --- PASS: TestAccSageMaker_serial/Domain/trustedIdentityPropagation (826.14s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/sagemaker  830.931s
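As an added illustration (not code from this PR or the provider's own acceptance test), a domain configuration that uses the new argument together with the SSO authentication mode it requires; the VPC, subnet and role values are placeholders, and the resource's other arguments are assumed from the existing aws_sagemaker_domain schema:

```hcl
# Constructed example: a SageMaker domain with Trusted Identity Propagation.
# The VPC, subnet, account and role identifiers below are placeholders.
resource "aws_sagemaker_domain" "example" {
  domain_name = "tip-example"

  # TIP requires IAM Identity Center as the identity source. The validation
  # added by this PR rejects trusted_identity_propagation_enabled = true
  # whenever auth_mode is anything other than "SSO" (for example "IAM").
  auth_mode  = "SSO"
  vpc_id     = "vpc-00000000000000000"        # placeholder
  subnet_ids = ["subnet-00000000000000000"]   # placeholder

  default_user_settings {
    execution_role = "arn:aws:iam::123456789012:role/placeholder-sagemaker-exec" # placeholder
  }

  domain_settings {
    # Argument introduced by this PR. It defaults to false, so it must be set
    # explicitly for Identity Center identities to be propagated downstream.
    trusted_identity_propagation_enabled = true
  }
}
```

With the field enabled, downstream TIP-enabled services see the Identity Center user rather than the domain's shared execution role, which is what makes per-user access control and audit attribution possible.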

github-actions bot commented Nov 6, 2025

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. documentation Introduces or discusses updates to documentation. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/sagemaker Issues and PRs that pertain to the sagemaker service. size/M Managed by automation to categorize the size of a PR. labels Nov 6, 2025
@psantus psantus marked this pull request as ready for review November 6, 2025 17:54
@psantus psantus requested a review from a team as a code owner November 6, 2025 17:54
…ed argument

Adds support for enabling Trusted Identity Propagation (TIP) in SageMaker domains.
When enabled, user identities from IAM Identity Center are propagated through
the domain to TIP enabled AWS services.

The trusted_identity_propagation_enabled argument is:
- Located in the domain_settings block
- Boolean type with default value false
- Only valid when auth_mode is SSO
- Includes validation to enforce the SSO requirement
@psantus psantus force-pushed the f/aws_sagemaker_domain-add-tip branch from 7abab1d to 78da38e Compare November 6, 2025 17:57
@justinretzolk justinretzolk added enhancement Requests to existing resources that expand the functionality or scope. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 11, 2025

Development

Successfully merging this pull request may close these issues.

aws_sagemaker_domain : add support for Trusted Identity Propagation