Add access policy documentation (#1527)

.docs/access-policies.md

@@ -0,0 +1,48 @@
+# Access policies and account settings
+
+
+## Account settings
+The following account settings should be enabled:
+- Manage -> Account Settings
+    - Activate Financial Services Validated
+    - Activate EU Supported
+    - Activate Virtual routing and forwarding
+    - Service endpoints
+
+## Access policies
+The API key used for the `ibmcloud_api_key` variable during Terraform or Schematics `apply` must have the necessary access to create and manage the resources in the project. The following steps list how to create and access group with the required access.
+- Create Access Group
+    - Manage -> Access (IAM) -> Access Groups -> Create +
+    - Name the access group "base-infrastructure"
+    - Add users +
+    - Navigate to Access tab -> Assign access +
+    - Create access for each of the following below
+        - Resource group only, All, Editor
+        - All Identity and Access enabled services, All, Writer, Editor, Operator, Administrator
+        - All IAM Account Management services, All, UserApiKeyCreator
+        - All Account Management services, All, Editor
+        - VPC Infrastructure Services, All, Administrator, Manager, IP Spoofing Operator
+        - Workspace for Power Systems Virtual Server, All, Manager, Editor
+        - Transit Gateway, All, Editor
+        - Cloud Object Storage, All, Administrator
+        - Internet Services, All, Manager
+        - Key Protect, All, Manager and Administrator
+        - Secrets Manager, All, Manager and Administrator
+        - Hyper Protect Crypto Services, All, Manager, Vault Administrator, Key Custodian - Deployer, KMS Key Purge Role, Certificate Manager, Administrator
+        - Direct Link, All, Editor
+        - IBM Cloud Monitoring, All, Editor
+
+## Authorization Policies
+The following authorization policies should be created.
+
+  1. Schematics, All resources, Key Protect, Reader
+  2. Schematics, All resources, HPCS, Reader
+  3. The following authorization is needed when running code for Schematics until fix is pushed (End of March 2024)
+      - Source: VPC Infrastructure Services, Specific Resources, Resource type, File Storage for VPC
+      - Target: HPCS, All Resources, Enable authorizations to be delegated..., Reader
+
+How to create Authorization policy
+- Manage -> Access (IAM) -> Authorizations -> Create +
+- Select This account
+- Specify source and target
+- Click Authorize

.docs/powervs-poc.md

@@ -117,7 +117,7 @@ Resources can also be provisioned using a local Terraform install. The downloade
 
 ### Inputs Required at Deployment Time
 >**Note:** The following input fields (Terraform values) must be set in IBM Schematics or Terraform at Generate Plan / Apply Plan time.
->* `ibmcloud_api_key`: The IBM Cloud platform API key that will be used to deploy the project resources.
+>* `ibmcloud_api_key`: The IBM Cloud platform API key that will be used to deploy the project resources. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects.
 >* `dal10gw_on_prem_connection_preshared_key`: This is the preshared key for the VPN Gateway connection (site-to-site VPN). The variable name will be different if you change the name of the VPN gateway or the connection. This variable will also not be present if the VPN Gateway is removed from the project.
 
 ### Cost estimation

.docs/running-terraform-files.md

@@ -6,7 +6,7 @@ After creating a deployment using the GUI, users can download a file called `cra
 
 - Terraform v1.3 or higher
 - Terraform CLI
-- IBM Cloud Platform API Key
+- IBM Cloud Platform API Key. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects.
 
 ### 1. Initializing the Directory
 

.docs/schematics-how-to.md

@@ -6,7 +6,7 @@ Using [IBM Cloud Schematics](https://cloud.ibm.com/docs/schematics?topic=schemat
 ### API_KEY set in CRAIG's environment
 The `API_KEY` variable must be set in the `.env`. If CRAIG is deployed in IBM Code Engine, the API key will automatically be set in CRAIG's environment. The user or service ID owning the API key must have the following authorization policies.
 
-### Authorization Policy
+### Access Policy
 In order to allow Schematics integration, users should make sure they have the following access policy roles for the Schematics service:
 >* `Editor` or greater Platform access
 >* `Writer` or greater Service access
@@ -34,7 +34,7 @@ To upload the project to Schematics in your cloud account, click the `Upload to
 4) Click on `Launch workspace in new Tab`. This will take you to the workspace where Terraform project has been uploaded. 
 
 ## Working with Schematics in IBM Cloud
-On Schematics Workspace console, Click on `Settings` menu item on left. You will see there are list of variables listed. You need to edit the `ibmcloud_api_key` variable using the 3 dots on the right. Set the API key that will be used for creation of the PoC resources and mark it as Sensitive. The API key can be different from the API key that is used for CRAIG to Schematics integration. The API key used set in this variable must have the IAM access policies to allow it to create and manage the resources in the template.
+On Schematics Workspace console, Click on `Settings` menu item on left. You will see there are list of variables listed. You need to edit the `ibmcloud_api_key` variable using the 3 dots on the right. Set the API key that will be used for creation of the PoC resources and mark it as Sensitive. The API key can be different from the API key that is used for CRAIG to Schematics integration. The API key used set in this variable must have the IAM access policies to allow it to create and manage the resources in the template. See [Access Policies](access-policies.md) for access policies and account settings required for creating and managing resources created in CRAIG projects.
 
 ![Schematics Settings page](images/schematics-setting-page.png)