HashiCorp Cloud Platform IAM Terraform Module
Ensure the service principal has the role/Admin permissions at the organization level to add users to groups.

The input `users_to_groups_yaml_path` is required and must point to a YAML-formatted file. The file must contain a map of groups to users, like so:
```yaml
Vault-Admin:
  users:
    - [email protected]
Vault-Writer:
  users:
    - [email protected]
Vault-Reader:
  users:
    - [email protected]
    - [email protected]
```
Ensure that the group names in the `.yaml` file provided by the input `users_to_groups_yaml_path` match the last part of the resource name once the group is created in HCP. Group resource names in HCP are derived from the `display_name` of a group, with spaces replaced by hyphens (`-`). Example: `display_name = Vault Reader` means the group resource name in HCP will be `iam/organization/<org_id>/group/Vault-Reader`, so put `Vault-Reader` in the `.yaml` file.
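The naming rule above is easy to get wrong, so here is an added pre-flight check (example code, not part of this module) that loads a users-to-groups YAML file and confirms every group key matches the hyphenated `display_name` of a group the module will create. It assumes PyYAML is installed; the `groups` dictionary mirrors the module's `groups` input and the sample data is constructed for the example.

```python
"""Validate a users_to_groups YAML file against the HCP group naming convention."""
import re
import yaml  # PyYAML, assumed to be available

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def group_resource_name(org_id: str, display_name: str) -> str:
    """HCP builds the resource name from display_name, replacing spaces with hyphens."""
    return f"iam/organization/{org_id}/group/{display_name.replace(' ', '-')}"


def validate_mapping(yaml_text: str, groups: dict, org_id: str) -> list:
    """Return a list of problems; an empty list means the file is consistent with `groups`.

    `groups` mirrors the module input: key -> {"display_name": ...}.
    The YAML keys must equal the last path segment of the resource name.
    """
    expected = {
        group_resource_name(org_id, g["display_name"]).rsplit("/", 1)[1]
        for g in groups.values()
    }
    data = yaml.safe_load(yaml_text) or {}
    if not isinstance(data, dict):
        return ["top level must be a map of group names to {users: [...]}"]
    problems = []
    for name, body in data.items():
        if name not in expected:
            problems.append(f"group '{name}' is not created by the module; expected one of {sorted(expected)}")
        users = body.get("users") if isinstance(body, dict) else None
        if not isinstance(users, list) or not users:
            problems.append(f"group '{name}': 'users' must be a non-empty list")
            continue
        for user in users:
            if not isinstance(user, str) or not EMAIL_RE.match(user):
                problems.append(f"group '{name}': '{user}' is not an email address")
    return problems


# Constructed sample data, not taken from any real HCP organization.
SAMPLE_GROUPS = {
    "admin": {"display_name": "Vault Admin"},
    "reader": {"display_name": "Vault Reader"},
}
SAMPLE_YAML = "Vault-Admin:\n  users:\n    - alice@example.com\nVault-Reader:\n  users:\n    - bob@example.com\n"
BAD_YAML = "Vault Reader:\n  users:\n    - bob@example.com\nVault-Admin:\n  users: []\n"

if __name__ == "__main__":
    for problem in validate_mapping(BAD_YAML, SAMPLE_GROUPS, "org-placeholder"):
        print(problem)
```

Run it before `terraform apply` to catch a key such as `Vault Reader` (space instead of hyphen) that the module would not be able to match to a created group.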
Providers

| Name | Version |
|---|---|
| hcp | n/a |

Resources

| Name | Type |
|---|---|
| hcp_group.group | resource |
| hcp_group_members.group_members | resource |
| hcp_project_iam_binding.project_binding | resource |
| hcp_user_principal.users | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| groups | A map of groups to create in HCP IAM. Each group should have a display_name, description, project_id, and role. | map(object({ | n/a | yes |
| organization_id | HCP Organization ID | string | n/a | yes |
| users_to_groups_yaml_path | Path to YAML file with mapping of user emails to group names | string | n/a | yes |