From 4854242e9ebe679dabb2ac0023c5fe90c52fe35a Mon Sep 17 00:00:00 2001 From: pooraniss-ibm <71089502+pooraniss-ibm@users.noreply.github.com> Date: Mon, 25 Nov 2024 14:05:43 +0000 Subject: [PATCH] IAM Identity: Effective account settings (#5583) --- .../README.md | 67 ++ .../main.tf | 14 + .../outputs.tf | 0 .../variables.tf | 21 + .../versions.tf | 9 + ibm/provider/provider.go | 1 + ...urce_ibm_iam_effective_account_settings.go | 753 ++++++++++++++++++ ...ibm_iam_effective_account_settings_test.go | 313 ++++++++ ...m_effective_account_settings.html.markdown | 142 ++++ 9 files changed, 1320 insertions(+) create mode 100644 examples/ibm-iam-identity-effective-account-settings/README.md create mode 100644 examples/ibm-iam-identity-effective-account-settings/main.tf create mode 100644 examples/ibm-iam-identity-effective-account-settings/outputs.tf create mode 100644 examples/ibm-iam-identity-effective-account-settings/variables.tf create mode 100644 examples/ibm-iam-identity-effective-account-settings/versions.tf create mode 100644 ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings.go create mode 100644 ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings_test.go create mode 100644 website/docs/d/iam_effective_account_settings.html.markdown diff --git a/examples/ibm-iam-identity-effective-account-settings/README.md b/examples/ibm-iam-identity-effective-account-settings/README.md new file mode 100644 index 0000000000..4ce0655b0c --- /dev/null +++ b/examples/ibm-iam-identity-effective-account-settings/README.md @@ -0,0 +1,67 @@ +# Examples for IAM Identity Services + +These examples illustrate how to use the resources and data sources associated with IAM Identity Services. + +The following data sources are supported: +* ibm_iam_effective_account_settings + +## Usage + +To run this example, execute the following commands: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Run `terraform destroy` when you don't need these resources. + +## IAM Identity Services data sources + +### Data source: ibm_iam_effective_account_settings + +```hcl +data "ibm_iam_effective_account_settings" "iam_effective_account_settings_instance" { + account_id = var.iam_effective_account_settings_account_id + include_history = var.iam_effective_account_settings_include_history + resolve_user_mfa = var.iam_effective_account_settings_resolve_user_mfa +} +``` + +#### Inputs + +| Name | Description | Type | Required | +|------|-------------|------|---------| +| account_id | Unique ID of the account. | `string` | true | +| include_history | Defines if the entity history is included in the response. | `bool` | false | +| resolve_user_mfa | Enrich MFA exemptions with user information. | `bool` | false | + +#### Outputs + +| Name | Description | +|------|-------------| +| context | Context with key properties for problem determination. | +| effective | | +| account | | +| assigned_templates | assigned template section. | + +## Assumptions + +1. TODO + +## Notes + +1. TODO + +## Requirements + +| Name | Version | +|------|---------| +| terraform | ~> 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| ibm | 1.13.1 | diff --git a/examples/ibm-iam-identity-effective-account-settings/main.tf b/examples/ibm-iam-identity-effective-account-settings/main.tf new file mode 100644 index 0000000000..8ab985681d --- /dev/null +++ b/examples/ibm-iam-identity-effective-account-settings/main.tf @@ -0,0 +1,14 @@ +provider "ibm" { + ibmcloud_api_key = var.ibmcloud_api_key +} + +// Data source is not linked to a resource instance +// Uncomment if an existing data source instance exists +/* +// Create iam_effective_account_settings data source +data "ibm_iam_effective_account_settings" "iam_effective_account_settings_instance" { + account_id = var.iam_effective_account_settings_account_id + include_history = var.iam_effective_account_settings_include_history + resolve_user_mfa = var.iam_effective_account_settings_resolve_user_mfa +} +*/ diff --git a/examples/ibm-iam-identity-effective-account-settings/outputs.tf b/examples/ibm-iam-identity-effective-account-settings/outputs.tf new file mode 100644 index 0000000000..e69de29bb2 diff --git a/examples/ibm-iam-identity-effective-account-settings/variables.tf b/examples/ibm-iam-identity-effective-account-settings/variables.tf new file mode 100644 index 0000000000..e4d649688a --- /dev/null +++ b/examples/ibm-iam-identity-effective-account-settings/variables.tf @@ -0,0 +1,21 @@ +variable "ibmcloud_api_key" { + description = "IBM Cloud API key" + type = string +} + +// Data source arguments for iam_effective_account_settings +variable "iam_effective_account_settings_account_id" { + description = "Unique ID of the account." + type = string + default = "account_id" +} +variable "iam_effective_account_settings_include_history" { + description = "Defines if the entity history is included in the response." + type = bool + default = false +} +variable "iam_effective_account_settings_resolve_user_mfa" { + description = "Enrich MFA exemptions with user information." + type = bool + default = false +} diff --git a/examples/ibm-iam-identity-effective-account-settings/versions.tf b/examples/ibm-iam-identity-effective-account-settings/versions.tf new file mode 100644 index 0000000000..54c9d03e8d --- /dev/null +++ b/examples/ibm-iam-identity-effective-account-settings/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 1.0" + required_providers { + ibm = { + source = "IBM-Cloud/ibm" + version = "1.52.0-beta0" + } + } +} diff --git a/ibm/provider/provider.go b/ibm/provider/provider.go index 03b4a25972..7e30cd4daa 100644 --- a/ibm/provider/provider.go +++ b/ibm/provider/provider.go @@ -373,6 +373,7 @@ func Provider() *schema.Provider { "ibm_iam_access_group_template_versions": iamaccessgroup.DataSourceIBMIAMAccessGroupTemplateVersions(), "ibm_iam_access_group_template_assignment": iamaccessgroup.DataSourceIBMIAMAccessGroupTemplateAssignment(), "ibm_iam_account_settings": iamidentity.DataSourceIBMIAMAccountSettings(), + "ibm_iam_effective_account_settings": iamidentity.DataSourceIBMIamEffectiveAccountSettings(), "ibm_iam_auth_token": iamidentity.DataSourceIBMIAMAuthToken(), "ibm_iam_role_actions": iampolicy.DataSourceIBMIAMRoleAction(), "ibm_iam_users": iamidentity.DataSourceIBMIAMUsers(), diff --git a/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings.go b/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings.go new file mode 100644 index 0000000000..d87cc17805 --- /dev/null +++ b/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings.go @@ -0,0 +1,753 @@ +// Copyright IBM Corp. 2024 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +/* + * IBM OpenAPI Terraform Generator Version: 3.93.0-c40121e6-20240729-182103 + */ + +package iamidentity + +import ( + "context" + "fmt" + "log" + "time" + + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex" + "github.com/IBM/go-sdk-core/v5/core" + "github.com/IBM/platform-services-go-sdk/iamidentityv1" +) + +func DataSourceIBMIamEffectiveAccountSettings() *schema.Resource { + return &schema.Resource{ + ReadContext: dataSourceIBMIamEffectiveAccountSettingsRead, + + Schema: map[string]*schema.Schema{ + "account_id": &schema.Schema{ + Type: schema.TypeString, + Required: true, + Description: "Unique ID of the account.", + }, + "include_history": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Defines if the entity history is included in the response.", + }, + "resolve_user_mfa": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + Description: "Enrich MFA exemptions with user information.", + }, + "context": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Context with key properties for problem determination.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "transaction_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The transaction ID of the inbound REST request.", + }, + "operation": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The operation of the inbound REST request.", + }, + "user_agent": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The user agent of the inbound REST request.", + }, + "url": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The URL of that cluster.", + }, + "instance_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The instance ID of the server instance processing the request.", + }, + "thread_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The thread ID of the server instance processing the request.", + }, + "host": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The host of the server instance processing the request.", + }, + "start_time": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The start time of the request.", + }, + "end_time": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The finish time of the request.", + }, + "elapsed_time": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The elapsed time in msec.", + }, + "cluster_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The cluster name.", + }, + }, + }, + }, + "effective": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "restrict_create_service_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.", + }, + "restrict_create_platform_apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value.", + }, + "allowed_ip_addresses": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the IP addresses and subnets from which IAM tokens can be created for the account.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "user_mfa": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "List of users that are exempted from the MFA requirement of the account.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iam_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The iam_id of the user.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "name of the user account.", + }, + "user_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "userName of the user.", + }, + "email": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "email of the user.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "optional description.", + }, + }, + }, + }, + "session_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default.", + }, + "session_invalidation_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.", + }, + "max_sessions_per_identity": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.", + }, + "system_access_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.", + }, + "system_refresh_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.", + }, + }, + }, + }, + "account": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "account_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Unique ID of the account.", + }, + "restrict_create_service_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.", + }, + "restrict_create_platform_apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value.", + }, + "allowed_ip_addresses": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the IP addresses and subnets from which IAM tokens can be created for the account.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "user_mfa": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "List of users that are exempted from the MFA requirement of the account.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iam_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The iam_id of the user.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "name of the user account.", + }, + "user_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "userName of the user.", + }, + "email": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "email of the user.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "optional description.", + }, + }, + }, + }, + "history": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "History of the Account Settings.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "timestamp": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Timestamp when the action was triggered.", + }, + "iam_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "IAM ID of the identity which triggered the action.", + }, + "iam_id_account": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Account of the identity which triggered the action.", + }, + "action": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Action of the history entry.", + }, + "params": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "Params of the history entry.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "message": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Message which summarizes the executed action.", + }, + }, + }, + }, + "session_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default.", + }, + "session_invalidation_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.", + }, + "max_sessions_per_identity": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.", + }, + "system_access_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.", + }, + "system_refresh_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.", + }, + }, + }, + }, + "assigned_templates": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "assigned template section.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "template_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Template Id.", + }, + "template_version": &schema.Schema{ + Type: schema.TypeInt, + Computed: true, + Description: "Template version.", + }, + "template_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Template name.", + }, + "restrict_create_service_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value.", + }, + "restrict_create_platform_apikey": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value.", + }, + "allowed_ip_addresses": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the IP addresses and subnets from which IAM tokens can be created for the account.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "user_mfa": &schema.Schema{ + Type: schema.TypeList, + Computed: true, + Description: "List of users that are exempted from the MFA requirement of the account.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iam_id": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "The iam_id of the user.", + }, + "mfa": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users.", + }, + "name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "name of the user account.", + }, + "user_name": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "userName of the user.", + }, + "email": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "email of the user.", + }, + "description": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "optional description.", + }, + }, + }, + }, + "session_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default.", + }, + "session_invalidation_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default.", + }, + "max_sessions_per_identity": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default.", + }, + "system_access_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default.", + }, + "system_refresh_token_expiration_in_seconds": &schema.Schema{ + Type: schema.TypeString, + Computed: true, + Description: "Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default.", + }, + }, + }, + }, + }, + } +} + +func dataSourceIBMIamEffectiveAccountSettingsRead(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + iamIdentityClient, err := meta.(conns.ClientSession).IAMIdentityV1API() + if err != nil { + tfErr := flex.DiscriminatedTerraformErrorf(err, err.Error(), "(Data) ibm_iam_effective_account_settings", "read", "initialize-client") + log.Printf("[DEBUG]\n%s", tfErr.GetDebugMessage()) + return tfErr.GetDiag() + } + + getEffectiveAccountSettingsOptions := &iamidentityv1.GetEffectiveAccountSettingsOptions{} + + getEffectiveAccountSettingsOptions.SetAccountID(d.Get("account_id").(string)) + if _, ok := d.GetOk("include_history"); ok { + getEffectiveAccountSettingsOptions.SetIncludeHistory(d.Get("include_history").(bool)) + } + if _, ok := d.GetOk("resolve_user_mfa"); ok { + getEffectiveAccountSettingsOptions.SetResolveUserMfa(d.Get("resolve_user_mfa").(bool)) + } + + effectiveAccountSettingsResponse, _, err := iamIdentityClient.GetEffectiveAccountSettingsWithContext(context, getEffectiveAccountSettingsOptions) + if err != nil { + tfErr := flex.TerraformErrorf(err, fmt.Sprintf("GetEffectiveAccountSettingsWithContext failed: %s", err.Error()), "(Data) ibm_iam_effective_account_settings", "read") + log.Printf("[DEBUG]\n%s", tfErr.GetDebugMessage()) + return tfErr.GetDiag() + } + + d.SetId(dataSourceIBMIamEffectiveAccountSettingsID(d)) + + if !core.IsNil(effectiveAccountSettingsResponse.Context) { + context := []map[string]interface{}{} + contextMap, err := DataSourceIBMIamEffectiveAccountSettingsResponseContextToMap(effectiveAccountSettingsResponse.Context) + if err != nil { + return flex.DiscriminatedTerraformErrorf(err, err.Error(), "(Data) ibm_iam_effective_account_settings", "read", "context-to-map").GetDiag() + } + context = append(context, contextMap) + if err = d.Set("context", context); err != nil { + return flex.DiscriminatedTerraformErrorf(err, fmt.Sprintf("Error setting context: %s", err), "(Data) ibm_iam_effective_account_settings", "read", "set-context").GetDiag() + } + } + + effective := []map[string]interface{}{} + effectiveMap, err := DataSourceIBMIamEffectiveAccountSettingsAccountSettingsEffectiveSectionToMap(effectiveAccountSettingsResponse.Effective) + if err != nil { + return flex.DiscriminatedTerraformErrorf(err, err.Error(), "(Data) ibm_iam_effective_account_settings", "read", "effective-to-map").GetDiag() + } + effective = append(effective, effectiveMap) + if err = d.Set("effective", effective); err != nil { + return flex.DiscriminatedTerraformErrorf(err, fmt.Sprintf("Error setting effective: %s", err), "(Data) ibm_iam_effective_account_settings", "read", "set-effective").GetDiag() + } + + account := []map[string]interface{}{} + accountMap, err := DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAccountSectionToMap(effectiveAccountSettingsResponse.Account) + if err != nil { + return flex.DiscriminatedTerraformErrorf(err, err.Error(), "(Data) ibm_iam_effective_account_settings", "read", "account-to-map").GetDiag() + } + account = append(account, accountMap) + if err = d.Set("account", account); err != nil { + return flex.DiscriminatedTerraformErrorf(err, fmt.Sprintf("Error setting account: %s", err), "(Data) ibm_iam_effective_account_settings", "read", "set-account").GetDiag() + } + + if !core.IsNil(effectiveAccountSettingsResponse.AssignedTemplates) { + assignedTemplates := []map[string]interface{}{} + for _, assignedTemplatesItem := range effectiveAccountSettingsResponse.AssignedTemplates { + assignedTemplatesItemMap, err := DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSectionToMap(&assignedTemplatesItem) + if err != nil { + return flex.DiscriminatedTerraformErrorf(err, err.Error(), "(Data) ibm_iam_effective_account_settings", "read", "assigned_templates-to-map").GetDiag() + } + assignedTemplates = append(assignedTemplates, assignedTemplatesItemMap) + } + if err = d.Set("assigned_templates", assignedTemplates); err != nil { + return flex.DiscriminatedTerraformErrorf(err, fmt.Sprintf("Error setting assigned_templates: %s", err), "(Data) ibm_iam_effective_account_settings", "read", "set-assigned_templates").GetDiag() + } + } + + return nil +} + +// dataSourceIBMIamEffectiveAccountSettingsID returns a reasonable ID for the list. +func dataSourceIBMIamEffectiveAccountSettingsID(d *schema.ResourceData) string { + return time.Now().UTC().String() +} + +func DataSourceIBMIamEffectiveAccountSettingsResponseContextToMap(model *iamidentityv1.ResponseContext) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.TransactionID != nil { + modelMap["transaction_id"] = *model.TransactionID + } + if model.Operation != nil { + modelMap["operation"] = *model.Operation + } + if model.UserAgent != nil { + modelMap["user_agent"] = *model.UserAgent + } + if model.URL != nil { + modelMap["url"] = *model.URL + } + if model.InstanceID != nil { + modelMap["instance_id"] = *model.InstanceID + } + if model.ThreadID != nil { + modelMap["thread_id"] = *model.ThreadID + } + if model.Host != nil { + modelMap["host"] = *model.Host + } + if model.StartTime != nil { + modelMap["start_time"] = *model.StartTime + } + if model.EndTime != nil { + modelMap["end_time"] = *model.EndTime + } + if model.ElapsedTime != nil { + modelMap["elapsed_time"] = *model.ElapsedTime + } + if model.ClusterName != nil { + modelMap["cluster_name"] = *model.ClusterName + } + return modelMap, nil +} + +func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsEffectiveSectionToMap(model *iamidentityv1.AccountSettingsEffectiveSection) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.RestrictCreateServiceID != nil { + modelMap["restrict_create_service_id"] = *model.RestrictCreateServiceID + } + if model.RestrictCreatePlatformApikey != nil { + modelMap["restrict_create_platform_apikey"] = *model.RestrictCreatePlatformApikey + } + if model.AllowedIPAddresses != nil { + modelMap["allowed_ip_addresses"] = *model.AllowedIPAddresses + } + if model.Mfa != nil { + modelMap["mfa"] = *model.Mfa + } + if model.UserMfa != nil { + userMfa := []map[string]interface{}{} + for _, userMfaItem := range model.UserMfa { + userMfaItemMap, err := DataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(&userMfaItem) + if err != nil { + return modelMap, err + } + userMfa = append(userMfa, userMfaItemMap) + } + modelMap["user_mfa"] = userMfa + } + if model.SessionExpirationInSeconds != nil { + modelMap["session_expiration_in_seconds"] = *model.SessionExpirationInSeconds + } + if model.SessionInvalidationInSeconds != nil { + modelMap["session_invalidation_in_seconds"] = *model.SessionInvalidationInSeconds + } + if model.MaxSessionsPerIdentity != nil { + modelMap["max_sessions_per_identity"] = *model.MaxSessionsPerIdentity + } + if model.SystemAccessTokenExpirationInSeconds != nil { + modelMap["system_access_token_expiration_in_seconds"] = *model.SystemAccessTokenExpirationInSeconds + } + if model.SystemRefreshTokenExpirationInSeconds != nil { + modelMap["system_refresh_token_expiration_in_seconds"] = *model.SystemRefreshTokenExpirationInSeconds + } + return modelMap, nil +} + +func DataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(model *iamidentityv1.EffectiveAccountSettingsUserMfa) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + modelMap["iam_id"] = *model.IamID + modelMap["mfa"] = *model.Mfa + if model.Name != nil { + modelMap["name"] = *model.Name + } + if model.UserName != nil { + modelMap["user_name"] = *model.UserName + } + if model.Email != nil { + modelMap["email"] = *model.Email + } + if model.Description != nil { + modelMap["description"] = *model.Description + } + return modelMap, nil +} + +func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAccountSectionToMap(model *iamidentityv1.AccountSettingsAccountSection) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.AccountID != nil { + modelMap["account_id"] = *model.AccountID + } + if model.RestrictCreateServiceID != nil { + modelMap["restrict_create_service_id"] = *model.RestrictCreateServiceID + } + if model.RestrictCreatePlatformApikey != nil { + modelMap["restrict_create_platform_apikey"] = *model.RestrictCreatePlatformApikey + } + if model.AllowedIPAddresses != nil { + modelMap["allowed_ip_addresses"] = *model.AllowedIPAddresses + } + if model.Mfa != nil { + modelMap["mfa"] = *model.Mfa + } + if model.UserMfa != nil { + userMfa := []map[string]interface{}{} + for _, userMfaItem := range model.UserMfa { + userMfaItemMap, err := DataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(&userMfaItem) + if err != nil { + return modelMap, err + } + userMfa = append(userMfa, userMfaItemMap) + } + modelMap["user_mfa"] = userMfa + } + if model.History != nil { + history := []map[string]interface{}{} + for _, historyItem := range model.History { + historyItemMap, err := DataSourceIBMIamEffectiveAccountSettingsEnityHistoryRecordToMap(&historyItem) + if err != nil { + return modelMap, err + } + history = append(history, historyItemMap) + } + modelMap["history"] = history + } + if model.SessionExpirationInSeconds != nil { + modelMap["session_expiration_in_seconds"] = *model.SessionExpirationInSeconds + } + if model.SessionInvalidationInSeconds != nil { + modelMap["session_invalidation_in_seconds"] = *model.SessionInvalidationInSeconds + } + if model.MaxSessionsPerIdentity != nil { + modelMap["max_sessions_per_identity"] = *model.MaxSessionsPerIdentity + } + if model.SystemAccessTokenExpirationInSeconds != nil { + modelMap["system_access_token_expiration_in_seconds"] = *model.SystemAccessTokenExpirationInSeconds + } + if model.SystemRefreshTokenExpirationInSeconds != nil { + modelMap["system_refresh_token_expiration_in_seconds"] = *model.SystemRefreshTokenExpirationInSeconds + } + return modelMap, nil +} + +func DataSourceIBMIamEffectiveAccountSettingsEnityHistoryRecordToMap(model *iamidentityv1.EnityHistoryRecord) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + modelMap["timestamp"] = *model.Timestamp + modelMap["iam_id"] = *model.IamID + modelMap["iam_id_account"] = *model.IamIDAccount + modelMap["action"] = *model.Action + modelMap["params"] = model.Params + modelMap["message"] = *model.Message + return modelMap, nil +} + +func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSectionToMap(model *iamidentityv1.AccountSettingsAssignedTemplatesSection) (map[string]interface{}, error) { + modelMap := make(map[string]interface{}) + if model.TemplateID != nil { + modelMap["template_id"] = *model.TemplateID + } + if model.TemplateVersion != nil { + modelMap["template_version"] = flex.IntValue(model.TemplateVersion) + } + if model.TemplateName != nil { + modelMap["template_name"] = *model.TemplateName + } + if model.RestrictCreateServiceID != nil { + modelMap["restrict_create_service_id"] = *model.RestrictCreateServiceID + } + if model.RestrictCreatePlatformApikey != nil { + modelMap["restrict_create_platform_apikey"] = *model.RestrictCreatePlatformApikey + } + if model.AllowedIPAddresses != nil { + modelMap["allowed_ip_addresses"] = *model.AllowedIPAddresses + } + if model.Mfa != nil { + modelMap["mfa"] = *model.Mfa + } + if model.UserMfa != nil { + userMfa := []map[string]interface{}{} + for _, userMfaItem := range model.UserMfa { + userMfaItemMap, err := DataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(&userMfaItem) + if err != nil { + return modelMap, err + } + userMfa = append(userMfa, userMfaItemMap) + } + modelMap["user_mfa"] = userMfa + } + if model.SessionExpirationInSeconds != nil { + modelMap["session_expiration_in_seconds"] = *model.SessionExpirationInSeconds + } + if model.SessionInvalidationInSeconds != nil { + modelMap["session_invalidation_in_seconds"] = *model.SessionInvalidationInSeconds + } + if model.MaxSessionsPerIdentity != nil { + modelMap["max_sessions_per_identity"] = *model.MaxSessionsPerIdentity + } + if model.SystemAccessTokenExpirationInSeconds != nil { + modelMap["system_access_token_expiration_in_seconds"] = *model.SystemAccessTokenExpirationInSeconds + } + if model.SystemRefreshTokenExpirationInSeconds != nil { + modelMap["system_refresh_token_expiration_in_seconds"] = *model.SystemRefreshTokenExpirationInSeconds + } + return modelMap, nil +} diff --git a/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings_test.go b/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings_test.go new file mode 100644 index 0000000000..6ad2a6ecc9 --- /dev/null +++ b/ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings_test.go @@ -0,0 +1,313 @@ +// Copyright IBM Corp. 2024 All Rights Reserved. +// Licensed under the Mozilla Public License v2.0 + +/* + * IBM OpenAPI Terraform Generator Version: 3.93.0-c40121e6-20240729-182103 + */ + +package iamidentity_test + +import ( + "fmt" + "testing" + + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + + acc "github.com/IBM-Cloud/terraform-provider-ibm/ibm/acctest" + "github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/iamidentity" + "github.com/IBM/go-sdk-core/v5/core" + "github.com/IBM/platform-services-go-sdk/iamidentityv1" + "github.com/stretchr/testify/assert" +) + +func TestAccIBMIamEffectiveAccountSettingsDataSourceBasic(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + Providers: acc.TestAccProviders, + Steps: []resource.TestStep{ + resource.TestStep{ + Config: testAccCheckIBMIamEffectiveAccountSettingsDataSourceConfigBasic(), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrSet("data.ibm_iam_effective_account_settings.iam_effective_account_settings_instance", "id"), + resource.TestCheckResourceAttrSet("data.ibm_iam_effective_account_settings.iam_effective_account_settings_instance", "account_id"), + resource.TestCheckResourceAttrSet("data.ibm_iam_effective_account_settings.iam_effective_account_settings_instance", "effective.#"), + resource.TestCheckResourceAttrSet("data.ibm_iam_effective_account_settings.iam_effective_account_settings_instance", "account.#"), + ), + }, + }, + }) +} + +func testAccCheckIBMIamEffectiveAccountSettingsDataSourceConfigBasic() string { + return fmt.Sprintf(` + data "ibm_iam_effective_account_settings" "iam_effective_account_settings_instance" { + account_id = "account_id" + include_history = true + resolve_user_mfa = true + } + `) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsResponseContextToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + model := make(map[string]interface{}) + model["transaction_id"] = "testString" + model["operation"] = "testString" + model["user_agent"] = "testString" + model["url"] = "testString" + model["instance_id"] = "testString" + model["thread_id"] = "testString" + model["host"] = "testString" + model["start_time"] = "testString" + model["end_time"] = "testString" + model["elapsed_time"] = "testString" + model["cluster_name"] = "testString" + + assert.Equal(t, result, model) + } + + model := new(iamidentityv1.ResponseContext) + model.TransactionID = core.StringPtr("testString") + model.Operation = core.StringPtr("testString") + model.UserAgent = core.StringPtr("testString") + model.URL = core.StringPtr("testString") + model.InstanceID = core.StringPtr("testString") + model.ThreadID = core.StringPtr("testString") + model.Host = core.StringPtr("testString") + model.StartTime = core.StringPtr("testString") + model.EndTime = core.StringPtr("testString") + model.ElapsedTime = core.StringPtr("testString") + model.ClusterName = core.StringPtr("testString") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsResponseContextToMap(model) + assert.Nil(t, err) + checkResult(result) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsAccountSettingsEffectiveSectionToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + effectiveAccountSettingsUserMfaModel := make(map[string]interface{}) + effectiveAccountSettingsUserMfaModel["iam_id"] = "testString" + effectiveAccountSettingsUserMfaModel["mfa"] = "NONE" + effectiveAccountSettingsUserMfaModel["name"] = "testString" + effectiveAccountSettingsUserMfaModel["user_name"] = "testString" + effectiveAccountSettingsUserMfaModel["email"] = "testString" + effectiveAccountSettingsUserMfaModel["description"] = "testString" + + model := make(map[string]interface{}) + model["restrict_create_service_id"] = "NOT_SET" + model["restrict_create_platform_apikey"] = "NOT_SET" + model["allowed_ip_addresses"] = "testString" + model["mfa"] = "NONE" + model["user_mfa"] = []map[string]interface{}{effectiveAccountSettingsUserMfaModel} + model["session_expiration_in_seconds"] = "86400" + model["session_invalidation_in_seconds"] = "7200" + model["max_sessions_per_identity"] = "testString" + model["system_access_token_expiration_in_seconds"] = "3600" + model["system_refresh_token_expiration_in_seconds"] = "259200" + + assert.Equal(t, result, model) + } + + effectiveAccountSettingsUserMfaModel := new(iamidentityv1.EffectiveAccountSettingsUserMfa) + effectiveAccountSettingsUserMfaModel.IamID = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Mfa = core.StringPtr("NONE") + effectiveAccountSettingsUserMfaModel.Name = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.UserName = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Email = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Description = core.StringPtr("testString") + + model := new(iamidentityv1.AccountSettingsEffectiveSection) + model.RestrictCreateServiceID = core.StringPtr("NOT_SET") + model.RestrictCreatePlatformApikey = core.StringPtr("NOT_SET") + model.AllowedIPAddresses = core.StringPtr("testString") + model.Mfa = core.StringPtr("NONE") + model.UserMfa = []iamidentityv1.EffectiveAccountSettingsUserMfa{*effectiveAccountSettingsUserMfaModel} + model.SessionExpirationInSeconds = core.StringPtr("86400") + model.SessionInvalidationInSeconds = core.StringPtr("7200") + model.MaxSessionsPerIdentity = core.StringPtr("testString") + model.SystemAccessTokenExpirationInSeconds = core.StringPtr("3600") + model.SystemRefreshTokenExpirationInSeconds = core.StringPtr("259200") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsAccountSettingsEffectiveSectionToMap(model) + assert.Nil(t, err) + checkResult(result) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + model := make(map[string]interface{}) + model["iam_id"] = "testString" + model["mfa"] = "NONE" + model["name"] = "testString" + model["user_name"] = "testString" + model["email"] = "testString" + model["description"] = "testString" + + assert.Equal(t, result, model) + } + + model := new(iamidentityv1.EffectiveAccountSettingsUserMfa) + model.IamID = core.StringPtr("testString") + model.Mfa = core.StringPtr("NONE") + model.Name = core.StringPtr("testString") + model.UserName = core.StringPtr("testString") + model.Email = core.StringPtr("testString") + model.Description = core.StringPtr("testString") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsEffectiveAccountSettingsUserMfaToMap(model) + assert.Nil(t, err) + checkResult(result) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsAccountSettingsAccountSectionToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + effectiveAccountSettingsUserMfaModel := make(map[string]interface{}) + effectiveAccountSettingsUserMfaModel["iam_id"] = "testString" + effectiveAccountSettingsUserMfaModel["mfa"] = "NONE" + effectiveAccountSettingsUserMfaModel["name"] = "testString" + effectiveAccountSettingsUserMfaModel["user_name"] = "testString" + effectiveAccountSettingsUserMfaModel["email"] = "testString" + effectiveAccountSettingsUserMfaModel["description"] = "testString" + + enityHistoryRecordModel := make(map[string]interface{}) + enityHistoryRecordModel["timestamp"] = "testString" + enityHistoryRecordModel["iam_id"] = "testString" + enityHistoryRecordModel["iam_id_account"] = "testString" + enityHistoryRecordModel["action"] = "testString" + enityHistoryRecordModel["params"] = []string{"testString"} + enityHistoryRecordModel["message"] = "testString" + + model := make(map[string]interface{}) + model["account_id"] = "testString" + model["restrict_create_service_id"] = "NOT_SET" + model["restrict_create_platform_apikey"] = "NOT_SET" + model["allowed_ip_addresses"] = "testString" + model["mfa"] = "NONE" + model["user_mfa"] = []map[string]interface{}{effectiveAccountSettingsUserMfaModel} + model["history"] = []map[string]interface{}{enityHistoryRecordModel} + model["session_expiration_in_seconds"] = "86400" + model["session_invalidation_in_seconds"] = "7200" + model["max_sessions_per_identity"] = "testString" + model["system_access_token_expiration_in_seconds"] = "3600" + model["system_refresh_token_expiration_in_seconds"] = "259200" + + assert.Equal(t, result, model) + } + + effectiveAccountSettingsUserMfaModel := new(iamidentityv1.EffectiveAccountSettingsUserMfa) + effectiveAccountSettingsUserMfaModel.IamID = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Mfa = core.StringPtr("NONE") + effectiveAccountSettingsUserMfaModel.Name = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.UserName = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Email = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Description = core.StringPtr("testString") + + enityHistoryRecordModel := new(iamidentityv1.EnityHistoryRecord) + enityHistoryRecordModel.Timestamp = core.StringPtr("testString") + enityHistoryRecordModel.IamID = core.StringPtr("testString") + enityHistoryRecordModel.IamIDAccount = core.StringPtr("testString") + enityHistoryRecordModel.Action = core.StringPtr("testString") + enityHistoryRecordModel.Params = []string{"testString"} + enityHistoryRecordModel.Message = core.StringPtr("testString") + + model := new(iamidentityv1.AccountSettingsAccountSection) + model.AccountID = core.StringPtr("testString") + model.RestrictCreateServiceID = core.StringPtr("NOT_SET") + model.RestrictCreatePlatformApikey = core.StringPtr("NOT_SET") + model.AllowedIPAddresses = core.StringPtr("testString") + model.Mfa = core.StringPtr("NONE") + model.UserMfa = []iamidentityv1.EffectiveAccountSettingsUserMfa{*effectiveAccountSettingsUserMfaModel} + model.History = []iamidentityv1.EnityHistoryRecord{*enityHistoryRecordModel} + model.SessionExpirationInSeconds = core.StringPtr("86400") + model.SessionInvalidationInSeconds = core.StringPtr("7200") + model.MaxSessionsPerIdentity = core.StringPtr("testString") + model.SystemAccessTokenExpirationInSeconds = core.StringPtr("3600") + model.SystemRefreshTokenExpirationInSeconds = core.StringPtr("259200") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAccountSectionToMap(model) + assert.Nil(t, err) + checkResult(result) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsEnityHistoryRecordToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + model := make(map[string]interface{}) + model["timestamp"] = "testString" + model["iam_id"] = "testString" + model["iam_id_account"] = "testString" + model["action"] = "testString" + model["params"] = []string{"testString"} + model["message"] = "testString" + + assert.Equal(t, result, model) + } + + model := new(iamidentityv1.EnityHistoryRecord) + model.Timestamp = core.StringPtr("testString") + model.IamID = core.StringPtr("testString") + model.IamIDAccount = core.StringPtr("testString") + model.Action = core.StringPtr("testString") + model.Params = []string{"testString"} + model.Message = core.StringPtr("testString") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsEnityHistoryRecordToMap(model) + assert.Nil(t, err) + checkResult(result) +} + +func TestDataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSectionToMap(t *testing.T) { + checkResult := func(result map[string]interface{}) { + effectiveAccountSettingsUserMfaModel := make(map[string]interface{}) + effectiveAccountSettingsUserMfaModel["iam_id"] = "testString" + effectiveAccountSettingsUserMfaModel["mfa"] = "NONE" + effectiveAccountSettingsUserMfaModel["name"] = "testString" + effectiveAccountSettingsUserMfaModel["user_name"] = "testString" + effectiveAccountSettingsUserMfaModel["email"] = "testString" + effectiveAccountSettingsUserMfaModel["description"] = "testString" + + model := make(map[string]interface{}) + model["template_id"] = "testString" + model["template_version"] = int(26) + model["template_name"] = "testString" + model["restrict_create_service_id"] = "NOT_SET" + model["restrict_create_platform_apikey"] = "NOT_SET" + model["allowed_ip_addresses"] = "testString" + model["mfa"] = "NONE" + model["user_mfa"] = []map[string]interface{}{effectiveAccountSettingsUserMfaModel} + model["session_expiration_in_seconds"] = "86400" + model["session_invalidation_in_seconds"] = "7200" + model["max_sessions_per_identity"] = "testString" + model["system_access_token_expiration_in_seconds"] = "3600" + model["system_refresh_token_expiration_in_seconds"] = "259200" + + assert.Equal(t, result, model) + } + + effectiveAccountSettingsUserMfaModel := new(iamidentityv1.EffectiveAccountSettingsUserMfa) + effectiveAccountSettingsUserMfaModel.IamID = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Mfa = core.StringPtr("NONE") + effectiveAccountSettingsUserMfaModel.Name = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.UserName = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Email = core.StringPtr("testString") + effectiveAccountSettingsUserMfaModel.Description = core.StringPtr("testString") + + model := new(iamidentityv1.AccountSettingsAssignedTemplatesSection) + model.TemplateID = core.StringPtr("testString") + model.TemplateVersion = core.Int64Ptr(int64(26)) + model.TemplateName = core.StringPtr("testString") + model.RestrictCreateServiceID = core.StringPtr("NOT_SET") + model.RestrictCreatePlatformApikey = core.StringPtr("NOT_SET") + model.AllowedIPAddresses = core.StringPtr("testString") + model.Mfa = core.StringPtr("NONE") + model.UserMfa = []iamidentityv1.EffectiveAccountSettingsUserMfa{*effectiveAccountSettingsUserMfaModel} + model.SessionExpirationInSeconds = core.StringPtr("86400") + model.SessionInvalidationInSeconds = core.StringPtr("7200") + model.MaxSessionsPerIdentity = core.StringPtr("testString") + model.SystemAccessTokenExpirationInSeconds = core.StringPtr("3600") + model.SystemRefreshTokenExpirationInSeconds = core.StringPtr("259200") + + result, err := iamidentity.DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSectionToMap(model) + assert.Nil(t, err) + checkResult(result) +} diff --git a/website/docs/d/iam_effective_account_settings.html.markdown b/website/docs/d/iam_effective_account_settings.html.markdown new file mode 100644 index 0000000000..03c39018f4 --- /dev/null +++ b/website/docs/d/iam_effective_account_settings.html.markdown @@ -0,0 +1,142 @@ +--- +layout: "ibm" +page_title: "IBM : ibm_iam_effective_account_settings" +description: |- + Get information about iam_effective_account_settings +subcategory: "IAM Identity Services" +--- + +# ibm_iam_effective_account_settings + +Provides a read-only data source to retrieve information about iam_effective_account_settings. You can then reference the fields of the data source in other resources within the same configuration by using interpolation syntax. + +## Example Usage + +```hcl +data "ibm_iam_effective_account_settings" "iam_effective_account_settings" { + account_id = "account_id" +} +``` + +## Argument Reference + +You can specify the following arguments for this data source. + +* `account_id` - (Required, Forces new resource, String) Unique ID of the account. +* `include_history` - (Optional, Boolean) Defines if the entity history is included in the response. + * Constraints: The default value is `false`. +* `resolve_user_mfa` - (Optional, Boolean) Enrich MFA exemptions with user information. + * Constraints: The default value is `false`. + +## Attribute Reference + +After your data source is created, you can read values from the following attributes. + +* `id` - The unique identifier of the iam_effective_account_settings. +* `account` - (List) +Nested schema for **account**: + * `account_id` - (String) Unique ID of the account. + * `allowed_ip_addresses` - (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account. + * `history` - (List) History of the Account Settings. + Nested schema for **history**: + * `action` - (String) Action of the history entry. + * `iam_id` - (String) IAM ID of the identity which triggered the action. + * `iam_id_account` - (String) Account of the identity which triggered the action. + * `message` - (String) Message which summarizes the executed action. + * `params` - (List) Params of the history entry. + * `timestamp` - (String) Timestamp when the action was triggered. + * `max_sessions_per_identity` - (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `restrict_create_platform_apikey` - (String) Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `restrict_create_service_id` - (String) Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `session_expiration_in_seconds` - (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `86400`. + * `session_invalidation_in_seconds` - (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `7200`. + * `system_access_token_expiration_in_seconds` - (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `3600`. + * `system_refresh_token_expiration_in_seconds` - (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `259200`. + * `user_mfa` - (List) List of users that are exempted from the MFA requirement of the account. + Nested schema for **user_mfa**: + * `description` - (String) optional description. + * `email` - (String) email of the user. + * `iam_id` - (String) The iam_id of the user. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `name` - (String) name of the user account. + * `user_name` - (String) userName of the user. +* `assigned_templates` - (List) assigned template section. +Nested schema for **assigned_templates**: + * `allowed_ip_addresses` - (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account. + * `max_sessions_per_identity` - (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `restrict_create_platform_apikey` - (String) Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `restrict_create_service_id` - (String) Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `session_expiration_in_seconds` - (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `86400`. + * `session_invalidation_in_seconds` - (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `7200`. + * `system_access_token_expiration_in_seconds` - (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `3600`. + * `system_refresh_token_expiration_in_seconds` - (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `259200`. + * `template_id` - (String) Template Id. + * `template_name` - (String) Template name. + * `template_version` - (Integer) Template version. + * `user_mfa` - (List) List of users that are exempted from the MFA requirement of the account. + Nested schema for **user_mfa**: + * `description` - (String) optional description. + * `email` - (String) email of the user. + * `iam_id` - (String) The iam_id of the user. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `name` - (String) name of the user account. + * `user_name` - (String) userName of the user. +* `context` - (List) Context with key properties for problem determination. +Nested schema for **context**: + * `cluster_name` - (String) The cluster name. + * `elapsed_time` - (String) The elapsed time in msec. + * `end_time` - (String) The finish time of the request. + * `host` - (String) The host of the server instance processing the request. + * `instance_id` - (String) The instance ID of the server instance processing the request. + * `operation` - (String) The operation of the inbound REST request. + * `start_time` - (String) The start time of the request. + * `thread_id` - (String) The thread ID of the server instance processing the request. + * `transaction_id` - (String) The transaction ID of the inbound REST request. + * `url` - (String) The URL of that cluster. + * `user_agent` - (String) The user agent of the inbound REST request. +* `effective` - (List) +Nested schema for **effective**: + * `allowed_ip_addresses` - (String) Defines the IP addresses and subnets from which IAM tokens can be created for the account. + * `max_sessions_per_identity` - (String) Defines the max allowed sessions per identity required by the account. Valid values: * Any whole number greater than 0 * NOT_SET - To unset account setting and use service default. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `restrict_create_platform_apikey` - (String) Defines whether or not creating platform API keys is access controlled. Valid values: * RESTRICTED - to apply access control * NOT_RESTRICTED - to remove access control * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `restrict_create_service_id` - (String) Defines whether or not creating a service ID is access controlled. Valid values: * RESTRICTED - only users assigned the 'Service ID creator' role on the IAM Identity Service can create service IDs, including the account owner * NOT_RESTRICTED - all members of an account can create service IDs * NOT_SET - to 'unset' a previous set value. + * Constraints: The default value is `NOT_SET`. Allowable values are: `RESTRICTED`, `NOT_RESTRICTED`, `NOT_SET`. + * `session_expiration_in_seconds` - (String) Defines the session expiration in seconds for the account. Valid values: * Any whole number between between '900' and '86400' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `86400`. + * `session_invalidation_in_seconds` - (String) Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values: * Any whole number between '900' and '7200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `7200`. + * `system_access_token_expiration_in_seconds` - (String) Defines the access token expiration in seconds. Valid values: * Any whole number between '900' and '3600' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `3600`. + * `system_refresh_token_expiration_in_seconds` - (String) Defines the refresh token expiration in seconds. Valid values: * Any whole number between '900' and '259200' * NOT_SET - To unset account setting and use service default. + * Constraints: The default value is `259200`. + * `user_mfa` - (List) List of users that are exempted from the MFA requirement of the account. + Nested schema for **user_mfa**: + * `description` - (String) optional description. + * `email` - (String) email of the user. + * `iam_id` - (String) The iam_id of the user. + * `mfa` - (String) Defines the MFA requirement for the user. Valid values: * NONE - No MFA trait set * NONE_NO_ROPC- No MFA, disable CLI logins with only a password * TOTP - For all non-federated IBMId users * TOTP4ALL - For all users * LEVEL1 - Email-based MFA for all users * LEVEL2 - TOTP-based MFA for all users * LEVEL3 - U2F MFA for all users. + * Constraints: Allowable values are: `NONE`, `NONE_NO_ROPC`, `TOTP`, `TOTP4ALL`, `LEVEL1`, `LEVEL2`, `LEVEL3`. + * `name` - (String) name of the user account. + * `user_name` - (String) userName of the user. +