diff --git a/terraform/iam/account-rg.tf b/terraform/iam/account-rg.tf
index 3b58798..11627ec 100644
--- a/terraform/iam/account-rg.tf
+++ b/terraform/iam/account-rg.tf
@@ -10,4 +10,9 @@ resource "ibm_resource_group" "group" {
 output "resource_group_name" {
 value = ibm_resource_group.group.name
-}
\ No newline at end of file
+}
+
+resource "ibm_resource_group" "rg-vmware-lab" {
+ name = "vmware-lab"
+ tags = var.tags
+}
diff --git a/terraform/iam/iam-ag-vmware-lab.tf b/terraform/iam/iam-ag-vmware-lab.tf
new file mode 100644
index 0000000..fba845b
--- /dev/null
+++ b/terraform/iam/iam-ag-vmware-lab.tf
@@ -0,0 +1,67 @@
+resource "ibm_iam_access_group" "ag-vmware-lab" {
+ name = "ag-vmware-lab"
+ tags = var.tags
+}
+
+# Add visibility to the Resource Group
+resource "ibm_iam_access_group_policy" "rg-vmware-lab-visibility" {
+ access_group_id = ibm_iam_access_group.ag-vmware-lab.id
+ roles = ["Viewer"]
+ resources {
+ resource_type = "resource-group"
+ resource = ibm_resource_group.rg-vmware-lab.id
+ }
+}
+
+# Service: VCF as a Service
+#
+# Platform Roles: Viewer
+# Service Roles: Reader, Viewer, VCFaaS Director Console User,
+# VCFaaS Director Backup User, VCFaaS Director Security Admin,
+# VCFaaS Director Network Admin, VCFaaS Director Catalog Author,
+# VCFaaS Director vApp User, VCFaaS Director vApp Author,
+# VCFaaS Director Full Viewer
+resource "ibm_iam_access_group_policy" "policy-vcf-vmware-all" {
+ access_group_id = ibm_iam_access_group.ag-vmware-lab.id
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = "vmware"
+ }
+ roles = ["Reader", "Viewer", "VCFaaS Director Console User", "VCFaaS Director Backup User", "VCFaaS Director Security Admin", "VCFaaS Director Network Admin", "VCFaaS Director Catalog Author", "VCFaaS Director vApp User", "VCFaaS Director vApp Author", "VCFaaS Director Full Viewer"]
+}
+
+# Service: VCF as a Service
+resource "ibm_iam_access_group_policy" "policy-vcf-vmware-rg" {
+ access_group_id = ibm_iam_access_group.ag-vmware-lab.id
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = "vmware"
+ }
+ resource_attributes {
+ name = "resourceGroupId"
+ operator = "stringEquals"
+ value = ibm_resource_group.rg-vmware-lab.id
+ }
+ roles = ["Viewer", "Administrator", "Editor", "Operator", "Service Configuration Reader", "Key Manager"]
+}
+
+# Service: VMware Solutions
+#
+# Platform Roles: Viewer
+# Service Roles: Reader
+resource "ibm_iam_access_group_policy" "policy-vmware-solutions" {
+ access_group_id = ibm_iam_access_group.ag-vmware-lab.id
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = "vmware-solutions"
+ }
+ resource_attributes {
+ name = "resourceGroupId"
+ operator = "stringEquals"
+ value = ibm_resource_group.rg-vmware-lab.id
+ }
+ roles = ["Viewer", "Reader"]
+}
diff --git a/terraform/iam/iam-users.tf b/terraform/iam/iam-users.tf
index 79ee65c..ec01448 100644
--- a/terraform/iam/iam-users.tf
+++ b/terraform/iam/iam-users.tf
@@ -1,6 +1,31 @@
 # invite the users in the account and attach them to their access group
-# resource "ibm_iam_user_invite" "invite_user" {
-# users = ["lionel.mace@gmail.com"]
-# access_groups = [ibm_iam_access_group.ag-test.id]
+resource "ibm_iam_user_invite" "invite_user" {
+ users = ["first.last@gmail.com"]
+ access_groups = [ibm_iam_access_group.ag-vmware-lab.id]
+}
+
+
+# Update the policies of existing users
+# Assign Access Group to an existing user
+resource "ibm_iam_access_group_members" "assign-vmware-ag-to-user" {
+ access_group_id = ibm_iam_access_group.ag-vmware-lab.id
+ ibm_ids = ["first.last@gmail.com"]
+}
+
+resource "ibm_iam_user_invite" "assign-existing-user-to-classic-infra" {
+ users = ["first.last@gmail.com"]
+ classic_infra_roles {
+ # permission_set = "superuser"
+ permission_set = "noacess"
+ }
+}
+
+# Not supported by Terraform yet
+# resource "ibm_iam_user_policy" "policy" {
+# ibm_ids = ["lionel.mace@gmail.com"]
+# classic_infra_roles {
+# # permission_set = "superuser"
+# permission_set = "noacess"
+# }
 # }
\ No newline at end of file
diff --git a/terraform/iam/provider.tf b/terraform/iam/provider.tf
index 645a50e..4b50c52 100644
--- a/terraform/iam/provider.tf
+++ b/terraform/iam/provider.tf
@@ -3,11 +3,11 @@
 ##############################################################################
 terraform {
- required_version = ">=1.5, < 1.6"
+ required_version = ">=1.6"
 required_providers {
 ibm = {
 source = "IBM-Cloud/ibm"
- version = "1.66.0"
+ version = "1.67.1"
 }
 }
 }
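Review bot: `policy-vcf-vmware-all` applies its VCFaaS roles — including Security Admin and Network Admin — to every `vmware` service instance in the account, because its only `resource_attributes` block matches `serviceName`; unlike `policy-vcf-vmware-rg` and `policy-vmware-solutions` it carries no `resourceGroupId` constraint, so the access group's reach is not limited to `rg-vmware-lab`. If account-wide scope is intentional, state it in the header comment (`# Scope: all VCFaaS instances in the account, deliberately not limited to rg-vmware-lab`); otherwise add the same `resourceGroupId` resource_attributes block the next policy uses so both VCFaaS policies share one boundary. `policy-vcf-vmware-rg` also grants Administrator, Editor, Operator and Key Manager but, unlike its two siblings, its header lists no roles; mirror the `# Platform Roles:` / `# Service Roles:` listing there so the administrative grants are visible at a glance.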
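Review bot: The same address is bound to `ag-vmware-lab` by two resources — `invite_user` through `access_groups` and `assign-vmware-ag-to-user` through `ibm_iam_access_group_members` — and `assign-existing-user-to-classic-infra` is a second `ibm_iam_user_invite` for that same user, so one invitation and one membership each have two Terraform owners; depending on provider behaviour, a change or destroy on either is likely to undo the other. Merge the `classic_infra_roles` block into `invite_user` and drop `assign-existing-user-to-classic-infra`, and keep either the invite's `access_groups` or the `ibm_iam_access_group_members` resource, not both. The literal `first.last@gmail.com` is repeated three times; hoisting it to a variable (name illustrative, e.g. `var.users`, with real values supplied from an uncommitted tfvars file) removes the drift and keeps personal addresses out of the repository — the commented-out block at the end of the new side still carries `lionel.mace@gmail.com`.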