add optional service_group_id param support to policies and roles API

[Rajesh-Pirati]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes https://github.ibm.com/IAM/AM-issues/issues/645

Output from acceptance testing:

IAMUserPolicy with service_group_id

=== RUN   TestAccIBMIAMUSerPolicy_With_ServiceGroupID
--- PASS: TestAccIBMIAMUSerPolicy_With_ServiceGroupID (34.53s)
PASS

IAMServicePolicy

IAMAccessGroupPolicy

IAMTrustedPolicy

Tested from terraform CLI:
HTTP error 400 when service/serviceName and service_group_id passed.
configuration:

resource "ibm_iam_access_group_policy" "policy" {
    access_group_id = "AccessGroupId-c976b4a9-fdc9-4076-a553-e4afac9bd926"
    roles           = ["Service ID creator", "User API key creator", "VPN Administrator"]
    resource_attributes {
         name     = "service_group_id"
         operator = "stringEquals"
         value    = "IAM"
     }
    resource_attributes {
         name     = "serviceName"
         operator = "stringEquals"
         value    = "messagehub"
}
}

output:

ibm_iam_access_group_policy.policy: Creating...
╷
│ Error: The following params are mutually exclusive: service_name, service_group_id

policy with service/serviceName:

resource "ibm_iam_access_group_policy" "policy" {
    access_group_id    = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx"
    account_management = false
    id                 = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx/23557585-488a-4424-8223-19c97fbf0961"
    roles              = [
        "Service ID creator",
        "User API key creator",
    ]
    transaction_id     = "331bc3f19c324f0d8de63ade7e6c32d1"
    version            = "1-49276954966d549552c0f4dbd9208456"

    resources {
        service = "iam-identity"
    }
}

policy with service/serviceName and service specific roles

resource "ibm_iam_access_group_policy" "policy" {
    access_group_id    = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx"
    account_management = false
    id                 = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx/fb6f555a-225e-4b79-803e-648d04a707ce"
    roles              = [
        "KeyPurge",
        "ReaderPlus",
    ]
    transaction_id     = "bbe68039caea41399c480ca1c421d606"
    version            = "1-1f55ade8a5da1c4f9370130866f35b57"

    resource_attributes {
        name     = "serviceName"
        operator = "stringEquals"
        value    = "kms"
    }
}

policy with service_group_id

resource "ibm_iam_access_group_policy" "policy" {
    access_group_id    = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx"
    account_management = false
    id                 = "AccessGroupId-xxx-xxx-xxx-xxxxx-xxxxxx/80d432f7-bb96-4001-a362-ccbcaf46176e"
    roles              = [
        "User API key creator",
        "Service ID creator",
    ]
    transaction_id     = "a1c8156298c9479da2b5c812da8a030e"
    version            = "1-4fd40f8a8d10620f3253963a39f2c2e9"

    resource_attributes {
        name     = "service_group_id"
        operator = "stringEquals"
        value    = "IAM"
    }
}

[swcolley]

This looks good to me.

[hkantare]

why we changed exisiting testcase can we add new testcase for "service_group_id" for this new feature.
Don't modify exisitng testcases we will not have testcase support for old features

[Rajesh-Pirati]

DataSource testcases results :
User Policy

AccessGroup

ServiceID

TrustedProfileID