add optional service_group_id param support to policies and roles API

ibm/flex/structures.go

@@ -1385,6 +1385,7 @@ func GetV2PolicyCustomAttributes(r iampolicymanagementv1.V2PolicyResource) []iam
 		case "serviceType":
 		case "serviceName":
 		case "serviceInstance":
+		case "service_group_id":
 		default:
 			attributes = append(attributes, a)
 		}
@@ -1463,6 +1464,7 @@ func FlattenV2PolicyResource(resource iampolicymanagementv1.V2PolicyResource) []
 		"resource":             GetV2PolicyResourceAttribute("resource", resource),
 		"resource_group_id":    GetV2PolicyResourceAttribute("resourceGroupId", resource),
 		"service_type":         GetV2PolicyResourceAttribute("serviceType", resource),
+		"service_group_id":     GetV2PolicyResourceAttribute("service_group_id", resource),
 	}
 	customAttributes := GetV2PolicyCustomAttributes(resource)
 
@@ -3461,35 +3463,51 @@ func GetRoleNamesFromPolicyResponse(policy iampolicymanagementv1.V2Policy, d *sc
 		return []string{}, err
 	}
 
-	var serviceToQuery string
-	var resourceType string
+	var (
+		serviceName    string
+		resourceType   string
+		serviceGroupID string
+	)
 
 	for _, a := range resourceAttributes {
 		if *a.Key == "serviceName" &&
 			(*a.Operator == "stringMatch" ||
 				*a.Operator == "stringEquals") {
-			serviceToQuery = a.Value.(string)
+			serviceName = a.Value.(string)
 		}
 		if *a.Key == "resourceType" &&
 			(*a.Operator == "stringMatch" ||
 				*a.Operator == "stringEquals") {
 			resourceType = a.Value.(string)
 		}
+		if *a.Key == "service_group_id" &&
+			(*a.Operator == "stringMatch" ||
+				*a.Operator == "stringEquals") {
+			serviceGroupID = a.Value.(string)
+		}
+	}
+
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
 	}
 
 	var isAccountManagementPolicy bool
 	if accountManagement, ok := d.GetOk("account_management"); ok {
 		isAccountManagementPolicy = accountManagement.(bool)
 	}
-	if serviceToQuery == "" && // no specific service specified
+	if serviceName == "" && // no specific service specified
 		!isAccountManagementPolicy && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" {
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
 
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
@@ -3514,6 +3532,7 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 
 	var serviceName string
 	var resourceType string
+	var serviceGroupID string
 	resourceAttributes := []iampolicymanagementv1.ResourceAttribute{}
 
 	if res, ok := d.GetOk("resources"); ok {
@@ -3533,6 +3552,18 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 				}
 			}
 
+			if r, ok := r["service_group_id"]; ok && r != nil {
+				serviceGroupID = r.(string)
+				if r.(string) != "" {
+					resourceAttr := iampolicymanagementv1.ResourceAttribute{
+						Name:     core.StringPtr("service_group_id"),
+						Value:    core.StringPtr(r.(string)),
+						Operator: core.StringPtr("stringEquals"),
+					}
+					resourceAttributes = append(resourceAttributes, resourceAttr)
+				}
+			}
+
 			if r, ok := r["resource_instance_id"]; ok {
 				if r.(string) != "" {
 					resourceAttr := iampolicymanagementv1.ResourceAttribute{
@@ -3615,6 +3646,9 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 			if name == "serviceName" {
 				serviceName = value
 			}
+			if name == "service_group_id" {
+				serviceGroupID = value
+			}
 			at := iampolicymanagementv1.ResourceAttribute{
 				Name:     &name,
 				Value:    &value,
@@ -3659,17 +3693,20 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 		return iampolicymanagementv1.CreatePolicyOptions{}, err
 	}
 
-	serviceToQuery := serviceName
-
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
+	}
 	if serviceName == "" && // no specific service specified
 		!d.Get("account_management").(bool) && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" { // service_group_id and service is mutually exclusive
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
-
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
@@ -3690,6 +3727,7 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 
 	var serviceName string
 	var resourceType string
+	var serviceGroupID string
 	resourceAttributes := []iampolicymanagementv1.V2PolicyResourceAttribute{}
 
 	if res, ok := d.GetOk("resources"); ok {
@@ -3709,6 +3747,18 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 				}
 			}
 
+			if r, ok := r["service_group_id"]; ok && r != nil {
+				serviceGroupID = r.(string)
+				if r.(string) != "" {
+					resourceAttr := iampolicymanagementv1.V2PolicyResourceAttribute{
+						Key:      core.StringPtr("service_group_id"),
+						Value:    core.StringPtr(r.(string)),
+						Operator: core.StringPtr("stringEquals"),
+					}
+					resourceAttributes = append(resourceAttributes, resourceAttr)
+				}
+			}
+
 			if r, ok := r["resource_instance_id"]; ok {
 				if r.(string) != "" {
 					resourceAttr := iampolicymanagementv1.V2PolicyResourceAttribute{
@@ -3791,6 +3841,9 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 			if name == "serviceName" {
 				serviceName = value
 			}
+			if name == "service_group_id" {
+				serviceGroupID = value
+			}
 			at := iampolicymanagementv1.V2PolicyResourceAttribute{
 				Key:      &name,
 				Value:    &value,
@@ -3835,17 +3888,23 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 		return iampolicymanagementv1.CreateV2PolicyOptions{}, err
 	}
 
-	serviceToQuery := serviceName
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
+	}
 
 	if serviceName == "" && // no specific service specified
 		!d.Get("account_management").(bool) && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" {
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
 
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)

ibm/service/iampolicy/data_source_ibm_iam_access_group_policy.go

@@ -94,6 +94,11 @@ func DataSourceIBMIAMAccessGroupPolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

ibm/service/iampolicy/data_source_ibm_iam_access_group_policy_test.go

@@ -98,6 +98,23 @@ func TestAccIBMIAMAccessGroupPolicyDataSource_Time_Based_Conditions_Custom(t *te
 	})
 }
 
+func TestAccIBMIAMAccessGroupPolicyDataSource_ServiceGroupID(t *testing.T) {
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { acc.TestAccPreCheck(t) },
+		Providers: acc.TestAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAccessGroupPolicyDataSourceServiceGroupID(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.ibm_iam_access_group_policy.testacc_ds_access_group_policy", "policies.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckIBMIAMAccessGroupPolicyDataSourceConfig(name string) string {
 	return fmt.Sprintf(`
 
@@ -269,3 +286,42 @@ func testAccCheckIBMIAMAccessGroupPolicyDataSourceTimeBasedCustom(name string) s
 	}
 	`, name)
 }
+
+func testAccCheckIBMIAMAccessGroupPolicyDataSourceServiceGroupID(name string) string {
+	return fmt.Sprintf(`
+
+
+	resource "ibm_iam_access_group" "accgrp" {
+		name = "%s"
+	}
+
+	resource "ibm_iam_access_group_policy" "policy" {
+		access_group_id = ibm_iam_access_group.accgrp.id
+		roles  = ["Service ID creator", "User API key creator", "Viewer"]
+		resources {
+			service_group_id = "IAM"
+		}
+		rule_conditions {
+			key = "{{environment.attributes.day_of_week}}"
+			operator = "dayOfWeekAnyOf"
+			value = ["1+00:00","2+00:00","3+00:00","4+00:00"]
+		}
+		rule_conditions {
+			key = "{{environment.attributes.current_time}}"
+			operator = "timeGreaterThanOrEquals"
+			value = ["09:00:00+00:00"]
+		}
+		rule_conditions {
+			key = "{{environment.attributes.current_time}}"
+			operator = "timeLessThanOrEquals"
+			value = ["17:00:00+00:00"]
+		}
+		rule_operator = "and"
+		pattern = "time-based-conditions:weekly:custom-hours"
+		}
+
+	data "ibm_iam_access_group_policy" "testacc_ds_access_group_policy" {
+		access_group_id = ibm_iam_access_group_policy.policy.access_group_id
+	}
+	`, name)
+}

ibm/service/iampolicy/data_source_ibm_iam_service_policy.go

@@ -103,6 +103,11 @@ func DataSourceIBMIAMServicePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

ibm/service/iampolicy/data_source_ibm_iam_service_policy_test.go

@@ -98,6 +98,23 @@ func TestAccIBMIAMServicePolicyDataSource_Time_Based_Conditions_Custom(t *testin
 	})
 }
 
+func TestAccIBMIAMServicePolicyDataSource_ServiceGroupID(t *testing.T) {
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { acc.TestAccPreCheck(t) },
+		Providers: acc.TestAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMServicePolicyDataSourceServiceGroupID(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.ibm_iam_service_policy.testacc_ds_service_policy", "policies.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckIBMIAMServicePolicyDataSourceConfig(name string) string {
 	return fmt.Sprintf(`
 
@@ -273,3 +290,43 @@ func testAccCheckIBMIAMServicePolicyDataSourceTimeBasedCustom(name string) strin
 	}
 	`, name)
 }
+
+func testAccCheckIBMIAMServicePolicyDataSourceServiceGroupID(name string) string {
+	return fmt.Sprintf(`
+
+
+	resource "ibm_iam_service_id" "serviceID" {
+		name        = "%s"
+		description = "Service ID for test"
+	}
+
+	resource "ibm_iam_service_policy" "policy" {
+		iam_service_id = ibm_iam_service_id.serviceID.id
+		roles  = ["Viewer"]
+		resources {
+			service_group_id = "IAM"
+		}
+		rule_conditions {
+			key = "{{environment.attributes.day_of_week}}"
+			operator = "dayOfWeekAnyOf"
+			value = ["1+00:00","2+00:00","3+00:00","4+00:00"]
+		}
+		rule_conditions {
+			key = "{{environment.attributes.current_time}}"
+			operator = "timeGreaterThanOrEquals"
+			value = ["09:00:00+00:00"]
+		}
+		rule_conditions {
+			key = "{{environment.attributes.current_time}}"
+			operator = "timeLessThanOrEquals"
+			value = ["17:00:00+00:00"]
+		}
+		rule_operator = "and"
+		pattern = "time-based-conditions:weekly:custom-hours"
+		}
+
+	data "ibm_iam_service_policy" "testacc_ds_service_policy" {
+		iam_service_id = ibm_iam_service_policy.policy.iam_service_id
+	}
+	`, name)
+}

ibm/service/iampolicy/data_source_ibm_iam_trusted_profile_policy.go

@@ -103,6 +103,11 @@ func DataSourceIBMIAMTrustedProfilePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,