IBM-Cloud · hkantare · Apr 10, 2023 · Mar 30, 2023 · Apr 5, 2023 · Apr 7, 2023
diff --git a/ibm/flex/structures.go b/ibm/flex/structures.go
@@ -1385,6 +1385,7 @@ func GetV2PolicyCustomAttributes(r iampolicymanagementv1.V2PolicyResource) []iam
 		case "serviceType":
 		case "serviceName":
 		case "serviceInstance":
+		case "service_group_id":
 		default:
 			attributes = append(attributes, a)
 		}
@@ -1463,6 +1464,7 @@ func FlattenV2PolicyResource(resource iampolicymanagementv1.V2PolicyResource) []
 		"resource":             GetV2PolicyResourceAttribute("resource", resource),
 		"resource_group_id":    GetV2PolicyResourceAttribute("resourceGroupId", resource),
 		"service_type":         GetV2PolicyResourceAttribute("serviceType", resource),
+		"service_group_id":     GetV2PolicyResourceAttribute("service_group_id", resource),
 	}
 	customAttributes := GetV2PolicyCustomAttributes(resource)
 
@@ -3461,35 +3463,51 @@ func GetRoleNamesFromPolicyResponse(policy iampolicymanagementv1.V2Policy, d *sc
 		return []string{}, err
 	}
 
-	var serviceToQuery string
-	var resourceType string
+	var (
+		serviceName    string
+		resourceType   string
+		serviceGroupID string
+	)
 
 	for _, a := range resourceAttributes {
 		if *a.Key == "serviceName" &&
 			(*a.Operator == "stringMatch" ||
 				*a.Operator == "stringEquals") {
-			serviceToQuery = a.Value.(string)
+			serviceName = a.Value.(string)
 		}
 		if *a.Key == "resourceType" &&
 			(*a.Operator == "stringMatch" ||
 				*a.Operator == "stringEquals") {
 			resourceType = a.Value.(string)
 		}
+		if *a.Key == "service_group_id" &&
+			(*a.Operator == "stringMatch" ||
+				*a.Operator == "stringEquals") {
+			serviceGroupID = a.Value.(string)
+		}
+	}
+
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
 	}
 
 	var isAccountManagementPolicy bool
 	if accountManagement, ok := d.GetOk("account_management"); ok {
 		isAccountManagementPolicy = accountManagement.(bool)
 	}
-	if serviceToQuery == "" && // no specific service specified
+	if serviceName == "" && // no specific service specified
 		!isAccountManagementPolicy && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" {
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
 
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
@@ -3514,6 +3532,7 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 
 	var serviceName string
 	var resourceType string
+	var serviceGroupID string
 	resourceAttributes := []iampolicymanagementv1.ResourceAttribute{}
 
 	if res, ok := d.GetOk("resources"); ok {
@@ -3533,6 +3552,18 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 				}
 			}
 
+			if r, ok := r["service_group_id"]; ok && r != nil {
+				serviceGroupID = r.(string)
+				if r.(string) != "" {
+					resourceAttr := iampolicymanagementv1.ResourceAttribute{
+						Name:     core.StringPtr("service_group_id"),
+						Value:    core.StringPtr(r.(string)),
+						Operator: core.StringPtr("stringEquals"),
+					}
+					resourceAttributes = append(resourceAttributes, resourceAttr)
+				}
+			}
+
 			if r, ok := r["resource_instance_id"]; ok {
 				if r.(string) != "" {
 					resourceAttr := iampolicymanagementv1.ResourceAttribute{
@@ -3615,6 +3646,9 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 			if name == "serviceName" {
 				serviceName = value
 			}
+			if name == "service_group_id" {
+				serviceGroupID = value
+			}
 			at := iampolicymanagementv1.ResourceAttribute{
 				Name:     &name,
 				Value:    &value,
@@ -3659,17 +3693,20 @@ func GeneratePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 		return iampolicymanagementv1.CreatePolicyOptions{}, err
 	}
 
-	serviceToQuery := serviceName
-
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
+	}
 	if serviceName == "" && // no specific service specified
 		!d.Get("account_management").(bool) && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" { // service_group_id and service is mutually exclusive
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
-
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
@@ -3690,6 +3727,7 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 
 	var serviceName string
 	var resourceType string
+	var serviceGroupID string
 	resourceAttributes := []iampolicymanagementv1.V2PolicyResourceAttribute{}
 
 	if res, ok := d.GetOk("resources"); ok {
@@ -3709,6 +3747,18 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 				}
 			}
 
+			if r, ok := r["service_group_id"]; ok && r != nil {
+				serviceGroupID = r.(string)
+				if r.(string) != "" {
+					resourceAttr := iampolicymanagementv1.V2PolicyResourceAttribute{
+						Key:      core.StringPtr("service_group_id"),
+						Value:    core.StringPtr(r.(string)),
+						Operator: core.StringPtr("stringEquals"),
+					}
+					resourceAttributes = append(resourceAttributes, resourceAttr)
+				}
+			}
+
 			if r, ok := r["resource_instance_id"]; ok {
 				if r.(string) != "" {
 					resourceAttr := iampolicymanagementv1.V2PolicyResourceAttribute{
@@ -3791,6 +3841,9 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 			if name == "serviceName" {
 				serviceName = value
 			}
+			if name == "service_group_id" {
+				serviceGroupID = value
+			}
 			at := iampolicymanagementv1.V2PolicyResourceAttribute{
 				Key:      &name,
 				Value:    &value,
@@ -3835,17 +3888,23 @@ func GenerateV2PolicyOptions(d *schema.ResourceData, meta interface{}) (iampolic
 		return iampolicymanagementv1.CreateV2PolicyOptions{}, err
 	}
 
-	serviceToQuery := serviceName
+	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
+		AccountID: &userDetails.UserAccount,
+	}
 
 	if serviceName == "" && // no specific service specified
 		!d.Get("account_management").(bool) && // not all account management services
-		resourceType != "resource-group" { // not to a resource group
-		serviceToQuery = "alliamserviceroles"
+		resourceType != "resource-group" && // not to a resource group
+		serviceGroupID == "" {
+		listRoleOptions.ServiceName = core.StringPtr("alliamserviceroles")
 	}
 
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.UserAccount,
-		ServiceName: &serviceToQuery,
+	if serviceName != "" {
+		listRoleOptions.ServiceName = &serviceName
+	}
+
+	if serviceGroupID != "" {
+		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_access_group_policy.go b/ibm/service/iampolicy/data_source_ibm_iam_access_group_policy.go
@@ -94,6 +94,11 @@ func DataSourceIBMIAMAccessGroupPolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_access_group_policy_test.go b/ibm/service/iampolicy/data_source_ibm_iam_access_group_policy_test.go
@@ -243,7 +243,7 @@ func testAccCheckIBMIAMAccessGroupPolicyDataSourceTimeBasedCustom(name string) s
 		access_group_id = ibm_iam_access_group.accgrp.id
 		roles  = ["Viewer"]
 		resources {
-			service = "kms"
+			service_group_id = "IAM"
 		}
 		rule_conditions {
 			key = "{{environment.attributes.day_of_week}}"

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_service_policy.go b/ibm/service/iampolicy/data_source_ibm_iam_service_policy.go
@@ -103,6 +103,11 @@ func DataSourceIBMIAMServicePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_service_policy_test.go b/ibm/service/iampolicy/data_source_ibm_iam_service_policy_test.go
@@ -247,7 +247,7 @@ func testAccCheckIBMIAMServicePolicyDataSourceTimeBasedCustom(name string) strin
 		iam_service_id = ibm_iam_service_id.serviceID.id
 		roles  = ["Viewer"]
 		resources {
-			service = "kms"
+			service_group_id = "IAM"
 		}
 		rule_conditions {
 			key = "{{environment.attributes.day_of_week}}"

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_trusted_profile_policy.go b/ibm/service/iampolicy/data_source_ibm_iam_trusted_profile_policy.go
@@ -103,6 +103,11 @@ func DataSourceIBMIAMTrustedProfilePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_trusted_profile_policy_test.go b/ibm/service/iampolicy/data_source_ibm_iam_trusted_profile_policy_test.go
@@ -244,7 +244,7 @@ func testAccCheckIBMIAMTrustedProfilePolicyDataSourceTimeBasedCustom(name string
 		profile_id = ibm_iam_trusted_profile.profileID.id
 		roles  = ["Viewer"]
 		resources {
-			service = "kms"
+			service_group_id = "IAM"
 		}
 		rule_conditions {
 			key = "{{environment.attributes.day_of_week}}"

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_user_policy.go b/ibm/service/iampolicy/data_source_ibm_iam_user_policy.go
@@ -91,6 +91,11 @@ func DataSourceIBMIAMUserPolicy() *schema.Resource {
 										Computed:    true,
 										Description: "Service type of the policy definition",
 									},
+									"service_group_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service group id of the policy definition",
+									},
 									"attributes": {
 										Type:        schema.TypeMap,
 										Computed:    true,

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_user_policy_test.go b/ibm/service/iampolicy/data_source_ibm_iam_user_policy_test.go
@@ -215,9 +215,9 @@ func testAccCheckIBMIAMUserPolicyDataSourceTimeBasedCustom() string {
 
 	resource "ibm_iam_user_policy" "policy" {
 		ibm_id = "%s"
-		roles  = ["Viewer"]
+		roles  = ["Service ID creator", "User API key creator", "Viewer"]
 		resources {
-			service = "kms"
+			service_group_id = "IAM"
 		}
 		rule_conditions {
 			key = "{{environment.attributes.day_of_week}}"

diff --git a/ibm/service/iampolicy/resource_ibm_iam_access_group_policy.go b/ibm/service/iampolicy/resource_ibm_iam_access_group_policy.go
@@ -102,6 +102,12 @@ func ResourceIBMIAMAccessGroupPolicy() *schema.Resource {
 							Description: "Service type of the policy definition",
 						},
 
+						"service_group_id": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service group id of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,

diff --git a/ibm/service/iampolicy/resource_ibm_iam_access_group_policy_test.go b/ibm/service/iampolicy/resource_ibm_iam_access_group_policy_test.go
@@ -484,6 +484,35 @@ func TestAccIBMIAMAccessGroupPolicy_With_Update_To_Time_Based_Conditions(t *test
 	})
 }
 
+func TestAccIBMIAMAccessGroupPolicy_With_ServiceGroupID(t *testing.T) {
+	var conf iampolicymanagementv1.V2Policy
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAccessGroupPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAccessGroupPolicyWithServiceGroupId(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAccessGroupPolicyExists("ibm_iam_access_group_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_access_group.accgrp", "name", name),
+					resource.TestCheckResourceAttr("ibm_iam_access_group_policy.policy", "resource_attributes.0.value", "IAM"),
+					resource.TestCheckResourceAttr("ibm_iam_access_group_policy.policy", "roles.#", "1"),
+				),
+			},
+			{
+				Config: testAccCheckIBMIAMAccessGroupPolicyUpdateWithServiceGroupId(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("ibm_iam_access_group.accgrp", "name", name),
+					resource.TestCheckResourceAttr("ibm_iam_access_group_policy.policy", "roles.#", "2"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckIBMIAMAccessGroupPolicyDestroy(s *terraform.State) error {
 	iamPolicyManagementClient, err := acc.TestAccProvider.Meta().(conns.ClientSession).IAMPolicyManagementV1API()
 	if err != nil {
@@ -1061,3 +1090,39 @@ func testAccCheckIBMIAMAccessGroupPolicyTimeBasedOnce(name string) string {
 		}
 	`, name)
 }
+
+func testAccCheckIBMIAMAccessGroupPolicyWithServiceGroupId(name string) string {
+	return fmt.Sprintf(`
+		resource "ibm_iam_access_group" "accgrp"  {
+			name = "%s"
+			}
+
+			resource "ibm_iam_access_group_policy" "policy" {
+			access_group_id = ibm_iam_access_group.accgrp.id
+			roles           = ["Service ID creator"]
+    		resource_attributes {
+         		name     = "service_group_id"
+         		operator = "stringEquals"
+         		value    = "IAM"
+			}
+		}
+	`, name)
+}
+
+func testAccCheckIBMIAMAccessGroupPolicyUpdateWithServiceGroupId(name string) string {
+	return fmt.Sprintf(`
+		resource "ibm_iam_access_group" "accgrp"  {
+			name = "%s"
+			}
+
+			resource "ibm_iam_access_group_policy" "policy" {
+			access_group_id = ibm_iam_access_group.accgrp.id
+			roles           = ["Service ID creator", "User API key creator"]
+    		resource_attributes {
+         		name     = "service_group_id"
+         		operator = "stringEquals"
+         		value    = "IAM"
+			}
+		}
+	`, name)
+}
diff --git a/ibm/service/iampolicy/resource_ibm_iam_service_policy.go b/ibm/service/iampolicy/resource_ibm_iam_service_policy.go
@@ -110,6 +110,12 @@ func ResourceIBMIAMServicePolicy() *schema.Resource {
 							Description: "Service type of the policy definition",
 						},
 
+						"service_group_id": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service group id of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,