IAM Access Group Module

Status: Graduated (Supported)

This module creates an IAM access group, adds members (IBM IDs, service IDs and trusted profiles) to it, defines the access group's policies, and adds dynamic rules to it. An access group bundles a set of IAM policies so that the same permissions can be granted to every member of the group rather than to each identity individually.

Overview

Usage

```hcl
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret
  region           = "us-south"
}

module "iam_service_access_group" {
  source            = "terraform-ibm-modules/terraform-ibm-iam-access-group"
  version           = "latest" # Replace "latest" with a release version to lock into a specific release
  access_group_name = "my-iam-access-group"
  dynamic_rules = {
    rule-name = {
      expiration        = 3
      identity_provider = "https://idp-test.example.org/SAML2"
      conditions = [{
        claim    = "my_claim"
        operator = "CONTAINS"
        value    = "my_test_value"
      }]
    }
  }
  policies = {
    my_policy_1 = {
      roles = ["Viewer"]
      tags  = ["iam-service-policy-1"]
    }
    my_policy_2 = {
      roles = ["Viewer"]
      tags  = ["iam-service-policy-2"]
    }
  }
  ibm_ids = ["your_ibm_id_email"]
}
```

Required IAM access policies

If an account has service ID creation blocked (which an FS Cloud compliant account will), you need to explicitly grant the "Service ID creator" role to users before they can grant access. For more information, see Creating and working with service IDs.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| ibm | >= 1.51.0, < 2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_iam_access_group.access_group | resource |
| ibm_iam_access_group_dynamic_rule.access_group_dynamic_rule | resource |
| ibm_iam_access_group_members.access_group_members | resource |
| ibm_iam_access_group_policy.policy | resource |
| ibm_iam_access_group.access_group_data | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_group_name | Name of the access group | `string` | n/a | yes |
| add_members | Enable this to add members to the access group | `bool` | `true` | no |
| description | Description of the access group | `string` | `null` | no |
| dynamic_rules | Map of dynamic rules, keyed by rule name | `map(object({ expiration = number, identity_provider = string, conditions = list(object({ claim = string, operator = string, value = string })) }))` | n/a | yes |
| ibm_ids | A list of IBM IDs that you want to add to the access group. | `list(string)` | `[]` | no |
| policies | Map of policies, keyed by policy name | `map(object({ roles = list(string), account_management = optional(bool), tags = set(string), resources = optional(list(object({ region = optional(string), attributes = optional(map(string)), service = optional(string), resource_instance_id = optional(string), resource_type = optional(string), resource = optional(string), resource_group_id = optional(string) }))), resource_attributes = optional(list(object({ name = string, value = string, operator = optional(string) }))) }))` | n/a | yes |
| provision | Whether to provision a new access group (`true`) or look up an existing access group with the given name (`false`) | `bool` | `true` | no |
| service_ids | A list of service IDs that you want to add to the access group. | `list(string)` | `[]` | no |
| tags | Tags that should be applied to the service | `list(string)` | `[]` | no |
| trusted_profile_ids | A list of trusted profile IDs that you want to add to the access group. | `list(string)` | `[]` | no |
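The Usage example above grants `Viewer` with no `resources` or `resource_attributes`, which in IBM Cloud IAM means the role applies to every IAM-enabled service in the account. The following is an added example, not code from the module's own documentation, that shows the same inputs used for least privilege: one policy scoped with `resources` to a single service in a single resource group, one policy expressing a scope with `resource_attributes` (using IBM IAM's `serviceName` and `resourceGroupId` attribute names), a trusted profile as a member so workloads need no long-lived API key, and `provision = false` to attach to an access group that already exists. The resource group ID, trusted profile ID, SAML claim name and claim value are placeholders.

```hcl
# Added example (not from the module README). The resource group ID, trusted
# profile ID and claim name/value are placeholders to be replaced.
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret
  region           = "us-south"
}

locals {
  # Placeholder: the resource group that scopes every policy below.
  resource_group_id = "00000000000000000000000000000000"
}

module "iam_scoped_access_group" {
  source            = "terraform-ibm-modules/terraform-ibm-iam-access-group"
  version           = "latest" # Replace "latest" with a release version to lock into a specific release
  access_group_name = "my-scoped-access-group"
  description       = "Read-only access to Cloud Object Storage in one resource group"
  provision         = false # Reuse an existing group of this name instead of creating one
  add_members       = true

  # Members: human users plus a trusted profile (placeholder ID) for workloads.
  ibm_ids             = ["your_ibm_id_email"]
  trusted_profile_ids = ["Profile-00000000-0000-0000-0000-000000000000"]

  policies = {
    # Scoped with `resources`: Viewer on Cloud Object Storage instances in one
    # resource group only, not on every service in the account.
    cos_viewer = {
      roles = ["Viewer"]
      tags  = ["least-privilege"]
      resources = [{
        service           = "cloud-object-storage"
        resource_group_id = local.resource_group_id
      }]
    }
    # Same intent expressed with `resource_attributes`; a policy uses either
    # `resources` or `resource_attributes`, not both.
    cos_viewer_by_attribute = {
      roles = ["Viewer"]
      tags  = ["least-privilege"]
      resource_attributes = [
        { name = "serviceName", value = "cloud-object-storage", operator = "stringEquals" },
        { name = "resourceGroupId", value = local.resource_group_id, operator = "stringEquals" },
      ]
    }
  }

  dynamic_rules = {
    # Federated users whose SAML "groups" claim contains "cloud-ops" join the
    # group on login; membership expires after 8 hours (placeholder claim).
    federated-ops = {
      expiration        = 8
      identity_provider = "https://idp-test.example.org/SAML2"
      conditions = [{
        claim    = "groups"
        operator = "CONTAINS"
        value    = "cloud-ops"
      }]
    }
  }
}
```

Keep `roles` to the least role that the group's task needs and always set a scope; a policy entry that lists only `roles` and `tags` is an account-wide grant.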

Outputs

| Name | Description |
|------|-------------|
| dynamic_rule_ids | List of access group dynamic rule IDs |
| id | The ID of the access group |
| member_id | The unique identifier of the access group members. |
| policy_ids | List of access group policy IDs |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.