feat: Changed the policy_templates schema to allow user to choose exact attributes<br>- Removed the boolean onboard_all_account_groups and replaced it with account_group_ids_to_assign which allows consumers to pass a list of account IDs (or pass "all" for all account groups)<br>- Added workaround for IBM terraform provider bugs (#171)

Author: ocofaigh

examples/tp-template/main.tf

@@ -39,8 +39,17 @@ module "trusted_profile_template" {
       name        = "${var.prefix}-cos-reader-access"
       description = "COS reader access"
       roles       = ["Reader"]
-      service     = "service"
+      attributes = [{
+        key      = "serviceName"
+        value    = "cloud-object-storage"
+        operator = "stringEquals"
+        },
+        {
+          key      = "serviceInstance"
+          value    = module.cos.cos_instance_guid
+          operator = "stringEquals"
+      }]
     }
   ]
-  onboard_all_account_groups = false # Set this to true to add the template to all account groups. Support for selecting specific groups is coming in https://github.com/terraform-ibm-modules/terraform-ibm-trusted-profile/issues/163
+  account_group_ids_to_assign = var.account_group_ids_to_assign
 }

examples/tp-template/variables.tf

@@ -20,3 +20,10 @@ variable "resource_group" {
   description = "An existing resource group name to use for this example, if unset a new resource group will be created"
   default     = null
 }
+
+variable "account_group_ids_to_assign" {
+  type        = list(string)
+  default     = ["all"]
+  description = "A list of account group IDs to assign the template to. Support passing the string 'all' in the list to assign to all account groups."
+  nullable    = false
+}

modules/trusted-profile-template/README.md

@@ -21,13 +21,26 @@ module "trusted_profile_template" {
       name        = "identity-access"
       description = "Policy template for identity services"
       roles       = ["Viewer", "Reader"]
-      service     = "service"
+      attributes = [{
+        key      = "serviceName"
+        value    = "cloud-object-storage"
+        operator = "stringEquals"
+        },
+        {
+          key      = "serviceInstance"
+          value    = "xxxXXXxxxXXXxxxXXX"
+          operator = "stringEquals"
+      }]
     },
     {
       name        = "platform-access"
       description = "Policy template for platform services"
       roles       = ["Viewer", "Service Configuration Reader"]
-      service     = "platform_service"
+      attributes  = [{
+        key      = "serviceType"
+        value    = "platform_service"
+        operator = "stringEquals"
+      }]
     }
   ]
 }
@@ -62,16 +75,17 @@ No modules.
 | [ibm_iam_policy_template.profile_template_policies](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_policy_template) | resource |
 | [ibm_iam_trusted_profile_template.trusted_profile_template_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_trusted_profile_template) | resource |
 | [ibm_iam_trusted_profile_template_assignment.account_settings_template_assignment_instance](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_trusted_profile_template_assignment) | resource |
+| [terraform_data.iam_policy_template_replacement](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [ibm_enterprise_account_groups.all_groups](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/enterprise_account_groups) | data source |
 | [ibm_enterprise_accounts.all_accounts](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/enterprise_accounts) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_group_ids_to_assign"></a> [account\_group\_ids\_to\_assign](#input\_account\_group\_ids\_to\_assign) | A list of account group IDs to assign the template to. Support passing the string 'all' in the list to assign to all account groups. | `list(string)` | <pre>[<br/>  "all"<br/>]</pre> | no |
 | <a name="input_identity_crn"></a> [identity\_crn](#input\_identity\_crn) | CRN of the identity | `string` | n/a | yes |
-| <a name="input_onboard_all_account_groups"></a> [onboard\_all\_account\_groups](#input\_onboard\_all\_account\_groups) | Whether to onboard all account groups to the template. | `bool` | `true` | no |
-| <a name="input_policy_templates"></a> [policy\_templates](#input\_policy\_templates) | List of IAM policy templates to create | <pre>list(object({<br/>    name        = string<br/>    description = string<br/>    roles       = list(string)<br/>    service     = string<br/>  }))</pre> | n/a | yes |
+| <a name="input_policy_templates"></a> [policy\_templates](#input\_policy\_templates) | List of IAM policy templates to create | <pre>list(object({<br/>    name        = string<br/>    description = string<br/>    roles       = list(string)<br/>    attributes = list(object({<br/>      key      = string<br/>      value    = string<br/>      operator = string<br/>    }))<br/>  }))</pre> | n/a | yes |
 | <a name="input_profile_description"></a> [profile\_description](#input\_profile\_description) | Description of the trusted profile inside the template | `string` | `null` | no |
 | <a name="input_profile_name"></a> [profile\_name](#input\_profile\_name) | Name of the trusted profile inside the template | `string` | n/a | yes |
 | <a name="input_template_description"></a> [template\_description](#input\_template\_description) | Description of the trusted profile template | `string` | `null` | no |

modules/trusted-profile-template/main.tf

@@ -3,7 +3,6 @@ resource "ibm_iam_policy_template" "profile_template_policies" {
     for pt in var.policy_templates :
     pt.name => pt
   }
-
   name      = each.value.name
   committed = true
 
@@ -12,15 +11,26 @@ resource "ibm_iam_policy_template" "profile_template_policies" {
     description = each.value.description
 
     resource {
-      attributes {
-        key      = "serviceType"
-        value    = each.value.service
-        operator = "stringEquals"
+      dynamic "attributes" {
+        for_each = each.value.attributes
+        content {
+          key      = attributes.value.key
+          value    = attributes.value.value
+          operator = attributes.value.operator
+        }
       }
     }
-
+    # TODO support tags (https://github.com/terraform-ibm-modules/terraform-ibm-trusted-profile/issues/164)
     roles = each.value.roles
   }
+  # Temp workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6213
+  lifecycle {
+    replace_triggered_by = [terraform_data.iam_policy_template_replacement]
+  }
+}
+
+resource "terraform_data" "iam_policy_template_replacement" {
+  input = var.policy_templates
 }
 
 resource "ibm_iam_trusted_profile_template" "trusted_profile_template_instance" {
@@ -49,6 +59,11 @@ resource "ibm_iam_trusted_profile_template" "trusted_profile_template_instance"
   }
 
   committed = true
+
+  # Temp workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6214
+  lifecycle {
+    replace_triggered_by = [terraform_data.iam_policy_template_replacement]
+  }
 }
 
 data "ibm_enterprise_accounts" "all_accounts" {}
@@ -65,14 +80,32 @@ locals {
     }
   ]
 
-  combined_targets = {
+  compared_list = flatten(
+    [
+      for group in local.group_targets :
+      [
+        for provided_group in var.account_group_ids_to_assign :
+        provided_group if group.id == provided_group
+      ]
+    ]
+  )
+
+  all_groups = length(var.account_group_ids_to_assign) > 0 ? var.account_group_ids_to_assign[0] == "all" ? true : false : false
+  # tflint-ignore: terraform_unused_declarations
+  validate_group_ids = !local.all_groups ? length(local.compared_list) != length(var.account_group_ids_to_assign) ? tobool("Could not find all of the groups listed in the 'account_group_ids_to_assign' value. Please verify all values are correct") : true : true
+
+  combined_targets = local.all_groups ? {
     for target in local.group_targets :
     "${target.type}-${target.id}" => target
+    } : {
+    for target in local.group_targets :
+    "${target.type}-${target.id}" => target if contains(var.account_group_ids_to_assign, target.id)
   }
+
 }
 
 resource "ibm_iam_trusted_profile_template_assignment" "account_settings_template_assignment_instance" {
-  for_each = var.onboard_all_account_groups ? local.combined_targets : {}
+  for_each = local.combined_targets
 
   template_id      = split("/", ibm_iam_trusted_profile_template.trusted_profile_template_instance.id)[0]
   template_version = ibm_iam_trusted_profile_template.trusted_profile_template_instance.version

modules/trusted-profile-template/variables.tf

@@ -16,16 +16,24 @@ variable "policy_templates" {
     name        = string
     description = string
     roles       = list(string)
-    service     = string
+    attributes = list(object({
+      key      = string
+      value    = string
+      operator = string
+    }))
   }))
 }
 
-# TODO: Add support to select which account groups to add trusted profile template to:
-#       https://github.com/terraform-ibm-modules/terraform-ibm-trusted-profile/issues/163
-variable "onboard_all_account_groups" {
-  type        = bool
-  default     = true
-  description = "Whether to onboard all account groups to the template."
+variable "account_group_ids_to_assign" {
+  type        = list(string)
+  default     = ["all"]
+  description = "A list of account group IDs to assign the template to. Support passing the string 'all' in the list to assign to all account groups."
+  nullable    = false
+
+  validation {
+    condition     = contains(var.account_group_ids_to_assign, "all") ? length(var.account_group_ids_to_assign) == 1 : true
+    error_message = "When specifying 'all' in the list, you cannot add any other values to the list"
+  }
 }
 
 variable "profile_name" {

tests/pr_test.go

@@ -29,6 +29,8 @@ func setupTemplateOptions(t *testing.T, prefix string, dir string) *testhelper.T
 	})
 	terraformVars := map[string]interface{}{
 		"prefix": options.Prefix,
+		// Workaround for provider bug https://github.com/IBM-Cloud/terraform-provider-ibm/issues/6216
+		"account_group_ids_to_assign": []string{},
 	}
 	options.TerraformVars = terraformVars
 	return options