IAM Identity: account settings

IBM-Cloud · Dec 13, 2022 · 4279736 · 4279736
1 parent 8c6a9ab
commit 4279736
Show file tree

Hide file tree

Showing 9 changed files with 277 additions and 28 deletions.
diff --git a/examples/ibm-iam_identity/main.tf b/examples/ibm-iam_identity/main.tf
@@ -2,12 +2,12 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
 }
 
-// Read iam_account_settings data source
-data "ibm_iam_account_settings" "iam_account_settings_source" {
-}
-
 // Provision iam_account_settings resource instance
 resource "ibm_iam_account_settings" "iam_account_settings_instance" {
-  mfa = "LEVEL3"
+  mfa = "NONE"
   restrict_create_service_id = "NOT_RESTRICTED"
+  user_mfa {
+    iam_id = "IBMid-123456789"
+    mfa = "NONE"
+  }
 }
diff --git a/examples/ibm-iam_identity/versions.tf b/examples/ibm-iam_identity/versions.tf
@@ -1,3 +1,8 @@
 terraform {
-  required_version = ">= 0.12"
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+      version = "1.47.1"
+    }
+  }
 }
diff --git a/go.sum b/go.sum
@@ -90,12 +90,8 @@ github.com/IBM/ibm-hpcs-uko-sdk v0.0.4 h1:B3FEq830k/B7HjQqvQubxmz8PxOUvKYD2ZypDq
 github.com/IBM/ibm-hpcs-uko-sdk v0.0.4/go.mod h1:MLVNHMYoKsvovJZ4v1gQCpIYtRDHTtoIHK6XztDZGsU=
 github.com/IBM/keyprotect-go-client v0.9.0 h1:UwbyEHcaGlmLNK7PW0qo9VlxneN+0/2zoGBubHzbtro=
 github.com/IBM/keyprotect-go-client v0.9.0/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
-github.com/IBM/networking-go-sdk v0.35.0 h1:K7LCXKVF+GhmF2EUaL3vfOvrR2FADb6tv3affXrlPbU=
-github.com/IBM/networking-go-sdk v0.35.0/go.mod h1:tDJtlySQC/txyejU9KeQ27Amc6xKH0MwHFE/B2+Sn5w=
 github.com/IBM/networking-go-sdk v0.36.0 h1:ADntTsRM8DMZOxS9TYGTAL6i0zw9V2L7OeLFd9Czntk=
 github.com/IBM/networking-go-sdk v0.36.0/go.mod h1:tDJtlySQC/txyejU9KeQ27Amc6xKH0MwHFE/B2+Sn5w=
-github.com/IBM/platform-services-go-sdk v0.29.2 h1:eZ5hFVQrVDUxiGztsX7Cz2DmiF3tFSqTe1Ew/lkCSOM=
-github.com/IBM/platform-services-go-sdk v0.29.2/go.mod h1:jy0Ahvj5Gkkua3Gd7t22bo0GfmHRQaPZcaqwfVgEY7k=
 github.com/IBM/platform-services-go-sdk v0.31.0 h1:XRSGejb/uMqNi2C5F28Q8x4jmVyXlRRE8cJCSwXBsPU=
 github.com/IBM/platform-services-go-sdk v0.31.0/go.mod h1:jy0Ahvj5Gkkua3Gd7t22bo0GfmHRQaPZcaqwfVgEY7k=
 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 h1:NPUhkoOCRuv3OFWt19PmwjXGGTKlvmbuPg9fUrBUNe4=

diff --git a/ibm/service/iamidentity/data_source_ibm_iam_account_settings.go b/ibm/service/iamidentity/data_source_ibm_iam_account_settings.go
@@ -1,4 +1,4 @@
-// Copyright IBM Corp. 2017, 2021 All Rights Reserved.
+// Copyright IBM Corp. 2022 All Rights Reserved.
 // Licensed under the Mozilla Public License v2.0
 
 package iamidentity
@@ -56,6 +56,25 @@ func DataSourceIBMIAMAccountSettings() *schema.Resource {
 				Computed:    true,
 				Description: "Defines the MFA trait for the account. Valid values:  * NONE - No MFA trait set  * TOTP - For all non-federated IBMId users  * TOTP4ALL - For all users  * LEVEL1 - Email-based MFA for all users  * LEVEL2 - TOTP-based MFA for all users  * LEVEL3 - U2F MFA for all users.",
 			},
+			"user_mfa": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "List of users that are exempted from the MFA requirement of the account.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"iam_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The iam_id of the user.",
+						},
+						"mfa": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Defines the MFA requirement for the user. Valid values:  * NONE - No MFA trait set  * TOTP - For all non-federated IBMId users  * TOTP4ALL - For all users  * LEVEL1 - Email-based MFA for all users  * LEVEL2 - TOTP-based MFA for all users  * LEVEL3 - U2F MFA for all users.",
+						},
+					},
+				},
+			},
 			"history": {
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -106,12 +125,22 @@ func DataSourceIBMIAMAccountSettings() *schema.Resource {
 			"session_invalidation_in_seconds": {
 				Type:        schema.TypeString,
 				Computed:    true,
-				Description: "Defines the period of time in seconds in which a session will be invalidated due  to inactivity. Valid values:   * Any whole number between '900' and '7200'   * NOT_SET - To unset account setting and use service default.",
+				Description: "Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values:  * Any whole number between '900' and '7200'  * NOT_SET - To unset account setting and use service default.",
 			},
 			"max_sessions_per_identity": {
 				Type:        schema.TypeString,
 				Computed:    true,
-				Description: "Defines the max allowed sessions per identity required by the account. Value values: * Any whole number greater than '0'   * NOT_SET - To unset account setting and use service default.",
+				Description: "Defines the max allowed sessions per identity required by the account. Valid values:  * Any whole number greater than 0  * NOT_SET - To unset account setting and use service default.",
+			},
+			"system_access_token_expiration_in_seconds": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Defines the access token expiration in seconds. Valid values:  * Any whole number between '900' and '3600'  * NOT_SET - To unset account setting and use service default.",
+			},
+			"system_refresh_token_expiration_in_seconds": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Defines the refresh token expiration in seconds. Valid values:  * Any whole number between '900' and '2592000'  * NOT_SET - To unset account setting and use service default.",
 			},
 		},
 	}
@@ -159,7 +188,19 @@ func dataSourceIbmIamAccountSettingsRead(context context.Context, d *schema.Reso
 	if err = d.Set("mfa", accountSettingsResponse.Mfa); err != nil {
 		return diag.FromErr(fmt.Errorf("[ERROR] Error setting mfa: %s", err))
 	}
-
+	userMfa := []map[string]interface{}{}
+	if accountSettingsResponse.UserMfa != nil {
+		for _, modelItem := range accountSettingsResponse.UserMfa {
+			modelMap, err := dataSourceIBMIamAccountSettingsAccountSettingsUserMfaToMap(&modelItem)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			userMfa = append(userMfa, modelMap)
+		}
+	}
+	if err = d.Set("user_mfa", userMfa); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting user_mfa %s", err))
+	}
 	if accountSettingsResponse.History != nil {
 		err = d.Set("history", dataSourceAccountSettingsResponseFlattenHistory(accountSettingsResponse.History))
 		if err != nil {
@@ -175,6 +216,12 @@ func dataSourceIbmIamAccountSettingsRead(context context.Context, d *schema.Reso
 	if err = d.Set("max_sessions_per_identity", accountSettingsResponse.MaxSessionsPerIdentity); err != nil {
 		return diag.FromErr(fmt.Errorf("[ERROR] Error setting max_sessions_per_identity: %s", err))
 	}
+	if err = d.Set("system_access_token_expiration_in_seconds", accountSettingsResponse.SystemAccessTokenExpirationInSeconds); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting system_access_token_expiration_in_seconds: %s", err))
+	}
+	if err = d.Set("system_refresh_token_expiration_in_seconds", accountSettingsResponse.SystemRefreshTokenExpirationInSeconds); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting system_refresh_token_expiration_in_seconds: %s", err))
+	}
 
 	return nil
 }
@@ -187,6 +234,17 @@ func dataSourceAccountSettingsResponseFlattenHistory(result []iamidentityv1.Enit
 	return history
 }
 
+func dataSourceIBMIamAccountSettingsAccountSettingsUserMfaToMap(model *iamidentityv1.AccountSettingsUserMfa) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	if model.IamID != nil {
+		modelMap["iam_id"] = *model.IamID
+	}
+	if model.Mfa != nil {
+		modelMap["mfa"] = *model.Mfa
+	}
+	return modelMap, nil
+}
+
 func dataSourceAccountSettingsResponseHistoryToMap(historyItem iamidentityv1.EnityHistoryRecord) (historyMap map[string]interface{}) {
 	historyMap = map[string]interface{}{}
 

diff --git a/ibm/service/iamidentity/data_source_ibm_iam_account_settings_test.go b/ibm/service/iamidentity/data_source_ibm_iam_account_settings_test.go
@@ -1,4 +1,4 @@
-// Copyright IBM Corp. 2017, 2021 All Rights Reserved.
+// Copyright IBM Corp. 2022 All Rights Reserved.
 // Licensed under the Mozilla Public License v2.0
 
 package iamidentity_test
@@ -26,10 +26,13 @@ func TestAccIBMIAMAccountSettingsDataSourceBasic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "restrict_create_platform_apikey"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "entity_tag"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "mfa"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "user_mfa.#"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "history.#"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "session_expiration_in_seconds"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "session_invalidation_in_seconds"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "max_sessions_per_identity"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "system_access_token_expiration_in_seconds"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings.iam_account_settings", "system_refresh_token_expiration_in_seconds"),
 				),
 			},
 		},

diff --git a/ibm/service/iamidentity/resource_ibm_iam_account_settings.go b/ibm/service/iamidentity/resource_ibm_iam_account_settings.go
@@ -1,4 +1,4 @@
-// Copyright IBM Corp. 2021 All Rights Reserved.
+// Copyright IBM Corp. 2022 All Rights Reserved.
 // Licensed under the Mozilla Public License v2.0
 
 package iamidentity
@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
+	"github.com/IBM/go-sdk-core/v5/core"
 	"github.com/IBM/platform-services-go-sdk/iamidentityv1"
 )
 
@@ -76,6 +77,25 @@ func ResourceIBMIAMAccountSettings() *schema.Resource {
 				Default:     "*",
 				Description: "Version of the account settings to be updated. Specify the version that you retrieved as entity_tag (ETag header) when reading the account. This value helps identifying parallel usage of this API. Pass * to indicate to update any version available. This might result in stale updates.",
 			},
+			"user_mfa": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "List of users that are exempted from the MFA requirement of the account.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"iam_id": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "The iam_id of the user.",
+						},
+						"mfa": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "Defines the MFA requirement for the user. Valid values:  * NONE - No MFA trait set  * TOTP - For all non-federated IBMId users  * TOTP4ALL - For all users  * LEVEL1 - Email-based MFA for all users  * LEVEL2 - TOTP-based MFA for all users  * LEVEL3 - U2F MFA for all users.",
+						},
+					},
+				},
+			},
 			"history": {
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -126,13 +146,25 @@ func ResourceIBMIAMAccountSettings() *schema.Resource {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Computed:    true,
-				Description: "Defines the period of time in seconds in which a session will be invalidated due  to inactivity. Valid values:   * Any whole number between '900' and '7200'   * NOT_SET - To unset account setting and use service default.",
+				Description: "Defines the period of time in seconds in which a session will be invalidated due to inactivity. Valid values:  * Any whole number between '900' and '7200'  * NOT_SET - To unset account setting and use service default.",
 			},
 			"max_sessions_per_identity": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Computed:    true,
-				Description: "Defines the max allowed sessions per identity required by the account. Value values: * Any whole number greater than '0'   * NOT_SET - To unset account setting and use service default.",
+				Description: "Defines the max allowed sessions per identity required by the account. Value values:  * Any whole number greater than 0  * NOT_SET - To unset account setting and use service default.",
+			},
+			"system_access_token_expiration_in_seconds": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "Defines the access token expiration in seconds. Valid values:  * Any whole number between '900' and '3600'  * NOT_SET - To unset account setting and use service default.",
+			},
+			"system_refresh_token_expiration_in_seconds": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "Defines the refresh token expiration in seconds. Valid values:  * Any whole number between '900' and '2592000'  * NOT_SET - To unset account setting and use service default.",
 			},
 		},
 	}
@@ -244,6 +276,19 @@ func resourceIbmIamAccountSettingsRead(context context.Context, d *schema.Resour
 			return diag.FromErr(fmt.Errorf("[ERROR] Error setting history: %s", err))
 		}
 	}
+	userMfa := []map[string]interface{}{}
+	if accountSettingsResponse.UserMfa != nil {
+		for _, userMfaItem := range accountSettingsResponse.UserMfa {
+			userMfaItemMap, err := resourceIBMIamAccountSettingsAccountSettingsUserMfaToMap(&userMfaItem)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			userMfa = append(userMfa, userMfaItemMap)
+		}
+	}
+	if err = d.Set("user_mfa", userMfa); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting user_mfa: %s", err))
+	}
 	if err = d.Set("session_expiration_in_seconds", accountSettingsResponse.SessionExpirationInSeconds); err != nil {
 		return diag.FromErr(fmt.Errorf("[ERROR] Error setting session_expiration_in_seconds: %s", err))
 	}
@@ -253,6 +298,12 @@ func resourceIbmIamAccountSettingsRead(context context.Context, d *schema.Resour
 	if err = d.Set("max_sessions_per_identity", accountSettingsResponse.MaxSessionsPerIdentity); err != nil {
 		return diag.FromErr(fmt.Errorf("[ERROR] Error setting max_sessions_per_identity: %s", err))
 	}
+	if err = d.Set("system_access_token_expiration_in_seconds", accountSettingsResponse.SystemAccessTokenExpirationInSeconds); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting system_access_token_expiration_in_seconds: %s", err))
+	}
+	if err = d.Set("system_refresh_token_expiration_in_seconds", accountSettingsResponse.SystemRefreshTokenExpirationInSeconds); err != nil {
+		return diag.FromErr(fmt.Errorf("Error setting system_refresh_token_expiration_in_seconds: %s", err))
+	}
 
 	return nil
 }
@@ -306,7 +357,16 @@ func resourceIbmIamAccountSettingsUpdate(context context.Context, d *schema.Reso
 		updateAccountSettingsOptions.SetMfa(mfa_str)
 		hasChange = true
 	}
-
+	var user_mfa []iamidentityv1.AccountSettingsUserMfa
+	if d.HasChange("user_mfa") {
+		for _, e := range d.Get("user_mfa").([]interface{}) {
+			value := e.(map[string]interface{})
+			userMfaItem := resourceIBMIamAccountSettingsMapToAccountSettingsUserMfa(value)
+			user_mfa = append(user_mfa, userMfaItem)
+		}
+		updateAccountSettingsOptions.SetUserMfa(user_mfa)
+		hasChange = true
+	}
 	if d.HasChange("session_expiration_in_seconds") {
 		session_expiration_in_seconds_str := d.Get("session_expiration_in_seconds").(string)
 		updateAccountSettingsOptions.SetSessionExpirationInSeconds(session_expiration_in_seconds_str)
@@ -324,6 +384,14 @@ func resourceIbmIamAccountSettingsUpdate(context context.Context, d *schema.Reso
 		updateAccountSettingsOptions.SetMaxSessionsPerIdentity(max_sessions_per_identity_str)
 		hasChange = true
 	}
+	if d.HasChange("system_access_token_expiration_in_seconds") {
+		updateAccountSettingsOptions.SetSystemAccessTokenExpirationInSeconds(d.Get("system_access_token_expiration_in_seconds").(string))
+		hasChange = true
+	}
+	if d.HasChange("system_refresh_token_expiration_in_seconds") {
+		updateAccountSettingsOptions.SetSystemRefreshTokenExpirationInSeconds(d.Get("system_refresh_token_expiration_in_seconds").(string))
+		hasChange = true
+	}
 
 	if hasChange {
 		_, response, err := iamIdentityClient.UpdateAccountSettings(updateAccountSettingsOptions)
@@ -336,6 +404,20 @@ func resourceIbmIamAccountSettingsUpdate(context context.Context, d *schema.Reso
 	return resourceIbmIamAccountSettingsRead(context, d, meta)
 }
 
+func resourceIBMIamAccountSettingsMapToAccountSettingsUserMfa(userMfaMap map[string]interface{}) iamidentityv1.AccountSettingsUserMfa {
+	userMfa := iamidentityv1.AccountSettingsUserMfa{}
+	userMfa.IamID = core.StringPtr(userMfaMap["iam_id"].(string))
+	userMfa.Mfa = core.StringPtr(userMfaMap["mfa"].(string))
+	return userMfa
+}
+
+func resourceIBMIamAccountSettingsAccountSettingsUserMfaToMap(model *iamidentityv1.AccountSettingsUserMfa) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	modelMap["iam_id"] = model.IamID
+	modelMap["mfa"] = model.Mfa
+	return modelMap, nil
+}
+
 func resourceIbmIamAccountSettingsDelete(context context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 
 	// DELETE NOT SUPPORTED