
Add support for IAM policies (beta) #424

Merged
merged 3 commits into from
Jun 29, 2023

@fehrnah fehrnah commented Jun 1, 2023

Description

This adds support for IAM policies, which are currently in private beta.

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Since the IAM is currently in beta, tests must be performed on an account which is participating in the beta.

  • Test A: make testacc TESTARGS="-run TestAccDataSourceXxxxYyyyZzzzz_basic"

Test Configuration:

  • Terraform version: Terraform v1.4.6
  • Existing HCL configuration you used:
# Create a user group and give it the permissions required to connect to the manager
data "ovh_me" "account" {}

resource "ovh_me_identity_group" "my_group" {
  name        = "my_group"
  description = "Terraform created group"
}

resource "ovh_iam_policy" "manager" {
  name        = "manager"
  description = "Members of my_group can connect to the manager"
  identities  = [ovh_me_identity_group.my_group.urn]
  resources   = [data.ovh_me.account.urn]
  allow = [
    "account:apiovh:me/get",
    "account:apiovh:me/supportLevel/get",
    "account:apiovh:me/certificates/get",
    "account:apiovh:me/tag/get",
    "account:apiovh:services/get",
    "account:apiovh:*",
  ]
}

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or issues
  • I have added acceptance tests that prove my fix is effective or that my feature works
  • New and existing acceptance tests pass locally with my changes
  • I successfully ran go mod vendor if I added or modified the go.mod file
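
The `allow` list in the test configuration above names five `account:apiovh:` actions and then `account:apiovh:*`. The following added example (not part of this PR or the provider's code) audits an allow list for wildcard entries and the entries they make redundant; `Finding`, `covers` and `AuditAllow` are hypothetical names, and it assumes a trailing `*` matches any suffix.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one issue in an allow list (type and field names are hypothetical).
type Finding struct{ Action, Reason, By string }

// covers reports whether pattern grants action. Assumption: a trailing "*"
// matches any suffix and every other pattern must match exactly.
func covers(pattern, action string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(action, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == action
}

// AuditAllow reports wildcard entries and entries another wildcard already grants.
func AuditAllow(allow []string) []Finding {
	var out []Finding
	for i, a := range allow {
		if strings.HasSuffix(a, "*") {
			out = append(out, Finding{a, "wildcard", ""})
		}
		for j, p := range allow {
			if i != j && strings.HasSuffix(p, "*") && covers(p, a) {
				out = append(out, Finding{a, "shadowed", p})
				break
			}
		}
	}
	return out
}

func main() {
	allow := []string{ // allow list from the test configuration in the PR description
		"account:apiovh:me/get",
		"account:apiovh:me/supportLevel/get",
		"account:apiovh:me/certificates/get",
		"account:apiovh:me/tag/get",
		"account:apiovh:services/get",
		"account:apiovh:*",
	}
	for _, f := range AuditAllow(allow) {
		fmt.Printf("%-9s %s %s\n", f.Reason, f.Action, f.By)
	}
}
```

Under that matching assumption, the five named actions add nothing to the grant: the effective permission is everything under `account:apiovh:`.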

* `name` - Name of the policy.
* `description` - Group description.
* `identities` - List of identities affected by the policy.
* `resources` - List of resources the policy.
Suggested change
* `resources` - List of resources the policy.
* `resources` - List of resources affected by the policy.
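
Review bot: The `description` entry is documented as "Group description", but every other entry in this list describes a policy (`name` - Name of the policy), so the wording reads as a leftover from the identity group documentation. Suggest "Description of the policy" so the attribute list is consistent.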

@scraly scraly left a comment

several remarks, questions and suggestions :)

## Argument Reference

## Attributes Reference

Here is an example of how the ID of a data source that lists registry capabilities is set:
https://github.com/ovh/terraform-provider-ovh/blob/master/ovh/data_cloud_project_capabilities_containerregistry.go

just a hash generated with the string in input

and here you can find what to say for the ID in the doc:
https://registry.terraform.io/providers/ovh/ovh/latest/docs/data-sources/cloud_project_capabilities_containerregistry

This kind of ID is not easy and super useful, but I think we need to document every field :)

@fehrnah fehrnah force-pushed the nfournie/iam branch 2 times, most recently from b7c5526 to ac827bb Compare June 13, 2023 08:37
@rbeuque74 rbeuque74 left a comment

Hello,

I found some flaws that we would have to address before merging this one.
Let's talk about it if you think I'm in the wrong :)

Romain

@fehrnah fehrnah marked this pull request as draft June 19, 2023 08:23
Signed-off-by: Nicolas FOURNIER <nicolas.fournier@ovhcloud.com>
@fehrnah fehrnah force-pushed the nfournie/iam branch 2 times, most recently from 957b487 to 8e678cb Compare June 23, 2023 08:21
@fehrnah fehrnah marked this pull request as ready for review June 23, 2023 08:31
Signed-off-by: Nicolas FOURNIER <nicolas.fournier@ovhcloud.com>
At the time of this commit, as a prerequisite to using the IAM,
the accounts must be part of the feature beta.

This adds a banner on affected resources and data sources.
@scraly scraly merged commit 6058688 into ovh:master Jun 29, 2023
@scraly scraly added the 0.32.0 label Jul 18, 2023