Closed laurent-perrin closed 2 years ago
Hello @chewdevs, I agree with you. @niuzhenguo as it is already available on Huawei Cloud provider (https://www.terraform.io/docs/providers/huaweicloud/r/identity_project_v3.html) do you know if we can add it to the FE one? It seems that keystone is v3 on both platforms but I can remember that there are some differences on the API side (Huawei Cloud seems to use EPS) and I face different behavior between FE and HC with Openstack CLI. Please let me know if it is ok regarding APIs, if not I will investigate on platform side. Regards,
@antonin-a will test the API soon and give feedback here.
@chewdevs Regarding Federated Identity Authentication, do you mean to add support for passing security_token?
I was thinking about registering and configuring an Identity Provider
@chewdevs You need to configure the Identity Provider manually and fetch the security token. We can provide a way to use that security token + ak/sk to manage resources with terraform.
For Identity provider, an API is available: https://docs.prod-cloud-ocb.orange-business.com/en-us/api/iam/en-us_topic_0057845606.html Is it not possible to manage it with Terraform?
But for us, managing users, groups, policies and policies assignment are more important than identity provider.
@chewdevs Will start to test the IAM resources when my account gets admin permissions. We can discuss IDP after users, groups, policies and policies assignment are finished.
Great! Thanks @niuzhenguo
Hello @niuzhenguo, any updates on this one since July? It seems to duplicate this one: https://github.com/terraform-providers/terraform-provider-flexibleengine/issues/256
@antonin-a Sorry for the delay. @DafuSHI need your help to get admin permission for my testing account.
@antonin-a @DafuSHI I still got denied when accessing IAM API with admin permission account :(
@DafuSHI can you help here please?
@niuzhenguo I've sent you an invitation to join our Dev&Test domain. Feel free to reach me if you face any issue. The idea is to have at least the IAM resources available on Huawei cloud provider.
I think we can satisfy most of the resources in IAM except for users. https://docs.prod-cloud-ocb.orange-business.com/iam/doc/download/pdf/iam-api.pdf
Hi @chewdevs, can we close this issue?
@qukuijin1989 the IDP management is still not available. Can we please try to finish this part? (requested by several users)
Creating groups and users: https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine/latest/docs/resources/identity_group_membership_v3 https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine/latest/docs/resources/identity_group_v3
Creating policies: https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine/latest/docs/resources/identity_role_v3
Assigning policies to groups to manage users permission: https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine/latest/docs/resources/identity_role_assignment_v3
Managing Federated Identity Authentication: Missing here: PUT /v3/OS-FEDERATION/identity_providers/{id} from https://docs.prod-cloud-ocb.orange-business.com/iam/doc/download/pdf/iam-api.pdf page 199 @niuzhenguo @ShiChangkuo
Hello @niuzhenguo @ShiChangkuo gentle reminder here. Are there ongoing actions for this one?
Hello @niuzhenguo @ShiChangkuo this requirement still exists. Do you have updates, please? Especially for the federation part.
@antonin-a I will try to develop the IDP resources before July 31st.
Hello, thank you for these advances! To be able to use these modules with users created by the CloudStore, it is absolutely necessary to have data sources on the IAM modules.
Especially on the "flexibleengine_identity_user_v3" module
Thanks!
Hello,
It could be great to be able to manage IAM resources with Terraform:
Creating groups and users
Creating policies
Assigning policies to groups to manage users permission
Managing Federated Identity Authentication