IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Include `ibm_iam_access_group_policy` attribute in the `ibm_iam_access_group` data source #3316

Open monil-panchal opened 2 years ago

monil-panchal commented 2 years ago

Description

The ibm_iam_access_group data source is missing the capability to retrieve the list of ibm_access_group_policy defined within it. Currently, it provides access to only the iam_service_ids, ibm_ids, and Dynamic rules attributes.

Though there is an ibm_access_group_policy resource to create, update, or delete an IAM policy for a given IAM Access group, there is no data source to access the ibm_access_group_policy directly or within the existing ibm_iam_access_group data source.

Having access to the Access Policies could be an essential/must-have attribute for certain use cases when using the IAM Access Group data source.

image

kavya498 commented 2 years ago

We'll be creating a new datasource for access_group_policy. This cannot be included in the access_group datasource.

We have an open issue for this feature already: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/2633

monil-panchal commented 2 years ago

Okay, so let me rephrase my requirements -

  1. Having a new ibm_iam_access_group_policy data source
  2. Including the ibm_iam_access_group_policy as a list attribute in the ibm_iam_access_group data source.

monil-panchal commented 2 years ago

> This cannot be included in the access_group datasource.

@kavya498 - Is there any specific reason for not including the ibm_iam_access_group_policy attribute in the existing ibm_iam_access_group data source?

Out of four list attributes (refer to the above screenshot of IAM access group), only iam_service_ids, ibm_ids, and rules are currently fetched in the ibm_access_group_policy data source?

Here's a sample response

```
  + access_group = {
      + access_group_name = "dev-reader-test"
      + groups            = [
          + {
              + description     = "Read access to all dev resources"
              + iam_service_ids = []
              + ibm_ids         = [
                  + "Monil.Panchal@ibm.com",
                ]
              + id              = "AccessGroupId-******"
              + name            = "cd-dev-reader"
              + rules           = []
            },
        ]
      + id                = "************"
    }
```

One of the use cases that I can think of is accessing ibm_iam_access_group_policy as an attribute along with the iam_service_ids, ibm_ids, and rules for all of my IAM access groups using the ibm_iam_access_group data source.

Even if there is a new separate ibm_iam_access_group_policy data source, without accessing the ibm_iam_access_group_policy attribute inside the ibm_iam_access_group data source, I'll be obligated to write extra LOC to address my use case.