IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Role for access group in tf #4709

Open chechuironman opened 1 year ago

chechuironman commented 1 year ago

I'm trying to create a VPN Client role on the access tab of the Access Group with this:

resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.access_group.id
  roles           = ["VPN Client"]

  resources {
    service = "is"

    attributes = {
      "vpcId" = "*"
    }

    resource_group_id = data.ibm_resource_group.group.id
  }
}

But I get this error... "message": "Invalid role(s): crn:v1:bluemix:public:is::::serviceRole:VPNClient"

What should be the role to use within TF?

jarrodu commented 1 year ago

I think I found a solution. The documentation is not correct, but this seems to work.

resource "ibm_iam_access_group" "vpn_client" {
  name        = "vpn-client"
  description = "VPN client access group"
}

resource "ibm_iam_access_group_policy" "vpn_client_policy" {
  access_group_id = ibm_iam_access_group.vpn_client.id
  roles           = ["VPN Client"]
  resources {
    service = "is"
  }
}

It creates this JSON:

{
    "type": "access",
    "roles": [
        {
            "role_id": "crn:v1:bluemix:public:is::::serviceRole:VPNClient"
        }
    ],
    "resources": [
        {
            "attributes": [
                {
                    "name": "accountId",
                    "value": "XXX"
                },
                {
                    "name": "serviceName",
                    "value": "is"
                }
            ]
        }
    ],
    "subjects": [
        {
            "attributes": [
                {
                    "name": "access_group_id",
                    "value": "AccessGroupId-XXX"
                }
            ]
        }
    ]
}

jarrodu commented 1 year ago

This is the documentation I was referring to.

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_access_group_policy#roles

VPN Client is not in the list of roles.
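Before applying the working configuration above it is worth checking what scope the resulting policy actually has: the JSON the provider produced is narrowed only by accountId and serviceName, so the VPN Client role applies to every VPC Infrastructure resource in the account rather than the single resource group the first attempt asked for. The following audit helper is an added example, not part of this issue or of the provider; it parses the policy JSON from the answer above (with the post's XXX placeholders) and a constructed narrower variant, and reports roles and scope so a reviewer can spot service-wide grants.

```python
import json

# Policy JSON exactly as reported in the answer above; XXX values are the
# post's placeholders, not real identifiers.
WORKING_POLICY = json.loads("""
{
  "type": "access",
  "roles": [{"role_id": "crn:v1:bluemix:public:is::::serviceRole:VPNClient"}],
  "resources": [{"attributes": [
      {"name": "accountId", "value": "XXX"},
      {"name": "serviceName", "value": "is"}]}],
  "subjects": [{"attributes": [
      {"name": "access_group_id", "value": "AccessGroupId-XXX"}]}]
}
""")

# Constructed variant (assumption for illustration): same policy narrowed to
# one VPC via the vpcId attribute the original attempt used.
SCOPED_POLICY = json.loads(json.dumps(WORKING_POLICY))
SCOPED_POLICY["resources"][0]["attributes"].append(
    {"name": "vpcId", "value": "r010-constructed-vpc-id"})

# Attributes that only identify the account and service; anything beyond
# these narrows the grant to a subset of that service's resources.
ACCOUNT_LEVEL_ATTRS = {"accountId", "serviceName"}


def policy_roles(policy):
    """Return the role ids an IAM policy document grants."""
    return [r["role_id"] for r in policy.get("roles", [])]


def resource_scope(policy):
    """Flatten resource attributes into one name -> value mapping."""
    scope = {}
    for res in policy.get("resources", []):
        for attr in res.get("attributes", []):
            scope[attr["name"]] = attr["value"]
    return scope


def is_service_wide(policy):
    """True when no attribute narrows the policy below the whole service."""
    return set(resource_scope(policy)) <= ACCOUNT_LEVEL_ATTRS


def audit(policy):
    """Summarise roles, service and narrowing attributes for review."""
    scope = resource_scope(policy)
    return {"service": scope.get("serviceName"),
            "roles": policy_roles(policy),
            "narrowed_by": sorted(set(scope) - ACCOUNT_LEVEL_ATTRS),
            "service_wide": is_service_wide(policy)}
```

Run audit() over the JSON from `terraform show -json` or the IAM API response for each access-group policy; a service_wide result for a role that was meant to be resource-group scoped is the signal to revisit the resources block.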