IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Attach an IBM Cloud Service to a Trusted Profile #4768

Open pauljegouic opened 1 year ago

pauljegouic commented 1 year ago

We need a way to attach an IBM Cloud Service to an IAM Trusted Profile to automate the integration between, for example, a Project or a Catalog and credentials.

Example of how we do it now

We are using Schematics, and we are tweaking it in order to reuse the current embedded credentials.

data "external" "env" {
  program = ["${path.module}/modules/extract_env_vars.sh"]
}

Content of ${path.module}/modules/extract_env_vars.sh:

#!/bin/sh

# env.sh

# Change the contents of this output to get the environment variables
# of interest. The output must be valid JSON, with strings for both
# keys and values.
cat <<EOF
{
  "token": "$IC_IAM_TOKEN",
  "api_key": "$IC_API_KEY"
}
EOF

Here is how we do it today: attach the Catalog instance (or Project) to the Trusted Profile

resource "null_resource" "attach_catalog_id" {

  triggers = {
    always_run = timestamp()
  }

  provisioner "local-exec" {
    command = <<EOT
      if [ -n "${data.external.env.result.token}" ]
      then
        # Schematics user-credentials case
        TOKEN="${data.external.env.result.token}"
      else
        # Schematics Trusted-Profile case: exchange the API key for an IAM token
        TOKEN=$(curl -X POST "https://iam.cloud.ibm.com/identity/token" \
          --header 'Content-Type: application/x-www-form-urlencoded' \
          --header 'Accept: application/json' \
          --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey' \
          --data-urlencode "apikey=${data.external.env.result.api_key}" | jq -r .access_token)
      fi
      # Add the catalog CRN as an identity on the trusted profile
      res=$(curl -X POST 'https://iam.cloud.ibm.com/v1/profiles/${ibm_iam_trusted_profile.iam_trusted_profile.id}/identities/crn' \
        -H "Authorization: Bearer $TOKEN" \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json' \
        -d '{ "identifier": "${ibm_cm_catalog.squad_catalog.crn}", "type": "crn", "description": "${ibm_cm_catalog.squad_catalog.label}" }')
      echo "$res"
    EOT
  }
}

We would like to achieve this by using a Terraform resource.

hkantare commented 1 year ago

@Daniel-Byrne Can you look into this requirement?

pradeep-b commented 1 year ago

@Daniel-Byrne Any thoughts on this request and the expected timeline?

Daniel-Byrne commented 1 year ago

@pradeep-b @pauljegouic

The resource ibm_iam_trusted_profile_identity is what I believe you're looking for. It has been added since the last release, so it should be included in the next.
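
The resource named in the last comment, sketched as an added example (not code from this thread or from the provider project): it replaces the null_resource/curl workaround, so no IAM token or API key is interpolated into a local-exec command. The argument names are an assumption based on the provider's documented schema for ibm_iam_trusted_profile_identity and should be checked against the release you install; the two referenced resources are the ones from the original post.

```hcl
# Added example. Assumes ibm_iam_trusted_profile.iam_trusted_profile and
# ibm_cm_catalog.squad_catalog are defined elsewhere, as in the original post.
resource "ibm_iam_trusted_profile_identity" "catalog_identity" {
  # Profile that the service instance will be allowed to assume
  profile_id = ibm_iam_trusted_profile.iam_trusted_profile.id

  # Same values the workaround sent to /v1/profiles/{id}/identities/crn
  identity_type = "crn"
  type          = "crn"
  identifier    = ibm_cm_catalog.squad_catalog.crn
  description   = ibm_cm_catalog.squad_catalog.label
}
```

With this in place the `data "external" "env"` block and extract_env_vars.sh are no longer needed, and the identity is tracked in state instead of being re-posted on every apply through the `timestamp()` trigger.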