Need to be able to pass the accountId in the provider block

[lionelmace]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Context: I create child cloud account under an Enterprise account.

The challenge is to specify in which account a resource should be created. Today, the provider block does not provide the ability to pass the accountId.

Example:

• With the enterprise account API key xxx_api_key I have access to account A and account B (as well as to the enterprise account E).
• Now I want to create a COS in account A.
• I create a provider block where I specify the xxx_api_key.

How can I tell Terraform now that the COS should be created in account A and not in account B? Because the API key xxx_api_key has access to both accounts. For me it seems that in this case the resource is always deployed in the enterprise account E, but we also need to deploy resources in the child accounts directly after we created them to set up the landing zones.

[stevestrutt]

Internal discussion https://ibm-cloudplatform.slack.com/archives/C53NF5MB4/p1700583212171669

[lionelmace]

Internal idea https://internal-ibmcloud.ideas.aha.io/ideas/IDEAINT-I-8282

[lionelmace]

Here is the current workaround:

1. Create a child account via TF. Set the child account owner id with the same enterprise account owner id.
2. Wrapped in terraform a call to create an API Key for the Child Account Owner using the API https://cloud.ibm.com/apidocs/iam-identity-token-api#create-api-key.
3. Set this newly created API Key in the Cloud Provider
4. Store the child account API Key in a Secrets Manager (Vault) instance in the Enterprise Account for further use

[lionelmace]

The approach described above is not working

When I generate a token using an enterprise level API key, I cannot use this token to create an API key in a child account, as the token is bound to the enterprise account and does not allow to create an API key in another account (even if the user would be allowed).