Closed modemers closed 1 year ago
It's great to hear that the provider has been useful for you. Work has begun on adding support for managing user roles with the Terraform provider; at the moment there are some API changes being made to allow this functionality to work properly.
I'm interested in any feedback on a proposed permission design (pasted below) that decouples the definition of the permissions from the user role definition. This provides a way to more easily manage role permissions with the possibility in the future to allow permission sets to be merged and overridden. This would allow a base role to be defined and simplify the creation of roles that add additional permissions or override them.
Additionally, the role permission design does allow for the possibility of the permissions being defined in a JSON file that is then sourced using the Terraform file function.
```hcl
data "morpheus_task" "demo" {
  name = "Demo"
}

data "morpheus_workflow" "demo" {
  name = "Demo"
}

data "morpheus_permission_set" "base_permissions" {
  default_persona                      = "serviceCatalog"
  default_group_permission             = "full"
  default_instance_type_permission     = "full"
  default_blueprint_permission         = "full"
  default_report_type_permission       = "full"
  default_catalog_item_type_permission = "full"
  default_vdi_pool_permission          = "full"
  default_workflow_permission          = "full"
  default_task_permission              = "full"

  feature_permission {
    code   = "provisioning-admin"
    access = "full"
  }

  feature_permission {
    code   = "admin-plugins"
    access = "none"
  }

  feature_permission {
    code   = "admin-guidanceSettings"
    access = "full"
  }

  feature_permission {
    code   = "admin-global-policies"
    access = "full"
  }

  persona_permission {
    code   = "standard"
    access = "none"
  }

  persona_permission {
    code   = "serviceCatalog"
    access = "full"
  }

  persona_permission {
    code   = "vdi"
    access = "full"
  }

  group_permission {
    id     = 1
    access = "full"
  }

  instance_type_permission {
    code   = "demo-web"
    access = "full"
  }

  workflow_permission {
    id     = data.morpheus_workflow.demo.id
    access = "full"
  }

  task_permission {
    id     = data.morpheus_task.demo.id
    access = "none"
  }
}

resource "morpheus_user_role" "tfexample_resource_user_role" {
  name               = "tf-example-user-role"
  description        = "Terraform provider example user role"
  multitenant_role   = false
  multitenant_locked = false
  permission_set     = data.morpheus_permission_set.base_permissions.json
}
```
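The merge-and-override behaviour the proposal hints at (a base permission set, with derived roles adding entries or overriding them) worked through as an added example; this is not the provider's code and was not part of the original thread. It assumes a hypothetical JSON layout mirroring the data source attributes above (scalar `default_*` attributes plus lists of `{code|id, access}` entries), override-wins semantics keyed by `code` or `id`, and an access ranking of none < read < full; the sample sets and the ids in them are constructed. Beyond producing the merged set, it lists every entry the override widens relative to the base, which is the check a reviewer would want to run before a derived role is applied.

```python
import json
from copy import deepcopy

# Constructed base set in JSON. The layout is an assumption for this example,
# chosen to mirror the proposed morpheus_permission_set attributes; it is not
# the provider's documented format.
BASE_PERMISSIONS_JSON = """
{
  "default_persona": "serviceCatalog",
  "default_group_permission": "full",
  "default_workflow_permission": "full",
  "default_task_permission": "full",
  "feature_permission": [
    {"code": "provisioning-admin", "access": "full"},
    {"code": "admin-plugins", "access": "none"},
    {"code": "admin-guidanceSettings", "access": "full"}
  ],
  "group_permission": [{"id": 1, "access": "full"}],
  "task_permission": [{"id": 42, "access": "none"}]
}
"""

# Constructed override for a derived role: tightens provisioning, adds a second
# group with read access, lowers the task default, but widens task 42 and adds
# a new feature permission. Ids and codes are hypothetical.
OVERRIDE_PERMISSIONS_JSON = """
{
  "default_task_permission": "read",
  "feature_permission": [
    {"code": "provisioning-admin", "access": "read"},
    {"code": "admin-global-policies", "access": "full"}
  ],
  "group_permission": [{"id": 2, "access": "read"}],
  "task_permission": [{"id": 42, "access": "full"}]
}
"""

# Repeated block types and the field that identifies one entry within them.
KEYED_BLOCKS = {
    "feature_permission": "code",
    "persona_permission": "code",
    "instance_type_permission": "code",
    "group_permission": "id",
    "workflow_permission": "id",
    "task_permission": "id",
}

# Assumed ordering of access levels, used to decide whether a merge widened access.
ACCESS_RANK = {"none": 0, "read": 1, "full": 2}


def load_permission_set(text: str) -> dict:
    """Parse a permission set from its JSON text (as file() would hand it to Terraform)."""
    return json.loads(text)


def merge_permission_sets(base: dict, override: dict) -> dict:
    """Return base with override applied: keyed entries are replaced or added by
    code/id, scalar default_* attributes are replaced outright. Base is not mutated."""
    merged = deepcopy(base)
    for key, value in override.items():
        if key in KEYED_BLOCKS:
            id_field = KEYED_BLOCKS[key]
            entries = {e[id_field]: dict(e) for e in merged.get(key, [])}
            for entry in value:
                entries[entry[id_field]] = dict(entry)  # override wins; new ids are appended
            merged[key] = list(entries.values())
        else:
            merged[key] = value
    return merged


def lookup_access(perm_set: dict, block: str, ident):
    """Effective access for one object: its explicit entry, else the block's default_*
    attribute, else None (no default exists for that block)."""
    id_field = KEYED_BLOCKS[block]
    for entry in perm_set.get(block, []):
        if entry[id_field] == ident:
            return entry["access"]
    return perm_set.get(f"default_{block}")


def widened_permissions(base: dict, merged: dict) -> list:
    """List (block, ident, before, after) for every keyed entry whose effective access
    the merge increased. An object with no base entry and no default counts as 'none'."""
    findings = []
    for block, id_field in KEYED_BLOCKS.items():
        for entry in merged.get(block, []):
            before = lookup_access(base, block, entry[id_field]) or "none"
            after = entry["access"]
            if ACCESS_RANK[after] > ACCESS_RANK[before]:
                findings.append((block, entry[id_field], before, after))
    return findings


def demo():
    """Merge the constructed sets and report what the override widened."""
    base = load_permission_set(BASE_PERMISSIONS_JSON)
    override = load_permission_set(OVERRIDE_PERMISSIONS_JSON)
    merged = merge_permission_sets(base, override)
    return merged, widened_permissions(base, merged)


if __name__ == "__main__":
    merged_set, widened = demo()
    print(json.dumps(merged_set, indent=2))
    for block, ident, before, after in widened:
        print(f"WIDENED {block} {ident}: {before} -> {after}")
```

Two design points worth noting: a new object id in the override inherits the base's `default_*` value for comparison, so adding `group_permission` id 2 with `read` under a `full` group default is correctly reported as a reduction, not a grant; and an override must be able to lower access as well as raise it, which is why scalar defaults are replaced rather than taking the maximum of the two.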
That looks good, thank you! I like the idea of using JSON files to help manage the permission sets. Managing which role has permissions to which catalog item or workflow is nice to have in terraform code also!
Looks good to me too. Perhaps consider changing the default permissions into dictionaries like the others for consistency and to keep from being boxed in the corner if you need to evolve the schema in the future.
Could you please create a role-mapping resource along with the role resource so the roles can be mapped to objects in an identity provider?
I'm assuming for the default permissions you'd be referring to something like the following:
```hcl
default_permission {
  code   = "instance_type"
  access = "full"
}
```
I'm curious what the role-mapping resource would look like. As support for additional identity providers is added, they'll have role mappings as part of the resource, similar to the Active Directory provider: https://github.com/gomorpheus/terraform-provider-morpheus/blob/bbabbdd827ddec8fc0c310532ea26640285b06dd/morpheus/resource_active_directory_identity_source.go#L102
This resource has been added in the latest release (v0.9.4) of the provider (https://registry.terraform.io/providers/gomorpheus/morpheus/latest/docs/resources/user_role) along with a permission set data source (https://registry.terraform.io/providers/gomorpheus/morpheus/latest/docs/data-sources/permission_set) for defining the permissions to allow them to easily be reused and decoupled from the role itself.
We use terraform to manage Morpheus and to promote catalog items to Production via CI/CD. Could we please add a terraform resource for Morpheus roles? I know there are a lot of settings for role permissions, but it would be nice if we could manage those with code instead of the GUI. Maybe the Morpheus role resource could reference a .CSV file with a list of permission names and values? Being able to control role permissions for groups, workflows, and tasks would be nice also!