ibm-cloud-docs / vpc

Documentation repository for vpc

The Terraform IAM policies are not correct for VPC Backups #205

Status: Closed (rmey closed 5 months ago)

rmey commented 5 months ago

The sample in the Terraform tab doesn't work: https://cloud.ibm.com/docs/vpc?topic=vpc-backup-s2s-auth&interface=terraform
The UI description works: https://cloud.ibm.com/docs/vpc?topic=vpc-backup-s2s-auth&interface=ui
Both descriptions lead to different resulting IAM service authorisations.

vickmuir commented 5 months ago

Transferred work item to JIRA: CFD-6863. Reached out to the development team to get an updated example.

swcolley commented 5 months ago

Correct Terraform should be:

# Account ID referenced by the subject and resource attributes below.
data "ibm_iam_account_settings" "iam" {}

# One authorization per target resource type: the source is VPC backup
# policies (serviceName "is", resourceType "backup-policy"), the target is
# VPC resources that carry the given ID attribute (stringExists).
resource "ibm_iam_authorization_policy" "policy1" {
  subject_attributes {
    name = "accountId"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name = "serviceName"
    value = "is"
  }
  subject_attributes {
    name = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name   = "accountId"
    operator = "stringEquals"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name   = "serviceName"
    operator = "stringEquals"
    value  = "is"
  }
  resource_attributes {
    name   = "volumeId"
    operator = "stringExists"
    value  = "true"
  }
  roles                = ["Operator"]
}

resource "ibm_iam_authorization_policy" "policy2" {
  subject_attributes {
    name = "accountId"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name = "serviceName"
    value = "is"
  }
  subject_attributes {
    name = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name   = "accountId"
    operator = "stringEquals"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name   = "serviceName"
    operator = "stringEquals"
    value  = "is"
  }
  resource_attributes {
    name   = "snapshotId"
    operator = "stringExists"
    value  = "true"
  }
  roles                = ["Editor"]
}

resource "ibm_iam_authorization_policy" "policy3" {
  subject_attributes {
    name = "accountId"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name = "serviceName"
    value = "is"
  }
  subject_attributes {
    name = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name   = "accountId"
    operator = "stringEquals"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name   = "serviceName"
    operator = "stringEquals"
    value  = "is"
  }
  resource_attributes {
    name   = "snapshotConsistencyGroupId"
    operator = "stringExists"
    value  = "true"
  }
  roles                = ["Editor"]
}

resource "ibm_iam_authorization_policy" "policy4" {
  subject_attributes {
    name = "accountId"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  subject_attributes {
    name = "serviceName"
    value = "is"
  }
  subject_attributes {
    name = "resourceType"
    value = "backup-policy"
  }
  resource_attributes {
    name   = "accountId"
    operator = "stringEquals"
    value  = data.ibm_iam_account_settings.iam.account_id
  }
  resource_attributes {
    name   = "serviceName"
    operator = "stringEquals"
    value  = "is"
  }
  resource_attributes {
    name   = "instanceId"
    operator = "stringExists"
    value  = "true"
  }
  roles                = ["Operator"]
}

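
One way a defender could verify that an account's live IAM authorizations actually match the four policies above (least privilege, nothing missing, nothing over-granted). This is an added example, not code from the issue, the docs or the IBM provider; the policy record shape is my assumption based on the IAM Policy Management v1 list response, and the sample records are constructed.

```python
# Added example (not the issue's or the docs' code); record shape is assumed.
# Target attribute (stringExists on the resource) -> role the docs expect.
EXPECTED = {
    "volumeId": "Operator",
    "snapshotId": "Editor",
    "snapshotConsistencyGroupId": "Editor",
    "instanceId": "Operator",
}

def _attrs(block):
    return {a["name"]: a["value"] for a in block.get("attributes", [])}

def backup_policy_targets(policies):
    """Map each is/backup-policy authorization's target attribute to its roles."""
    found = {}
    for p in policies:
        if p.get("type") != "authorization":
            continue
        subj = _attrs(p["subjects"][0])
        if subj.get("serviceName") != "is" or subj.get("resourceType") != "backup-policy":
            continue
        res = p["resources"][0]
        if _attrs(res).get("serviceName") != "is":
            continue
        # Platform role CRNs end in ":role:<Name>"; keep just the name.
        roles = sorted(r["role_id"].rsplit(":", 1)[-1] for r in p["roles"])
        for a in res["attributes"]:
            if a.get("operator") == "stringExists":
                found[a["name"]] = roles
    return found

def audit(policies):
    """Return (missing targets, targets whose roles differ from EXPECTED)."""
    found = backup_policy_targets(policies)
    missing = sorted(t for t in EXPECTED if t not in found)
    wrong = {t: r for t, r in found.items() if t in EXPECTED and r != [EXPECTED[t]]}
    return missing, wrong

def _policy(target, role):
    """Constructed sample record; accountId attributes omitted for brevity."""
    return {"type": "authorization",
            "subjects": [{"attributes": [{"name": "serviceName", "value": "is"},
                                         {"name": "resourceType", "value": "backup-policy"}]}],
            "resources": [{"attributes": [{"name": "serviceName", "value": "is"},
                                          {"name": target, "value": "true", "operator": "stringExists"}]}],
            "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::role:{role}"}]}

# Constructed account state: consistency-group policy missing, instance policy over-granted.
SAMPLE = [_policy("volumeId", "Operator"), _policy("snapshotId", "Editor"),
          _policy("instanceId", "Administrator")]
```

Feed `audit()` the `policies` array returned for the account (filtered to type `authorization`) to get the gap and over-grant lists in one pass.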
swcolley commented 5 months ago

@vickmuir Please see above to share with the development team (I'm on the IAM team).

vickmuir commented 5 months ago

Thank you, @swcolley! I updated the docs in Staging with your example and sent it to our VPC Client SDK and Terraform team for review.