newrelic / terraform-provider-newrelic

Terraform provider for New Relic
https://registry.terraform.io/providers/newrelic/newrelic/latest/docs
Mozilla Public License 2.0
201 stars 244 forks

Add resources for managing group access, custom roles #1866

Open tpansino opened 2 years ago

tpansino commented 2 years ago

Feature Description

As an account admin, I would like to be able to manage custom roles and the groups they are attached to via Terraform, so that my permissions models can be captured as code, and any drift easily detected.

I have an organization with a large number of sub-accounts, which are used to organize resources and create access control boundaries. My company is already using AUM and SCIM to automate managing user creation and user group membership, but the roles and their attachment to groups are managed by hand.

I would like to be able to manage custom roles and their attachment to groups via Terraform.

Describe Alternatives

None that I can think of, other than to keep managing it by hand.

Additional context

It looks like attachment of roles to groups is possible via the NerdGraph API, so that should be straightforward to add to the Terraform provider.

I don't see support for creating custom roles via NerdGraph though. Can someone confirm whether an API for custom roles exists, and if not, could I put in a feature request for it?

Even if the second piece can't be implemented because there's no API yet, the first piece by itself would be valuable to me.

kidk commented 2 years ago

We've been asked to hold off on this work until the team feels confident the API is in a stable state as they're still going through a couple of feedback rounds. We currently have the work planned for Q4.

Thanks all for your patience.

robgott commented 1 year ago

Hi @kidk, just wanted to check in if this work is still planned for Q4.

Thanks!

kidk commented 1 year ago

@robgott This is indeed planned for Q4 (our financial year), which is Q1 in the calendar year. Apologies for the confusion.

samantha-millar commented 1 year ago

Hi @kidk, I just want to double check this will include management of administration settings through Terraform? For example setting Organization settings to manage, Read only and disabling on each Group.

A30006569 commented 1 year ago

Hi @kidk - hope you are well. Just wondering if this feature is still on track to be released this quarter? Thanks.

noahtrilling commented 8 months ago

My organization is interested in this as well. Can we get an update on the status of this feature?

sturdek commented 7 months ago

My organization is also interested in this as well and would like to get an update on this feature.

shanemacphillamy commented 6 months ago

My organization is also very interested in this feature. Without it, managing Roles, Grants and Access is extremely error prone.

pranav-new-relic commented 6 months ago

Hi everyone, just wanted to drop by to share an update. As previously stated by @kidk in the first few comments in this thread, after the API was found to be stable, we had work planned for a key prerequisite of the ask in this thread - enabling the management of users and groups via the Terraform Provider. Resources and data sources to facilitate these have recently been released (in the last month) - creating/updating/deleting/querying for users and groups within an authentication domain is now possible.

However, given the existence of structural differences between the queries/mutations used to handle users/groups and those of roles, the unavailability of mutations that help create roles (they can only be queried and/or linked to groups at the moment) and similar other unknowns around this, we're trying to actively work through the available possibilities of extending access management provisions in the Terraform Provider and achieve certainty (based on technical feasibility of what all can be done in this space), so we're exploring doable things, after which we shall be able to keep you posted on what's part of the plan to add to the Terraform Provider to facilitate access management (i.e. roles). You shall hear from us on this in the upcoming months, while in the interim, you might want to check out group and user management resources I've linked above. Thank you for understanding :)

A30006569 commented 6 months ago

Hi @pranav-new-relic - I can't seem to find the resource for role/group mapping. Can you please share?

pranav-new-relic commented 6 months ago

@A30006569 the 'role' part of this is still a work in progress is what I meant to explain in my previous comment - we plan to give you an update in the upcoming months on being able to link roles to groups via the Terraform Provider. Thanks for checking.

ijin commented 1 day ago

@pranav-new-relic waiting for this feature! any progress?

pranav-new-relic commented 8 hours ago

Hey @ijin and others, while there isn't a lot of news on this front, we have teams at New Relic fixing a few glitches in the APIs handling access management, which are needed to make APIs fully compatible with an upcoming resource in Terraform for the same. We're all juggling through a bunch of priorities to get to these items :) I'll keep you posted when we have an update on the Terraform side of things on this. Thanks for reaching out!