vmware / terraform-provider-vra

Terraform Provider for VMware Aria Automation
https://registry.terraform.io/providers/vmware/vra/
Mozilla Public License 2.0

Add support for organization roles and service roles #314

Open VickyWinner opened 3 years ago

VickyWinner commented 3 years ago

vRA version: vRealize Automation 8.3.0.15014 (17551690)

Terraform version: Terraform v0.13.3

terraform-provider-vra plugin version: v0.3.4

Is your feature request related to a problem? Please describe.

Before I create a new project using Terraform, I need to grant the access using Identity & Access Management at Organization Roles and Service Roles. I am not finding an example for that. If this feature isn't available, then I will have to do it manually.

Describe the solution you'd like

Set of data sources and resources to retrieve data and create resources for managing Organization Roles and Service Roles.

Describe alternatives you've considered

I see there are APIs available. However, it will make my Terraform code more complex and can't accomplish as IaC.

Additional context Add any other context or screenshots about the feature request here.

VickyWinner commented 3 years ago

Appreciate if someone could respond. It's been a while since I opened this.

wilsonandvmware commented 3 years ago

Hey @VickyWinner, could you elaborate how to grant the access manually using Identity & Access Management at Organization Roles and Service Roles? I see you mentioned there are available APIs, could you post the API please?

Thank you

tenthirtyam commented 3 years ago

Hi, @wilsonandvmware.

vRealize Automation APIs for Identity and Access Management are at {vrahost}/identity/doc/webjars/swagger-ui/index.html?configUrl=/identity/doc/v3/api-docs/swagger-config under UserController or UserV3Controller.

For a UI-based example, see the VMware Validated Design example for Assign Organization and Service Roles to User Groups for vRealize Automation.

Ryan Johnson Staff Architect, VMware

VickyWinner commented 3 years ago

@tenthirtyam this is where I found one API: https://developer.vmware.com/docs/csep/csp-iam/latest/csp/gateway/am/api/orgs/orgId/clients/post/

tenthirtyam commented 3 years ago

Your link above would only be applicable to VMware Cloud Service Portal (CSP), and thus vRealize Automation Cloud.

VickyWinner commented 3 years ago

@tenthirtyam so you mean there is no API available for assigning org roles and service roles?

tenthirtyam commented 3 years ago

For vRA8 on-premises the APIs for Identity and Access Management are at {vrahost}/identity/doc/webjars/swagger-ui/index.html?configUrl=/identity/doc/v3/api-docs/swagger-config under UserController or UserV3Controller. I confirmed this with the engineering team yesterday.

Ryan

VickyWinner commented 3 years ago

@tenthirtyam Thank you for the link. So, are you considering this enhancement in the provider?

tenthirtyam commented 3 years ago

I would need to defer to the PMs and engineers for the Terraform Provider for vRealize Automation and suggest labels for under-review, planned, deferred, rejected be applied to enhancement issues. I just happen to use our providers quite a bit. cc @Prativa20

Ryan Johnson Staff Architect, VMware

rnelson0 commented 2 years ago

We are coming up on a year since this was submitted and I don't see any provider resources for this yet, but please correct me if I missed something. If it is not present, are there any plans for this? I just had to add 24 groups 3 vRA instances and can say I'm extremely interested in such a feature, but unfortunately I don't know enough go or terraform code at this point to submit any PRs myself. It's going on the list of things to learn. In the meantime, if I can help in any way, please let me know.

frodenas commented 2 years ago

@rnelson0 this feature is under consideration, and we'd like to address it as soon as possible. The complexity here is that the identity service is exposing their API in OpenAPI Specification v3 (unlike other services, which are using v2), and the way we generate the API SDK client does not yet support this format. We are currently evaluating how to address this constraint, so we can implement the feature requested in this issue. Unfortunately, I cannot yet provide an estimate of when we will be able to deliver this.

VickyWinner commented 2 years ago

Thanks @rnelson0 for the update. My request is to keep this enhancement open so I can check back when there is an update.

VickyWinner commented 2 years ago

@frodenas Any new update on this issue?

Arderos commented 1 year ago

Any updates?

rnelson0 commented 1 year ago

AFAIK there's still no solution in this provider. In the meantime I've used PowerValidatedSolutions, specifically New-VraGroup and New-VraUser, to automate the creation of IAM entries. I'd still love to see it in Terraform because changes and deletions remain a problem!

cathode911 commented 9 months ago

@frodenas Did you have a chance to address this issue? It's been over 20 months since your last comment.

ykezlya commented 9 months ago

Very useful thing, look forward to the implementation!