Revert authorisation policy role migration

IBM-Cloud · Sep 30, 2021 · 66d090b · 66d090b
1 parent 3e85433
commit 66d090b
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 18 deletions.
diff --git a/ibm/config.go b/ibm/config.go
@@ -83,6 +83,7 @@ import (
 	"github.com/IBM-Cloud/bluemix-go/api/globalsearch/globalsearchv2"
 	"github.com/IBM-Cloud/bluemix-go/api/globaltagging/globaltaggingv3"
 	"github.com/IBM-Cloud/bluemix-go/api/hpcs"
+	"github.com/IBM-Cloud/bluemix-go/api/iam/iamv1"
 	"github.com/IBM-Cloud/bluemix-go/api/icd/icdv4"
 	"github.com/IBM-Cloud/bluemix-go/api/mccp/mccpv2"
 	"github.com/IBM-Cloud/bluemix-go/api/resource/resourcev1/catalog"
@@ -199,6 +200,7 @@ type ClientSession interface {
 	GlobalTaggingAPI() (globaltaggingv3.GlobalTaggingServiceAPI, error)
 	GlobalTaggingAPIv1() (globaltaggingv1.GlobalTaggingV1, error)
 	ICDAPI() (icdv4.ICDServiceAPI, error)
+	IAMAPI() (iamv1.IAMServiceAPI, error)
 	IAMPolicyManagementV1API() (*iampolicymanagement.IamPolicyManagementV1, error)
 	IAMAccessGroupsV2() (*iamaccessgroups.IamAccessGroupsV2, error)
 	MccpAPI() (mccpv2.MccpServiceAPI, error)
@@ -317,6 +319,9 @@ type clientSession struct {
 	userManagementErr error
 	userManagementAPI usermanagementv2.UserManagementAPI
 
+	iamConfigErr  error
+	iamServiceAPI iamv1.IAMServiceAPI
+
 	icdConfigErr  error
 	icdServiceAPI icdv4.ICDServiceAPI
 
@@ -604,6 +609,11 @@ func (sess clientSession) UserManagementAPI() (usermanagementv2.UserManagementAP
 	return sess.userManagementAPI, sess.userManagementErr
 }
 
+// IAMAPI provides IAM PAP APIs ...
+func (sess clientSession) IAMAPI() (iamv1.IAMServiceAPI, error) {
+	return sess.iamServiceAPI, sess.iamConfigErr
+}
+
 // IAM Policy Management
 func (sess clientSession) IAMPolicyManagementV1API() (*iampolicymanagement.IamPolicyManagementV1, error) {
 	return sess.iamPolicyManagementAPI, sess.iamPolicyManagementErr
@@ -1012,6 +1022,7 @@ func (c *Config) ClientSession() (interface{}, error) {
 		session.catalogManagementClientErr = errEmptyBluemixCredentials
 		session.powerConfigErr = errEmptyBluemixCredentials
 		session.ibmpiConfigErr = errEmptyBluemixCredentials
+		session.iamConfigErr = errEmptyBluemixCredentials
 		session.userManagementErr = errEmptyBluemixCredentials
 		session.certManagementErr = errEmptyBluemixCredentials
 		session.vpcErr = errEmptyBluemixCredentials
@@ -1530,6 +1541,12 @@ func (c *Config) ClientSession() (interface{}, error) {
 	}
 	session.resourceControllerServiceAPIv2 = ResourceControllerAPIv2
 
+	iam, err := iamv1.New(sess.BluemixSession)
+	if err != nil {
+		session.iamConfigErr = fmt.Errorf("Error occured while configuring Bluemix IAM Service: %q", err)
+	}
+	session.iamServiceAPI = iam
+
 	userManagementAPI, err := usermanagementv2.New(sess.BluemixSession)
 	if err != nil {
 		session.userManagementErr = fmt.Errorf("Error occured while configuring user management service: %q", err)

diff --git a/ibm/resource_ibm_iam_authorization.policy_test.go b/ibm/resource_ibm_iam_authorization.policy_test.go
@@ -109,6 +109,25 @@ func TestAccIBMIAMAuthorizationPolicy_ResourceType(t *testing.T) {
 		},
 	})
 }
+func TestAccIBMIAMAuthorizationPolicyDelegatorRole(t *testing.T) {
+	var conf iampolicymanagementv1.Policy
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMAuthorizationPolicyDelegatorRole(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", "databases-for-redis"),
+					resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "kms"),
+				),
+			},
+		},
+	})
+}
 
 func testAccCheckIBMIAMAuthorizationPolicyDestroy(s *terraform.State) error {
 	iamPolicyManagementClient, err := testAccProvider.Meta().(ClientSession).IAMPolicyManagementV1API()
@@ -214,6 +233,15 @@ func testAccCheckIBMIAMAuthorizationPolicyResourceType() string {
 	  }
 	`
 }
+func testAccCheckIBMIAMAuthorizationPolicyDelegatorRole() string {
+	return `
+	resource "ibm_iam_authorization_policy" "policy" {
+		source_service_name         = "databases-for-redis"
+		target_service_name         = "kms"
+		roles                       = ["Reader", "AuthorizationDelegator"]
+	  }
+	`
+}
 
 func testAccCheckIBMIAMAuthorizationPolicyResourceGroup(sResourceGroup, tResourceGroup string) string {
 	return fmt.Sprintf(`

diff --git a/ibm/resource_ibm_iam_authorization_policy.go b/ibm/resource_ibm_iam_authorization_policy.go
@@ -10,6 +10,7 @@ import (
 	"github.com/IBM/go-sdk-core/v5/core"
 	"github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
 
+	"github.com/IBM-Cloud/bluemix-go/models"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -322,38 +323,31 @@ func resourceIBMIAMAuthorizationPolicyExists(d *schema.ResourceData, meta interf
 
 func getAuthorizationRolesByName(roleNames []string, sourceServiceName string, targetServiceName string, meta interface{}) ([]iampolicymanagementv1.PolicyRole, error) {
 
-	iamPolicyManagementClient, err := meta.(ClientSession).IAMPolicyManagementV1API()
+	iamClient, err := meta.(ClientSession).IAMAPI()
 	if err != nil {
 		return []iampolicymanagementv1.PolicyRole{}, err
 	}
-	userDetails, err := meta.(ClientSession).BluemixUserDetails()
+	iamRepo := iamClient.ServiceRoles()
+	roles, err := iamRepo.ListAuthorizationRoles(sourceServiceName, targetServiceName)
+	convertedRoles := convertRoleModels(roles)
 	if err != nil {
 		return []iampolicymanagementv1.PolicyRole{}, err
 	}
-	listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
-		AccountID:   &userDetails.userAccount,
-		ServiceName: &targetServiceName,
-	}
-	roleList, resp, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
-	if err != nil || roleList == nil {
-		return []iampolicymanagementv1.PolicyRole{}, fmt.Errorf("[ERROR] Error in listing roles %s, %s", err, resp)
-	}
-	serviceRoles := roleList.ServiceRoles
-	convertedRoles := convertRoleModels(serviceRoles)
-	filteredRoles, err := getRolesFromRoleNames(roleNames, convertedRoles)
+	filteredRoles := []iampolicymanagementv1.PolicyRole{}
+	filteredRoles, err = getRolesFromRoleNames(roleNames, convertedRoles)
 	if err != nil {
 		return []iampolicymanagementv1.PolicyRole{}, err
 	}
 	return filteredRoles, nil
 }
 
 // ConvertRoleModels will transform role models returned from "/v1/roles" to the model used by policy
-func convertRoleModels(serviceRoles []iampolicymanagementv1.Role) []iampolicymanagementv1.PolicyRole {
-	results := make([]iampolicymanagementv1.PolicyRole, len(serviceRoles))
-	for i, r := range serviceRoles {
+func convertRoleModels(roles []models.PolicyRole) []iampolicymanagementv1.PolicyRole {
+	results := make([]iampolicymanagementv1.PolicyRole, len(roles))
+	for i, r := range roles {
 		results[i] = iampolicymanagementv1.PolicyRole{
-			RoleID:      r.CRN,
-			DisplayName: r.DisplayName,
+			RoleID:      core.StringPtr(r.ID.String()),
+			DisplayName: core.StringPtr(r.DisplayName),
 		}
 	}
 	return results