Feature Request: data_ibm_iam_access_group #953

Closed
jamestalton opened this issue Dec 16, 2019 · 4 comments
@jamestalton

jamestalton commented Dec 16, 2019

I have a use case where when running against different regions I need access to an existing ibm_iam_access_group. There is currently no data provider for accessing an existing ibm_iam_access_group.

@data-henrik
Contributor

Is this addressed now?

@jkayani

jkayani commented Jul 6, 2020

I believe this is broken currently based on this TF plan output:

# ibm_iam_access_group_members.conductor-members will be created
  + resource "ibm_iam_access_group_members" "conductor-members" {
      + access_group_id = "ACCOUNT-ID"
      + ibm_ids         = [
         + REDACTED
        ]
      + id              = (known after apply)
      + members         = (known after apply)
    }
  # ibm_iam_access_group_policy.conductor-policy will be created
  + resource "ibm_iam_access_group_policy" "conductor-policy" {
      + access_group_id    = "ACCOUNT-ID"
      + account_management = false
      + id                 = (known after apply)
      + roles              = [
          + "Viewer",
          + "Reader",
          + "Writer",
        ]
      + version            = (known after apply)
      + resources {
          + attributes           = {
              + "namespace" = "conductor"
            }
          + resource_group_id    = "REDACTED"
          + resource_instance_id = "REDACTED"
          + service              = "containers-kubernetes"
        }
    }

Basically everywhere it says ACCOUNT-ID it fills in the actual ID of the IBM Cloud account you're using with Terraform, when it really should be the ID of the actual access group. Everything else seems right. Looking at the UI, access group IDs are of the form: AccessGroupId-<some-string>

@jkayani

jkayani commented Jul 6, 2020

Actually I figured it out: the docs are correct though the behavior is a bit confusing. When passing an access group name as a parameter to the AG data source, you will still be returned a list containing the single matching access group.

So do this:

data "ibm_iam_access_group" "<thing>" {
  access_group_name = "Conductor"
}

resource "ibm_iam_access_group_members" "conductor-members" {
  access_group_id = data.ibm_iam_access_group.<thing>.groups[0].id
  ...
}

to get this output from TF plan:

  # ibm_iam_access_group_members.conductor-members will be created
  + resource "ibm_iam_access_group_members" "conductor-members" {
      + access_group_id = "AccessGroupId-REDACTED"
      + ibm_ids         = [
         REDACTED
        ]
      + id              = (known after apply)
      + members         = (known after apply)
    }
  # ibm_iam_access_group_policy.conductor-policy will be created
  + resource "ibm_iam_access_group_policy" "conductor-policy" {
      + access_group_id    = "AccessGroupId-REDACTED"
      + account_management = false
      + id                 = (known after apply)
      + roles              = [
          + "Viewer",
          + "Reader",
          + "Writer",
        ]
      + version            = (known after apply)
      + resources {
          + attributes           = {
              + "namespace" = "conductor"
            }
          + resource_group_id    = "REDACTED"
          + resource_instance_id = "REDACTED"
          + service              = "containers-kubernetes"
        }
    }

The reason the account ID can be obtained as data.ibm_iam_access_group.<thing>.id is because of this: https://github.com/IBM-Cloud/terraform-provider-ibm/blob/master/ibm/data_source_ibm_iam_access_group.go#L194

@hkantare
Collaborator

hkantare commented Jul 7, 2020

Yes, the output from the ibm_iam_access_group is a list of groups, because we can have multiple access groups with the same name, so we are listing back all the groups.

@hkantare hkantare closed this as completed Dec 7, 2020
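
Since several access groups can share a name, `groups[0]` may not be the group you meant to add members or roles to. The following is an added example, not code from the thread or from the provider's documentation, that makes the plan fail unless the name matches exactly one group. It assumes Terraform 1.2 or later for `postcondition`; the data source label `conductor` and the member address are placeholders.

```hcl
# Added example. The lookup by access_group_name and the groups[] attribute
# come from the thread; the label "conductor" is an assumption.
data "ibm_iam_access_group" "conductor" {
  access_group_name = "Conductor"

  lifecycle {
    # Stop before any membership or policy is planned if the name is
    # ambiguous (more than one group) or matches nothing.
    postcondition {
      condition     = length(self.groups) == 1
      error_message = "Expected exactly one access group named \"Conductor\"; refusing to pick groups[0] from an ambiguous or empty result."
    }
  }
}

locals {
  # Safe to index only because the postcondition above guarantees one element.
  conductor_group_id = data.ibm_iam_access_group.conductor.groups[0].id
}

resource "ibm_iam_access_group_members" "conductor-members" {
  access_group_id = local.conductor_group_id
  ibm_ids         = ["user@example.com"] # constructed placeholder
}

resource "ibm_iam_access_group_policy" "conductor-policy" {
  access_group_id = local.conductor_group_id
  roles           = ["Viewer", "Reader", "Writer"]

  resources {
    service = "containers-kubernetes"
    attributes = {
      "namespace" = "conductor"
    }
  }
}
```

In `terraform plan`, check that both `access_group_id` values start with `AccessGroupId-` rather than showing the account ID.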