Revert authorisation policy role migration #3161

Merged
merged 1 commit into from
Oct 1, 2021
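--- a/ibm/config.go
+++ b/ibm/config.go
@@ -83,6 +83,7 @@ import (
 "github.com/IBM-Cloud/bluemix-go/api/globalsearch/globalsearchv2"
 "github.com/IBM-Cloud/bluemix-go/api/globaltagging/globaltaggingv3"
 "github.com/IBM-Cloud/bluemix-go/api/hpcs"
+"github.com/IBM-Cloud/bluemix-go/api/iam/iamv1"
 "github.com/IBM-Cloud/bluemix-go/api/icd/icdv4"
 "github.com/IBM-Cloud/bluemix-go/api/mccp/mccpv2"
 "github.com/IBM-Cloud/bluemix-go/api/resource/resourcev1/catalog"
@@ -199,6 +200,7 @@ type ClientSession interface {
 GlobalTaggingAPI() (globaltaggingv3.GlobalTaggingServiceAPI, error)
 GlobalTaggingAPIv1() (globaltaggingv1.GlobalTaggingV1, error)
 ICDAPI() (icdv4.ICDServiceAPI, error)
+IAMAPI() (iamv1.IAMServiceAPI, error)
 IAMPolicyManagementV1API() (*iampolicymanagement.IamPolicyManagementV1, error)
 IAMAccessGroupsV2() (*iamaccessgroups.IamAccessGroupsV2, error)
 MccpAPI() (mccpv2.MccpServiceAPI, error)
@@ -317,6 +319,9 @@ type clientSession struct {
 userManagementErr error
 userManagementAPI usermanagementv2.UserManagementAPI
 
+iamConfigErr error
+iamServiceAPI iamv1.IAMServiceAPI
+
 icdConfigErr error
 icdServiceAPI icdv4.ICDServiceAPI
 
@@ -604,6 +609,11 @@ func (sess clientSession) UserManagementAPI() (usermanagementv2.UserManagementAP
 return sess.userManagementAPI, sess.userManagementErr
 }
 
+// IAMAPI provides IAM PAP APIs ...
+func (sess clientSession) IAMAPI() (iamv1.IAMServiceAPI, error) {
+return sess.iamServiceAPI, sess.iamConfigErr
+}
+
 // IAM Policy Management
 func (sess clientSession) IAMPolicyManagementV1API() (*iampolicymanagement.IamPolicyManagementV1, error) {
 return sess.iamPolicyManagementAPI, sess.iamPolicyManagementErr
@@ -1012,6 +1022,7 @@ func (c *Config) ClientSession() (interface{}, error) {
 session.catalogManagementClientErr = errEmptyBluemixCredentials
 session.powerConfigErr = errEmptyBluemixCredentials
 session.ibmpiConfigErr = errEmptyBluemixCredentials
+session.iamConfigErr = errEmptyBluemixCredentials
 session.userManagementErr = errEmptyBluemixCredentials
 session.certManagementErr = errEmptyBluemixCredentials
 session.vpcErr = errEmptyBluemixCredentials
@@ -1530,6 +1541,12 @@ func (c *Config) ClientSession() (interface{}, error) {
 }
 session.resourceControllerServiceAPIv2 = ResourceControllerAPIv2
 
+iam, err := iamv1.New(sess.BluemixSession)
+if err != nil {
+session.iamConfigErr = fmt.Errorf("Error occured while configuring Bluemix IAM Service: %q", err)
+}
+session.iamServiceAPI = iam
+
 userManagementAPI, err := usermanagementv2.New(sess.BluemixSession)
 if err != nil {
 session.userManagementErr = fmt.Errorf("Error occured while configuring user management service: %q", err)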
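Review bot: The new `iamConfigErr` is built with `%q`, which flattens the underlying error into a quoted string, so a caller of `IAMAPI()` cannot inspect the cause with `errors.Is`/`errors.As`. Assuming the module's Go version supports it, wrap the error and fix the spelling: `session.iamConfigErr = fmt.Errorf("Error occurred while configuring Bluemix IAM Service: %w", err)`. The same `%q` pattern is visible on the neighbouring user-management line, so this follows existing style, but new code need not repeat it. The doc comment `// IAMAPI provides IAM PAP APIs ...` trails off; something like `// IAMAPI returns the legacy bluemix-go IAM v1 client, used to look up authorization roles.` would say what the accessor is for. ClientSession's body continues outside the hunk.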
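--- a/ibm/resource_ibm_iam_authorization.policy_test.go
+++ b/ibm/resource_ibm_iam_authorization.policy_test.go
@@ -109,6 +109,25 @@ func TestAccIBMIAMAuthorizationPolicy_ResourceType(t *testing.T) {
 },
 })
 }
+func TestAccIBMIAMAuthorizationPolicyDelegatorRole(t *testing.T) {
+var conf iampolicymanagementv1.Policy
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+CheckDestroy: testAccCheckIBMIAMAuthorizationPolicyDestroy,
+Steps: []resource.TestStep{
+{
+Config: testAccCheckIBMIAMAuthorizationPolicyDelegatorRole(),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckIBMIAMAuthorizationPolicyExists("ibm_iam_authorization_policy.policy", conf),
+resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "source_service_name", "databases-for-redis"),
+resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "target_service_name", "kms"),
+),
+},
+},
+})
+}
 
 func testAccCheckIBMIAMAuthorizationPolicyDestroy(s *terraform.State) error {
 iamPolicyManagementClient, err := testAccProvider.Meta().(ClientSession).IAMPolicyManagementV1API()
@@ -214,6 +233,15 @@ func testAccCheckIBMIAMAuthorizationPolicyResourceType() string {
 }
 `
 }
+func testAccCheckIBMIAMAuthorizationPolicyDelegatorRole() string {
+return `
+resource "ibm_iam_authorization_policy" "policy" {
+source_service_name = "databases-for-redis"
+target_service_name = "kms"
+roles = ["Reader", "AuthorizationDelegator"]
+}
+`
+}
 
 func testAccCheckIBMIAMAuthorizationPolicyResourceGroup(sResourceGroup, tResourceGroup string) string {
 return fmt.Sprintf(`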
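Review bot: TestAccIBMIAMAuthorizationPolicyDelegatorRole never asserts on `roles`, so it would still pass if the applied policy were created with only `Reader` and `AuthorizationDelegator` were silently dropped. Since the granted roles are the security-relevant part of an authorization policy and the reason for this test, add a check such as `resource.TestCheckResourceAttr("ibm_iam_authorization_policy.policy", "roles.#", "2"),` next to the two service-name checks. A doc comment on the test saying that it covers a role resolved from the source/target pair rather than from the target service alone would also help.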
30 changes: 12 additions & 18 deletions ibm/resource_ibm_iam_authorization_policy.go
@@ -10,6 +10,7 @@ import (
"github.com/IBM/go-sdk-core/v5/core"
"github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"

"github.com/IBM-Cloud/bluemix-go/models"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

@@ -322,38 +323,31 @@ func resourceIBMIAMAuthorizationPolicyExists(d *schema.ResourceData, meta interf

func getAuthorizationRolesByName(roleNames []string, sourceServiceName string, targetServiceName string, meta interface{}) ([]iampolicymanagementv1.PolicyRole, error) {

iamPolicyManagementClient, err := meta.(ClientSession).IAMPolicyManagementV1API()
iamClient, err := meta.(ClientSession).IAMAPI()
if err != nil {
return []iampolicymanagementv1.PolicyRole{}, err
}
userDetails, err := meta.(ClientSession).BluemixUserDetails()
iamRepo := iamClient.ServiceRoles()
roles, err := iamRepo.ListAuthorizationRoles(sourceServiceName, targetServiceName)
convertedRoles := convertRoleModels(roles)
if err != nil {
return []iampolicymanagementv1.PolicyRole{}, err
}
listRoleOptions := &iampolicymanagementv1.ListRolesOptions{
AccountID: &userDetails.userAccount,
ServiceName: &targetServiceName,
}
roleList, resp, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
if err != nil || roleList == nil {
return []iampolicymanagementv1.PolicyRole{}, fmt.Errorf("[ERROR] Error in listing roles %s, %s", err, resp)
}
serviceRoles := roleList.ServiceRoles
convertedRoles := convertRoleModels(serviceRoles)
filteredRoles, err := getRolesFromRoleNames(roleNames, convertedRoles)
filteredRoles := []iampolicymanagementv1.PolicyRole{}
filteredRoles, err = getRolesFromRoleNames(roleNames, convertedRoles)
if err != nil {
return []iampolicymanagementv1.PolicyRole{}, err
}
return filteredRoles, nil
}

// ConvertRoleModels will transform role models returned from "/v1/roles" to the model used by policy
func convertRoleModels(serviceRoles []iampolicymanagementv1.Role) []iampolicymanagementv1.PolicyRole {
results := make([]iampolicymanagementv1.PolicyRole, len(serviceRoles))
for i, r := range serviceRoles {
func convertRoleModels(roles []models.PolicyRole) []iampolicymanagementv1.PolicyRole {
results := make([]iampolicymanagementv1.PolicyRole, len(roles))
for i, r := range roles {
results[i] = iampolicymanagementv1.PolicyRole{
RoleID: r.CRN,
DisplayName: r.DisplayName,
RoleID: core.StringPtr(r.ID.String()),
DisplayName: core.StringPtr(r.DisplayName),
}
}
return results
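Review bot: In getAuthorizationRolesByName, `convertedRoles := convertRoleModels(roles)` runs before the error from `ListAuthorizationRoles` is checked, so the result of a failed lookup is converted before it is rejected. These roles end up in a service-to-service authorization policy, so the lookup should fail closed first: move the conversion below the `if err != nil` return. The empty `filteredRoles := []iampolicymanagementv1.PolicyRole{}` initialisation is overwritten on the next line and can be folded into `filteredRoles, err := getRolesFromRoleNames(roleNames, convertedRoles)`. The comment above convertRoleModels still refers to "/v1/roles", which may no longer describe where the role models come from and is worth confirming.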