Added new resource attribute service_type for access policies

ibm/data_source_ibm_iam_service_policy.go

@@ -87,6 +87,11 @@ func dataSourceIBMIAMServicePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "ID of the resource group.",
 									},
+									"service_type": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service type of the policy definition",
+									},
 								},
 							},
 						},

ibm/data_source_ibm_iam_trusted_profile_policy.go

@@ -87,6 +87,11 @@ func dataSourceIBMIAMTrustedProfilePolicy() *schema.Resource {
 										Computed:    true,
 										Description: "ID of the resource group.",
 									},
+									"service_type": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service type of the policy definition",
+									},
 								},
 							},
 						},

ibm/data_source_ibm_iam_user_policy.go

@@ -78,6 +78,11 @@ func dataSourceIBMIAMUserPolicy() *schema.Resource {
 										Computed:    true,
 										Description: "ID of the resource group.",
 									},
+									"service_type": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: "Service type of the policy definition",
+									},
 								},
 							},
 						},

ibm/resource_ibm_iam_access_group_policy.go

@@ -90,6 +90,12 @@ func resourceIBMIAMAccessGroupPolicy() *schema.Resource {
 							Description: "ID of the resource group.",
 						},
 
+						"service_type": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service type of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,

ibm/resource_ibm_iam_access_group_policy_test.go

@@ -73,6 +73,28 @@ func TestAccIBMIAMAccessGroupPolicy_With_Service(t *testing.T) {
 	})
 }
 
+func TestAccIBMIAMAccessGroupPolicy_With_ServiceType(t *testing.T) {
+	var conf iampolicymanagementv1.Policy
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMIAMAccessGroupPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccCheckIBMIAMAccessGroupPolicyServiceType(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMAccessGroupPolicyExists("ibm_iam_access_group_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_access_group.accgrp", "name", name),
+					resource.TestCheckResourceAttr("ibm_iam_access_group_policy.policy", "resources.0.service_type", "service"),
+					resource.TestCheckResourceAttr("ibm_iam_access_group_policy.policy", "roles.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMIAMAccessGroupPolicy_With_ResourceInstance(t *testing.T) {
 	var conf iampolicymanagementv1.Policy
 	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
@@ -381,6 +403,26 @@ func testAccCheckIBMIAMAccessGroupPolicyService(name string) string {
 	`, name)
 }
 
+func testAccCheckIBMIAMAccessGroupPolicyServiceType(name string) string {
+	return fmt.Sprintf(`
+
+		resource "ibm_iam_access_group" "accgrp" {
+			name = "%s"
+  		}
+
+		resource "ibm_iam_access_group_policy" "policy" {
+			access_group_id = ibm_iam_access_group.accgrp.id
+			roles        = ["Viewer"]
+
+			resources {
+				service_type = "service"
+				region = "us-south"
+			}
+		  }
+
+	`, name)
+}
+
 func testAccCheckIBMIAMAccessGroupPolicyUpdateServiceAndRegion(name string) string {
 	return fmt.Sprintf(`
 

ibm/resource_ibm_iam_service_policy.go

@@ -99,6 +99,12 @@ func resourceIBMIAMServicePolicy() *schema.Resource {
 							Description: "ID of the resource group.",
 						},
 
+						"service_type": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service type of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,

ibm/resource_ibm_iam_service_policy_test.go

@@ -76,6 +76,28 @@ func TestAccIBMIAMServicePolicy_With_Service(t *testing.T) {
 	})
 }
 
+func TestAccIBMIAMServicePolicy_With_ServiceType(t *testing.T) {
+	var conf iampolicymanagementv1.Policy
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMIAMServicePolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMServicePolicyServiceType(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMServicePolicyExists("ibm_iam_service_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_service_id.serviceID", "name", name),
+					resource.TestCheckResourceAttr("ibm_iam_service_policy.policy", "resources.0.service_type", "service"),
+					resource.TestCheckResourceAttr("ibm_iam_service_policy.policy", "roles.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMIAMServicePolicy_With_ResourceInstance(t *testing.T) {
 	var conf iampolicymanagementv1.Policy
 	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
@@ -362,6 +384,25 @@ func testAccCheckIBMIAMServicePolicyService(name string) string {
 	`, name)
 }
 
+func testAccCheckIBMIAMServicePolicyServiceType(name string) string {
+	return fmt.Sprintf(`
+
+		resource "ibm_iam_service_id" "serviceID" {
+			name = "%s"
+	  	}
+
+	  	resource "ibm_iam_service_policy" "policy" {
+			iam_service_id = ibm_iam_service_id.serviceID.id
+			roles          = ["Viewer"]
+
+			resources {
+				service_type = "service"
+				region = "us-south"
+			}
+	  	}
+	`, name)
+}
+
 func testAccCheckIBMIAMServicePolicyUpdateServiceAndRegion(name string) string {
 	return fmt.Sprintf(`
 

ibm/resource_ibm_iam_trusted_profile_policy.go

@@ -99,6 +99,12 @@ func resourceIBMIAMTrustedProfilePolicy() *schema.Resource {
 							Description: "ID of the resource group.",
 						},
 
+						"service_type": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service type of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,

ibm/resource_ibm_iam_trusted_profile_policy_test.go

@@ -76,6 +76,28 @@ func TestAccIBMIAMTrustedProfilePolicy_With_Service(t *testing.T) {
 	})
 }
 
+func TestAccIBMIAMTrustedProfilePolicy_With_ServiceType(t *testing.T) {
+	var conf iampolicymanagementv1.Policy
+	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMIAMTrustedProfilePolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMIAMTrustedProfilePolicyServiceType(name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMTrustedProfilePolicyExists("ibm_iam_trusted_profile_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_trusted_profile.profileID", "name", name),
+					resource.TestCheckResourceAttr("ibm_iam_trusted_profile_policy.policy", "resources.0.service_type", "service"),
+					resource.TestCheckResourceAttr("ibm_iam_trusted_profile_policy.policy", "roles.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMIAMTrustedProfilePolicy_With_ResourceInstance(t *testing.T) {
 	var conf iampolicymanagementv1.Policy
 	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
@@ -362,6 +384,25 @@ func testAccCheckIBMIAMTrustedProfilePolicyService(name string) string {
 	`, name)
 }
 
+func testAccCheckIBMIAMTrustedProfilePolicyServiceType(name string) string {
+	return fmt.Sprintf(`
+
+		resource "ibm_iam_trusted_profile" "profileID" {
+			name = "%s"
+	  	}
+
+	  	resource "ibm_iam_trusted_profile_policy" "policy" {
+			profile_id = ibm_iam_trusted_profile.profileID.id
+			roles          = ["Viewer"]
+
+			resources {
+				service_type = "service"
+				region = "us-south"
+			}
+	  	}
+	`, name)
+}
+
 func testAccCheckIBMIAMTrustedProfilePolicyUpdateServiceAndRegion(name string) string {
 	return fmt.Sprintf(`
 

ibm/resource_ibm_iam_user_policy.go

@@ -89,6 +89,12 @@ func resourceIBMIAMUserPolicy() *schema.Resource {
 							Description: "ID of the resource group.",
 						},
 
+						"service_type": {
+							Type:        schema.TypeString,
+							Optional:    true,
+							Description: "Service type of the policy definition",
+						},
+
 						"attributes": {
 							Type:        schema.TypeMap,
 							Optional:    true,

ibm/resource_ibm_iam_user_policy_test.go

@@ -70,6 +70,26 @@ func TestAccIBMIAMUserPolicy_With_Service(t *testing.T) {
 	})
 }
 
+func TestAccIBMIAMUserPolicy_With_ServiceType(t *testing.T) {
+	var conf iampolicymanagementv1.Policy
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckIBMIAMUserPolicyDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccCheckIBMIAMUserPolicyServiceType(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMIAMUserPolicyExists("ibm_iam_user_policy.policy", conf),
+					resource.TestCheckResourceAttr("ibm_iam_user_policy.policy", "resources.0.service_type", "service"),
+					resource.TestCheckResourceAttr("ibm_iam_user_policy.policy", "roles.#", "1"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccIBMIAMUserPolicy_With_ResourceInstance(t *testing.T) {
 	var conf iampolicymanagementv1.Policy
 	name := fmt.Sprintf("terraform_%d", acctest.RandIntRange(10, 100))
@@ -348,6 +368,23 @@ func testAccCheckIBMIAMUserPolicyService() string {
 	`, IAMUser)
 }
 
+func testAccCheckIBMIAMUserPolicyServiceType() string {
+	return fmt.Sprintf(`
+
+
+		resource "ibm_iam_user_policy" "policy" {
+			ibm_id = "%s"
+			roles  = ["Viewer"]
+
+			resources {
+				service_type = "service"
+				region = "us-south"
+			}
+	  	}
+
+	`, IAMUser)
+}
+
 func testAccCheckIBMIAMUserPolicyUpdateServiceAndRegion() string {
 	return fmt.Sprintf(`
 

ibm/structures.go

@@ -1213,6 +1213,7 @@ func flattenPolicyResource(list []iampolicymanagementv1.PolicyResource) []map[st
 			"resource_type":        getResourceAttribute("resourceType", i),
 			"resource":             getResourceAttribute("resource", i),
 			"resource_group_id":    getResourceAttribute("resourceGroupId", i),
+			"service_type":         getResourceAttribute("serviceType", i),
 		}
 		customAttributes := getCustomAttributes(i)
 		if len(customAttributes) > 0 {
@@ -2652,6 +2653,18 @@ func generatePolicyOptions(d *schema.ResourceData, meta interface{}) (iampolicym
 				}
 			}
 
+			if r, ok := r["service_type"]; ok && r != nil {
+				serviceName = r.(string)
+				if r.(string) != "" {
+					resourceAttr := iampolicymanagementv1.ResourceAttribute{
+						Name:     core.StringPtr("serviceType"),
+						Value:    core.StringPtr(r.(string)),
+						Operator: core.StringPtr("stringEquals"),
+					}
+					resourceAttributes = append(resourceAttributes, resourceAttr)
+				}
+			}
+
 			if r, ok := r["attributes"]; ok {
 				for k, v := range r.(map[string]interface{}) {
 					resourceAttributes = setResourceAttribute(core.StringPtr(k), core.StringPtr(v.(string)), resourceAttributes)

website/docs/r/iam_access_group_policy.html.markdown

@@ -69,6 +69,25 @@ resource "ibm_iam_access_group_policy" "policy" {
 
 ```
 
+### Access group policy using service_type with region
+
+```terraform
+resource "ibm_iam_access_group" "accgrp" {
+  name = "test"
+}
+
+resource "ibm_iam_access_group_policy" "policy" {
+  access_group_id = ibm_iam_access_group.accgrp.id
+  roles           = ["Viewer"]
+
+  resources {
+    service_type = "service"
+    region = "us-south"
+  }
+}
+
+```
+
 ### Access group policy using resource instance 
 The following example creates an IAM policy that grants members of the access group the IAM `Viewer` and `Administrator` platform role, and the `Manager` service access role to a single service instance. 
 
@@ -208,7 +227,8 @@ Review the argument references that you can specify for your resource.
   - `resource_type`  (Optional, String) The resource type of the policy definition.
   - `resource`  (Optional, String) The resource of the policy definition.
   - `resources.resource_group_id` - (Optional, String) The ID of the resource group. To retrieve the ID, run `ibmcloud resource groups` or use the `ibm_resource_group` data source.
-  - `service` - (Optional, String) The service name that you want to include in your policy definition. For account management services, you can find supported values in the [documentation](https://cloud.ibm.com/docs/account?topic=account-account-services#api-acct-mgmt). For other services, run the `ibmcloud catalog service-marketplace` command and retrieve the value from the **Name** column of your command line output.
+  - `service` - (Optional, String) The service name that you want to include in your policy definition. For account management services, you can find supported values in the [documentation](https://cloud.ibm.com/docs/account?topic=account-account-services#api-acct-mgmt). For other services, run the `ibmcloud catalog service-marketplace` command and retrieve the value from the **Name** column of your command line output. Attributes service, service_type are mutually exclusive.
+  - `service_type`  (Optional, String) The service type of the policy definition. **Note** Attributes service, service_type are mutually exclusive.
 
 - `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. **Note** Conflicts with `account_management` and `resources`.