Support to filter system-defined IAM role by display_name (#1105)

docs/data-sources/identity_custom_role.md

@@ -4,11 +4,9 @@ subcategory: "Identity and Access Management (IAM)"
 
 # huaweicloud\_identity\_custom\_role
 
-Use this data source to get the ID of an HuaweiCloud custom role.
+Use this data source to get the ID of an IAM **custom policy**.
 
-The Role in Terraform is the same as Policy on console. however,
-The policy name is the display name of Role, the Role name cannot
-be found on Console. 
+## Example Usage
 
 ```hcl
 data "huaweicloud_identity_custom_role" "role" {

docs/data-sources/identity_role.md

@@ -4,90 +4,102 @@ subcategory: "Identity and Access Management (IAM)"
 
 # huaweicloud\_identity\_role
 
-Use this data source to get the ID of an HuaweiCloud role.
+Use this data source to get the ID of an IAM **system-defined** role or policy.
 
-The Role in Terraform is the same as Policy on console. however,
-The policy name is the display name of Role, the Role name cannot
-be found on Console. please refer to the following table to configuration
-Role:
+The Role in Terraform is the same as Policy. We can get all **System-Defined Policies** form
+[HuaweiCloud](https://support.huaweicloud.com/intl/en-us/usermanual-permissions/iam_01_0001.html).
+Please refer to the following table to configuration:
 
-Role Name | Policy Name
----- | ---
-system_all_0 | All permissions of ECS service
-system_all_1 | Common permissions of ECS service, except installation, delete, reinstallation and so on
-system_all_2 | The read-only permissions to all ECS resources, which can be used for statistics and survey
-system_all_3 | The read-only permissions to all EVS resources, which can be used for statistics and survey
-system_all_4 | All permissions of EVS service
-system_all_5 | All permissions of VPC service
-system_all_6 | The read-only permissions to all VPC resources, which can be used for statistics and survey
-system_all_7 | The read-only permissions to all Document Database Service resources, which can be used for statistics and survey
-system_all_8 | DBA permissions of Document Database Service, except delete
-system_all_9 | All permissions of Document Database Service
-system_all_10 | DBA permissions of Relational Database Service, except delete
-system_all_11 | All permissions of Relational Database Service
-system_all_12 | The read-only permissions to all Relational Database Service resources, which can be used for statistics and survey
-system_all_13 | Cloud Container Engine Cluster Viewer
-system_all_14 | Cloud Container Engine Cluster Admin
-system_all_1001 | Full access to all resources
-secu_admin | Security Administrator
-te_admin | Tenant Administrator
-te_agency | Agent Operator
-readonly | Guest
-server_adm | Server Administrator
-as_adm | AutoScaling Administrator
-aos_adm | Application Orchestration Service Admin
-aos_dev | Application Orchestration Service Developer
-vbs_adm | Volume Backup Service Administrator
-tms_adm | Tag Management Service Administrator
-dcs_admin | Distributed Cache Service Administrator
-swr_adm | Software Repository Admin
-elb_adm | ELB Service Administrator
-dss_adm | Dedicated Storage Service Administrator
-dws_adm | Data Warehouse Service Administrator
-kms_adm | KMS Administrator
-ims_adm | IMS Administrator
-ddos_adm | Anti-DDoS Administrator
-dns_adm | DNS Administrator
-wks_adm | Workspace Administrator
-nat_adm | NAT Gateway Administrator
-cse_adm | Cloud Service Engine Admin
-rds_adm | RDS Administrator
-dis_adm | DIS Administrator
-sfs_adm | Scalable File Service Administrator
-smn_adm | SMN Administrator
-cts_adm | CTS Administrator
-apm_adm | Application Performance Monitor Admin
-mrs_adm | MRS Administrator
-ces_adm | CES Administrator
-rts_adm | RTS Service Administrator
-cce_adm | CCE Administrator
-cs_adm | Cloud Stream Service Tenant Administrator, can manage multiple CS users
-cs_user | Cloud Stream Service User
-dms_adm | DMS Administrator
-dps_adm | DPS Administrator
-mls_adm | Machine Learning Service Administrator
-css_adm | Cloud Search Service Administrator
-dds_adm | Document Database Service Administrator
-csbs_adm | Cloud Server Backup Service Administrator
-sdrs_adm | Storage Disaster Recovery Service Administrator
-svcstg_adm | ServiceStage Admin
-svcstg_dev | ServiceStage Developer
-svcstg_opr | ServiceStage Operator
-vpc_netadm | VPC Administrator
-vpcep_adm | VPCEndpoint service enables you to privately connect your VPC to supported services
+Display Name | Role/Policy Name | Description
+---- | --- | ---
+Server Administrator | server_adm | Server Administrator
+ECS FullAccess | system_all_3 | All permissions of ECS service
+ECS CommonOperations | system_all_1 | Permissions for basic ECS operations,such as start,stop restart a ECS,query ECS details,automatic recovery of ECSs and so on
+ECS ReadOnlyAccess | system_all_8 | The read-only permissions to all ECS resources, which can be used for statistics and survey
+IMS Administrator | ims_adm | IMS Administrator
+IMS FullAccess | system_all_16 | All permissions of Image Management Service
+IMS ReadOnlyAccess | system_all_22 | The read-only permissions to all IMS resources, which can be used for statistics and survey
+AutoScaling Administrator | as_adm | Auto Scaling administrator with full permissions
+AutoScaling FullAccess | system_all_23 | Full permissions for Auto Scaling
+AutoScaling ReadOnlyAccess | system_all_13 | Read-only permissions for Auto Scaling
+EVS FullAccess | system_all_6 | Full permissions for Elastic Volume Service, including creating, expanding, attaching, detaching, querying, and deleting EVS disks
+EVS ReadOnlyAccess | system_all_2 | Read-only permissions for Elastic Volume Service
+SFS Administrator | sfs_adm | Scalable File Service Administrator
+SFS FullAccess | system_all_58 | All permissions of SFS service
+SFS ReadOnlyAccess | system_all_57 | The read-only permissions to all SFS resources
+SFS Turbo FullAccess | system_all_99 | All permissions of SFS Turbo resources
+SFS Turbo ReadOnlyAccess | system_all_98 | The read-only permissions to all SFS Turbo resources
+OBS Administrator | system_all_159 | Object Storage Service Administrator
+OBS OperateAccess | system_all_72 | Basic operation permissions to view the bucket list, obtain bucket metadata, list objects in a bucket, query bucket location, upload objects, download objects, delete objects, and obtain object ACLs
+OBS ReadOnlyAccess | system_all_64 | Permissions to view the bucket list, obtain bucket metadata, list objects in a bucket, and query bucket location
+OBS Buckets Viewer | obs_b_list | Permissions to view the bucket list, obtain bucket metadata, and query bucket location
+CSBS Administrator | csbs_adm | Cloud Server Backup Service Administrator
+SDRS Administrator | sdrs_adm | Storage Disaster Recovery Service Administrator
+VPC Administrator | vpc_netadm | VPC Administrator
+VPC FullAccess | system_all_7 | All permissions of VPC service
+VPC ReadOnlyAccess | system_all_5 | The read-only permissions to all VPC resources, which can be used for statistics and survey
+ELB Administrator | elb_adm | Elastic Load Balance administrator with full permissions for this service
+ELB FullAccess | system_all_56 | All permissions of ELB service
+ELB ReadOnlyAccess | system_all_55 | Read-only permissions for Elastic Load Balance
+DNS Administrator | dns_adm | DNS Administrator
+DNS FullAccess | system_all_102 | Allow users to perform all operations, including creating, deleting, querying, and modifying DNS resources
+DNS ReadOnlyAccess | system_all_103 | Read-only permissions, which only allow users to query DNS resources
+NAT Administrator | nat_adm | NAT Gateway administrator with full permissions for this service
+NAT FullAccess | system_all_75 | All permissions of NAT Gateway service
+NAT ReadOnlyAccess | system_all_76 | The read-only permissions to all NAT Gateway resources
+VPCEndpoint Administrator | vpcep_adm | VPCEndpoint service enables you to privately connect your VPC to supported services
+RDS Administrator | rds_adm | RDS Administrator
+RDS FullAccess | system_all_14 | Full permissions for Relational Database Service
+RDS ReadOnlyAccess | system_all_12 | Read-only permissions for Relational Database Service
+DDS Administrator | dds_adm | Document Database Service Administrator
+CCE Administrator | cce_adm | CCE Administrator
+CCE FullAccess | system_all_32 | Common operation permissions on CCE cluster resources
+CCE ReadOnlyAccess | system_all_31 | Permissions to view CCE cluster resources, excluding the namespace-level permissions of the clusters (with Kubernetes RBAC enabled)
+CSS FullAccess | system_all_153 | All permissions for Cloud Search Service
+CSS ReadOnlyAccess | system_all_154 | Read-only permissions for viewing Cloud Search Service
+ServiceStage Administrator | svcstg_adm | ServiceStage administrator, who has full permissions for this service
+ServiceStage Developer | svcstg_dev | ServiceStage developer, who has full permissions for this service but does not have the permission for creating infrastructure
+ServiceStage Operator | svcstg_opr | ServiceStage operator, who has the read-only permission for this service
+Anti-DDoS Administrator | ddos_adm | Anti-DDoS Administrator
+APM Administrator | apm_adm | Application Performance Monitor Admin
+BCS Administrator | bcs_adm | BlockChain Service Administrator
+CES Administrator | ces_adm | CES Administrator
+CS Tenant Admin | cs_adm | Cloud Stream Service Tenant Administrator, can manage multiple CS users
+CS Tenant User | cs_user | Cloud Stream Service User
+CTS Administrator | cts_adm | CTS Administrator
+DCS Administrator | dcs_admin | Distributed Cache Service Administrator
+DIS Administrator | dis_adm | DIS Administrator
+KMS Administrator | kms_adm | KMS Administrator
+MRS Administrator | mrs_adm | MRS Administrator
+SWR Admin | swr_adm | Software Repository Admin
+SMN Administrator | smn_adm | SMN Administrator
+TMS Administrator | tms_adm | Tag Management Service Administrator
+Security Administrator | secu_admin | Full permissions for Identity and Access Management
+Tenant Administrator | te_admin | Tenant Administrator (Exclude IAM)
+Tenant Guest | readonly | Tenant Guest (Exclude IAM)
+EPS FullAccess | system_all_10 | All operations on the Enterprise Project Management service
+FullAccess | system_all_1001 | Full permissions for all services that support policy-based authorization
+
+## Example Usage
 
 ```hcl
-data "huaweicloud_identity_role" "auth_admin" {
-  name = "secu_admin"
+data "huaweicloud_identity_role" "kms_adm" {
+  display_name = "KMS Administrator"
 }
 ```
 
 ## Argument Reference
 
-* `name` - (Required, String) The name of the role.
+* `display_name` - (Optional, String; Required if `name` is empty) Specifies the display name of the role displayed on the console.
+
+* `name` - (Optional, String; Required if `display_name` is empty) Specifies the name of the role for internal use.
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
-* `id` - Specifies a data source ID in UUID format.
+* `id` - The data source ID in UUID format.
+* `description` - The description of the policy.
+* `catalog` - The service catalog of the policy.
+* `type` - The display mode of the policy.
+* `policy` - The content of the policy.

docs/resources/identity_role.md

@@ -4,7 +4,7 @@ subcategory: "Identity and Access Management (IAM)"
 
 # huaweicloud\_identity\_role
 
-Manages a Custom Policy resource within HuaweiCloud IAM service.
+Manages a **Custom Policy** resource within HuaweiCloud IAM service.
 
 Note: You _must_ have admin privileges in your HuaweiCloud cloud to use
 this resource.

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/hashicorp/terraform-plugin-sdk v1.16.0
-	github.com/huaweicloud/golangsdk v0.0.0-20210429115535-b33d1a7b88e5
+	github.com/huaweicloud/golangsdk v0.0.0-20210507120834-b552827e340b
 	github.com/jen20/awspolicyequivalence v1.1.0
 	github.com/smartystreets/goconvey v0.0.0-20190222223459-a17d461953aa // indirect
 	github.com/stretchr/testify v1.4.0

go.sum

@@ -206,6 +206,8 @@ github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/huaweicloud/golangsdk v0.0.0-20210429115535-b33d1a7b88e5 h1:dTowzMwLUi1BmweYzwLUsgvU+zrCCWt5oQa0ky55e8g=
 github.com/huaweicloud/golangsdk v0.0.0-20210429115535-b33d1a7b88e5/go.mod h1:fcOI5u+0f62JtJd7zkCch/Z57BNC6bhqb32TKuiF4r0=
+github.com/huaweicloud/golangsdk v0.0.0-20210507120834-b552827e340b h1:OeZOWN5e0rgLXwu+4x9NHFVzyO5eI87oTzOWWoZ6Nx4=
+github.com/huaweicloud/golangsdk v0.0.0-20210507120834-b552827e340b/go.mod h1:fcOI5u+0f62JtJd7zkCch/Z57BNC6bhqb32TKuiF4r0=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.9 h1:UauaLniWCFHWd+Jp9oCEkTBj8VO/9DKg3PV3VCNMDIg=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=

huaweicloud/data_source_huaweicloud_identity_custom_role.go

@@ -103,8 +103,8 @@ func dataSourceIdentityCustomRoleRead(d *schema.ResourceData, meta interface{})
 
 	if len(allRoles) > 1 {
 		log.Printf("[DEBUG] Multiple results found: %#v", allRoles)
-		return fmt.Errorf("Your query returned more than one result. Please try a more " +
-			"specific search criteria.")
+		return fmt.Errorf("Your query returned more than one result. " +
+			"Please try a more specific search criteria.")
 	}
 	role := allRoles[0]
 

huaweicloud/data_source_huaweicloud_identity_role.go

@@ -1,6 +1,7 @@
 package huaweicloud
 
 import (
+	"encoding/json"
 	"fmt"
 	"log"
 
@@ -15,8 +16,30 @@ func DataSourceIdentityRoleV3() *schema.Resource {
 
 		Schema: map[string]*schema.Schema{
 			"name": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				AtLeastOneOf: []string{"name", "display_name"},
+			},
+			"display_name": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				AtLeastOneOf: []string{"name", "display_name"},
+			},
+			"description": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"catalog": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"type": {
 				Type:     schema.TypeString,
-				Required: true,
+				Computed: true,
+			},
+			"policy": {
+				Type:     schema.TypeString,
+				Computed: true,
 			},
 		},
 	}
@@ -31,7 +54,8 @@ func dataSourceIdentityRoleV3Read(d *schema.ResourceData, meta interface{}) erro
 	}
 
 	listOpts := roles.ListOpts{
-		Name: d.Get("name").(string),
+		Name:        d.Get("name").(string),
+		DisplayName: d.Get("display_name").(string),
 	}
 
 	log.Printf("[DEBUG] List Options: %#v", listOpts)
@@ -54,8 +78,8 @@ func dataSourceIdentityRoleV3Read(d *schema.ResourceData, meta interface{}) erro
 
 	if len(allRoles) > 1 {
 		log.Printf("[DEBUG] Multiple results found: %#v", allRoles)
-		return fmt.Errorf("Your query returned more than one result. Please try a more " +
-			"specific search criteria, or set `most_recent` attribute to true.")
+		return fmt.Errorf("Your query returned more than one result. " +
+			"Please try a more specific search criteria.")
 	}
 	role = allRoles[0]
 
@@ -69,6 +93,16 @@ func dataSourceIdentityRoleV3Attributes(d *schema.ResourceData, config *config.C
 
 	d.SetId(role.ID)
 	d.Set("name", role.Name)
+	d.Set("description", role.Description)
+	d.Set("display_name", role.DisplayName)
+	d.Set("catalog", role.Catalog)
+	d.Set("type", role.Type)
+
+	policy, err := json.Marshal(role.Policy)
+	if err != nil {
+		return fmt.Errorf("Error marshalling policy: %s", err)
+	}
+	d.Set("policy", string(policy))
 
 	return nil
 }

huaweicloud/data_source_huaweicloud_identity_role_test.go

@@ -19,10 +19,19 @@ func TestAccIdentityRoleDataSource_basic(t *testing.T) {
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccIdentityRoleDataSource_basic,
+				Config: testAccIdentityRoleDataSource_by_name,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckIdentityDataSourceID(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "name", "secu_admin"),
+					resource.TestCheckResourceAttr(resourceName, "name", "system_all_64"),
+					resource.TestCheckResourceAttr(resourceName, "display_name", "OBS ReadOnlyAccess"),
+				),
+			},
+			{
+				Config: testAccIdentityRoleDataSource_by_displayname,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIdentityDataSourceID(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "name", "kms_adm"),
+					resource.TestCheckResourceAttr(resourceName, "display_name", "KMS Administrator"),
 				),
 			},
 		},
@@ -44,8 +53,14 @@ func testAccCheckIdentityDataSourceID(n string) resource.TestCheckFunc {
 	}
 }
 
-const testAccIdentityRoleDataSource_basic = `
+const testAccIdentityRoleDataSource_by_name = `
+data "huaweicloud_identity_role" "role_1" {
+  # OBS ReadOnlyAccess
+  name = "system_all_64"
+}
+`
+const testAccIdentityRoleDataSource_by_displayname = `
 data "huaweicloud_identity_role" "role_1" {
-  name = "secu_admin"
+  display_name = "KMS Administrator"
 }
 `