feat: add new iam access group module

.github/settings.yml

@@ -7,23 +7,11 @@
 #
 _extends: repo-settings:.github/common-settings-v2.yml
 
-# repo-specific settings
-#
 repository:
-  # See https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=module-names-and-descriptions
-
   # By changing this field, you rename the repository.
-
-  # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: "terraform-ibm-iam-access-group"
 
   # The description is displayed under the repository name on the
   # organization page and in the 'About' section of the repository.
-
-  # Uncomment this description property
-  # and update the description to the current repo description.
-  # description: ""
-
-  # Uncomment this topics property
-  # and add a comma-separated list of topics to set on the repo.
-  # topics: terraform, ibm-cloud, terraform-module
+  description: "This module is used to create an acess group, adding members to access group, defining the acces group policy and adding dynamic rules to access group."
+  topics: terraform, ibm-cloud, terraform-module, iam, access-group, core-team

README.md

@@ -1,107 +1,26 @@
 <!-- BEGIN MODULE HOOK -->
 
-<!-- Update the title to match the module name and add a description -->
-# Terraform Modules Template Project
+# IAM Access Group Module
 <!-- UPDATE BADGE: Update the link for the following badge-->
-[![Incubating (Not yet consumable)](https://img.shields.io/badge/status-Incubating%20(Not%20yet%20consumable)-red)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
+[![Stable (With quality checks)](https://img.shields.io/badge/Status-Stable%20(With%20quality%20checks)-green)](https://terraform-ibm-modules.github.io/documentation/#/badge-status)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
-[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-module-template?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-module-template/releases/latest)
+[![latest release](https://img.shields.io/github/v/release/terraform-ibm-modules/terraform-ibm-iam-access-group?logo=GitHub&sort=semver)](https://github.com/terraform-ibm-modules/terraform-ibm-iam-access-group/releases/latest)
 [![Renovate enabled](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com/)
 [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
 
-<!-- BEGIN TOC HOOK -->
-Table of Contents
-====================
 
-* [Terraform modules](#Terraform-modules)
-    * [Terraform Modules Template Project](#Terraform-Modules-Template-Project)
-* [Examples](#Examples)
-* [Contributing](#Contributing)
-<!-- END TOC HOOK -->
+This module is used to create an acess group, adding members to access group, defining the acces group policy and adding dynamic rules to access group. Access groups can be used to define a set of permissions that you want to grant to a group of users.
+<!-- BEGIN OVERVIEW HOOK -->
+## Overview
+* [terraform-ibm-iam-access-group](#terraform-ibm-iam-access-group)
+* [Examples](./examples)
+    * [Basic example](./examples/basic)
+* [Contributing](#contributing)
 
-<!-- Remove the content in this H2 heading after completing the steps -->
+## terraform-ibm-iam-access-group
+<!-- END OVERVIEW HOOK -->
 
-## Submit a new module
-
-:+1::tada: Thank you for taking the time to contribute! :tada::+1:
-
-This template repository exists to help you create Terraform modules for IBM Cloud.
-
-The default structure includes the following files:
-
-- `README.md`: A description of the module
-- `main.tf`: The logic for the module
-- `version.tf`: The required terraform and provider versions
-- `variables.tf`: The input variables for the module
-- `outputs.tf`: The values that are output from the module
-
-Use nested modules to split complex behavior into smaller modules that advanced users can choose from. Put nested modules under a `/modules` subdirectory. If you include more than one nested module, make the submodules [composable](https://developer.hashicorp.com/terraform/language/modules/develop/composition) by the caller. In other words, don't embed calls between submodules to create a deeply nested tree of modules.
-For more information, see [Module structure](https://terraform-ibm-modules.github.io/documentation/#/module-structure) in the project documentation.
-
-You can add other content to support what your module does and how it works. For example, you might add a `scripts/` directory that contains shell scripts that are run by a `local-exec` `null_resource` in the Terraform module.
-
-Follow this process to create and submit a Terraform module.
-
-### Create a repo from this repo template
-
-1.  Create a repository from this repository template by clicking `Use this template` in the upper right of the GitHub UI.
-&emsp;&emsp;&emsp;&emsp;<br>For more information about creating a repository from a template, see the [GitHub docs](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template).
-1.  Select `terraform-ibm-modules` as the owner.
-1.  Enter a name for the module in format `terraform-ibm-<name>`, where `<name>` reflects the type of infrastructure that the module manages.
-&emsp;&emsp;&emsp;&emsp;<br>Use hyphens as delimiters for names with multiple words (for example, terraform-ibm-`activity-tracker`).
-1.  Provide a short description of the module.
-&emsp;&emsp;&emsp;&emsp;<br>The description is displayed under the repository name on the [organization page](https://github.com/terraform-ibm-modules) and in the **About** section of the repository. Use the description to help users understand the purpose of your module. For more information, see [module names and descriptions](https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=module-names-and-descriptions) in the docs.
-
-### Clone the repo and set up your development environment
-
-Locally clone the new repository and set up your development environment by completing the tasks in [Local development setup](https://terraform-ibm-modules.github.io/documentation/#/local-dev-setup) in the project documentation.
-
-### Update the repo name and description in source control
-
-To help make sure that the repo name and description are not changed except through pull requests, they are defined in the `settings.yml` file.
-
-Check to make sure that values are uncommented and correct:
-
-1.  Open the [settings.yml](.github/settings.yml) file.
-1.  If not already updated, uncomment the `name` and `description` properties and set the values to what you specified when you requested the repo.
-
-### Update the Terraform files
-
-Implement the logic for your module by updating the `main.tf`, `version.tf`, `variables.tf`, and `outputs.tf` Terraform files. For more information, see [Creating Terraform on IBM Cloud templates](https://cloud.ibm.com/docs/ibm-cloud-provider-for-terraform?topic=ibm-cloud-provider-for-terraform-create-tf-config).
-
-### Create examples and tests
-
-Add one or more examples in the `examples` directory that consume your new module, and configure tests for them in the `tests` directory. For more information about tests, see [Tests](https://terraform-ibm-modules.github.io/documentation/#/tests).
-
-### Update the content in the readme file
-
-After you implement the logic for your module and create examples and tests, update this readme file in your repository by following these steps:
-
-1.  Update the title heading and add a description about your module.
-1.  Update the badge links.
-1.  Remove all the content in this H2 heading section.
-1.  Complete the [Usage](#usage) and [Required IAM access policies](#required-iam-access-policies) sections. The [Examples](#examples) and [Requirements](#requirements) section are populated by a pre-commit hook.
-
-### Commit your code and submit your module for review
-
-1.  Before you commit any code, review [Contributing to the IBM Cloud Terraform modules project](https://terraform-ibm-modules.github.io/documentation/#/contribute-module) in the project documentation.
-1.  Create a pull request for review.
-
-### Post-merge steps
-
-After the first PR for your module is merged, follow these post-merge steps:
-
-<!-- Remove the content in this previous H2 heading -->
-## Reference architectures
-
-<!--
-Add links to any reference architectures for this module.
-(Usually in the `/reference-architectures` directory.)
-See "Reference architecture" in Authoring Guidelines in the public documentation at
-https://terraform-ibm-modules.github.io/documentation/#/implementation-guidelines?id=reference-architecture
--->
-
-## Usage
+### Usage
 
 <!--
 Add an example of the use of the module in the following code block.
@@ -111,69 +30,91 @@ unless real values don't help users know what to change.
 -->
 
 ```hcl
-
+provider "ibm" {
+  ibmcloud_api_key = "XXXXXXXXXX" # pragma: allowlist secret
+  region           = "us-south"
+}
+
+module "iam_service_access_group" {
+  source            = "terraform-ibm-modules/terraform-ibm-iam-access-group"
+  version           = "latest" # Replace "latest" with a release version to lock into a specific release
+  access_group_name = "my-iam-access-group"
+  dynamic_rules     = {
+                        rule-name = {
+                        expiration        = 3
+                        identity_provider = "https://idp-test.example.org/SAML2"
+                        conditions = [{
+                            claim    = "my_claim"
+                            operator = "CONTAINS"
+                            value    = "my_test_value"
+                        }]
+                        }
+                    }
+  policies          = {
+                        my_policy_1 = {
+                            roles = ["Viewer"]
+                            tags  = ["iam-service-policy-1"]
+                        }
+                        my_policy_2 = {
+                            roles = ["Viewer"]
+                            tags  = ["iam-service-policy-2"]
+                        }
+                    }
+  ibm_ids           = ["your_ibm_id_email"]
+}
 ```
 
-## Required IAM access policies
+### Required IAM access policies
 
-<!-- PERMISSIONS REQUIRED TO RUN MODULE
-If this module requires permissions, uncomment the following block and update
-the sample permissions, following the format.
-Replace the sample Account and IBM Cloud service names and roles with the
-information in the console at
-Manage > Access (IAM) > Access groups > Access policies.
--->
-
-<!--
-You need the following permissions to run this module.
-
-- Account Management
-    - **Sample Account Service** service
-        - `Editor` platform access
-        - `Manager` service access
-    - IAM Services
-        - **Sample Cloud Service** service
-            - `Administrator` platform access
--->
-
-<!-- NO PERMISSIONS FOR MODULE
-If no permissions are required for the module, uncomment the following
-statement instead the previous block.
--->
-
-<!-- No permissions are needed to run this module.-->
+If an account has service ID creation blocked (which an fscloud compliant account will), you need to explicitly grant “Service ID creator” to users in order to be able to grant access.
+For more information, see [Creating and working with service IDs](https://cloud.ibm.com/docs/account?topic=account-serviceids&interface=ui).
 <!-- END MODULE HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
+### Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.51.0 |
 
-## Modules
+### Modules
 
 No modules.
 
-## Resources
-
-No resources.
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-No outputs.
+### Resources
+
+| Name | Type |
+|------|------|
+| [ibm_iam_access_group.access_group](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group) | resource |
+| [ibm_iam_access_group_dynamic_rule.access_group_dynamic_rule](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group_dynamic_rule) | resource |
+| [ibm_iam_access_group_members.access_group_members](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group_members) | resource |
+| [ibm_iam_access_group_policy.policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_access_group_policy) | resource |
+| [ibm_iam_access_group.access_group_data](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_access_group) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_group_name"></a> [access\_group\_name](#input\_access\_group\_name) | Name of the access group | `string` | n/a | yes |
+| <a name="input_add_members"></a> [add\_members](#input\_add\_members) | Enable this to add members to access group | `bool` | `true` | no |
+| <a name="input_description"></a> [description](#input\_description) | Description to access group | `string` | `null` | no |
+| <a name="input_dynamic_rules"></a> [dynamic\_rules](#input\_dynamic\_rules) | list of dynamic rules | <pre>map(object({<br>    expiration        = number<br>    identity_provider = string<br>    conditions = list(object({<br>      claim    = string<br>      operator = string<br>      value    = string<br>    }))<br>  }))</pre> | n/a | yes |
+| <a name="input_ibm_ids"></a> [ibm\_ids](#input\_ibm\_ids) | A list of IBM IDs that you want to add to the access group. | `list(string)` | `null` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | list of policies | <pre>map(object({<br>    roles              = list(string)<br>    account_management = optional(bool)<br>    tags               = set(string)<br>    resources = optional(list(object({<br>      region               = optional(string)<br>      attributes           = optional(map(string))<br>      service              = optional(string)<br>      resource_instance_id = optional(string)<br>      resource_type        = optional(string)<br>      resource             = optional(string)<br>      resource_group_id    = optional(string)<br>    })))<br>    resource_attributes = optional(list(object({<br>      name     = string<br>      value    = string<br>      operator = optional(string)<br>    })))<br>  }))</pre> | n/a | yes |
+| <a name="input_provision"></a> [provision](#input\_provision) | Would you like to provision a new access group (true/false) | `bool` | `true` | no |
+| <a name="input_service_ids"></a> [service\_ids](#input\_service\_ids) | A list of service IDS that you want to add to the access group. | `list(string)` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags that should be applied to the service | `list(string)` | `null` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dynamic_rule_ids"></a> [dynamic\_rule\_ids](#output\_dynamic\_rule\_ids) | List of access group dynamic rule IDs |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the access group |
+| <a name="output_member_id"></a> [member\_id](#output\_member\_id) | The unique identifier of the access group members. |
+| <a name="output_policy_ids"></a> [policy\_ids](#output\_policy\_ids) | List of access group policy IDs |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
-<!-- BEGIN EXAMPLES HOOK -->
-## Examples
-
-- [ Basic example](examples/basic)
-- [ Complete example](examples/complete)
-<!-- END EXAMPLES HOOK -->
-
 <!-- BEGIN CONTRIBUTING HOOK -->
 
 <!-- Leave this section as is so that your module has a link to local development environment set up steps for contributors to follow -->

examples/basic/README.md

@@ -4,5 +4,7 @@
 <!-- The text below should describe exactly what resources are provisioned / configured by the example  -->
 
 An end-to-end basic example that will provision the following:
-- A new resource group if one is not passed in.
-- A new Cloud Object Storage instance.
+- A new IBM IAM access group
+- A new IBM IAM access group members
+- A new IBM IAM access group policy
+- A new IBM IAM access group dynamic rule

examples/basic/main.tf

@@ -1,24 +1,11 @@
 ##############################################################################
-# Resource group
+# IBM IAM Access Group
 ##############################################################################
 
-module "resource_group" {
-  source  = "terraform-ibm-modules/resource-group/ibm"
-  version = "1.0.5"
-  # if an existing resource group is not set (null) create a new one using prefix
-  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
-  existing_resource_group_name = var.resource_group
-}
-
-##############################################################################
-# COS instance
-##############################################################################
-
-resource "ibm_resource_instance" "cos_instance" {
-  name              = "${var.prefix}-cos"
-  resource_group_id = module.resource_group.resource_group_id
-  service           = "cloud-object-storage"
-  plan              = "standard"
-  location          = "global"
-  tags              = var.resource_tags
+module "ibm_iam_access_group" {
+  source            = "../.."
+  policies          = var.policies
+  access_group_name = "${var.prefix}-access-group"
+  dynamic_rules     = var.dynamic_rules
+  ibm_ids           = var.ibm_ids
 }

examples/basic/outputs.tf

@@ -1,18 +1,3 @@
 ##############################################################################
 # Outputs
 ##############################################################################
-
-output "cos_instance_id" {
-  description = "COS instance id"
-  value       = ibm_resource_instance.cos_instance.id
-}
-
-output "resource_group_name" {
-  description = "Resource group name"
-  value       = module.resource_group.resource_group_name
-}
-
-output "resource_group_id" {
-  description = "Resource group ID"
-  value       = module.resource_group.resource_group_id
-}

examples/basic/provider.tf

@@ -4,5 +4,4 @@
 
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
-  region           = var.region
 }