terraform-provider-dynatrace
[Feature Request] Create New groups and assign users
Hi, we would like to have the ability to create groups and optionally also assign users. So a self-service based on Terraform would be possible to create a new management zone or environment, create a group with permissions to that zone or env and assign users (also possibly done automatically by mapping the group name to SSO or LDAP groups). Thanks, great work!
Best Joerg
We're planning to add the ability to create Environments by the end of June. For that we'll be required to target additional REST APIs other than the Config API anyway. I'm going to plan in your suggestions right after Environment Creation.
Would you be able and willing to contribute some samples regarding this feature request, showing what the HCL code could look like? It doesn't need to be complete and thoroughly perfect. It would just give me an idea of how users expect the Terraform files to look.
I will keep this issue open for the time being as a way to communicate.
@Dynatrace-Reinhard-Pilz Sure, I would like to participate.
First mockup. Maybe the environments in the list of permissions could also be done by name and the provider gets the GUIDs.
resource "dynatrace_usergroup" "group" {
  name                                     = "dynatrace_users"
  isClusterAdminGroup                      = false
  isAccessAccount                          = true
  isManageAccount                          = true
  hasAccessAccountRole                     = true
  hasManageAccountAndViewProductUsageRole  = true

  ldapGroupNames = [
    "dynatrace_user_group",
    "dynatrace_admin_group",
  ]
  ssoGroupNames = [
    "dynatrace_user_group",
    "dynatrace_admin_group",
  ]

  # permission => list of environment GUIDs the permission applies to
  accessRight = {
    VIEWER                         = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
    MANAGE_SETTINGS                = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
    AGENT_INSTALL                  = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
    VIEW_SENSITIVE_REQUEST_DATA    = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
    CONFIGURE_REQUEST_CAPTURE_DATA = ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
  }
}
You're right, it would be preferable to work without GUIDs here. I'll try to stick with your proposal for the first version of this feature.
Hi, could you tell when this resource could be added? We need an automatic way to easily create groups and add users in a managed cluster. Would be nice to do that within our existing config pipeline :)
Best Joerg
Hi, any new updates to this? Could you tell if this is coming in the next versions? Best Joerg
Hello Joerg,
Sorry for the delays here. We're currently busy with preparations for Perform 2022. I'm planning to release a new version in the week of Feb 14th. User Groups will be among the new features.
best regards, Reinhard
Hi, I currently get an error when I create a dynatrace_user_group
╷
│ Error: Post "/api/v1.0/onpremise/groups": unsupported protocol scheme ""
│
│ with module.dev.dynatrace_user_group.user_groups[0],
│ on modules/environment/user-groups.tf line 1, in resource "dynatrace_user_group" "user_groups":
│ 1: resource "dynatrace_user_group" "user_groups" {
│
╵
my code:
resource "dynatrace_user_group" "user_groups" {
  count = length(var.user_groups)
  name  = var.user_groups[count.index].name

  permissions {
    dynamic "grant" {
      for_each = var.user_groups[count.index].permissions
      content {
        permission   = grant.value
        environments = [var.stage]
      }
    }
  }
}
my var:
user_groups = [
  {
    name        = "DEV-DT-SRE",
    permissions = ["VIEWER", "VIEW_SENSITIVE_REQUEST_DATA"]
  },
  {
    name        = "DEV-DT-TSM",
    permissions = ["VIEWER", "VIEW_SENSITIVE_REQUEST_DATA"]
  }
]
Hello Joerg,
Can you check what the configuration of your provider looks like?
In order to use the resources that target the Cluster REST API you need to specify dt_cluster_url and dt_cluster_api_token, similarly to this:
dt_cluster_api_token = "dt0c01.###############"
dt_cluster_url = "https://<hostname-or-ip>"
The properties dt_env_url and dt_api_token are still required if you want to configure a specific environment.
I might have mentioned these two additional configuration parameters in previous release notes, but I have to shamefully admit that they are not yet to be found anywhere within the documentation. This will be taken care of with the next bug fix release.
ahh... 👍
Unfortunately there is a new error during terraform apply.
╷
│ Error: invalid character '<' looking for beginning of value
│
│ with module.dev.dynatrace_user_group.user_groups[0],
│ on modules/environment/user-groups.tf line 1, in resource "dynatrace_user_group" "user_groups":
│ 1: resource "dynatrace_user_group" "user_groups" {
│
╵
terraform plan looks okay, I think.
# module.dev.dynatrace_user_group.user_groups[1] will be created
+ resource "dynatrace_user_group" "user_groups" {
+ id = (known after apply)
+ name = "DEV-DT-TSM"
+ permissions {
+ grant {
+ environments = [
+ "gb6aa68e-0670-6h16-8a8e-e51863f68h4k",
]
+ permission = "VIEWER"
}
+ grant {
+ environments = [
+ "gb6aa68e-0670-6h16-8a8e-e51863f68h4k",
]
+ permission = "VIEW_SENSITIVE_REQUEST_DATA"
}
}
}
Do you have any idea?
Got the issue... my URL had /e/ at the end because I needed it for the other resources.
Now it works.
I was just about to respond with the same assumption. Fixing / allowing for that is on my bucket list for the next bugfix release.
Can you ping me here once you've successfully configured the users using the new version? I'll keep the issue open until then.
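The two failures in this exchange (no dt_cluster_url set, then a cluster URL that carried the /e/ environment path) can be caught at plan time with variable validation. This is an added example, not part of the thread or the provider's documentation; all variable names, including environment_id, are assumptions, and it assumes the Dynatrace provider is already declared in required_providers.

```hcl
# Added example: variable names are assumptions, not the provider's own.
variable "dt_cluster_url" {
  type        = string
  description = "Managed cluster base URL, e.g. https://<hostname-or-ip>"

  validation {
    # A scheme is required and no path is allowed, so an empty value or one
    # ending in /e/<environment-id> is rejected before any API call is made.
    condition     = can(regex("^https://[^/]+/?$", var.dt_cluster_url))
    error_message = "Use https://<hostname-or-ip> with no path; the /e/<environment-id> suffix belongs to dt_env_url only."
  }
}

variable "environment_id" {
  type        = string
  description = "ID of the environment configured through dt_env_url"
}

variable "dt_cluster_api_token" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

variable "dt_api_token" {
  type      = string
  sensitive = true
}

locals {
  # Normalise a trailing slash so the environment URL is built consistently.
  cluster_url = trimsuffix(var.dt_cluster_url, "/")
}

provider "dynatrace" {
  # Cluster REST API (user groups and other cluster-level resources)
  dt_cluster_url       = local.cluster_url
  dt_cluster_api_token = var.dt_cluster_api_token

  # Environment API: the /e/<environment-id> path is added here only
  dt_env_url   = "${local.cluster_url}/e/${var.environment_id}"
  dt_api_token = var.dt_api_token
}
```

Supply the tokens through TF_VAR_dt_cluster_api_token and TF_VAR_dt_api_token rather than a committed tfvars file; sensitive only redacts CLI output, and the values are still written to state.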
Hi, sure, I can. I also found out that setting the permission to a specific management zone for a group is currently not implemented. Are you implementing this in the next release?
You are correct - that's not yet implemented. As far as the REST API is concerned, this is an additional endpoint. I'm at the moment still unsure whether to simply implement it as a separate resource (with a foreign key to the user group) or whether to embed it as an additional section within dynatrace_user_group. Both approaches come with pros and cons.
I didn't want to push back last week's release again just because of that, and decided to provide the core functionality first. But yes, you can expect to have it covered by mid March.
What by the way is also not properly covered are policies. They CAN get assigned via Cluster WebUI, but there doesn't exist yet anything within the Cluster REST API for that.
Hi, any updates here for management zone permissions?
Best Joerg
Sorry, I won't be able to get it into today's release anymore, but it's the next task I'm going to focus on.
Hi, I'm also looking forward to having the feature of setting the permission to a specific management zone for a group; gave my thumbs up here.
Hello, nice work. Could you write an example in the documentation for simple usage? Thanks
Hi, any updates here for management zone permissions?
Best Joerg
Hi @Dynatrace-Reinhard-Pilz, the feature of setting permissions on management zone level is not currently supported, am I right? KR Michael
Hi everyone, I will do my best to squeeze that in for v1.23.0. I know that resource is long overdue.
v1.23.0 introduces the resource dynatrace_iam_permission.
@Dynatrace-Reinhard-Pilz This only works for SaaS installations, am I right?
v1.23.0 introduces the resource dynatrace_iam_permission.
You're right, @mbrunn, my focus was on SaaS, didn't think of the counterpart for managed clusters. I will take care of managed with the next release. You can expect that to happen by the end of next week.
Fixed with this commit - resource dynatrace_mgmz_permission
Thank you very much. This will help me tremendously with my current project of migrating hundreds of users and their permissions from two separate managed installations to one new managed installation.