terraform-provider-sdm
Support for mapping sdm_roles with sdm_datasource using "name" as identifier instead of relying on tags or id
[FEATURE REQUEST]
- Support for mapping sdm_roles with sdm_resource using "name" as identifier instead of relying on tags or id.
Additional Information:
Terraform v1.0.6 on darwin_amd64
- provider registry.terraform.io/strongdm/sdm v2.6.0
We are leveraging access_rules from sdm_roles to map resources. The challenges are:
- We don't have proper tags on resources, and ids are not human-understandable enough to manage and improve role assignment.
- We don't want to rely on just the type of datasource.
- Relying on just tags to assign datasources to roles has a lot of problems, like too many tags to control for product/cross-product team, environment, and level of access.
- Assigning a few datasources to multiple roles.
- We need some kind of one-to-one mapping wherein we pass a list of datasource NAMEs to sdm role access rules for resource mapping.
We would like to pass something like the below in tfvars to map roles with datasources:

```hcl
# Map keys must be unique in HCL, so each role maps to the list of datasource names it should get.
role_assignment = {
  "RoleA" = ["DatasourceA", "DatasourceB", "DatasourceC"]
  "RoleB" = ["DatasourceC", "DatasourceA"]
  "RoleC" = ["DatasourceC"]
}
```
Hi Brian,
Thanks for providing feedback. This will be reviewed for consideration by our product team. We've logged your request as interest for this feature as a support ticket as well.
Could you share your email address so that it may be associated with that ticket?
Please feel free to reach out for any further questions or concerns.
Thanks,
Marc O'Brien strongDM Support
It feels like this could probably be achieved with the sdm_role_attachment resource, using a for_each Terraform loop. But this resource is declared deprecated.
Adding more info:
```hcl
resource "sdm_role" "role2" {
  name = "Test-Brian"
  access_rules = jsonencode([
    {
      "name" : "Test1"
    },
    {
      "name" : "Test2"
    }
  ])
}

resource "sdm_role" "role3" {
  name = "Test-Brian1"
  access_rules = jsonencode([
    {
      "name" : ["Test1", "Test2"]
    }
  ])
}
```

```
╷
│ Error: cannot create Role: cannot create role: invalid operation: invalid access rules: invalid operation: cannot have duplicate rule criteria for a role
│
│   with sdm_role.role2,
│   on main.tf line 55, in resource "sdm_role" "role2":
│   55: resource "sdm_role" "role2" {
│
╵
╷
│ Error: cannot create Role: cannot create role: invalid operation: invalid access rules: invalid operation: must not have empty access rule
│
│   with sdm_role.role3,
│   on main.tf line 68, in resource "sdm_role" "role3":
│   68: resource "sdm_role" "role3" {
```
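The two errors above show that `name` is not a recognized access-rule criterion (a rule containing only `name` is treated as empty, and two such rules collide as duplicates). One way to get the name-based mapping from the original request without that criterion is to resolve each name to a resource id first and build a single `ids` rule per role. This is an added example, not code from the provider or from anyone in this thread; it assumes the `sdm_resource` data source accepts a `name` argument and exposes matching ids as `ids`, that `ids` is an accepted rule criterion, and Terraform 1.2 or later for `precondition`.

```hcl
# Constructed input: role name -> list of resource names (same shape as the tfvars above).
variable "role_assignment" {
  type = map(list(string))
  default = {
    "RoleA" = ["DatasourceA", "DatasourceB", "DatasourceC"]
    "RoleB" = ["DatasourceC", "DatasourceA"]
    "RoleC" = ["DatasourceC"]
  }
}

# Every distinct resource name any role refers to, so each name is looked up once.
locals {
  resource_names = distinct(flatten(values(var.role_assignment)))
}

# Assumption: sdm_resource supports a "name" filter and returns the matches in "ids".
data "sdm_resource" "by_name" {
  for_each = toset(local.resource_names)
  name     = each.key
}

locals {
  # Names that matched zero or several resources. A zero match would silently grant
  # nothing; a multi-match would grant more than the mapping intended.
  unresolved = [for n, d in data.sdm_resource.by_name : n if length(d.ids) != 1]
}

resource "sdm_role" "mapped" {
  for_each = var.role_assignment
  name     = each.key

  # One rule per role carrying exact ids: no "name" key (rejected as an empty rule)
  # and no duplicate criteria.
  access_rules = jsonencode([
    {
      "ids" : flatten([for n in each.value : data.sdm_resource.by_name[n].ids])
    }
  ])

  lifecycle {
    precondition {
      condition     = length(local.unresolved) == 0
      error_message = "Names not resolving to exactly one resource: ${join(", ", local.unresolved)}"
    }
  }
}
```

Renaming a resource in strongDM changes which id a name resolves to on the next plan, so review the plan diff for `access_rules` changes before applying.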
Please file a Sweeper ticket for this and we can investigate how/when to resolve.