terraform-provider-vra

Add support for organization roles and service roles

Open VickyWinner opened this issue 3 years ago • 17 comments

vRA version: vRealize Automation 8.3.0.15014 (17551690)

Terraform version: Terraform v0.13.3

terraform-provider-vra plugin version: v0.3.4

Is your feature request related to a problem? Please describe.
Before I create a new project using Terraform, I need to grant the access using Identity & Access Management at Organization Roles and Service Roles. I am not finding an example for that. If this feature isn't available, then I will have to do it manually.

Describe the solution you'd like:
A set of data sources and resources to retrieve data and create resources for managing Organization Roles and Service Roles.

Describe alternatives you've considered:
I see there are APIs available. However, it will make my Terraform code more complex and can't accomplish as IaC.

Additional context:
Add any other context or screenshots about the feature request here.

VickyWinner avatar Mar 15 '21 14:03 VickyWinner

Appreciate if someone could respond. It's been a while since I opened this.

VickyWinner avatar Jun 10 '21 13:06 VickyWinner

Hey @VickyWinner, could you elaborate how to grant the access manually using Identity & Access Management at Organization Roles and Service Roles? I see you mentioned there are available APIs, could you post the API please?

Thank you

wilsonandvmware avatar Jul 19 '21 21:07 wilsonandvmware

Hi, @wilsonandvmware.

vRealize Automation APIs for Identity and Access Management are at {vrahost}/identity/doc/webjars/swagger-ui/index.html?configUrl=/identity/doc/v3/api-docs/swagger-config under UserController or UserV3Controller.

For a UI-based example, see the VMware Validated Design example for Assign Organization and Service Roles to User Groups for vRealize Automation.

Ryan Johnson Staff Architect, VMware

tenthirtyam avatar Jul 20 '21 14:07 tenthirtyam

@tenthirtyam this is where I found one API https://developer.vmware.com/docs/csep/csp-iam/latest/csp/gateway/am/api/orgs/orgId/clients/post/

VickyWinner avatar Jul 21 '21 16:07 VickyWinner

Your link above would be only applicable to VMware Cloud Service Portal (CSP), and thus vRealize Automation Cloud.

tenthirtyam avatar Jul 21 '21 16:07 tenthirtyam

@tenthirtyam so you mean there is no API available for assigning org roles and service roles?

VickyWinner avatar Jul 21 '21 17:07 VickyWinner

For vRA8 on-premises the APIs for Identity and Access Management are at {vrahost}/identity/doc/webjars/swagger-ui/index.html?configUrl=/identity/doc/v3/api-docs/swagger-config under UserController or UserV3Controller. I confirmed this with the engineering team yesterday.

Ryan

tenthirtyam avatar Jul 21 '21 17:07 tenthirtyam

@tenthirtyam Thank you for the link. So, are you considering this enhancement in the provider?

VickyWinner avatar Jul 21 '21 17:07 VickyWinner

I would need to defer to the PMs and engineers for the Terraform Provider for vRealize Automation and suggest labels for under-review, planned, deferred, rejected be applied to enhancement issues. I just happen to use our providers quite a bit. cc @Prativa20

Ryan Johnson Staff Architect, VMware

tenthirtyam avatar Jul 21 '21 17:07 tenthirtyam

We are coming up on a year since this was submitted and I don't see any provider resources for this yet, but please correct me if I missed something. If it is not present, are there any plans for this? I just had to add 24 groups to 3 vRA instances and can say I'm extremely interested in such a feature, but unfortunately I don't know enough Go or Terraform code at this point to submit any PRs myself. It's going on the list of things to learn. In the meantime, if I can help in any way, please let me know.

rnelson0 avatar Feb 17 '22 19:02 rnelson0

@rnelson0 this feature is under consideration, and we'd like to address it as soon as possible. The complexity here is that the identity service is exposing their API in OpenAPI Specification v3 (unlike other services which are using v2), and the way we generate the API SDK client does not yet support this format. We are currently evaluating how to address this constraint, so we can implement the feature requested in this issue. Unfortunately, I cannot yet provide an estimate of when we will be able to deliver this.

frodenas avatar Feb 17 '22 20:02 frodenas

Thanks @rnelson0 for the update. My request is to keep this enhancement open so I can check back when there is an update.

VickyWinner avatar Feb 18 '22 13:02 VickyWinner

@frodenas Any new update on this issue?

VickyWinner avatar Apr 05 '22 12:04 VickyWinner

Any updates?

Arderos avatar Jul 19 '23 21:07 Arderos

AFAIK there's still no solution in this provider. In the meantime I've used PowerValidatedSolutions, specifically New-VraGroup and New-VraUser, to automate the creation of IAM entries. I'd still love to see it in Terraform because changes and deletions remain a problem!

rnelson0 avatar Jul 20 '23 13:07 rnelson0

@frodenas Did you have a chance to address this issue? It's been over 20 months since your last comment.

cathode911 avatar Nov 30 '23 12:11 cathode911

Very useful thing, look forward to the implementation!

ykezlya avatar Nov 30 '23 13:11 ykezlya