
In the web interface I can go to COS Bucket Access Policies and easily assign a policy that then looks more or less like:

Cloud Object Storage service
serviceInstance string equals foo-bar, resource string equals foo-bar-pcaps, resourceType string equals bucket

I'm struggling to find a way to do the same via Terraform, because whenever I try with the proper TF code like:

```hcl
resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]
  resources {
    service  = "cloud-object-storage"
    resource = ibm_cos_bucket.pcaps.id
  }
}
```

I'm ending up with

Cloud Object Storage service
resource string equals crn:v1:bluemix:public:cloud-object-storage:global:a/27beaaea79a<redacted>34dd871b:8b124bc6-147c-47ba-bd47-<redacted>:bucket:foo-bar-pcaps:meta:rl:us-east

The problem is that the Writer policy that is required here does not work properly with those policy details.

How to achieve something similar to the first policy with Terraform?

Thanks

habercde
  • What error message do you get? – T.H. Sep 29 '20 at 15:28
  • No error, the resulting policy is "wrong" (not working), while the one via the iface works fine. – Jedrzej Nowak Sep 30 '20 at 18:39
  • Could you provide the actual working policy, redacted in the same way as the non-working policy you posted? – T.H. Oct 01 '20 at 15:47
  • It's been there since the beginning. At the start of the post is the working policy created via the web interface; the second one is the non-working one via TF. – Jedrzej Nowak Oct 02 '20 at 17:52
  • The working policy example doesn't include enough information to make a comparison. Alternatively, have you tried importing the existing working policy into Terraform state? The definition in the state file, plus the plan output details, might help you figure out how to define it as a resource. – T.H. Oct 05 '20 at 13:10
  • Then tell me what is needed for the working policy :) Because I provided, and can provide, whatever is visible in the interface. I thought that providing that string would be enough. The working policy works only via the iface; I cannot have a working policy via Terraform because it does not want to create one. So the only way is to create it via the iface. – Jedrzej Nowak Oct 05 '20 at 13:45
  • So just to recap, I cannot have a working policy via TF; the fields that are in the resulting policy via the interface are not exposed via Terraform. So my question is: how to define an equivalent policy via Terraform rather than "that exact one"? One of my suspicions is that the `resource string equals` from TF is invalid, but then how to specify a working one? – Jedrzej Nowak Oct 05 '20 at 13:50
  • Ok found the issue. The issue is partially: `parameters = { serviceid_crn = ibm_iam_service_id.serviceID_backups[each.key].crn HMAC = true }`. IBM docs state that changed parameters will force a new resource; that's not true. I will proceed with the creation of a bug at GH. – Jedrzej Nowak Oct 07 '20 at 10:47

1 Answer


You can achieve this, similar to this example Service Policy, by using attributes.

I created a policy through the UI for Cloud Object Storage and specified the policy to contain a bucket name. Then I used:

```shell
ibmcloud iam access-group-policy GROUP_NAME POLICY_ID --output JSON
```

to get a better understanding of the policy.

With that I created this sample Terraform snippet and tested it. It creates the IAM access group + policy:

```hcl
resource "ibm_iam_access_group" "accgrp_cos" {
  name = "test_cos"
}

resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.accgrp_cos.id
  roles           = ["Writer"]

  resources {
    service = "cloud-object-storage"

    attributes = {
      resourceType = "bucket"
      resource     = "tf-test-cos"
    }
  }
}
```

habercde
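The answer above scopes an access-group policy by `attributes` instead of by bucket CRN. The question, however, attaches the policy to a service ID and its UI-created policy also pins the COS instance (`serviceInstance`). The following is an added example, not code from the question, the answer, or the IBM provider's documentation, that carries the same attribute-based approach over to `ibm_iam_service_policy` and adds the instance match so the service ID gets Writer on exactly one bucket in exactly one instance. Resource names, the bucket name and region, and the use of `ibm_resource_instance.cos.guid` as the value IAM matches for `serviceInstance` are assumptions; it also assumes the `attributes` map in the `resources` block behaves the same for service policies as it does for access-group policies in the answer.

```hcl
# Added example (not from the original question or answer).
# Placeholder names throughout; adjust to your account.

resource "ibm_resource_instance" "cos" {
  name     = "foo-bar" # placeholder instance name
  service  = "cloud-object-storage"
  plan     = "standard"
  location = "global"
}

resource "ibm_cos_bucket" "pcaps" {
  bucket_name          = "foo-bar-pcaps" # placeholder bucket name
  resource_instance_id = ibm_resource_instance.cos.id
  region_location      = "us-east"
  storage_class        = "standard"
}

resource "ibm_iam_service_id" "serviceID_pcaps" {
  name = "pcaps-writer" # placeholder service ID name
}

# Least-privilege scope: Writer on one bucket in one COS instance,
# expressed as attribute matches (the keys the web UI displays) rather
# than the full bucket CRN that `resource = ibm_cos_bucket.pcaps.id`
# produced in the question.
resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]

  resources {
    service = "cloud-object-storage"

    attributes = {
      # Assumption: the instance GUID is what IAM compares against
      # the serviceInstance attribute shown in the UI policy.
      serviceInstance = ibm_resource_instance.cos.guid
      resourceType    = "bucket"
      resource        = ibm_cos_bucket.pcaps.bucket_name
    }
  }
}
```

After `terraform apply`, compare the created policy against the UI-created one with the service-ID counterpart of the command used in the answer, `ibmcloud iam service-policies SERVICE_ID_NAME --output JSON`: the `resources[].attributes` list should carry `serviceName`, `serviceInstance`, `resourceType` and `resource` entries, not a single CRN-valued `resource` entry. If the two JSON documents differ only in IDs, the Terraform policy is equivalent to the one assigned through the interface.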