Examples and small cleanup

UKHomeOffice · Dec 18, 2024 · 3c51b04 · 3c51b04
1 parent c570670
commit 3c51b04
Show file tree

Hide file tree

Showing 9 changed files with 134 additions and 108 deletions.
diff --git a/README.md b/README.md
@@ -17,4 +17,41 @@ Please refer to the [variables.tf](variables.tf) and [iam\_group\_variable\_type
 
 # Outputs
 
-No outputs
+No outputs
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_dynatrace"></a> [dynatrace](#requirement\_dynatrace) | ~> 1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_dynatrace"></a> [dynatrace](#provider\_dynatrace) | ~> 1.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_groups_and_bindings"></a> [groups\_and\_bindings](#module\_groups\_and\_bindings) | ./groups_and_bindings | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dynatrace_iam_policy.env_policy](https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_accountUUID"></a> [accountUUID](#input\_accountUUID) | Root account UUID | `string` | n/a | yes |
+| <a name="input_groups_and_permissions"></a> [groups\_and\_permissions](#input\_groups\_and\_permissions) | Map containing group name, federated values and policy attachment configuration | <pre>map(object({<br/>    # Refer to :<br/>    #   https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_group#federated_attribute_values-1<br/>    # and<br/>    #   https://docs.dynatrace.com/docs/manage/identity-access-management/user-and-group-management/access-group-management<br/>    # for more details<br/>    federated_attribute_values = optional(list(string))<br/>    # Refer to https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_policy_bindings_v2 and<br/>    # https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_policy<br/>    # for more details.<br/>    # Please note that 'environment' is deprecated from the 'iam_policy'<br/>    # resource and therefore not supported here - only 'account' is supported<br/>    # For documentation on parameters refer to:<br/>    #   https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policy-templating<br/>    attached_policies = optional(map(object({<br/>      policy_parameters = optional(map(string), null)<br/>      policy_metadata   = optional(map(string), null)<br/>      environment       = string<br/>    })), {})<br/>  }))</pre> | `{}` | no |
+| <a name="input_iam_policies"></a> [iam\_policies](#input\_iam\_policies) | Map of policy names and their policy query statement. | `map(string)` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/main.tf b/examples/main.tf
@@ -1,46 +1,38 @@
 module "example" {
   source = "../"
   groups_and_permissions = {
-    autogroupasdtwo = {
+    group_one = {
       attached_policies = {
-        anotherautomated = {    # Custom policy
-          policy_parameters = { # Options parameters for the policy binding
-            param1 = "value1"
-          }
-          policy_metadata = { # Options metadata for the policy binding
-            meta1 = "metaval1"
-          }
+        policy_static = {
+          environment = "tvy38111"
         }
       }
     }
-    autogroupasd = {
+    group_two = {
       attached_policies = {
-        anotherautomated = {    # Custom policy
-          policy_parameters = { # Options parameters for the policy binding
-            param1 = "value1"
+        policy_with_param = {
+          environment = "tvy38111"
+          policy_parameters = {
+            zone = "zone1"
+          }
+          policy_metadata = {
+            meta1 = "metaval1"
           }
         }
       }
     }
   }
 
   iam_policies = {
-    testpolicy = { # Created but unused     
-      policy_permissions = [
-        "settings:objects:read",
-        "settings:schemas:read"
-      ]
-      policy_condition = "settings:schemaId = \"string\"" # Can be a complex condition - refer to Dynatrace documentation    
-    }
-    anotherautomated = {
-      policy_permissions = [
-        "settings:objects:read",
-        "settings:schemas:read"
-      ]
-    }
+    policy_with_param = <<EOT
+ALLOW environment:roles:viewer, environment:roles:manage-settings
+WHERE environment:management-zone IN ("zone2", "$${bindParam:my-policy-param}");
+
+EOT
+    policy_static     = "ALLOW settings:objects:read;"
   }
 
-  accountUUID = "1111-1111-1111-1111-1111"
+  accountUUID = "a8c6fb99-cc30-46b5-9306-1111111"
 }
 
 

diff --git a/groups_and_bindings/main.tf b/groups_and_bindings/main.tf
@@ -1,30 +1,17 @@
-terraform {
-  required_providers {
-    dynatrace = {
-      version = "~> 1.0"
-      source  = "dynatrace-oss/dynatrace"
-    }
-  }
-}
-
-locals {
-  group_name = keys(var.groups_and_permissions)[0]
-}
-
 resource "dynatrace_iam_group" "cc-iam-group" {
-  name          = local.group_name
-  federated_attribute_values = toset(var.groups_and_permissions[local.group_name].federated_attribute_values)
+  name                       = var.group_name
+  federated_attribute_values = var.federated_attribute_values
 }
 
 resource "dynatrace_iam_policy_bindings_v2" "cc-policy-bindings" {
-  group = dynatrace_iam_group.cc-iam-group.id
-  account = var.accountUUID
-  dynamic "policy" {
-    for_each = keys(var.groups_and_permissions[local.group_name].attached_policies)
-    content {
-      id = element([for item in var.group_policies : item if item["name"] == policy.value], 0).id
-      parameters = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_parameters
-      metadata = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_metadata
-    }
+  group    = dynatrace_iam_group.cc-iam-group.id
+  for_each = var.attached_policies
+
+  environment = each.value.environment
+
+  policy {
+    id         = element([for item in var.all_policies : item if item["name"] == each.key], 0).id
+    parameters = each.value.policy_parameters
+    metadata   = each.value.policy_metadata
   }
 }
diff --git a/groups_and_bindings/providers.tf b/groups_and_bindings/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    dynatrace = {
+      version = "~> 1.0"
+      source  = "dynatrace-oss/dynatrace"
+    }
+  }
+}
diff --git a/groups_and_bindings/shared_vars.tf b/groups_and_bindings/shared_vars.tf
diff --git a/groups_and_bindings/variables.tf b/groups_and_bindings/variables.tf
@@ -1,4 +1,23 @@
-variable "group_policies" {
-  type = any
+variable "all_policies" {
+  type        = any
   description = "Combination of list of predefined and custom policies."
-}
+}
+
+variable "group_name" {
+  description = "The name of the group used as an id"
+  type        = string
+}
+
+variable "attached_policies" {
+  description = "A map with the key being the policy name and the value object containing the policy binding configuration"
+  type = map(object({
+    policy_parameters = optional(map(string), null)
+    policy_metadata   = optional(map(string), null)
+    environment       = string
+  }))
+}
+
+variable "federated_attribute_values" {
+  description = "A list of federated attribute values"
+  type        = list(string)
+}
diff --git a/main.tf b/main.tf
@@ -1,26 +1,17 @@
-# Required when creating the groups so we can attach newly created
-# and/or existing policies
-data "dynatrace_iam_policies" "allPolicies" {
-  environments = ["*"]
-  accounts     = ["*"]
-  global       = true
-}
-
 resource "dynatrace_iam_policy" "env_policy" {
   for_each = var.iam_policies
 
   name            = each.key
-  account         = var.accountUUID # Account, until discovered to be otherwise, account id is going to be a constant
+  account         = var.accountUUID
   statement_query = each.value
 }
 
 module "groups_and_bindings" {
-  source = "./groups_and_bindings"
+  source   = "./groups_and_bindings"
   for_each = var.groups_and_permissions
 
-  groups_and_permissions= tomap({"${each.key}"=each.value})
-  # Concatenate the newly created policies with the existing polices
-  # so we can refer to the policies both during plan and apply stages
-  group_policies = concat(data.dynatrace_iam_policies.allPolicies.policies, [for k, v in dynatrace_iam_policy.env_policy : v])
-  accountUUID         = var.accountUUID
+  group_name                 = each.key
+  attached_policies          = each.value.attached_policies
+  federated_attribute_values = each.value.federated_attribute_values
+  all_policies               = [for k, v in dynatrace_iam_policy.env_policy : v]
 }
diff --git a/shared_vars.tf b/shared_vars.tf
diff --git a/variables.tf b/variables.tf
@@ -1,12 +1,36 @@
-# !!!! There are more variable definitions in the file 
-# 'shared_vars.tf' shared between the root and 
-# the sub modules
+variable "groups_and_permissions" {
+  type = map(object({
+    # Refer to :
+    #   https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_group#federated_attribute_values-1
+    # and
+    #   https://docs.dynatrace.com/docs/manage/identity-access-management/user-and-group-management/access-group-management
+    # for more details
+    federated_attribute_values = optional(list(string))
+    # Refer to https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_policy_bindings_v2 and
+    # https://registry.terraform.io/providers/dynatrace-oss/dynatrace/latest/docs/resources/iam_policy
+    # for more details.
+    # Please note that 'environment' is deprecated from the 'iam_policy'
+    # resource and therefore not supported here - only 'account' is supported
+    # For documentation on parameters refer to:
+    #   https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policy-templating
+    attached_policies = optional(map(object({
+      policy_parameters = optional(map(string), null)
+      policy_metadata   = optional(map(string), null)
+      environment       = string
+    })), {})
+  }))
+  description = "Map containing group name, federated values and policy attachment configuration"
+  default     = {}
+}
+
+variable "accountUUID" {
+  type        = string
+  description = "Root account UUID"
+}
 
 
 # Refer to https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policystatements
 variable "iam_policies" {
-  type = map(string)
-  description = "Dictionary of policies with policy query statement."
-  default = {}
+  type        = map(string)
+  description = "Map of policy names and their policy query statement."
 }
-