Added provision for environment bound policies.

groups_and_bindings/dt_provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    dynatrace = {
+      version = "~> 1.0"
+      source  = "dynatrace-oss/dynatrace"
+    }
+  }
+}

groups_and_bindings/environment_policies/dt_provider.tf

@@ -0,0 +1 @@
+../dt_provider.tf

groups_and_bindings/environment_policies/main.tf

@@ -0,0 +1,9 @@
+resource "dynatrace_iam_policy_bindings_v2" "cc-env-policy-bindings" {
+  group = var.group_id
+  environment = var.env_id
+  policy{
+    id = var.policy_id
+    parameters = var.policy_parameters
+    metadata = var.policy_metadata
+  }
+}

groups_and_bindings/environment_policies/variables.tf

@@ -0,0 +1,18 @@
+variable "group_id" {
+  type = string
+}
+variable "env_id" {
+  type = string
+}
+variable "policy_id" {
+  type = string
+}
+variable "policy_parameters" {
+  type = map(string)
+  default = null
+}
+variable "policy_metadata" {
+  type = map(string)
+  default = null
+}
+

groups_and_bindings/main.tf

@@ -1,12 +1,3 @@
-terraform {
-  required_providers {
-    dynatrace = {
-      version = "~> 1.0"
-      source  = "dynatrace-oss/dynatrace"
-    }
-  }
-}
-
 locals {
   group_name = keys(var.groups_and_permissions)[0]
 }
@@ -16,15 +7,26 @@ resource "dynatrace_iam_group" "cc-iam-group" {
   federated_attribute_values = toset(var.groups_and_permissions[local.group_name].federated_attribute_values)
 }
 
-resource "dynatrace_iam_policy_bindings_v2" "cc-policy-bindings" {
+resource "dynatrace_iam_policy_bindings_v2" "cc-acc-policy-bindings" {
   group = dynatrace_iam_group.cc-iam-group.id
   account = var.accountUUID
   dynamic "policy" {
-    for_each = keys(var.groups_and_permissions[local.group_name].attached_policies)
+    for_each = keys(var.groups_and_permissions[local.group_name].account_bound_policies)
     content {
       id = element([for item in var.group_policies : item if item["name"] == policy.value], 0).id
-      parameters = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_parameters
-      metadata = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_metadata
+      parameters = var.groups_and_permissions[local.group_name].account_bound_policies[policy.value].policy_parameters
+      metadata = var.groups_and_permissions[local.group_name].account_bound_policies[policy.value].policy_metadata
     }
   }
 }
+
+module "environment_policies" {
+  source = "./environment_policies"
+  for_each = var.groups_and_permissions[local.group_name].environment_bound_policies
+
+  group_id = dynatrace_iam_group.cc-iam-group.id
+  env_id = each.value.environment_id
+  policy_id = element([for item in var.group_policies : item if item["name"] == each.key], 0).id
+  policy_parameters = each.value.policy_parameters
+  policy_metadata = each.value.policy_metadata
+}

shared_vars.tf

@@ -15,11 +15,18 @@ variable "groups_and_permissions" {
     # resource and therefore not supported here - only 'account' is supported
     # For documentation on parameters refer to:
     #   https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policy-templating
-    attached_policies = optional(map(object({
+    environment_bound_policies = optional(map(object({
+                          environment_id = string
                           policy_parameters = optional(map(string),null)
                           policy_metadata = optional(map(string),null)
 
     })),{})
+    account_bound_policies = optional(map(object({
+                          policy_parameters = optional(map(string),null)
+                          policy_metadata = optional(map(string),null)
+
+    })),{})
+
   }))
   description = "Map of IAM groups"
   default = {}