From c4f500fee296cbe272cea622cbabd190fbf2a04d Mon Sep 17 00:00:00 2001
From: Srinivasan Sundaram
Date: Thu, 12 Dec 2024 18:14:28 +0000
Subject: [PATCH] Added provision for environment bound policies.
---
 groups_and_bindings/dt_provider.tf | 8 ++++++
 .../environment_policies/dt_provider.tf | 1 +
 .../environment_policies/main.tf | 9 ++++++
 .../environment_policies/variables.tf | 18 ++++++++++++
 groups_and_bindings/main.tf | 28 ++++++++++---------
 shared_vars.tf | 9 +++++-
 6 files changed, 59 insertions(+), 14 deletions(-)
 create mode 100644 groups_and_bindings/dt_provider.tf
 create mode 120000 groups_and_bindings/environment_policies/dt_provider.tf
 create mode 100644 groups_and_bindings/environment_policies/main.tf
 create mode 100644 groups_and_bindings/environment_policies/variables.tf
diff --git a/groups_and_bindings/dt_provider.tf b/groups_and_bindings/dt_provider.tf
new file mode 100644
index 0000000..11d131d
--- /dev/null
+++ b/groups_and_bindings/dt_provider.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ dynatrace = {
+ version = "~> 1.0"
+ source = "dynatrace-oss/dynatrace"
+ }
+ }
+}
diff --git a/groups_and_bindings/environment_policies/dt_provider.tf b/groups_and_bindings/environment_policies/dt_provider.tf
new file mode 120000
index 0000000..c3ff27b
--- /dev/null
+++ b/groups_and_bindings/environment_policies/dt_provider.tf
@@ -0,0 +1 @@
+../dt_provider.tf
\ No newline at end of file
diff --git a/groups_and_bindings/environment_policies/main.tf b/groups_and_bindings/environment_policies/main.tf
new file mode 100644
index 0000000..8ea5798
--- /dev/null
+++ b/groups_and_bindings/environment_policies/main.tf
@@ -0,0 +1,9 @@
+resource "dynatrace_iam_policy_bindings_v2" "cc-env-policy-bindings" {
+ group = var.group_id
+ environment = var.env_id
+ policy{
+ id = var.policy_id
+ parameters = var.policy_parameters
+ metadata = var.policy_metadata
+ }
+}
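Review bot: The `policy{` opener in `cc-env-policy-bindings` lacks the space that `terraform fmt` inserts (`policy {`), while the root module's `dynamic "policy" {` uses the formatted form, so the new files look unformatted. The module declares no `output`, so callers cannot reference the binding it creates; whether anything needs that I can't tell from the diff. A header comment would help a reader place the file: `# One environment-scoped policy binding; instantiated by the root module once per entry in environment_bound_policies.`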
diff --git a/groups_and_bindings/environment_policies/variables.tf b/groups_and_bindings/environment_policies/variables.tf
new file mode 100644
index 0000000..64e78c2
--- /dev/null
+++ b/groups_and_bindings/environment_policies/variables.tf
@@ -0,0 +1,18 @@
+variable "group_id" {
+ type = string
+}
+variable "env_id" {
+ type = string
+}
+variable "policy_id" {
+ type = string
+}
+variable "policy_parameters" {
+ type = map(string)
+ default = null
+}
+variable "policy_metadata" {
+ type = map(string)
+ default = null
+}
+
diff --git a/groups_and_bindings/main.tf b/groups_and_bindings/main.tf
index f9c3b9a..274469b 100644
--- a/groups_and_bindings/main.tf
+++ b/groups_and_bindings/main.tf
@@ -1,12 +1,3 @@
-terraform {
- required_providers {
- dynatrace = {
- version = "~> 1.0"
- source = "dynatrace-oss/dynatrace"
- }
- }
-}
-
 locals {
 group_name = keys(var.groups_and_permissions)[0]
 }
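Review bot: None of the five variables in the new variables.tf carries a `description`, and `group_id`, `env_id` and `policy_id` accept any string, so a missing or mistyped `environment_id` in the caller's map only surfaces when the provider calls the IAM API. Adding a description per variable, e.g. `description = "Dynatrace environment ID the policy binding is scoped to"` on `env_id`, and a `validation` block that rejects empty strings moves that failure to plan time. The hunk also ends with an extra empty added line after the last closing brace (line 18 of the new file), which `terraform fmt` would drop.
```hcl
variable "env_id" {
  type        = string
  description = "Dynatrace environment ID the policy binding is scoped to"
  validation {
    condition     = length(trimspace(var.env_id)) > 0
    error_message = "env_id must be a non-empty Dynatrace environment ID."
  }
}
# … unchanged: group_id, policy_id, policy_parameters, policy_metadata …
```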
@@ -16,15 +7,26 @@ resource "dynatrace_iam_group" "cc-iam-group" {
 federated_attribute_values = toset(var.groups_and_permissions[local.group_name].federated_attribute_values)
 }
 
-resource "dynatrace_iam_policy_bindings_v2" "cc-policy-bindings" {
+resource "dynatrace_iam_policy_bindings_v2" "cc-acc-policy-bindings" {
 group = dynatrace_iam_group.cc-iam-group.id
 account = var.accountUUID
 dynamic "policy" {
- for_each = keys(var.groups_and_permissions[local.group_name].attached_policies)
+ for_each = keys(var.groups_and_permissions[local.group_name].account_bound_policies)
 content {
 id = element([for item in var.group_policies : item if item["name"] == policy.value], 0).id
- parameters = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_parameters
- metadata = var.groups_and_permissions[local.group_name].attached_policies[policy.value].policy_metadata
+ parameters = var.groups_and_permissions[local.group_name].account_bound_policies[policy.value].policy_parameters
+ metadata = var.groups_and_permissions[local.group_name].account_bound_policies[policy.value].policy_metadata
 }
 }
 }
+
+module "environment_policies" {
+ source = "./environment_policies"
+ for_each = var.groups_and_permissions[local.group_name].environment_bound_policies
+
+ group_id = dynatrace_iam_group.cc-iam-group.id
+ env_id = each.value.environment_id
+ policy_id = element([for item in var.group_policies : item if item["name"] == each.key], 0).id
+ policy_parameters = each.value.policy_parameters
+ policy_metadata = each.value.policy_metadata
+}
diff --git a/shared_vars.tf b/shared_vars.tf
index 831d07a..d45825e 100644
--- a/shared_vars.tf
+++ b/shared_vars.tf
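Review bot: Renaming `cc-policy-bindings` to `cc-acc-policy-bindings` without a `moved` block makes the next apply destroy the existing account-level binding and create a new one, so the group is without its account-bound permissions between the two operations; a `moved` block next to the resource lets Terraform migrate the state address in place (Terraform 1.1 or newer). The input rename from `attached_policies` to `account_bound_policies` is a similar break for callers: entries still supplied under the old key are no longer read, so unless the object type in shared_vars.tf rejects the unknown attribute, the plan would drop those bindings without an error. Separately, the `element([for item in var.group_policies : item if item["name"] == each.key], 0).id` lookup in the new module block (and the same expression in the `content` block) fails with an opaque index error when a policy name has no match; a local such as `policy_ids = { for p in var.group_policies : p["name"] => p.id }` referenced as `local.policy_ids[each.key]` fails at the map lookup instead, which points at the offending key, and removes the duplicated expression.
```hcl
# … unchanged: locals and dynatrace_iam_group.cc-iam-group …
moved {
  from = dynatrace_iam_policy_bindings_v2.cc-policy-bindings
  to   = dynatrace_iam_policy_bindings_v2.cc-acc-policy-bindings
}

resource "dynatrace_iam_policy_bindings_v2" "cc-acc-policy-bindings" {
  # … unchanged: group, account and dynamic "policy" …
```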
@@ -15,11 +15,18 @@ variable "groups_and_permissions" {
 # resource and therefore not supported here - only 'account' is supported
 # For documentation on parameters refer to:
 # https://docs.dynatrace.com/docs/manage/identity-access-management/permission-management/manage-user-permissions-policies/advanced/iam-policy-templating
- attached_policies = optional(map(object({
+ environment_bound_policies = optional(map(object({
+ environment_id = string
 policy_parameters = optional(map(string),null)
 policy_metadata = optional(map(string),null)
 })),{})
+ account_bound_policies = optional(map(object({
+ policy_parameters = optional(map(string),null)
+ policy_metadata = optional(map(string),null)
+
+ })),{})
+
 }))
 description = "Map of IAM groups"
 default = {}