feat(identity): add new account settings

Signed-off-by: Hari K Arla <[email protected]>

Author: hariarla

examples/ibm-iam-identity-account-settings-templates/main.tf

@@ -5,7 +5,28 @@ provider "ibm" {
 resource "ibm_iam_account_settings_template" "account_settings_template_instance" {
   name = var.account_settings_template_name
   account_settings {
-
+    restrict_create_service_id = "RESTRICTED"
+    restrict_create_platform_apikey = "RESTRICTED"
+    allowed_ip_addresses = "allowed_ip_addresses"
+    mfa = "NONE"
+    user_mfa {
+      iam_id = "iam_id"
+      mfa = "NONE"
+    }
+    session_expiration_in_seconds = "session_expiration_in_seconds"
+    session_invalidation_in_seconds = "session_invalidation_in_seconds"
+    max_sessions_per_identity = "max_sessions_per_identity"
+    system_access_token_expiration_in_seconds = "system_access_token_expiration_in_seconds"
+    system_refresh_token_expiration_in_seconds = "system_refresh_token_expiration_in_seconds"
+    restrict_user_list_visibility = "RESTRICTED"
+    restrict_user_domains {
+      account_sufficient = true
+      restrictions {
+        realm_id = "IBMid"
+        invitation_email_allow_patterns = *.*@company.com
+        restrict_invitation = true
+      }
+    }
   }
 }
 

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/IBM/logs-router-go-sdk v1.0.8
 	github.com/IBM/mqcloud-go-sdk v0.4.0
 	github.com/IBM/networking-go-sdk v0.51.12
-	github.com/IBM/platform-services-go-sdk v0.88.0
+	github.com/IBM/platform-services-go-sdk v0.90.0
 	github.com/IBM/project-go-sdk v0.3.9
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5
 	github.com/IBM/sarama v1.45.0

go.sum

@@ -148,8 +148,8 @@ github.com/IBM/mqcloud-go-sdk v0.4.0 h1:BuZNXA6iYEg5OEPr13CMGrhH0ew4rH/4L56b1nFt
 github.com/IBM/mqcloud-go-sdk v0.4.0/go.mod h1:7zigCUz6k3eRrNE8KOcDkY72oPppEmoQifF+SB0NPRM=
 github.com/IBM/networking-go-sdk v0.51.12 h1:2qv6neG8msFR1dtf9v+rbaC2gIkw9HnzohvQpgVye5w=
 github.com/IBM/networking-go-sdk v0.51.12/go.mod h1:TAXWyBUk3C3R7aS1m84EfKdnDcBMZMAClwLfDj/SYZc=
-github.com/IBM/platform-services-go-sdk v0.88.0 h1:PZZYg+6FSvkiyLoRMabGHHzsR9OEwhUuTUsuKs3E4qg=
-github.com/IBM/platform-services-go-sdk v0.88.0/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js=
+github.com/IBM/platform-services-go-sdk v0.90.0 h1:hsUkgZZBGYK+szFb0tF9Q7uy1VjMY+VlYAPgPwFPMrg=
+github.com/IBM/platform-services-go-sdk v0.90.0/go.mod h1:aGD045m6I8pfcB77wft8w2cHqWOJjcM3YSSV55BX0Js=
 github.com/IBM/project-go-sdk v0.3.9 h1:D/UfMMn+vMQyvYf9EfocV6HrD3HcVpeIVoUSjNKuROo=
 github.com/IBM/project-go-sdk v0.3.9/go.mod h1:FOJM9ihQV3EEAY6YigcWiTNfVCThtdY8bLC/nhQHFvo=
 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 h1:NPUhkoOCRuv3OFWt19PmwjXGGTKlvmbuPg9fUrBUNe4=

ibm/service/iamidentity/data_source_ibm_iam_account_settings_template.go

@@ -132,6 +132,50 @@ func DataSourceIBMAccountSettingsTemplate() *schema.Resource {
 							Computed:    true,
 							Description: "Defines the refresh token expiration in seconds. Valid values:  * Any whole number between '900' and '259200'  * NOT_SET - To unset account setting and use service default.",
 						},
+						"restrict_user_list_visibility": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Defines whether or not user visibility is access controlled. Valid values:  * RESTRICTED - users can view only specific types of users in the account, such as those the user has invited to the account, or descendants of those users based on the classic infrastructure hierarchy  * NOT_RESTRICTED - any user in the account can view other users from the Users page in IBM Cloud console  * NOT_SET - to 'unset' a previous set value.",
+						},
+						"restrict_user_domains": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"account_sufficient": &schema.Schema{
+										Type:     schema.TypeBool,
+										Computed: true,
+									},
+									"restrictions": &schema.Schema{
+										Type:        schema.TypeList,
+										Computed:    true,
+										Description: "Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"realm_id": &schema.Schema{
+													Type:        schema.TypeString,
+													Computed:    true,
+													Description: "The realm that the restrictions apply to.",
+												},
+												"invitation_email_allow_patterns": &schema.Schema{
+													Type:        schema.TypeList,
+													Computed:    true,
+													Description: "The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.",
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"restrict_invitation": &schema.Schema{
+													Type:        schema.TypeBool,
+													Computed:    true,
+													Description: "When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -323,7 +367,7 @@ func dataSourceIBMAccountSettingsTemplateRead(context context.Context, d *schema
 	return nil
 }
 
-func dataSourceIBMAccountSettingsTemplateAccountSettingsComponentToMap(model *iamidentityv1.AccountSettingsComponent) (map[string]interface{}, error) {
+func dataSourceIBMAccountSettingsTemplateAccountSettingsComponentToMap(model *iamidentityv1.TemplateAccountSettings) (map[string]interface{}, error) {
 	modelMap := make(map[string]interface{})
 	if model.RestrictCreateServiceID != nil {
 		modelMap["restrict_create_service_id"] = model.RestrictCreateServiceID
@@ -363,6 +407,47 @@ func dataSourceIBMAccountSettingsTemplateAccountSettingsComponentToMap(model *ia
 	if model.SystemRefreshTokenExpirationInSeconds != nil {
 		modelMap["system_refresh_token_expiration_in_seconds"] = model.SystemRefreshTokenExpirationInSeconds
 	}
+	if model.RestrictUserListVisibility != nil {
+		modelMap["restrict_user_list_visibility"] = *model.RestrictUserListVisibility
+	}
+	if model.RestrictUserDomains != nil {
+		restrictUserDomainsMap, err := dataSourceIBMAccountSettingsTemplatesTemplateAccountSettingsRestrictUserDomainsToMap(model.RestrictUserDomains)
+		if err != nil {
+			return modelMap, err
+		}
+		modelMap["restrict_user_domains"] = []map[string]interface{}{restrictUserDomainsMap}
+	}
+	return modelMap, nil
+}
+
+func dataSourceIBMAccountSettingsTemplatesTemplateAccountSettingsRestrictUserDomainsToMap(model *iamidentityv1.TemplateAccountSettingsRestrictUserDomains) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	if model.AccountSufficient != nil {
+		modelMap["account_sufficient"] = *model.AccountSufficient
+	}
+	if model.Restrictions != nil {
+		restrictions := []map[string]interface{}{}
+		for _, restrictionsItem := range model.Restrictions {
+			restrictionsItemMap, err := dataSourceIBMAccountSettingsTemplatesAccountSettingsUserDomainRestrictionToMap(&restrictionsItem) // #nosec G601
+			if err != nil {
+				return modelMap, err
+			}
+			restrictions = append(restrictions, restrictionsItemMap)
+		}
+		modelMap["restrictions"] = restrictions
+	}
+	return modelMap, nil
+}
+
+func dataSourceIBMAccountSettingsTemplatesAccountSettingsUserDomainRestrictionToMap(model *iamidentityv1.AccountSettingsUserDomainRestriction) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	modelMap["realm_id"] = *model.RealmID
+	if model.InvitationEmailAllowPatterns != nil {
+		modelMap["invitation_email_allow_patterns"] = model.InvitationEmailAllowPatterns
+	}
+	if model.RestrictInvitation != nil {
+		modelMap["restrict_invitation"] = *model.RestrictInvitation
+	}
 	return modelMap, nil
 }
 

ibm/service/iamidentity/data_source_ibm_iam_account_settings_template_test.go

@@ -70,6 +70,10 @@ func TestAccIBMAccountSettingsTemplateDataSourceAllArgs(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.max_sessions_per_identity"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.system_access_token_expiration_in_seconds"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.system_refresh_token_expiration_in_seconds"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.restrict_user_list_visibility"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.restrict_user_domains.#"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.restrict_user_domains.0.account_sufficient"),
+					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "account_settings.0.restrict_user_domains.0.restrictions.0.realm_id"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "entity_tag"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "crn"),
 					resource.TestCheckResourceAttrSet("data.ibm_iam_account_settings_template.account_settings_template", "created_at"),
@@ -119,6 +123,15 @@ func testAccCheckIBMAccountSettingsTemplateDataSourceConfig(enterpriseAccountId
 				max_sessions_per_identity = "5"
 				system_access_token_expiration_in_seconds = "NOT_SET"
 				system_refresh_token_expiration_in_seconds = "NOT_SET"
+				restrict_user_list_visibility = "RESTRICTED"
+				restrict_user_domains {
+					account_sufficient = true
+					restrictions {
+						realm_id = "IBMid"
+						invitation_email_allow_patterns = ["*.*@company.com"]
+						restrict_invitation = true
+					}
+				}
 			}
 		}
 

ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings.go

@@ -146,6 +146,11 @@ func DataSourceIBMIamEffectiveAccountSettings() *schema.Resource {
 				Description: "Input body parameters for the Account Settings REST request.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"account_id": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "Unique ID of the account.",
+						},
 						"entity_tag": {
 							Type:        schema.TypeString,
 							Computed:    true,
@@ -417,6 +422,45 @@ func DataSourceIBMIamEffectiveAccountSettings() *schema.Resource {
 								},
 							},
 						},
+						"restrict_user_domains": &schema.Schema{
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"account_sufficient": &schema.Schema{
+										Type:     schema.TypeBool,
+										Computed: true,
+									},
+									"restrictions": &schema.Schema{
+										Type:        schema.TypeList,
+										Computed:    true,
+										Description: "Defines if account invitations are restricted to specified domains. To remove an entry for a realm_id, perform an update (PUT) request with only the realm_id set.",
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"realm_id": &schema.Schema{
+													Type:        schema.TypeString,
+													Computed:    true,
+													Description: "The realm that the restrictions apply to.",
+												},
+												"invitation_email_allow_patterns": &schema.Schema{
+													Type:        schema.TypeList,
+													Computed:    true,
+													Description: "The list of allowed email patterns. Wildcard syntax is supported, '*' represents any sequence of zero or more characters in the string, except for '.' and '@'. The sequence ends if a '.' or '@' was found. '**' represents any sequence of zero or more characters in the string - without limit.",
+													Elem: &schema.Schema{
+														Type: schema.TypeString,
+													},
+												},
+												"restrict_invitation": &schema.Schema{
+													Type:        schema.TypeBool,
+													Computed:    true,
+													Description: "When true invites will only be possible to the domain patterns provided, otherwise invites are unrestricted.",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -536,7 +580,7 @@ func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsEffectiveSectionToMa
 
 func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAccountSectionToMap(model *iamidentityv1.AccountSettingsResponse) (map[string]interface{}, error) {
 	modelMap := make(map[string]interface{})
-
+	modelMap["account_id"] = "testString"
 	modelMap["entity_tag"] = *model.EntityTag
 	if model.History != nil {
 		var history []map[string]interface{}
@@ -598,15 +642,11 @@ func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSec
 		modelMap["restrict_user_list_visibility"] = *model.RestrictUserListVisibility
 	}
 	if model.RestrictUserDomains != nil {
-		var restrictUserDomains []map[string]interface{}
-		for _, restrictUserDomainsItem := range model.RestrictUserDomains {
-			restrictUserDomainsItemMap, err := AccountSettingsUserDomainRestrictionToMap(&restrictUserDomainsItem)
-			if err != nil {
-				return modelMap, err
-			}
-			restrictUserDomains = append(restrictUserDomains, restrictUserDomainsItemMap)
+		restrictUserDomainsMap, err := DataSourceIBMEffectiveAccountSettingsAssignedTemplatesAccountSettingsRestrictUserDomainsToMap(model.RestrictUserDomains)
+		if err != nil {
+			return modelMap, err
 		}
-		modelMap["restrict_user_domains"] = restrictUserDomains
+		modelMap["restrict_user_domains"] = []map[string]interface{}{restrictUserDomainsMap}
 	}
 	if model.AllowedIPAddresses != nil {
 		modelMap["allowed_ip_addresses"] = *model.AllowedIPAddresses
@@ -642,3 +682,34 @@ func DataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplatesSec
 	}
 	return modelMap, nil
 }
+
+func DataSourceIBMEffectiveAccountSettingsAssignedTemplatesAccountSettingsRestrictUserDomainsToMap(model *iamidentityv1.AssignedTemplatesAccountSettingsRestrictUserDomains) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	if model.AccountSufficient != nil {
+		modelMap["account_sufficient"] = *model.AccountSufficient
+	}
+	if model.Restrictions != nil {
+		restrictions := []map[string]interface{}{}
+		for _, restrictionsItem := range model.Restrictions {
+			restrictionsItemMap, err := DataSourceIBMEffectiveAccountSettingsAccountSettingsUserDomainRestrictionToMap(&restrictionsItem) // #nosec G601
+			if err != nil {
+				return modelMap, err
+			}
+			restrictions = append(restrictions, restrictionsItemMap)
+		}
+		modelMap["restrictions"] = restrictions
+	}
+	return modelMap, nil
+}
+
+func DataSourceIBMEffectiveAccountSettingsAccountSettingsUserDomainRestrictionToMap(model *iamidentityv1.AccountSettingsUserDomainRestriction) (map[string]interface{}, error) {
+	modelMap := make(map[string]interface{})
+	modelMap["realm_id"] = *model.RealmID
+	if model.InvitationEmailAllowPatterns != nil {
+		modelMap["invitation_email_allow_patterns"] = model.InvitationEmailAllowPatterns
+	}
+	if model.RestrictInvitation != nil {
+		modelMap["restrict_invitation"] = *model.RestrictInvitation
+	}
+	return modelMap, nil
+}

ibm/service/iamidentity/data_source_ibm_iam_effective_account_settings_test.go

@@ -217,7 +217,19 @@ func TestDataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplate
 		model["restrict_create_service_id"] = "NOT_SET"
 		model["restrict_create_platform_apikey"] = "NOT_SET"
 		model["restrict_user_list_visibility"] = "NOT_RESTRICTED"
-		model["restrict_user_domains"] = []map[string]interface{}{accountSettingsUserDomainRestrictionModel}
+		//model["restrict_user_domains"] = []map[string]interface{}{accountSettingsUserDomainRestrictionModel}
+		model["restrict_user_domains"] = []map[string]interface{}{
+			{
+				"account_sufficient": true,
+				"restrictions": []map[string]interface{}{
+					{
+						"realm_id":                        "IBMid",
+						"invitation_email_allow_patterns": []string{"*.*@company.com"},
+						"restrict_invitation":             true,
+					},
+				},
+			},
+		}
 		model["allowed_ip_addresses"] = "testString"
 		model["mfa"] = "NONE"
 		model["session_expiration_in_seconds"] = "86400"
@@ -250,7 +262,13 @@ func TestDataSourceIBMIamEffectiveAccountSettingsAccountSettingsAssignedTemplate
 	model.RestrictCreateServiceID = core.StringPtr("NOT_SET")
 	model.RestrictCreatePlatformApikey = core.StringPtr("NOT_SET")
 	model.RestrictUserListVisibility = core.StringPtr("NOT_RESTRICTED")
-	model.RestrictUserDomains = []iamidentityv1.AccountSettingsUserDomainRestriction{*accountSettingsUserDomainRestrictionModel}
+	restrictUserDomains := &iamidentityv1.AssignedTemplatesAccountSettingsRestrictUserDomains{
+		AccountSufficient: core.BoolPtr(true),
+		Restrictions: []iamidentityv1.AccountSettingsUserDomainRestriction{
+			*accountSettingsUserDomainRestrictionModel,
+		},
+	}
+	model.RestrictUserDomains = restrictUserDomains
 	model.AllowedIPAddresses = core.StringPtr("testString")
 	model.Mfa = core.StringPtr("NONE")
 	model.SessionExpirationInSeconds = core.StringPtr("86400")