
Support for mapping sdm_roles with sdm_datasource using "name" as identifier instead of relying on tags or id #35

Open
brian-strata-tripactions-tech opened this issue Jun 27, 2022 · 5 comments

Comments

@brian-strata-tripactions-tech

[FEATURE REQUEST]

  • Support for mapping sdm_roles with sdm_resource using "name" as identifier instead of relying on tags or id.

Additional Information:

Terraform v1.0.6
on darwin_amd64

  • provider registry.terraform.io/strongdm/sdm v2.6.0

We are leveraging access_rules from sdm_roles to map resources. The challenges are:

  1. We don't have proper tags on resources, and IDs are not human-understandable enough to manage and improve role assignment.
  2. We don't want to rely on just the type of datasource.
  3. Relying on just tags to assign datasources to roles has a lot of problems, like too many tags to control for product/cross-product team, environment, and level of access.
  4. Assigning a few datasources to multiple roles.
  5. We need some kind of one-to-one mapping wherein we pass a list of datasource NAMEs to sdm role access rules for resource mapping.
@brian-strata-tripactions-tech

brian-strata-tripactions-tech commented Jun 27, 2022

We would like to pass something like below in tfvars to map roles with datasource:

# A map cannot repeat a key, so each role carries the list of datasource names it should grant.
role_assignment = {
  "RoleA" = ["DatasourceA", "DatasourceB", "DatasourceC"]
  "RoleB" = ["DatasourceA", "DatasourceC"]
  "RoleC" = ["DatasourceC"]
}

@WmMarcO

WmMarcO commented Jun 27, 2022

Hi Brian,

Thanks for providing feedback. This will be reviewed for consideration by our product team. We've logged your request as interest for this feature as a support ticket as well.

Could you share your email address so that it may be associated with that ticket?

Please feel free to reach out for any further questions or concerns.

Thanks,

Marc O'Brien
strongDM Support

@netflash

It feels like this could probably be achieved with the sdm_role_attachment resource, using a for_each Terraform loop. But this resource is declared deprecated.

@brian-strata-tripactions-tech

Adding more info:

# Attempt 1: one access rule per datasource name.
# Produces the "cannot have duplicate rule criteria" error below.
resource "sdm_role" "role2" {
  name = "Test-Brian"
  access_rules = jsonencode([
    {
      "name" : "Test1"
    },
    {
      "name" : "Test2"
    }
  ])
}

# Attempt 2: a single access rule carrying a list of datasource names.
# Produces the "must not have empty access rule" error below.
resource "sdm_role" "role3" {
  name = "Test-Brian1"
  access_rules = jsonencode([
    {
      "name" : ["Test1", "Test2"]
    }
  ])
}

│ Error: cannot create Role: cannot create role: invalid operation: invalid access rules: invalid operation: cannot have duplicate rule criteria for a role
│
│   with sdm_role.role2,
│   on main.tf line 55, in resource "sdm_role" "role2":
│   55: resource "sdm_role" "role2" {

│ Error: cannot create Role: cannot create role: invalid operation: invalid access rules: invalid operation: must not have empty access rule
│
│   with sdm_role.role3,
│   on main.tf line 68, in resource "sdm_role" "role3":
│   68: resource "sdm_role" "role3" {
@karimfan

karimfan commented Feb 7, 2023

Please file a Sweeper ticket for this and we can investigate how/when to resolve it.
