fix: #7 Fix Upgrade Test (#8)

* fix: #7 Fix Upgrade Test

Signed-off-by: Chris Waddington <104161708+chrisw-ibm@users.noreply.github.com>

Author: chrisw-ibm

README.md

@@ -164,6 +164,7 @@ statement instead the previous block.
 | <a name="input_skip_iam_authorization_policy"></a> [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits the COS instance created to read the encryption key from the KMS instance in `existing_kms_instance_guid`. WARNING: An authorization policy must exist before an encrypted bucket can be created | `bool` | `false` | no |
 | <a name="input_skip_verification"></a> [skip\_verification](#input\_skip\_verification) | whether to verify the account after adding the account to cloudability. Requires cloudability\_auth\_header to be set. | `bool` | `false` | no |
 | <a name="input_sysdig_crn"></a> [sysdig\_crn](#input\_sysdig\_crn) | Cloud Monitoring crn for COS bucket (Optional) | `string` | `null` | no |
+| <a name="input_use_existing_iam_custom_role"></a> [use\_existing\_iam\_custom\_role](#input\_use\_existing\_iam\_custom\_role) | Whether the iam\_custom\_roles should be created or if they already exist and the they should be linked with a datasource | `bool` | `false` | no |
 | <a name="input_use_existing_resource_group"></a> [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | Whether the value of `resource_group_name` input should be a new of existing resource\_group | `bool` | `true` | no |
 
 ### Outputs

ibm_catalog.json

@@ -6,7 +6,6 @@
 			"product_kind": "solution",
 			"tags": [
 				"ibm_created",
-				"ibm_beta",
 				"integration"
 			],
 			"keywords": [

main.tf

@@ -70,6 +70,7 @@ module "cloudability_bucket_access" {
   source                        = "./modules/cloudability-bucket-access"
   policy_granularity            = var.policy_granularity
   bucket_crn                    = local.cos_bucket_crn
+  use_existing_iam_custom_role  = var.use_existing_iam_custom_role
   cloudability_custom_role_name = var.cloudability_custom_role_name
   resource_group_id             = module.resource_group.resource_group_id
 }
@@ -79,6 +80,7 @@ module "cloudability_enterprise_access" {
   # if same account then re-use the access group. Otherwise create a new one
   source                        = "./modules/cloudability-enterprise-access"
   enterprise_id                 = local.enterprise_id
+  use_existing_iam_custom_role  = var.use_existing_iam_custom_role
   cloudability_custom_role_name = var.cloudability_enterprise_custom_role_name
 }
 

modules/cloudability-bucket-access/README.md

@@ -81,6 +81,7 @@ No modules.
 | [ibm_iam_service_policy.cos_bucket_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
 | [ibm_iam_service_policy.cos_instance_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
 | [ibm_iam_service_policy.cos_resource_group_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
+| [ibm_iam_roles.cos_custom_role](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_roles) | data source |
 
 ### Inputs
 
@@ -90,6 +91,7 @@ No modules.
 | <a name="input_cloudability_custom_role_name"></a> [cloudability\_custom\_role\_name](#input\_cloudability\_custom\_role\_name) | name of the custom role created access granted to cloudability service id to read from the billing reports cos bucket | `string` | `"CloudabilityStorageCustomRole"` | no |
 | <a name="input_policy_granularity"></a> [policy\_granularity](#input\_policy\_granularity) | Whether access to the cos bucket is controlled at the bucket (resource), cos instance (serviceInstance), or resource-group (resourceGroup). Note: `resource_group_id` is required in the case of the `resourceGroup`. `bucket_crn` is required otherwise. | `string` | `"resource"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group that the cos buckets are deployed in. Required if `policy_granularity` is "resource-group". Not used otherwise. | `string` | `null` | no |
+| <a name="input_use_existing_iam_custom_role"></a> [use\_existing\_iam\_custom\_role](#input\_use\_existing\_iam\_custom\_role) | Whether the iam\_custom\_roles should be created or if they already exist and the they should be linked with a datasource | `bool` | `false` | no |
 
 ### Outputs
 

modules/cloudability-bucket-access/main.tf

@@ -16,6 +16,7 @@ locals {
 
 # Define a custom IAM role for Cloud Storage with specific actions.
 resource "ibm_iam_custom_role" "cos_custom_role" {
+  count        = var.use_existing_iam_custom_role ? 0 : 1
   name         = var.cloudability_custom_role_name
   display_name = var.cloudability_custom_role_name
   description  = "This is a custom role to read Cloud Storage"
@@ -31,10 +32,21 @@ resource "ibm_iam_custom_role" "cos_custom_role" {
   ]
 }
 
+data "ibm_iam_roles" "cos_custom_role" {
+  count   = var.use_existing_iam_custom_role ? 1 : 0
+  service = "cloud-object-storage"
+}
+
+locals {
+  custom_role = var.use_existing_iam_custom_role ? one([for role in data.ibm_iam_roles.cos_custom_role[0].roles : role.name if role.name == var.cloudability_custom_role_name]) : ibm_iam_custom_role.cos_custom_role[0].display_name
+  # tflint-ignore: terraform_unused_declarations
+  validate_custom_role = local.custom_role == null ? (var.use_existing_iam_custom_role ? tobool("Custom role `${var.cloudability_custom_role_name}` not found in a account. Found ${join(",", [for role in data.ibm_iam_roles.cos_custom_role[0].roles : role.name])}") : tobool("Custom role name is not defined")) : null
+}
+
 resource "ibm_iam_service_policy" "cos_bucket_policy" {
   count  = var.policy_granularity == "resource" ? 1 : 0
   iam_id = local.apptio_service_id
-  roles  = [ibm_iam_custom_role.cos_custom_role.display_name]
+  roles  = [local.custom_role]
   resource_attributes {
     name     = "resource"
     value    = local.bucket_name
@@ -49,7 +61,7 @@ resource "ibm_iam_service_policy" "cos_bucket_policy" {
 resource "ibm_iam_service_policy" "cos_instance_policy" {
   count  = var.policy_granularity == "serviceInstance" ? 1 : 0
   iam_id = local.apptio_service_id
-  roles  = [ibm_iam_custom_role.cos_custom_role.display_name]
+  roles  = [local.custom_role]
   resource_attributes {
     name     = "serviceInstance"
     value    = local.cos_instance_id
@@ -64,7 +76,7 @@ resource "ibm_iam_service_policy" "cos_instance_policy" {
 resource "ibm_iam_service_policy" "cos_resource_group_policy" {
   count  = var.policy_granularity == "resourceGroup" ? 1 : 0
   iam_id = local.apptio_service_id
-  roles  = [ibm_iam_custom_role.cos_custom_role.display_name]
+  roles  = [local.custom_role]
   resource_attributes {
     name     = "resourceGroupId"
     value    = local.resource_group_id

modules/cloudability-bucket-access/outputs.tf

@@ -1,6 +1,6 @@
 output "custom_role_display_name" {
   description = "Display name of the cos custom role"
-  value       = ibm_iam_custom_role.cos_custom_role.display_name
+  value       = local.custom_role
 }
 
 output "service_policy" {

modules/cloudability-bucket-access/variables.tf

@@ -20,6 +20,12 @@ variable "policy_granularity" {
   }
 }
 
+variable "use_existing_iam_custom_role" {
+  type        = bool
+  description = "Whether the iam_custom_roles should be created or if they already exist and the they should be linked with a datasource"
+  default     = false
+}
+
 variable "cloudability_custom_role_name" {
   type        = string
   description = "name of the custom role created access granted to cloudability service id to read from the billing reports cos bucket"

modules/cloudability-enterprise-access/README.md

@@ -25,13 +25,15 @@ No modules.
 | [ibm_iam_custom_role.list_enterprise_custom_role](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_custom_role) | resource |
 | [ibm_iam_service_policy.billing_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
 | [ibm_iam_service_policy.enterprise_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_service_policy) | resource |
+| [ibm_iam_roles.list_enterprise_custom_role](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/iam_roles) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cloudability_custom_role_name"></a> [cloudability\_custom\_role\_name](#input\_cloudability\_custom\_role\_name) | name of the custom role to granting access to a cloudability service id to read the enterprise information | `string` | `"CloudabilityListAccCustomRole"` | no |
 | <a name="input_enterprise_id"></a> [enterprise\_id](#input\_enterprise\_id) | Guid for the enterprise account id | `string` | `null` | no |
+| <a name="input_use_existing_iam_custom_role"></a> [use\_existing\_iam\_custom\_role](#input\_use\_existing\_iam\_custom\_role) | Whether the iam\_custom\_roles should be created or if they already exist and the they should be linked with a datasource | `bool` | `false` | no |
 
 ### Outputs
 

modules/cloudability-enterprise-access/main.tf

@@ -3,6 +3,7 @@ locals {
 }
 
 resource "ibm_iam_custom_role" "list_enterprise_custom_role" {
+  count        = var.enterprise_id != null && !var.use_existing_iam_custom_role ? 1 : 0
   name         = var.cloudability_custom_role_name
   display_name = var.cloudability_custom_role_name
   description  = "This is a custom role to list Accounts in Enterprise"
@@ -14,10 +15,19 @@ resource "ibm_iam_custom_role" "list_enterprise_custom_role" {
   ]
 }
 
+data "ibm_iam_roles" "list_enterprise_custom_role" {
+  count   = var.enterprise_id != null && var.use_existing_iam_custom_role ? 1 : 0
+  service = "enterprise"
+}
+
+locals {
+  custom_role = var.enterprise_id != null ? (var.use_existing_iam_custom_role ? one([for role in data.ibm_iam_roles.list_enterprise_custom_role[0].roles : role.name if role.name == var.cloudability_custom_role_name]) : ibm_iam_custom_role.list_enterprise_custom_role[0].display_name) : null
+}
+
 resource "ibm_iam_service_policy" "enterprise_policy" {
   count  = var.enterprise_id != null ? 1 : 0
   iam_id = local.apptio_service_id
-  roles  = [ibm_iam_custom_role.list_enterprise_custom_role.display_name]
+  roles  = [local.custom_role]
   resource_attributes {
     name  = "serviceName"
     value = "enterprise"

modules/cloudability-enterprise-access/outputs.tf

@@ -1,6 +1,6 @@
 output "custom_role_display_name" {
   description = "Display name of the enterprise custom role to read the list of enterprise custom accounts"
-  value       = ibm_iam_custom_role.list_enterprise_custom_role.display_name
+  value       = local.custom_role
 }
 
 output "enterprise_policy" {