Added support for options field in child enterprise account (#5243)

* move trait field from acc import to acc create

Signed-off-by: namratabhadauriya <[email protected]>

* feat(Enterprise):added support for options field in child enterprise account

Signed-off-by: namrata <[email protected]>

* added review changes

Signed-off-by: namrata <[email protected]>

---------

Signed-off-by: namratabhadauriya <[email protected]>
Signed-off-by: namrata <[email protected]>
Co-authored-by: namrata <[email protected]>

examples/ibm-enterprise-management/README.md

@@ -50,6 +50,7 @@ resource "enterprise_account" "enterprise_account_instance" {
   name = var.enterprise_account_name
   owner_iam_id = var.enterprise_account_owner_iam_id
   traits = var.enterprise_account_traits
+  options = var.enterprise_account_options
 }
 ```
 
@@ -116,6 +117,7 @@ data "accounts" "accounts_instance" {
 | name | The name of the account group. | `string` | false |
 | name | The name of the account. | `string` | false |
 | traits | The traits object can be used to opt-out of Multi-Factor Authenticatin '`mfa` or for setting enterprise IAM settings `enterprise_iam_managed` setting when creating a child account in the enterprise. | `set` | false |
+| options | The options object can be used to set properties on child accounts of an enterprise. You can pass a field to to create IAM service id with IAM api key when creating a child account in the enterprise. | `set` | false |
 
 ## Outputs
 

examples/ibm-enterprise-management/main.tf

@@ -31,6 +31,7 @@ resource "ibm_enterprise_account" "enterprise_account_instance" {
   name = var.enterprise_account_name
   owner_iam_id = var.enterprise_account_owner_iam_id
   traits = var.enterprise_account_traits
+  options = var.enterprise_account_options
 }
 
 //Import standalone account into enterprise
@@ -53,6 +54,7 @@ resource "ibm_enterprise_account" "enterprise_account_instance_example_1" {
   name = var.enterprise_account_name
   owner_iam_id = ibm_enterprise_account_group.enterprise_account_group_instance_example_1.primary_contact_iam_id
   traits = var.enterprise_account_traits
+  options = var.enterprise_account_options
 }
 
 //Import standalone account into enterprise using data source

examples/ibm-enterprise-management/variables.tf

@@ -60,8 +60,14 @@ variable "enterprise_account_owner_iam_id" {
 }
 variable "enterprise_account_traits" {
   description = "The traits object can be used to opt-out of Multi-Factor Authenticatin or for setting enterprise IAM settings setting when creating a child account in the enterprise."
-  type   = set()
-  default = { enterprise_iam_managed = false }
+  type        = set()
+  default     = { enterprise_iam_managed = false }
+}
+
+variable "enterprise_account_options" {
+  description = "The options object can be used to set properties on child accounts of an enterprise. You can pass a field to to create IAM service id with IAM api key when creating a child account in the enterprise."
+  type        = set()
+  default     = { create_iam_service_id_with_apikey_and_owner_policies : false }
 }
 
 // Data source arguments for enterprises

examples/test-enterprise/variables.tf

@@ -60,8 +60,14 @@ variable "enterprise_account_owner_iam_id" {
 }
 variable "enterprise_account_traits" {
   description = "The traits object can be used to opt-out of Multi-Factor Authenticatin or for setting enterprise IAM settings setting when creating a child account in the enterprise."
-  type   = set()
-  default = { enterprise_iam_managed = false }
+  type        = set()
+  default     = { enterprise_iam_managed = false }
+}
+
+variable "enterprise_account_options" {
+  description = "The options object can be used to set properties on child accounts of an enterprise. You can pass a field to to create IAM service id with IAM api key when creating a child account in the enterprise."
+  type        = set()
+  default     = { create_iam_service_id_with_apikey_and_owner_policies : false }
 }
 
 // Data source arguments for enterprises

go.mod

@@ -17,14 +17,14 @@ require (
 	github.com/IBM/event-notifications-go-admin-sdk v0.4.0
 	github.com/IBM/eventstreams-go-sdk v1.4.0
 	github.com/IBM/go-sdk-core/v3 v3.2.4
-	github.com/IBM/go-sdk-core/v5 v5.16.1
+	github.com/IBM/go-sdk-core/v5 v5.16.3
 	github.com/IBM/ibm-cos-sdk-go v1.10.1
 	github.com/IBM/ibm-cos-sdk-go-config/v2 v2.0.4
 	github.com/IBM/ibm-hpcs-tke-sdk v0.0.0-20211109141421-a4b61b05f7d1
 	github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta
 	github.com/IBM/keyprotect-go-client v0.12.2
 	github.com/IBM/networking-go-sdk v0.45.0
-	github.com/IBM/platform-services-go-sdk v0.61.2
+	github.com/IBM/platform-services-go-sdk v0.62.0
 	github.com/IBM/project-go-sdk v0.2.1
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5
 	github.com/IBM/scc-go-sdk/v5 v5.1.5

go.sum

@@ -145,6 +145,8 @@ github.com/IBM/go-sdk-core/v5 v5.9.5/go.mod h1:YlOwV9LeuclmT/qi/LAK2AsobbAP42veV
 github.com/IBM/go-sdk-core/v5 v5.10.2/go.mod h1:WZPFasUzsKab/2mzt29xPcfruSk5js2ywAPwW4VJjdI=
 github.com/IBM/go-sdk-core/v5 v5.16.1 h1:vAgOxRvaXD5AmgwR7dlstjT1JFE4BA4lPcGsEFZOKGs=
 github.com/IBM/go-sdk-core/v5 v5.16.1/go.mod h1:aojBkkq4HXkOYdn7YZ6ve8cjPWHdcB3tt8v0b9Cbac8=
+github.com/IBM/go-sdk-core/v5 v5.16.3 h1:GJI62GNAagX2xeTMpTACIqki5rDVO3YbxzMuIpAXSrQ=
+github.com/IBM/go-sdk-core/v5 v5.16.3/go.mod h1:aojBkkq4HXkOYdn7YZ6ve8cjPWHdcB3tt8v0b9Cbac8=
 github.com/IBM/ibm-cos-sdk-go v1.10.1 h1:vQCsu61OHRVF2lL6ah+m3AmUlhnYGkI1qogukCEFULs=
 github.com/IBM/ibm-cos-sdk-go v1.10.1/go.mod h1:zhcgfL2YG5DVaI5R2F6oYO2DYnvwW14vpcpFq+ybhXU=
 github.com/IBM/ibm-cos-sdk-go-config/v2 v2.0.4 h1:fvy/cMKn/3BngdxaL5dXaSlUuzTANY42VuVQuW0NEYE=
@@ -162,6 +164,8 @@ github.com/IBM/networking-go-sdk v0.45.0 h1:tYgDhVDpgKvELNY7tcodbZ4ny9fatpEWM6Pw
 github.com/IBM/networking-go-sdk v0.45.0/go.mod h1:NnJPA1e5GWr5opJe+5Hs6e1G6RcBIFz64TrkZsdnSp8=
 github.com/IBM/platform-services-go-sdk v0.61.2 h1:yQ7sBmowpxlyKPRZChFBqlGn1nZO7ScPc6QqjUDdbYA=
 github.com/IBM/platform-services-go-sdk v0.61.2/go.mod h1:fcmUb29QKLjMM0UWrR5bAidC7qfKWrf96H0xxmGJHdE=
+github.com/IBM/platform-services-go-sdk v0.62.0 h1:IA7kerhjqHHCSirXsLveX6Bk6DnUOA7Z9zaMqLZ5iBY=
+github.com/IBM/platform-services-go-sdk v0.62.0/go.mod h1:fd7gUOmsuQYhYLTZVLL+posObT/ISxVV+6JzsfDs5qE=
 github.com/IBM/project-go-sdk v0.2.1 h1:Xo7ITrfyfVm0eCsaC2SADlhcEjqjx9rtU37fwnzGMCI=
 github.com/IBM/project-go-sdk v0.2.1/go.mod h1:lqe0M4cKvABI1iHR1b+KfasVcxQL6nl2VJ8eOyQs8Ig=
 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 h1:NPUhkoOCRuv3OFWt19PmwjXGGTKlvmbuPg9fUrBUNe4=
@@ -1528,8 +1532,10 @@ github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
+github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=

ibm/service/enterprise/resource_ibm_enterprise.go

@@ -43,9 +43,10 @@ func ResourceIBMEnterprise() *schema.Resource {
 				ValidateFunc: validate.ValidateAllowedEnterpriseNameValue(),
 			},
 			"primary_contact_iam_id": {
-				Type:        schema.TypeString,
-				Required:    true,
-				Description: "The IAM ID of the enterprise primary contact, such as `IBMid-0123ABC`. The IAM ID must already exist.",
+				Type:         schema.TypeString,
+				Required:     true,
+				Description:  "The IAM ID of the enterprise primary contact, such as `IBMid-0123ABC`. The IAM ID must already exist.",
+				ValidateFunc: validate.ValidateRegexps("^IBMid\\-[A-Z,0-9]{10}$"),
 			},
 			"domain": {
 				Type:        schema.TypeString,

ibm/service/enterprise/resource_ibm_enterprise_account.go

@@ -10,6 +10,7 @@ import (
 	"log"
 	"time"
 
+	"github.com/IBM-Cloud/bluemix-go/helpers"
 	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/conns"
 	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex"
 	"github.com/IBM-Cloud/terraform-provider-ibm/ibm/validate"
@@ -46,11 +47,12 @@ func ResourceIBMEnterpriseAccount() *schema.Resource {
 				ValidateFunc: validate.ValidateAllowedEnterpriseNameValue(),
 			},
 			"owner_iam_id": {
-				Type:        schema.TypeString,
-				Optional:    true,
-				Computed:    true,
-				Description: "The IAM ID of the account owner, such as `IBMid-0123ABC`. The IAM ID must already exist.",
-				ForceNew:    true,
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				Description:  "The IAM ID of the account owner, such as `IBMid-0123ABC`. The IAM ID must already exist.",
+				ForceNew:     true,
+				ValidateFunc: validate.ValidateRegexps("^IBMid\\-[A-Z,0-9]{10}$"),
 			},
 			"traits": {
 				Type:             schema.TypeSet,
@@ -72,6 +74,22 @@ func ResourceIBMEnterpriseAccount() *schema.Resource {
 					},
 				},
 			},
+			"options": {
+				Type:             schema.TypeSet,
+				Description:      "By default create_iam_service_id_with_apikey_and_owner_policies is turned off for a newly created child account. You can enable this property by passing 'true' in this boolean field. IAM service id has account owner IAM policies and the API key associated with it can generate a token and setup resources in the account.",
+				Optional:         true,
+				DiffSuppressFunc: flex.ApplyOnce,
+				MaxItems:         1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"create_iam_service_id_with_apikey_and_owner_policies": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: "By default this field is turned off for a newly created child account. You can enable this property by passing 'true' in this boolean field. IAM service id has account owner IAM policies and the API key associated with it can generate a token and setup resources in the account.",
+						},
+					},
+				},
+			},
 			"url": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -189,8 +207,16 @@ func resourceIbmEnterpriseAccountCreate(context context.Context, d *schema.Resou
 		createAccountOptions.SetParent(d.Get("parent").(string))
 		createAccountOptions.SetName(d.Get("name").(string))
 		createAccountOptions.SetOwnerIamID(d.Get("owner_iam_id").(string))
-		if _, ok := d.GetOk("Traits"); ok {
-			createAccountOptions.SetTraits(d.Get("traits").(*enterprisemanagementv1.CreateAccountRequestTraits))
+		if _, ok := d.GetOk("traits"); ok {
+			traits := d.Get("traits").(*schema.Set)
+			Traits := expandTraiits(traits.List())
+			createAccountOptions.SetTraits(Traits)
+		}
+
+		if _, ok := d.GetOk("options"); ok {
+			op := d.Get("options").(*schema.Set)
+			Options := expandOptions(op.List())
+			createAccountOptions.SetOptions(Options)
 		}
 		createAccountResponse, response, err := enterpriseManagementClient.CreateAccountWithContext(context, createAccountOptions)
 		if err != nil {
@@ -344,3 +370,48 @@ func resourceIbmEnterpriseAccountDelete(context context.Context, d *schema.Resou
 
 	return nil
 }
+
+func expandTraiits(e []interface{}) *enterprisemanagementv1.CreateAccountRequestTraits {
+	if len(e) == 0 {
+		return nil
+	}
+
+	result := make([]enterprisemanagementv1.CreateAccountRequestTraits, len(e))
+
+	for i, item := range e {
+		eMap := item.(map[string]interface{})
+
+		traits := enterprisemanagementv1.CreateAccountRequestTraits{}
+		if mfa, ok := eMap["mfa"]; ok {
+			traits.Mfa = helpers.String(mfa.(string))
+		}
+		if enterprise_iam_managed, ok := eMap["enterprise_iam_managed"]; ok {
+			traits.EnterpriseIamManaged = helpers.Bool(enterprise_iam_managed.(bool))
+		}
+
+		result[i] = traits
+	}
+
+	return &result[0]
+}
+
+func expandOptions(e []interface{}) *enterprisemanagementv1.CreateAccountRequestOptions {
+	if len(e) == 0 {
+		return nil
+	}
+
+	result := make([]enterprisemanagementv1.CreateAccountRequestOptions, len(e))
+
+	for i, item := range e {
+		eMap := item.(map[string]interface{})
+
+		op := enterprisemanagementv1.CreateAccountRequestOptions{}
+		if create_iam_service_id_with_apikey_and_owner_policies, ok := eMap["create_iam_service_id_with_apikey_and_owner_policies"]; ok {
+			op.CreateIamServiceIDWithApikeyAndOwnerPolicies = helpers.Bool(create_iam_service_id_with_apikey_and_owner_policies.(bool))
+		}
+
+		result[i] = op
+	}
+
+	return &result[0]
+}

ibm/service/enterprise/resource_ibm_enterprise_account_group.go

@@ -42,9 +42,10 @@ func ResourceIBMEnterpriseAccountGroup() *schema.Resource {
 				ValidateFunc: validate.ValidateAllowedEnterpriseNameValue(),
 			},
 			"primary_contact_iam_id": {
-				Type:        schema.TypeString,
-				Required:    true,
-				Description: "The IAM ID of the primary contact for this account group, such as `IBMid-0123ABC`. The IAM ID must already exist.",
+				Type:         schema.TypeString,
+				Required:     true,
+				Description:  "The IAM ID of the primary contact for this account group, such as `IBMid-0123ABC`. The IAM ID must already exist.",
+				ValidateFunc: validate.ValidateRegexps("^IBMid\\-[A-Z,0-9]{10}$"),
 			},
 			"url": {
 				Type:        schema.TypeString,

ibm/service/enterprise/resource_ibm_enterprise_account_test.go

@@ -21,49 +21,59 @@ import (
 func TestAccIbmEnterpriseAccountBasic(t *testing.T) {
 	var conf enterprisemanagementv1.Account
 	//parent := fmt.Sprintf("parent_%d", acctest.RandIntRange(10, 100))
-	name := fmt.Sprintf("tf-gen-account-name_%d", acctest.RandIntRange(10, 100))
+	example1_acc_name := fmt.Sprintf("tf-gen-account-name_%d", acctest.RandIntRange(10, 100))
 	//ownerIamID := fmt.Sprintf("owner_iam_id_%d", acctest.RandIntRange(10, 100))
 	//parentUpdate := fmt.Sprintf("parent_%d", acctest.RandIntRange(10, 100))
-	another_acc_name := fmt.Sprintf("tf-gen-account-name_%d", acctest.RandIntRange(10, 100))
+	example2_acc_name := fmt.Sprintf("tf-gen-account-name_%d", acctest.RandIntRange(10, 100))
+	example3_acc_name := fmt.Sprintf("tf-gen-account-name_%d", acctest.RandIntRange(10, 100))
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { acc.TestAccPreCheckEnterprise(t) },
 		Providers:    acc.TestAccProviders,
 		CheckDestroy: testAccCheckIBMEnterpriseAccountDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccCheckIbmEnterpriseAccountConfigBasic(name),
+				Config: testAccCheckIbmEnterpriseAccountConfigBasic(example1_acc_name),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckIbmEnterpriseAccountExists("ibm_enterprise_account.enterprise_account", conf),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "parent"),
-					resource.TestCheckResourceAttr("ibm_enterprise_account.enterprise_account", "name", name),
+					resource.TestCheckResourceAttr("ibm_enterprise_account.enterprise_account", "name", example1_acc_name),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "owner_iam_id"),
 				),
 			},
 			{
-				Config: testAccCheckIbmEnterpriseAccountConfigUpdateBasic(name),
+				Config: testAccCheckIbmEnterpriseAccountConfigUpdateBasic(example1_acc_name),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "parent"),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "name"),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "owner_iam_id"),
 				),
 			},
 			{
-				Config: testAccCheckForTraitFieldIbmEnterpriseAccountConfigBasic(another_acc_name),
+				Config: testAccCheckForTraitFieldIbmEnterpriseAccountConfigBasic(example2_acc_name),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckIbmEnterpriseAccountExists("ibm_enterprise_account.enterprise_account", conf),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "parent"),
-					resource.TestCheckResourceAttr("ibm_enterprise_account.enterprise_account", "name", another_acc_name),
+					resource.TestCheckResourceAttr("ibm_enterprise_account.enterprise_account", "name", example2_acc_name),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "owner_iam_id"),
 				),
 			},
 			{
-				Config: testAccCheckForTraitFieldIbmEnterpriseAccountConfigUpdateBasic(another_acc_name),
+				Config: testAccCheckForTraitFieldIbmEnterpriseAccountConfigUpdateBasic(example2_acc_name),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "parent"),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "name"),
 					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "owner_iam_id"),
 				),
 			},
+			{
+				Config: testAccCheckForOptionsFieldIbmEnterpriseAccountConfigBasic(example3_acc_name),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIbmEnterpriseAccountExists("ibm_enterprise_account.enterprise_account", conf),
+					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "parent"),
+					resource.TestCheckResourceAttr("ibm_enterprise_account.enterprise_account", "name", example3_acc_name),
+					resource.TestCheckResourceAttrSet("ibm_enterprise_account.enterprise_account", "owner_iam_id"),
+				),
+			},
 		},
 	})
 }
@@ -147,6 +157,21 @@ func testAccCheckForTraitFieldIbmEnterpriseAccountConfigUpdateBasic(name string)
 	`, name)
 }
 
+func testAccCheckForOptionsFieldIbmEnterpriseAccountConfigBasic(name string) string {
+	return fmt.Sprintf(`
+		data "ibm_enterprises" "enterprises_instance" {
+		}
+		resource "ibm_enterprise_account" "enterprise_account" {
+			parent = data.ibm_enterprises.enterprises_instance.enterprises[0].crn
+			name = "%s"
+			owner_iam_id = data.ibm_enterprises.enterprises_instance.enterprises[0].primary_contact_iam_id
+			options {
+				create_iam_service_id_with_apikey_and_owner_policies =  true
+			}
+		}
+	`, name)
+}
+
 func testAccCheckIbmAccountsDataSourceConfigImportBasic(accountToBeImported string) string {
 
 	return fmt.Sprintf(`