Add support for role 'NONE'

IBM-Cloud · May 31, 2024 · 1027986 · 1027986
1 parent a2f99ed
commit 1027986
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 9 deletions.
diff --git a/ibm/flex/structures.go b/ibm/flex/structures.go
@@ -3431,6 +3431,14 @@ func FindRoleByName(supported []iampolicymanagementv1.PolicyRole, name string) (
 			}
 		}
 	}
+	if name == "NONE" {
+		name := "NONE"
+		r := iampolicymanagementv1.PolicyRole{
+			DisplayName: &name,
+			RoleID:      &name,
+		}
+		return r, nil
+	}
 	supportedRoles := getSupportedRolesStr(supported)
 	return iampolicymanagementv1.PolicyRole{}, bmxerror.New("RoleDoesnotExist",
 		fmt.Sprintf("%s was not found. Valid roles are %s", name, supportedRoles))
@@ -3453,7 +3461,7 @@ func FindRoleByCRN(supported []iampolicymanagementv1.PolicyRole, crn string) (ia
 }
 
 func getSupportedRolesStr(supported []iampolicymanagementv1.PolicyRole) string {
-	rolesStr := ""
+	rolesStr := "NONE, "
 	for index, role := range supported {
 		if index != 0 {
 			rolesStr += ", "

diff --git a/ibm/service/resourcecontroller/data_source_ibm_resource_key_test.go b/ibm/service/resourcecontroller/data_source_ibm_resource_key_test.go
@@ -25,10 +25,10 @@ func TestAccIBMResourceKeyDataSource_basic(t *testing.T) {
 				Config: testAccCheckIBMResourceKeyDataSourceConfig(resourceName, resourceKey),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "name", resourceKey),
-					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "credentials.%", "8"),
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "role", "Writer"),
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "name", resourceKey),
-					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "credentials.%", "8"),
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "role", "Writer"),
 				),
 			},
@@ -48,9 +48,9 @@ func TestAccIBMResourceKeyDataSource_mostrecent(t *testing.T) {
 				Config: testAccCheckIBMResourceKeyDataSourceConfigRecent(resourceName, resourceKey),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "name", resourceKey),
-					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key", "credentials.%", "8"),
 					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "name", resourceKey),
-					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("data.ibm_resource_key.testacc_ds_resource_key1", "credentials.%", "8"),
 				),
 			},
 		},

diff --git a/ibm/service/resourcecontroller/resource_ibm_resource_key.go b/ibm/service/resourcecontroller/resource_ibm_resource_key.go
@@ -45,6 +45,7 @@ func ResourceIBMResourceKey() *schema.Resource {
 			"role": {
 				Type:        schema.TypeString,
 				Optional:    true,
+				Computed:    true,
 				ForceNew:    true,
 				Description: "Name of the user role.Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, Editor and Custom Roles.",
 				// ValidateFunc: validateRole,
@@ -270,7 +271,9 @@ func resourceIBMResourceKeyCreate(d *schema.ResourceData, meta interface{}) erro
 		if err != nil {
 			return fmt.Errorf("[ERROR] Error creating resource key when get role: %s", err)
 		}
-		keyParameters.SetProperty("role_crn", serviceRole.RoleID)
+		if role != "NONE" {
+			keyParameters.SetProperty("role_crn", serviceRole.RoleID)
+		}
 		resourceKeyCreate.Role = serviceRole.RoleID
 	}
 

diff --git a/ibm/service/resourcecontroller/resource_ibm_resource_key_test.go b/ibm/service/resourcecontroller/resource_ibm_resource_key_test.go
@@ -31,7 +31,7 @@ func TestAccIBMResourceKey_Basic(t *testing.T) {
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckIBMResourceKeyExists("ibm_resource_key.resourceKey"),
 					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "name", resourceKey),
-					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "credentials.%", "8"),
 					resource.TestCheckResourceAttrSet("ibm_resource_key.resourceKey", "credentials_json"),
 					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "role", "Reader"),
 				),
@@ -114,14 +114,43 @@ func TestAccIBMResourceKey_WithCustomRole(t *testing.T) {
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testAccCheckIBMResourceKeyExists("ibm_resource_key.resourceKey"),
 					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "name", resourceKey),
-					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "credentials.%", "7"),
+					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "credentials.%", "8"),
 					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "role", displayName),
 				),
 			},
 		},
 	})
 }
 
+func TestAccIBMResourceKeyWithRoleNone(t *testing.T) {
+	resourceName := fmt.Sprintf("tf-cos-%d", acctest.RandIntRange(10, 100))
+	resourceKey := fmt.Sprintf("tf-cos-%d", acctest.RandIntRange(10, 100))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { acc.TestAccPreCheck(t) },
+		Providers:    acc.TestAccProviders,
+		CheckDestroy: testAccCheckIBMResourceKeyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckIBMResourceKeyRoleNone(resourceName, resourceKey),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckIBMResourceKeyExists("ibm_resource_key.resourceKey"),
+					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "name", resourceKey),
+					resource.TestCheckResourceAttrSet("ibm_resource_key.resourceKey", "credentials_json"),
+					resource.TestCheckResourceAttr("ibm_resource_key.resourceKey", "role", "NONE"),
+				),
+			},
+			{
+				ResourceName:      "ibm_resource_key.resourceKey",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"resource_instance_id", "resource_alias_id", "role"},
+			},
+		},
+	})
+}
+
 func testAccCheckIBMResourceKeyExists(n string) resource.TestCheckFunc {
 
 	return func(s *terraform.State) error {
@@ -273,3 +302,20 @@ func testAccCheckIBMResourceKeyParameters(resourceName, resourceKey string) stri
 		}
 	`, resourceName, resourceKey)
 }
+
+func testAccCheckIBMResourceKeyRoleNone(resourceName, resourceKey string) string {
+	return fmt.Sprintf(`
+		
+		resource "ibm_resource_instance" "resource" {
+			name              = "%s"
+			service           = "cloud-object-storage"
+			plan              = "standard"
+			location          = "global"
+		}
+		resource "ibm_resource_key" "resourceKey" {
+			name = "%s"
+			resource_instance_id = ibm_resource_instance.resource.id
+			role = "NONE"
+		}
+	`, resourceName, resourceKey)
+}
diff --git a/website/docs/r/resource_key.html.markdown b/website/docs/r/resource_key.html.markdown
@@ -137,7 +137,7 @@ Review the argument references that you can specify for your resource.
 
 - `name` - (Required, Forces new resource, String)  A descriptive name used to identify a resource key.
 - `parameters` (Optional, Map) Arbitrary parameters to pass to the resource in JSON format. If you want to create service credentials by using the private service endpoint, include the `service-endpoints =  "private"` parameter.
-- `role` - (Optional, Forces new resource, String) The name of the user role. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. This argument is Optional only during creation of service credentials for Cloud Databases and other non-IAM-enabled services and is Required for all other IAM-enabled services.
+- `role` - (Optional, Forces new resource, String) The name of the user role. Valid roles are `NONE`,`Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. This argument is Optional only during creation of service credentials for Cloud Databases and other non-IAM-enabled services and is Required for all other IAM-enabled services.
 - `resource_instance_id` - (Optional, Forces new resource, String) The ID of the resource instance associated with the resource key. **Note** Conflicts with `resource_alias_id`.
 - `resource_alias_id` - (Optional, Forces new resource, String) The ID of the resource alias associated with the resource key. **Note** Conflicts with `resource_instance_id`.
 - `tags` (Optional, Array of strings) Tags associated with the resource key instance. **Note** Tags are managed locally and not stored on the IBM Cloud Service Endpoint at this moment.