From 3f576240a7eaaac6e9ad4499f812bb6d811e6ced Mon Sep 17 00:00:00 2001
From: Igor Naumov
Date: Thu, 19 Sep 2024 20:45:13 -0500
Subject: [PATCH 1/2] feat: optional Watson assistant access policies
---
modules/access-groups/main.tf | 47 ++++++++++++++++++++++++++++++
modules/access-groups/outputs.tf | 9 ++++++
modules/access-groups/variables.tf | 30 +++++++++++++++++++
modules/access-groups/version.tf | 9 ++++++
solutions/banking/main.tf | 18 +++++++++++-
solutions/banking/variables.tf | 6 ++++
6 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 modules/access-groups/main.tf
create mode 100644 modules/access-groups/outputs.tf
create mode 100644 modules/access-groups/variables.tf
create mode 100644 modules/access-groups/version.tf
diff --git a/modules/access-groups/main.tf b/modules/access-groups/main.tf
new file mode 100644
index 0000000..d2d7f7f
--- /dev/null
+++ b/modules/access-groups/main.tf
@@ -0,0 +1,47 @@
+module "access_group" {
+ count = var.existing_access_group_name != null ? 1 : 0
+ source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-iam-access-group.git/?ref=v1.3.0"
+ provision = false
+ access_group_name = var.existing_access_group_name
+ add_members = false
+ dynamic_rules = {}
+ policies = {
+ watson_assistant_edit = {
+ roles = ["Reader", "Writer", "Viewer", "Editor"]
+ tags = []
+ resources = [
+ {
+ service = "conversation"
+ resource = var.watsonx_assistant_id
+ resource_type = "assistant"
+ }]
+ }
+ watson_assistant_environment_edit = {
+ roles = ["Reader", "Writer", "Viewer", "Editor"]
+ tags = []
+ resources = [{
+ service = "conversation"
+ resource = var.assistant_environment_id
+ resource_type = "environment"
+ }]
+ }
+ watson_assistant_search_edit = {
+ roles = ["Reader", "Writer", "Viewer", "Editor"]
+ tags = []
+ resources = [{
+ service = "conversation"
+ resource = var.assistant_search_skill_id
+ resource_type = "skill"
+ }]
+ }
+ watson_assistant_action_edit = {
+ roles = ["Reader", "Writer", "Viewer", "Editor"]
+ tags = []
+ resources = [{
+ service = "conversation"
+ resource = var.assistant_action_skill_id
+ resource_type = "skill"
+ }]
+ }
+ }
+}
diff --git a/modules/access-groups/outputs.tf b/modules/access-groups/outputs.tf
new file mode 100644
index 0000000..2f50034
--- /dev/null
+++ b/modules/access-groups/outputs.tf
@@ -0,0 +1,9 @@
+output "access_group_id" {
+ value = var.existing_access_group_name != null ? module.access_group[0].id : null
+ description = "Access group ID."
+}
+
+output "access_group_policy_ids" {
+ value = var.existing_access_group_name != null ? module.access_group[0].policy_ids : null
+ description = "List of access group policy IDs."
+}
diff --git a/modules/access-groups/variables.tf b/modules/access-groups/variables.tf
new file mode 100644
index 0000000..50954d3
--- /dev/null
+++ b/modules/access-groups/variables.tf
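Review bot: Each of the four policies in modules/access-groups/main.tf hard-codes `roles = ["Reader", "Writer", "Viewer", "Editor"]`, so a consumer that only needs to read the assistant, environment or skills cannot ask for less; lifting the list into a `policy_roles` variable whose default is this list would let least-privilege callers pass `["Reader", "Viewer"]` without changing current behaviour. The `resource` of every policy comes from a variable that defaults to null in variables.tf, and nothing in this hunk drops a policy whose id is null, so the IAM scope such a policy ends up with depends entirely on how the v1.3.0 access-group module treats a null `resource` — worth confirming, since a policy on the `conversation` service with no resource constraint would presumably cover every assistant in the account rather than the one intended. `source` pins the upstream module to the tag `v1.3.0`; pinning to the commit that tag resolves to (`?ref=<commit-sha>`) would make the dependency immutable against tag movement.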
@@ -0,0 +1,30 @@
+variable "watsonx_assistant_id" {
+ description = "Watson Assistant instance ID"
+ type = string
+ default = null
+}
+
+variable "assistant_environment_id" {
+ description = "Watson Assistant environment ID"
+ type = string
+ default = null
+}
+
+variable "assistant_search_skill_id" {
+ description = "Search skill configuration ID"
+ type = string
+ default = null
+}
+
+variable "assistant_action_skill_id" {
+ description = "Action skill configuration ID"
+ type = string
+ default = null
+}
+
+
+variable "existing_access_group_name" {
+ description = "Access group to add policies to"
+ type = string
+ default = null
+}
diff --git a/modules/access-groups/version.tf b/modules/access-groups/version.tf
new file mode 100644
index 0000000..1f50268
--- /dev/null
+++ b/modules/access-groups/version.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ ibm = {
+ source = "IBM-Cloud/ibm"
+ version = ">= 1.67.1"
+ }
+ }
+ required_version = ">= 1.3.0"
+}
diff --git a/solutions/banking/main.tf b/solutions/banking/main.tf
index 6fd1a12..eebdf16 100644
--- a/solutions/banking/main.tf
+++ b/solutions/banking/main.tf
@@ -12,7 +12,8 @@ locals {
 watson_ml_project_name = var.prefix != null ? "${var.prefix}-${var.watson_project_name}" : var.watson_project_name sensitive_tokendata = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
- elastic_index_name = var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name
+ # Translate index name to lowercase to avoid Elastic errors
+ elastic_index_name = lower(var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name)
 elastic_credentials_data = local.use_elastic_index ? jsondecode(data.ibm_resource_key.elastic_credentials[0].credentials_json).connection.https : null # Compose the URL without credentials to keep the latter sensitive elastic_service_binding = local.use_elastic_index ? {
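Review bot: The four ID variables in modules/access-groups/variables.tf all carry `default = null`, yet main.tf builds a policy from each of them unconditionally, so a caller that omits `assistant_search_skill_id` still gets a `skill` policy whose `resource` is null. The only caller in this patch (solutions/banking/main.tf) supplies all four from `configure_watson_assistant` outputs, so making them required by dropping `default = null`, or adding a `validation` block such as `condition = var.assistant_search_skill_id != null` with a matching `error_message`, would turn a silently mis-scoped policy into a plan-time error. The descriptions could also say what the module does with the value, e.g. `description = "Watson Assistant instance ID; a Reader/Writer/Viewer/Editor policy on it is added to the access group"`.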
@@ -207,6 +208,21 @@ moved {
 to = module.configure_watson_assistant.shell_script.watson_assistant }
+### Optionally add access policies for Watson Assistant sub-resources to an existing access group
+module "watson_assistant_access_policies" {
+ count = var.existing_wa_access_group_name != null ? 1 : 0
+ source = "../../modules/access-groups"
+ providers = {
+ ibm = ibm.ibm_resources
+ }
+ existing_access_group_name = var.existing_wa_access_group_name
+ watsonx_assistant_id = module.configure_watson_assistant.watsonx_assistant_id
+ assistant_environment_id = module.configure_watson_assistant.watsonx_assistant_environment.environment_id
+ assistant_action_skill_id = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "action"])
+ assistant_search_skill_id = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "search"])
+}
+ + ### Make all pipeline properties dependent on CD instance ### to avoid errors when the toolchains are out of grace period
diff --git a/solutions/banking/variables.tf b/solutions/banking/variables.tf
index 93c5e3f..53d2005 100644
--- a/solutions/banking/variables.tf
+++ b/solutions/banking/variables.tf
@@ -70,6 +70,12 @@ variable "watson_assistant_region" {
 type = string }
+variable "existing_wa_access_group_name" {
+ description = "Access group to add policies for new Watson Assistant resources"
+ type = string
+ default = null
+}
+ variable "watson_discovery_instance_id" { description = "ID of the WatsonX Discovery instance" type = string
From 3423bb9e5172f23e558fcf30e68cc2bb4e1c90cc Mon Sep 17 00:00:00 2001
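Review bot: `assistant_action_skill_id` and `assistant_search_skill_id` are derived with `one([for skill in ... if skill.type == "action"])`, and `one()` returns null when the filtered list is empty and only errors when it holds more than one element, so an environment that lacks a search or action skill feeds a null id into the access-groups module instead of failing the plan. Consider computing the two filtered lists in `locals` and asserting their length before the module call (a `check` block, if the solution's Terraform floor allows it), or at minimum documenting the null case, e.g. `# one() yields null if the environment has no skill of this type; the access-groups module then receives a null resource id`. Whether the upstream policy is then skipped or created without a resource constraint is not visible here and should be checked.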
From: Igor Naumov
Date: Thu, 19 Sep 2024 21:06:47 -0500
Subject: [PATCH 2/2] tflint cleanup
---
modules/access-groups/main.tf | 39 ++++++++++++++++--------------
modules/access-groups/outputs.tf | 4 +--
modules/access-groups/variables.tf | 2 +-
modules/access-groups/version.tf | 4 +--
4 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/modules/access-groups/main.tf b/modules/access-groups/main.tf
index d2d7f7f..cfdc499 100644
--- a/modules/access-groups/main.tf
+++ b/modules/access-groups/main.tf
@@ -1,47 +1,50 @@
 module "access_group" { - count = var.existing_access_group_name != null ? 1 : 0 + count = var.existing_access_group_name != null ? 1 : 0 source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-iam-access-group.git/?ref=v1.3.0" - provision = false + providers = { + ibm = ibm + } + provision = false access_group_name = var.existing_access_group_name - add_members = false - dynamic_rules = {} + add_members = false + dynamic_rules = {} policies = { watson_assistant_edit = { roles = ["Reader", "Writer", "Viewer", "Editor"] - tags = [] + tags = [] resources = [ { - service = "conversation" - resource = var.watsonx_assistant_id + service = "conversation" + resource = var.watsonx_assistant_id resource_type = "assistant" - }] + }] } watson_assistant_environment_edit = { roles = ["Reader", "Writer", "Viewer", "Editor"] - tags = [] + tags = [] resources = [{ - service = "conversation" - resource = var.assistant_environment_id + service = "conversation" + resource = var.assistant_environment_id resource_type = "environment" }] } watson_assistant_search_edit = { roles = ["Reader", "Writer", "Viewer", "Editor"] - tags = [] + tags = [] resources = [{ - service = "conversation" - resource = var.assistant_search_skill_id + service = "conversation" + resource = var.assistant_search_skill_id resource_type = "skill" }] } watson_assistant_action_edit = { roles = ["Reader", "Writer", "Viewer", "Editor"] - tags = [] + tags = [] resources = [{ - service = "conversation" - resource = var.assistant_action_skill_id + service = "conversation" + resource = var.assistant_action_skill_id resource_type = "skill" }] - } + } } }
diff --git a/modules/access-groups/outputs.tf b/modules/access-groups/outputs.tf
index 2f50034..065c9c3 100644
--- a/modules/access-groups/outputs.tf
+++ b/modules/access-groups/outputs.tf
@@ -1,9 +1,9 @@
 output "access_group_id" { - value = var.existing_access_group_name != null ? module.access_group[0].id : null + value = var.existing_access_group_name != null ? module.access_group[0].id : null description = "Access group ID." } output "access_group_policy_ids" { - value = var.existing_access_group_name != null ? module.access_group[0].policy_ids : null + value = var.existing_access_group_name != null ? module.access_group[0].policy_ids : null description = "List of access group policy IDs." }
diff --git a/modules/access-groups/variables.tf b/modules/access-groups/variables.tf
index 50954d3..619f73a 100644
--- a/modules/access-groups/variables.tf
+++ b/modules/access-groups/variables.tf
@@ -1,7 +1,7 @@
 variable "watsonx_assistant_id" { description = "Watson Assistant instance ID" type = string - default = null + default = null } variable "assistant_environment_id" {
diff --git a/modules/access-groups/version.tf b/modules/access-groups/version.tf
index 1f50268..cd72b2c 100644
--- a/modules/access-groups/version.tf
+++ b/modules/access-groups/version.tf
@@ -1,8 +1,8 @@
 terraform { required_providers { ibm = { - source = "IBM-Cloud/ibm" - version = ">= 1.67.1" + source = "IBM-Cloud/ibm" + version = ">= 1.67.1" } } required_version = ">= 1.3.0"