terraform-ibm-modules · in-1911 · Sep 20, 2024 · Sep 20, 2024
@@ -0,0 +1,50 @@
+module "access_group" {
+  count  = var.existing_access_group_name != null ? 1 : 0
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-iam-access-group.git/?ref=v1.3.0"
+  providers = {
+    ibm = ibm
+  }
+  provision         = false
+  access_group_name = var.existing_access_group_name
+  add_members       = false
+  dynamic_rules     = {}
+  policies = {
+    watson_assistant_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags  = []
+      resources = [
+        {
+          service       = "conversation"
+          resource      = var.watsonx_assistant_id
+          resource_type = "assistant"
+      }]
+    }
+    watson_assistant_environment_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags  = []
+      resources = [{
+        service       = "conversation"
+        resource      = var.assistant_environment_id
+        resource_type = "environment"
+      }]
+    }
+    watson_assistant_search_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags  = []
+      resources = [{
+        service       = "conversation"
+        resource      = var.assistant_search_skill_id
+        resource_type = "skill"
+      }]
+    }
+    watson_assistant_action_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags  = []
+      resources = [{
+        service       = "conversation"
+        resource      = var.assistant_action_skill_id
+        resource_type = "skill"
+      }]
+    }
+  }
+}
@@ -0,0 +1,9 @@
+output "access_group_id" {
+  value       = var.existing_access_group_name != null ? module.access_group[0].id : null
+  description = "Access group ID."
+}
+
+output "access_group_policy_ids" {
+  value       = var.existing_access_group_name != null ? module.access_group[0].policy_ids : null
+  description = "List of access group policy IDs."
+}
@@ -0,0 +1,30 @@
+variable "watsonx_assistant_id" {
+  description = "Watson Assistant instance ID"
+  type        = string
+  default     = null
+}
+
+variable "assistant_environment_id" {
+  description = "Watson Assistant environment ID"
+  type        = string
+  default     = null
+}
+
+variable "assistant_search_skill_id" {
+  description = "Search skill configuration ID"
+  type        = string
+  default     = null
+}
+
+variable "assistant_action_skill_id" {
+  description = "Action skill configuration ID"
+  type        = string
+  default     = null
+}
+
+
+variable "existing_access_group_name" {
+  description = "Access group to add policies to"
+  type        = string
+  default     = null
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    ibm = {
+      source  = "IBM-Cloud/ibm"
+      version = ">= 1.67.1"
+    }
+  }
+  required_version = ">= 1.3.0"
+}
@@ -12,7 +12,8 @@ locals {
   watson_ml_project_name           = var.prefix != null ? "${var.prefix}-${var.watson_project_name}" : var.watson_project_name
   sensitive_tokendata              = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
 
-  elastic_index_name       = var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name
+  # Translate index name to lowercase to avoid Elastic errors
+  elastic_index_name       = lower(var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name)
   elastic_credentials_data = local.use_elastic_index ? jsondecode(data.ibm_resource_key.elastic_credentials[0].credentials_json).connection.https : null
   # Compose the URL without credentials to keep the latter sensitive
   elastic_service_binding = local.use_elastic_index ? {
@@ -207,6 +208,21 @@ moved {
   to   = module.configure_watson_assistant.shell_script.watson_assistant
 }
 
+### Optionally add access policies for Watson Assistant sub-resources to an existing access group
+module "watson_assistant_access_policies" {
+  count  = var.existing_wa_access_group_name != null ? 1 : 0
+  source = "../../modules/access-groups"
+  providers = {
+    ibm = ibm.ibm_resources
+  }
+  existing_access_group_name = var.existing_wa_access_group_name
+  watsonx_assistant_id       = module.configure_watson_assistant.watsonx_assistant_id
+  assistant_environment_id   = module.configure_watson_assistant.watsonx_assistant_environment.environment_id
+  assistant_action_skill_id  = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "action"])
+  assistant_search_skill_id  = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "search"])
+}
+
+
 ### Make all pipeline properties dependent on CD instance
 ### to avoid errors when the toolchains are out of grace period
 

@@ -70,6 +70,12 @@ variable "watson_assistant_region" {
   type        = string
 }
 
+variable "existing_wa_access_group_name" {
+  description = "Access group to add policies for new Watson Assistant resources"
+  type        = string
+  default     = null
+}
+
 variable "watson_discovery_instance_id" {
   description = "ID of the WatsonX Discovery instance"
   type        = string