diff --git a/docs/resources/iam_group.md b/docs/resources/iam_group.md new file mode 100644 index 0000000..b41cc75 --- /dev/null +++ b/docs/resources/iam_group.md 
@@ -0,0 +1,96 @@ +--- +page_title: "montecarlo_iam_group Resource - terraform-provider-montecarlo" +subcategory: "" +description: |- + A named resource which lets you define Monte Carlo authorization group responsible for assigning roles to the users. +--- + +# montecarlo_iam_group (Resource) + +Represents a named resource which lets you define _Monte Carlo_ **authorization group** responsible for assigning roles to the users. An authorization group policy is made up of three primary parts: + +- a list of permissions +- a list of group members (not set by this resource) +- optionally, one or more Monte Carlo domains to restrict the group to + +The list of permissions/roles specifies **what can be done** (such as access or edit monitors), and the domain restrictions specify what parts of your data/metadata those users **may access under given permissions**. + +To get more information about _Monte Carlo_ **authorization groups**, see: +- [API documentation](https://apidocs.getmontecarlo.com/#definition-AuthorizationGroupOutput) +- How-to Guides + - [Authorization](https://docs.getmontecarlo.com/docs/authorization) + + + +## Example Usage + +```terraform +resource "montecarlo_iam_group" "example" { + name = "name" + description = "description" + role = "mcd/viewer" + domains = ["domainUUID"] # restricting to selected domains + sso_group = "sso_group" # automatical mapping to SSO group +} +``` + + + + +## Schema + +### Required + + +- `name` (String) ID of the authorization group. Must be unique per _Monte Carlo_ account. Authorization group **name within the UI** is not value of this attribute, instead `label` is used ([see bellow](#attr--label)). + +- `role` (String) Used to define the specific role or permissions that are assigned to the _Monte Carlo_ authorization group. 
+Allowed roles: + + - **mcd/owner** + - **mcd/domains-manager** + - **mcd/responder** + - **mcd/editor** + - **mcd/viewer** + - **mcd/asset-viewer** + - **mcd/asset-editor** + +### Optional + +- `description` (String, _default:_ `""`) Description of the authorization group. Usually can be used to document for what the authorization group is responsible for. + +- `domains` (Set of Strings, _default:_ `[]`) Set of **domain UUIDs** that this authorization group should be restricted to. By default, if this attribute is not set, the authorization group permissions will be applied globally. + +- `sso_group` (String, _default:_ `null`) Automatically assignes all of the users from the provided **SSO group** to the authorization group. + + - if set, users cannot be assigned to the authorization group directly + + - if set, when authorization group already exists, all of the previous user assignments will be destroyed. + +### Read-Only + + +- `label` (String) Authorization group **label/name** as it should be presented in the _Monte Carlo_ UI. Implementation of this resource will always set this attribute to the same value as the `name` attribute ([see above](#attr--name)) to avoid confusion. + + + +## Import + +This resource can be imported using the import ID with following format: + +* `{{group_name}}` + +In **Terraform v1.5.0** and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import a _Transactional Warehouse_ using one of the formats above. For example: + +```terraform +import { + id = "{{group_name}}" + to = montecarlo_iam_group.default +} +``` + +When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), _Authorization Group_ can be imported using one of the formats above. For example: + +``` +$ terraform import montecarlo_iam_group.default {{group_name}} +``` 
diff --git a/examples/resources/montecarlo_iam_group/resource.tf b/examples/resources/montecarlo_iam_group/resource.tf new file mode 100644 index 0000000..14f7295 --- /dev/null +++ b/examples/resources/montecarlo_iam_group/resource.tf @@ -0,0 +1,21 @@ +## Allowed roles: +## "mcd/owner" +## "mcd/domains-manager" +## "mcd/responder" +## "mcd/editor" +## "mcd/viewer" +## "mcd/asset-viewer" +## "mcd/asset-editor" + +resource "montecarlo_iam_group" "example_thin" { + name = "name" + role = "mcd/viewer" +} + +resource "montecarlo_iam_group" "example_thick" { + name = "name" + description = "description" + role = "mcd/viewer" + domains = ["domainUUID"] # restricting to selecting domains + sso_group = "sso_group" # automatical mapping to SSO group +}
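Review bot: In docs/resources/iam_group.md, the Import section says to use an `import` block "to import a _Transactional Warehouse_", which looks like a leftover from another resource's docs; it should read _Authorization Group_, as the `terraform import` paragraph below it does. Both paragraphs also refer to "one of the formats above" although only `{{group_name}}` is listed. Two behaviours described under Optional deserve a more prominent callout, since they change who has access: leaving `domains` unset applies the group's permissions globally, and setting `sso_group` on an existing group destroys all previous user assignments. Minor spelling: "see bellow", "assignes", "automatical mapping".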
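Review bot: In examples/resources/montecarlo_iam_group/resource.tf, both `example_thin` and `example_thick` set `name = "name"`, while the docs added in this same patch state that `name` must be unique per Monte Carlo account, so the example cannot describe two distinct groups as written; give them different names. A short comment on `example_thin` noting that omitting `domains` applies the role globally would help, since the docs describe that as the default. The comment "restricting to selecting domains" differs from the docs copy of the same example ("selected domains"), and "automatical" should be "automatic" in both places.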