COS access policies interface vs terraform


In the interface I can go to COS Bucket Access Policies and easily assign a policy that then looks more or less like:

Cloud Object Storage service
serviceInstance string equals foo-bar, resource string equals foo-bar-pcaps, resourceType string equals bucket

I'm struggling to find a way to do the same via terraform because whenever I try with the proper TF code like:

resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]
  resources {
    service  = "cloud-object-storage"
    resource = ibm_cos_bucket.pcaps.id
  }
}

I'm ending up with

Cloud Object Storage service
resource string equals crn:v1:bluemix:public:cloud-object-storage:global:a/27beaaea79a<redacted>34dd871b:8b124bc6-147c-47ba-bd47-<redacted>:bucket:foo-bar-pcaps:meta:rl:us-east

The problem is that the Writer policy that is required here does not work properly with those policy details.

How to achieve something similar to the first policy with Terraform?

Thanks

There is 1 answer

habercde On

You can achieve this, similar to this example Service Policy, by using attributes.

I created a policy through the UI for Cloud Object Storage and specified the policy to contain a bucket name. Then I used:

ibmcloud iam access-group-policy GROUP_NAME POLICY_ID --output JSON

to get a better understanding of the policy.

With that I created this sample terraform snippet and tested it. It is creating the IAM access group + policy:

resource "ibm_iam_access_group" "accgrp_cos" {
  name = "test_cos"
}

resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.accgrp_cos.id
  roles           = ["Writer"]

  resources {
    service = "cloud-object-storage"

    # Scope the policy to one bucket by name, as the UI does
    attributes = {
      resourceType = "bucket"
      resource     = "tf-test-cos"
    }
  }
}
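The same attribute-based scoping applied to the asker's service ID policy rather than an access group, as an added example (not the answerer's code). It assumes an `ibm_resource_instance.cos` resource for the COS instance and reuses the `ibm_iam_service_id.serviceID_pcaps` and `ibm_cos_bucket.pcaps` names from the question; the bucket is referenced by name, not by the CRN that `ibm_cos_bucket.pcaps.id` returns.

```hcl
# Added example, not from the question or the answer.
# Assumed: ibm_resource_instance.cos is the COS instance that owns the bucket;
# ibm_iam_service_id.serviceID_pcaps and ibm_cos_bucket.pcaps come from the question.
resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]

  resources {
    service = "cloud-object-storage"

    # Limits the grant to one COS instance (the "serviceInstance" line
    # shown in the UI policy), so the Writer role cannot reach other instances.
    resource_instance_id = ibm_resource_instance.cos.guid

    # Limits the grant to a single bucket by name (the "resourceType"
    # and "resource" lines in the UI policy). Passing the bucket CRN
    # as "resource" instead is what produced the non-working policy.
    attributes = {
      resourceType = "bucket"
      resource     = ibm_cos_bucket.pcaps.bucket_name
    }
  }
}
```

After `terraform apply`, the policy shown in the UI should list serviceInstance, resourceType and resource conditions, matching the one created by hand.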