From 7484aa9f1b65bb8e98137e964649b76d111eb2e7 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Mon, 22 Sep 2025 17:28:19 +0530 Subject: [PATCH 01/11] fixing display messages --- tools/access-management/permissions.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 60666e40..4b452b5c 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh @@ -70,7 +70,7 @@ check_policies() { select(any(.resources[].attributes[]?; .name == "serviceType" and .value == "platform_service")) ' >/dev/null 2>&1 && echo "true" || echo "false") - # Return true only if both checks pass + # Return success only if both checks pass [[ "$has_admin" == "true" && "$has_platform_role" == "true" ]] } @@ -160,7 +160,7 @@ policy_exists() { --arg rg_id "$RG_ID" \ --arg account_id "$ACCOUNT_ID" ' .[] | - select(([.roles[].display_name] | sort) == ($roles | split(",") | sort)) | + select(([.roles[].display_name] | sort) | contains($roles | split(",") | sort)) | if $service == "" then select(any(.resources[].attributes[]?; .name == "resourceGroupId" and .value == $rg_id)) | @@ -201,7 +201,7 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then echo "Assigning global Administrator,Manager roles to access group: $ACCESS_GROUP" ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed for all-service Admin/Manager (access group)" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" else echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists for access group" fi 
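Review bot: The switch from `==` to `contains` in policy_exists makes the role check pass on substrings, because jq's `contains` on an array of strings accepts each wanted element when it is a substring of some existing element — an existing role whose display name merely contains the word `Reader` (e.g. a `… Configuration Reader` role) would satisfy a required `Reader`, so a role that is actually missing can be reported as already assigned and never created. Sorting both sides does nothing here; an equality-based set difference is what the check needs, e.g. `select((($roles | split(",")) - [.roles[].display_name]) == [])`. The rest of policy_exists (the resource-attribute selects and the if/else) lies outside this hunk.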
@@ -228,7 +228,7 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then echo "Assigning global Administrator,Manager roles to $USER_EMAIL" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed for all-service Admin/Manager" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" else echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists" fi @@ -237,3 +237,4 @@ else echo "❗ Please choose either Access Group or User." exit 1 fi + From abf90df4b337822463787a175edb6c02f6447527 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Mon, 22 Sep 2025 19:42:35 +0530 Subject: [PATCH 02/11] fixing adding missing permissions if service already exists with different permissions --- tools/access-management/permissions.sh | 175 ++++++++++++++++--------- 1 file changed, 115 insertions(+), 60 deletions(-) diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 4b452b5c..1f3cd657 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh @@ -70,7 +70,6 @@ check_policies() { select(any(.resources[].attributes[]?; .name == "serviceType" and .value == "platform_service")) ' >/dev/null 2>&1 && echo "true" || echo "false") - # Return success only if both checks pass [[ "$has_admin" == "true" && "$has_platform_role" == "true" ]] } 
@@ -84,13 +83,11 @@ fi if [ "$has_permission" != true ]; then ACCESS_GROUPS_FOR_ADMIN=$(ibmcloud iam access-groups -u "$ADMIN_EMAIL" --output json 2>/dev/null || echo "[]") - # Collect all policies from all access groups into a single array ALL_GROUP_POLICIES="[]" while IFS= read -r GROUP_NAME; do GROUP_POLICIES=$(ibmcloud iam access-group-policies "$GROUP_NAME" --output json 2>/dev/null || echo "[]") ALL_GROUP_POLICIES=$(echo "$ALL_GROUP_POLICIES $GROUP_POLICIES" | jq -s 'add') done < <(echo "$ACCESS_GROUPS_FOR_ADMIN" | jq -r '.[].name // empty') - # Check all group policies at once if check_policies "$ALL_GROUP_POLICIES"; then has_permission=true fi @@ -115,7 +112,6 @@ secrets-manager|Administrator|Manager sysdig-secure|Administrator| is|Editor|" -# New friendly names list (service|friendly name) FRIENDLY_NAMES="apprapp|App Configuration cloud-object-storage|Cloud Object Storage dns-svcs|DNS Services 
@@ -136,44 +132,10 @@ get_friendly_name() { } ##################################### -# 4. Helper to check if policy exists +# 4. Role normalization helper ##################################### -policy_exists() { - local SERVICE="$1" - local ROLES="$2" - local RG_ID="$3" - local ACCOUNT_ID="$4" - - local existing_policies - if [ -n "$ACCESS_GROUP" ]; then - existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") - elif [ -n "$USER_EMAIL" ]; then - existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") - else - echo "❗ ERROR: Neither ACCESS_GROUP nor USER_EMAIL is set in policy_exists" - return 1 - fi - - echo "$existing_policies" | jq -e \ - --arg service "$SERVICE" \ - --arg roles "$ROLES" \ - --arg rg_id "$RG_ID" \ - --arg account_id "$ACCOUNT_ID" ' - .[] | - select(([.roles[].display_name] | sort) | contains($roles | split(",") | sort)) | - if $service == "" then - select(any(.resources[].attributes[]?; - .name == "resourceGroupId" and .value == $rg_id)) | - select(all(.resources[].attributes[]?.name; . != "serviceName")) - else - select(any(.resources[].attributes[]?; - .name == "resourceGroupId" and .value == $rg_id)) | - select(any(.resources[].attributes[]?; - .name == "serviceName" and .value == $service)) | - select([.resources[].attributes[]?.name] | unique | sort - == ["accountId","resourceGroupId","serviceName"]) - end - ' >/dev/null +normalize_roles() { + echo "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | sort -u | paste -sd, - } ##################################### 
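Review bot: normalize_roles keeps empty fields: a stray or trailing comma in its input (`,Manager` or `Editor,`) survives `tr` as an empty line, `sort -u` keeps it, and `paste` then emits a leading comma, so the value later handed to `--roles` can start with `,`; whether that input ever occurs depends on how ROLES is assembled from the role table (the `is|Editor|` row has an empty third field), which is outside this hunk. Dropping blanks in the same sed keeps the helper a one-liner: `echo "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//;/^$/d' | sort -u | paste -sd, -`. A header comment would also help, since this helper underpins the string-equality test in every update path: `# Trim, de-duplicate and sort a comma-separated role list so two lists can be compared as plain strings.`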
@@ -186,24 +148,71 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then fname=$(get_friendly_name "$SERVICE_NAME") [ -n "$fname" ] && DISPLAY_NAME="$SERVICE_NAME ($fname)" || DISPLAY_NAME="$SERVICE_NAME" - if ! policy_exists "$SERVICE_NAME" "$ROLES" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning roles '$ROLES' for service $DISPLAY_NAME" + existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") + + POLICY_ID=$(echo "$existing_policies" | jq -r \ + --arg service "$SERVICE_NAME" \ + --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(any(.resources[].attributes[]?; + .name == "serviceName" and .value == $service)) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Policy already exists with required roles for $DISPLAY_NAME" + else + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" \ + --service-name "$SERVICE_NAME" || echo "⚠️ Failed to update roles for $DISPLAY_NAME" + fi + else + echo "➕ Creating new policy for $DISPLAY_NAME" ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "$ROLES" \ --service-name "$SERVICE_NAME" \ --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign $ROLES for $DISPLAY_NAME" - else - echo "✅ Policy already exists for $DISPLAY_NAME" fi done - if ! 
policy_exists "" "Administrator,Manager" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning global Administrator,Manager roles to access group: $ACCESS_GROUP" + echo "🔍 Checking global Administrator/Manager policy for access group: $ACCESS_GROUP" + existing_policies=$(ibmcloud iam access-group-policies "$ACCESS_GROUP" --output json 2>/dev/null || echo "[]") + POLICY_ID=$(echo "$existing_policies" | jq -r --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | + select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(all(.resources[].attributes[]?.name; . != "serviceName")) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,Administrator,Manager") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Global Administrator/Manager policy already present with required roles for access group: $ACCESS_GROUP" + else + echo "🔄 Updating global policy $POLICY_ID for access group: $ACCESS_GROUP" + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update global Administrator/Manager roles for access group: $ACCESS_GROUP" + fi + else + echo "➕ Creating new global Administrator/Manager policy for access group: $ACCESS_GROUP" ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" - else - echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists for access group" + --resource-group-id 
"$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign global Administrator/Manager roles for access group: $ACCESS_GROUP" fi elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then 
@@ -213,28 +222,74 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then fname=$(get_friendly_name "$SERVICE_NAME") [ -n "$fname" ] && DISPLAY_NAME="$SERVICE_NAME ($fname)" || DISPLAY_NAME="$SERVICE_NAME" - if ! policy_exists "$SERVICE_NAME" "$ROLES" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning roles '$ROLES' for service $DISPLAY_NAME" + existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") + + POLICY_ID=$(echo "$existing_policies" | jq -r \ + --arg service "$SERVICE_NAME" \ + --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(any(.resources[].attributes[]?; + .name == "serviceName" and .value == $service)) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Policy already exists with required roles for $DISPLAY_NAME" + else + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" \ + --service-name "$SERVICE_NAME" || echo "⚠️ Failed to update roles for $DISPLAY_NAME" + fi + else + echo "➕ Creating new policy for $DISPLAY_NAME" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "$ROLES" \ --service-name "$SERVICE_NAME" \ --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign $ROLES for $DISPLAY_NAME" - else - echo "✅ Policy already exists for $DISPLAY_NAME" fi done - if ! 
policy_exists "" "Administrator,Manager" "$RESOURCE_GROUP_ID" "$ACCOUNT_ID"; then - echo "Assigning global Administrator,Manager roles to $USER_EMAIL" + echo "🔍 Checking global Administrator/Manager policy for $USER_EMAIL" + existing_policies=$(ibmcloud iam user-policies "$USER_EMAIL" --output json 2>/dev/null || echo "[]") + POLICY_ID=$(echo "$existing_policies" | jq -r --arg rg_id "$RESOURCE_GROUP_ID" ' + .[] | + select(any(.resources[].attributes[]?; + .name == "resourceGroupId" and .value == $rg_id)) | + select(all(.resources[].attributes[]?.name; . != "serviceName")) | + .id' | head -n1) + + if [ -n "$POLICY_ID" ] && [ "$POLICY_ID" != "null" ]; then + EXISTING_ROLES=$(echo "$existing_policies" | jq -r --arg id "$POLICY_ID" ' + .[] | select(.id == $id) | [.roles[].display_name] | join(",")') + + EXISTING_SORTED=$(normalize_roles "$EXISTING_ROLES") + MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,Administrator,Manager") + + if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then + echo "✅ Global Administrator/Manager policy already present with required roles for $USER_EMAIL" + else + echo "🔄 Updating global policy $POLICY_ID for $USER_EMAIL" + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ + --roles "$MERGED_SORTED" \ + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update global Administrator/Manager roles for user: $USER_EMAIL" + fi + else + echo "➕ Creating new global Administrator/Manager policy for $USER_EMAIL" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" - else - echo "✅ All Identity and Access enabled services Administrator/Manager policy already exists" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign global Administrator/Manager roles for user: $USER_EMAIL" fi else echo "❗ Please choose either Access 
Group or User." exit 1 fi - From fbcb50cc087e31a72b300889bd68ee310bed88d6 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Tue, 23 Sep 2025 15:50:26 +0530 Subject: [PATCH 03/11] fixing display messages --- tools/access-management/permissions.sh | 36 +++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 1f3cd657..9a1e9fa6 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh @@ -169,7 +169,14 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then echo "✅ Policy already exists with required roles for $DISPLAY_NAME" else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ --roles "$MERGED_SORTED" \ --resource-group-id "$RESOURCE_GROUP_ID" \ 
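Review bot: Every CLI failure in the new user branch is only echoed — `… || echo "⚠️ Failed to update roles for $DISPLAY_NAME"` — and the script still runs to the end and exits 0, so a caller or CI job sees a partially applied permission set reported as success; record the failure (`|| { echo "⚠️ …"; rc=1; }`) and finish the script with `exit "${rc:-0}"`. In the same way `ibmcloud iam user-policies … 2>/dev/null || echo "[]"` turns an expired login or API error into "no policies", which steers every service into the create path instead of stopping, so a failed listing should be fatal. This branch is a near line-for-line copy of the access-group branch above it, differing only in the `user-policy-*` subcommands and the subject, so one function taking the subcommand prefix and the subject would remove the duplication and keep the two paths from drifting. The enclosing if/elif chain begins before this hunk.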
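Review bot: The `comm -13` snippet that computes NEW_ROLES is written out inline here and is repeated verbatim in each of the other three update paths, so it belongs next to normalize_roles as a helper, e.g. `added_roles() { comm -13 <(tr ',' '\n' <<<"$1" | sort) <(tr ',' '\n' <<<"$2" | sort) | paste -sd, -; }` with a one-line comment `# Roles present in $2 but not in $1 (both comma-separated), as a comma-separated list`, and the call site shrinks to `NEW_ROLES=$(added_roles "$EXISTING_SORTED" "$MERGED_SORTED")`. Re-sorting inside the helper is what keeps `comm` happy — it requires both inputs sorted under the same collation, which the preceding `sort -u` in normalize_roles already guarantees, so the extra sort is redundant but harmless. The surrounding if/else and the update call are outside this hunk.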
@@ -203,16 +210,23 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then echo "✅ Global Administrator/Manager policy already present with required roles for access group: $ACCESS_GROUP" else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + echo "🔄 Updating global policy $POLICY_ID for access group: $ACCESS_GROUP" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + ibmcloud iam access-group-policy-update "$ACCESS_GROUP" "$POLICY_ID" \ --roles "$MERGED_SORTED" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update global Administrator/Manager roles for access group: $ACCESS_GROUP" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" fi else echo "➕ Creating new global Administrator/Manager policy for access group: $ACCESS_GROUP" ibmcloud iam access-group-policy-create "$ACCESS_GROUP" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign global Administrator/Manager roles for access group: $ACCESS_GROUP" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to access group: $ACCESS_GROUP" fi elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then 
@@ -243,7 +257,14 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then echo "✅ Policy already exists with required roles for $DISPLAY_NAME" else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + echo "🔄 Updating existing policy $POLICY_ID for $DISPLAY_NAME" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ --roles "$MERGED_SORTED" \ --resource-group-id "$RESOURCE_GROUP_ID" \ @@ -277,16 +298,23 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then echo "✅ Global Administrator/Manager policy already present with required roles for $USER_EMAIL" else + NEW_ROLES=$(comm -13 \ + <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ + <(echo "$MERGED_SORTED" | tr ',' '\n' | sort) | paste -sd, -) + echo "🔄 Updating global policy $POLICY_ID for $USER_EMAIL" + echo " • Current roles : $EXISTING_SORTED" + echo " • Adding roles : $NEW_ROLES" + ibmcloud iam user-policy-update "$USER_EMAIL" "$POLICY_ID" \ --roles "$MERGED_SORTED" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update global Administrator/Manager roles for user: $USER_EMAIL" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to update Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" fi else echo "➕ Creating new global Administrator/Manager policy for $USER_EMAIL" ibmcloud iam user-policy-create "$USER_EMAIL" \ --roles "Administrator,Manager" \ - --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign global Administrator/Manager roles for user: $USER_EMAIL" + --resource-group-id "$RESOURCE_GROUP_ID" || echo "⚠️ Failed to assign Administrator,Manager roles for All Identity and Access enabled services to user: $USER_EMAIL" fi else 
From 43ad32c866e2de90b733e9092e8f10f7f94bf5bc Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Tue, 23 Sep 2025 20:57:21 +0530 Subject: [PATCH 04/11] fixing display messages --- tools/access-management/permissions.sh | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 9a1e9fa6..49dc191d 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh @@ -49,6 +49,7 @@ has_permission=false check_policies() { local policies="$1" + local scope="$2" # Check Administrator role for serviceType=service local has_admin @@ -70,12 +71,25 @@ check_policies() { select(any(.resources[].attributes[]?; .name == "serviceType" and .value == "platform_service")) ' >/dev/null 2>&1 && echo "true" || echo "false") + # Debug printing + if [ "$has_admin" = "true" ]; then + echo "✅ $scope: Has Administrator for All Identity and Access enabled service" + else + echo "❌ $scope: Missing Administrator for All Identity and Access enabled service" + fi + + if [ "$has_platform_role" = "true" ]; then + echo "✅ $scope: Has Viewer/Editor/Administrator for All Account Management services" + else + echo "❌ $scope: Missing Viewer/Editor/Administrator for All Account Management services" + fi + [[ "$has_admin" == "true" && "$has_platform_role" == "true" ]] } USER_POLICIES=$(ibmcloud iam user-policies "$ADMIN_EMAIL" --output json 2>/dev/null || echo "[]") if echo "$USER_POLICIES" | jq empty 2>/dev/null; then - if check_policies "$USER_POLICIES"; then + if check_policies "$USER_POLICIES" "User"; then has_permission=true fi fi 
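Review bot: The four status lines added to check_policies go to stdout, so a predicate that callers use only for its exit status now interleaves diagnostics with the script's normal output and would corrupt any future `$(check_policies …)` capture; send them to stderr, e.g. `echo "✅ At $scope policy level: …" >&2`. The `# Debug printing` comment also undersells them — they are unconditional user-facing output — so something like `# Report which of the two required policies was found in this scope` describes them better. check_policies begins before this hunk, and the jq programs that set has_admin and has_platform_role are outside it.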
@@ -88,13 +102,14 @@ if [ "$has_permission" != true ]; then GROUP_POLICIES=$(ibmcloud iam access-group-policies "$GROUP_NAME" --output json 2>/dev/null || echo "[]") ALL_GROUP_POLICIES=$(echo "$ALL_GROUP_POLICIES $GROUP_POLICIES" | jq -s 'add') done < <(echo "$ACCESS_GROUPS_FOR_ADMIN" | jq -r '.[].name // empty') - if check_policies "$ALL_GROUP_POLICIES"; then + # echo $ALL_GROUP_POLICIES + if check_policies "$ALL_GROUP_POLICIES" "Access Group"; then has_permission=true fi fi if [ "$has_permission" != true ]; then - echo "❌ $ADMIN_EMAIL does NOT have account-level Administrator rights — cannot assign permissions." + echo "❌ $ADMIN_EMAIL lacks required account-level Administrator rights (checked User & Access Groups policies)." exit 1 fi From ecca9139092586c50733c31f664062c8678ec612 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Wed, 24 Sep 2025 15:19:25 +0530 Subject: [PATCH 05/11] updating display --- tools/access-management/permissions.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/access-management/permissions.sh b/tools/access-management/permissions.sh index 49dc191d..dd5946ad 100755 --- a/tools/access-management/permissions.sh +++ b/tools/access-management/permissions.sh 
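Review bot: The two required policies must still both be found within a single scope: check_policies is run once over the user's direct policies and once over the merged access-group policies, so an admin who holds Administrator on IAM-enabled services directly and the account-management role through a group is rejected even though the new message says User and Access Group policies were checked. If rights from either source are meant to count, evaluate the union once, e.g. `if check_policies "$(echo "$USER_POLICIES $ALL_GROUP_POLICIES" | jq -s 'add')" "User + Access Group"; then`, mirroring how ALL_GROUP_POLICIES is already accumulated in the loop above. The commented-out `# echo $ALL_GROUP_POLICIES` is a debugging leftover and should be dropped (and quoted if it ever comes back). USER_POLICIES and the user-level check are set before this hunk.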
@@ -73,15 +73,15 @@ check_policies() { # Debug printing if [ "$has_admin" = "true" ]; then - echo "✅ $scope: Has Administrator for All Identity and Access enabled service" + echo "✅ At $scope policy level: Has Administrator for All Identity and Access enabled service" else - echo "❌ $scope: Missing Administrator for All Identity and Access enabled service" + echo "❌ At $scope policy level: Missing Administrator for All Identity and Access enabled service" fi if [ "$has_platform_role" = "true" ]; then - echo "✅ $scope: Has Viewer/Editor/Administrator for All Account Management services" + echo "✅ At $scope policy level: Has Viewer/Editor/Administrator for All Account Management services" else - echo "❌ $scope: Missing Viewer/Editor/Administrator for All Account Management services" + echo "❌ At $scope policy level: Missing Viewer/Editor/Administrator for All Account Management services" fi [[ "$has_admin" == "true" && "$has_platform_role" == "true" ]] @@ -109,11 +109,11 @@ if [ "$has_permission" != true ]; then fi if [ "$has_permission" != true ]; then - echo "❌ $ADMIN_EMAIL lacks required account-level Administrator rights (checked User & Access Groups policies)." + echo "❌ $ADMIN_EMAIL lacks required Administrator rights (checked User & Access Group policies) — cannot assign permissions." exit 1 fi -echo "✅ $ADMIN_EMAIL has account-level Administrator rights — proceeding." +echo "✅ $ADMIN_EMAIL has Administrator rights (verified from User & Access Group policies) — proceeding with permission assignment." ##################################### # 3. Role assignment definitions 
@@ -182,7 +182,7 @@ if [ -n "$ACCESS_GROUP" ] && [ -z "$USER_EMAIL" ]; then MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then - echo "✅ Policy already exists with required roles for $DISPLAY_NAME" + echo "✅ Policy for $DISPLAY_NAME already includes required roles: $EXISTING_SORTED" else NEW_ROLES=$(comm -13 \ <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ @@ -270,7 +270,7 @@ elif [ -z "$ACCESS_GROUP" ] && [ -n "$USER_EMAIL" ]; then MERGED_SORTED=$(normalize_roles "$EXISTING_ROLES,$ROLES") if [ "$MERGED_SORTED" = "$EXISTING_SORTED" ]; then - echo "✅ Policy already exists with required roles for $DISPLAY_NAME" + echo "✅ Policy for $DISPLAY_NAME already includes required roles: $EXISTING_SORTED" else NEW_ROLES=$(comm -13 \ <(echo "$EXISTING_SORTED" | tr ',' '\n' | sort) \ From 251e9ca0f8c4925c237b9b77013aa438065063e6 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Wed, 24 Sep 2025 17:14:55 +0530 Subject: [PATCH 06/11] fixing readme --- tools/access-management/README.md | 51 ++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 4 deletions(-) diff --git a/tools/access-management/README.md b/tools/access-management/README.md index 6f1ca6f6..13bdbd2e 100644 --- a/tools/access-management/README.md +++ b/tools/access-management/README.md 
@@ -1,13 +1,56 @@ # IAM Permissions Assignment for LSF Deployment -### Before deploying an IBM Cloud LSF cluster, specific IAM permissions must be assigned to either a user or an access group. This script automates that process. +#### Before deploying an IBM Spectrum LSF cluster, specific IAM permissions must be assigned to either a user or an access group. The automation script enables this process. -How to run: +User has the flexibility to run the specific scripts to gain the required IAM permissions to perform the LSF deployment. The automation ensures that if the user has a certain permissions, then the script will omit them and add only the required permissions to perform the deployment. + +For example, for the App configuration service, the user requires Administrator and Manager permissions. If the user already has the Administrator permission, then the script will omit this and provide only Manager permission. + +### Benefits of the scripts: + +#### Interactive input collection - The script prompts for the IBMid (admin email), Resource Group ID, Account ID, and target (User or Access Group). + +#### Permission check - The script verifies that the admin has account-level Administrator rights which is required to assign policies. + +#### Assigns required permissions for LSF deployment - This script grants the appropriate permissions across IBM Cloud services that LSF depends upon (for example, VPC, COS, DNS services, KMS, Secrets Manager, and Sysdig Monitoring). + +#### Avoids duplicates - The script skips the assignment if a matching policy already exists. + +You can get the scripts by performing gitclone on the branch: ``` -ibmcloud login --apikey -g +git clone -b main https://github.com/terraform-ibm-modules/terraform-ibm-hpc.git +``` -chmod +x permissions.sh +1. Navigate to cd tools/access-management, you will get the permissions.sh file. + +2. Login to the IBM Cloud with your API key. 
Run the following command: +``` +ibmcloud login --apikey -g +chmod +x permissions.sh ./permissions.sh ``` + +3. Enter the admin email or IBMid. +4. Enter the Resource group and Account ID. + +For the Account ID, login to the IBM Cloud account by using your unique credentials. Go to Manage > Account > Account settings. You will find the Account ID. + +5. You will be asked to assign the roles: + +a. Access Group - Select this option, if you want to assign the access to the entire access group. +b. User - Select this option, if you want to assign the access to an individual user. +Select the required option. + +6. Enter the target user email, if you select the option 2. +7. User policy is successfully created. + +If the user skips to enter the RESOURCE_GROUP_ID or the ACCOUNT_ID, then script displays the error message: + +``` +:x: RESOURCE_GROUP_ID is required. +:x: ACCOUNT_ID is required. +``` + +This script ensures the user or access group has all the required IAM permissions to successfully deploy an LSF environment. \ No newline at end of file From 8b5372a5af8771a267044aba4a034e5027331bd7 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Wed, 24 Sep 2025 17:16:50 +0530 Subject: [PATCH 07/11] fixing readme --- tools/access-management/README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/access-management/README.md b/tools/access-management/README.md index 13bdbd2e..a8980b51 100644 --- a/tools/access-management/README.md +++ b/tools/access-management/README.md 
@@ -33,17 +33,21 @@ chmod +x permissions.sh ``` 3. Enter the admin email or IBMid. + 4. Enter the Resource group and Account ID. For the Account ID, login to the IBM Cloud account by using your unique credentials. Go to Manage > Account > Account settings. You will find the Account ID. 5. You will be asked to assign the roles: -a. Access Group - Select this option, if you want to assign the access to the entire access group. -b. User - Select this option, if you want to assign the access to an individual user. +``` +Access Group - Select this option, if you want to assign the access to the entire access group. +User - Select this option, if you want to assign the access to an individual user. Select the required option. +``` 6. Enter the target user email, if you select the option 2. + 7. User policy is successfully created. If the user skips to enter the RESOURCE_GROUP_ID or the ACCOUNT_ID, then script displays the error message: From 9d8e968958cf3ccd80e2b2cd22d4f1396e883bd7 Mon Sep 17 00:00:00 2001 From: Nupur Goyal Date: Wed, 24 Sep 2025 20:59:52 +0530 Subject: [PATCH 08/11] updating readme --- tools/minimal-demo-prod-scripts/README.md | 121 +++++++++++++++------- 1 file changed, 82 insertions(+), 39 deletions(-) diff --git a/tools/minimal-demo-prod-scripts/README.md b/tools/minimal-demo-prod-scripts/README.md index 309f6cfa..b719b770 100644 --- a/tools/minimal-demo-prod-scripts/README.md +++ b/tools/minimal-demo-prod-scripts/README.md 
@@ -1,37 +1,29 @@ # Deploying and Connecting to LSF Environment via CLI -### Notes: - -The must be 16 characters or fewer, i.e. abc-lsf - -The catalog_values__deployment.json specifies the configuation of the LSF environment. Please review to avoid unexpected costs. +The current LSF setup is designed for production grade deployments. This approach is high-priced for trying before-you-buy option and demonstration use cases. As a solution, now users can select the deployment options using three different t-shirt sizes - Small, Medium, and Large. This solution has the ability to deploy a smaller and less expensive environment on IBM Cloud to try the capability or to provide a demonstration. ### Deployment Types: -#### Minimal: -Deploys the smallest possible environment (a single management instance) for the fastest setup. All optional services (observability, logging, SCC, Atracker, Ldap etc.) are disabled. +You will be able to choose from these 3 deployment size options: -#### Demo: -Showcases the full set of capabilities. All optional services (observability, logging, SCC, etc.) are enabled. Deployment takes longer compared to minimal. +#### Small (Minimal): +This deploys the smallest possible environment (a single management instance) for the fastest setup. All optional services like observability, logging, SCC, Atracker, and LDAP are disabled. -#### Production: -Allows customization for production-grade deployments. Optional services like observability, logging, and SCC are enabled by default but can be tailored as required. +#### Medium (Demo): +This displays the full set of capabilities. All optional services like observability, logging, and SCC are enabled. The deployment takes longer compared to minimal. -All JSON files are customizable (users can tweak configs as needed). -But the .env file is mandatory because that’s where the required variables must always be filled. 
+#### Large (Production): +This option allows customization for production grade deployments. The optional services like observability, logging, and SCC are enabled by default but can be changed as required. -## Step 1. Fill the .env file +All the JSON files are customizable (users can make configuration changes as needed). -``` -############################################################################## -# Environment Configuration +#### Note: The .env file is mandatory because it contains all the variables required to update the file regardless of deployment types. + +### Step 1: Create the .env file -# Step 1: Update the variables below as needed. -# Step 2: If you require additional optional variables, update them directly -# in the JSON file(s) for your deployment type. -# Step 3: Always validate the JSON file before running the script. -############################################################################## +The following inputs are required to update the .env file. +``` # IBM Cloud API key API_KEY="YOUR_API_KEY" @@ -40,15 +32,14 @@ ACCOUNT_GUID="ACCOUNT_GUID" ZONES="ZONES" RESOURCE_GROUP="RESOURCE_GROUP" -# SSH key name (must exist in your account) +# SSH key name SSH_KEY="SSH_KEY" # Template JSON file (choose as per your deployment type) TEMPLATE_FILE="catalog_values_minimal_deployment.json" # LSF tile version locator -# Example below is for 3.0.0 version -LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.6c26cd4c-4f72-45e5-8bde-77387aa05138-global" +LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.2ad06fe1-6125-45c5-b8b6-6454eb4907e6-global" # App Center GUI password # Rules: Minimum 8 characters, at least 1 uppercase, 1 lowercase, 1 number, 
@@ -56,38 +47,90 @@ LSF_TILE_VERSION="1082e7d2-5e2f-0a11-a3bc-f88a8e1931fc.6c26cd4c-4f72-45e5-8bde-7
 APP_CENTER_GUI_PASSWORD="APP_CENTER_GUI_PASSWORD"
 ```
-## Step 2. Deploy the LSF Environment:
+From the above snippet, below are the descriptions for the parameters:
+
+API_KEY - This key is used to authenticate your deployment and grant the necessary access to create and manage resources in your IBM Cloud environment.
+
+ACCOUNT_GUID - Login to the IBM Cloud account by using your unique credentials. Go to Manage > Account > Account settings. You will find the Account ID.
+
+ZONES - Provide the IBM Cloud zone.
+
+RESOURCE_GROUP - The existing resource group of your IBM Cloud account where VPC resources will be deployed.
+
+SSH_KEY - A list of SSH key names that are already configured in your IBM Cloud account to establish a connection to the Spectrum LSF nodes.
+
+TEMPLATE_FILE - All the .json files are uploaded in https://github.ibm.com/workload-eng-services/HPCaaS/tree/sml/tools/minimal-demo-prod-scripts.
+
+catalog_values_minimal_deployment.json - choose this file for small deployments.
+catalog_values_demo_deployment.json - choose this file for medium deployments.
+catalog_values_production_deployment.json - choose this file for large deployments.
+
+LSF_TILE_VERSION - Login to the IBM Cloud catalog by using your unique credentials. Click Review deployment options. In the Deployment options section, select Create from the CLI, copy the version_locator_value, and save this value.
+Note: The version_locator_value changes are based on the tile version selected.
+
+APP_CENTER_GUI_PASSWORD - This is the password that is required to access the IBM Spectrum LSF Application Center (App Center) GUI, which is enabled by default in both Fix Pack 15 and Fix Pack 14 with HTTPS. This is a mandatory value and omitting it will result in deployment failure.
+
+### Step 2: Deploy the LSF environment
+
+You can get the scripts by performing gitclone on the branch:
+
+```
+git clone -b main https://github.com/terraform-ibm-modules/terraform-ibm-hpc.git
+```
+
+1. Navigate to minimal-demo-prod-scripts to get the all the required files.
+
+2. Run the chmod +x *.sh, gives permissions to all the files.
+
 ```
-1. chmod +x create_lsf_environment.sh
-2. ./create_lsf_environment.sh
+chmod +x create_lsf_environment.sh
+./create_lsf_environment.sh
 ```
-## Step 3. Connect to the LSF Cluster and Run Jobs
+create_lsf_environment - This script automates the end-to-end deployment of an IBM Cloud LSF environment. It installs required plugins, generates configuration files from your .env, triggers the Schematics workspace deployment, and finally the prints access details (bastion, login, management IPs) with next steps for connecting and submitting jobs.
+
+### Step 3: Connect to the LSF cluster and run the jobs
+
+Now that your environment is set up, you can connect to the LSF cluster and perform operations such as submitting jobs, monitoring workloads, viewing infrastructure details.
-Now that your environment is set up, you can connect to the LSF cluster and perform operations such as submitting jobs, monitoring workloads, viewing infrastructure details. etc.
+Using Utility Scripts
-#### 1. To view the infra details
+1. Run the following command to view the infra details:
 ```
 chmod +x show.sh
- ./show.sh
+./show.sh
 ```
-#### 2. Copy the job submission script to the cluster
+show.sh - This script retrieves details of the Schematics workspace for a given LSF cluster prefix. It ensures you are logged into the correct account and region, locates the workspace, and then displays its full configuration and state.
+
+2. Copy the job submission script to the cluster by using the command:
 ```
 chmod +x cp.sh
- ./cp.sh submit.sh
+./cp.sh submit.sh
 ```
-#### 3. Jump to the LSF Environment
+cp.sh - This script copies the submit.sh file into your LSF cluster. It validates account and region, fetches the bastion, login, and management IPs, and then securely transfers the submit.sh file either to the login node (default) or the management node (if management is specified).
+
+submit.sh - This script demonstrates how to submit a sample job to the LSF scheduler. It provides a simple command (sleep 30) wrapped in an LSF job submission request (bsub). By default, it requests 8 CPU cores for the job. Users can update:
+
+Job options (for example, -n 8 to change the number of requested cores).
+
+Command (for example, replace sleep 30 with their own workload).
+
+This serves as a template for testing job submission and can be adapted for real workloads.
+
+3. Run the following command to jump to the LSF environment:
 ```
 chmod +x jump.sh
- ./jump.sh
+./jump.sh
 ```
-#### 4. Submit jobs
+jump.sh - This script connects you directly to the LSF login node. It ensures you are targeting the right IBM Cloud account/region, fetches the bastion, login, and management IPs, and then uses SSH (with bastion as a jump host) to securely log into the LSF login node.
+
+4. Run the following commands to submit the jobs:
 ```
 sh submit.sh
@@ -95,9 +138,9 @@ bjobs
 lshosts -w
 ```
-#### 5. To destroy the created infrastructure
+#### 5. Run the following command to destroy the created infrastructure
 ```
 chmod +x destroy.sh
- ./destroy.sh
+./destroy.sh
 ```
From f540a3083735f212197c286853098237fa7939d9 Mon Sep 17 00:00:00 2001
From: Nupur Goyal
Date: Wed, 24 Sep 2025 21:03:23 +0530
Subject: [PATCH 09/11] updating readme
---
 tools/minimal-demo-prod-scripts/README.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/tools/minimal-demo-prod-scripts/README.md b/tools/minimal-demo-prod-scripts/README.md
index b719b770..6d9dbdd8 100644
--- a/tools/minimal-demo-prod-scripts/README.md
+++ b/tools/minimal-demo-prod-scripts/README.md
@@ -2,17 +2,17 @@
 The current LSF setup is designed for production grade deployments. This approach is high-priced for trying before-you-buy option and demonstration use cases. As a solution, now users can select the deployment options using three different t-shirt sizes - Small, Medium, and Large. This solution has the ability to deploy a smaller and less expensive environment on IBM Cloud to try the capability or to provide a demonstration.
-### Deployment Types:
+## Deployment Types:
 You will be able to choose from these 3 deployment size options:
-#### Small (Minimal):
+### Small (Minimal):
 This deploys the smallest possible environment (a single management instance) for the fastest setup. All optional services like observability, logging, SCC, Atracker, and LDAP are disabled.
-#### Medium (Demo):
+### Medium (Demo):
 This displays the full set of capabilities. All optional services like observability, logging, and SCC are enabled. The deployment takes longer compared to minimal.
-#### Large (Production):
+### Large (Production):
 This option allows customization for production grade deployments. The optional services like observability, logging, and SCC are enabled by default but can be changed as required.
 All the JSON files are customizable (users can make configuration changes as needed).
@@ -93,9 +93,9 @@ create_lsf_environment - This script automates the end-to-end deployment of an I
 Now that your environment is set up, you can connect to the LSF cluster and perform operations such as submitting jobs, monitoring workloads, viewing infrastructure details.
-Using Utility Scripts
+### Using Utility Scripts
-1. Run the following command to view the infra details:
+#### 1. Run the following command to view the infra details:
 ```
 chmod +x show.sh
@@ -104,7 +104,7 @@ chmod +x show.sh
 show.sh - This script retrieves details of the Schematics workspace for a given LSF cluster prefix. It ensures you are logged into the correct account and region, locates the workspace, and then displays its full configuration and state.
-2. Copy the job submission script to the cluster by using the command:
+#### 2. Copy the job submission script to the cluster by using the command:
 ```
 chmod +x cp.sh
@@ -121,7 +121,7 @@ Command (for example, replace sleep 30 with their own workload).
 This serves as a template for testing job submission and can be adapted for real workloads.
-3. Run the following command to jump to the LSF environment:
+#### 3. Run the following command to jump to the LSF environment:
 ```
 chmod +x jump.sh
@@ -130,7 +130,7 @@ chmod +x jump.sh
 jump.sh - This script connects you directly to the LSF login node. It ensures you are targeting the right IBM Cloud account/region, fetches the bastion, login, and management IPs, and then uses SSH (with bastion as a jump host) to securely log into the LSF login node.
-4. Run the following commands to submit the jobs:
+#### 4. Run the following commands to submit the jobs:
 ```
 sh submit.sh
From af6dd129b6686e8dbb163dd24a2ad4f8989d14a4 Mon Sep 17 00:00:00 2001
From: Nupur Goyal
Date: Wed, 24 Sep 2025 21:08:53 +0530
Subject: [PATCH 10/11] fixing pre-commit
---
 tools/access-management/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/access-management/README.md b/tools/access-management/README.md
index a8980b51..9431e3fa 100644
--- a/tools/access-management/README.md
+++ b/tools/access-management/README.md
@@ -57,4 +57,4 @@ If the user skips to enter the RESOURCE_GROUP_ID or the ACCOUNT_ID, then script
 :x: ACCOUNT_ID is required.
 ```
-This script ensures the user or access group has all the required IAM permissions to successfully deploy an LSF environment.
\ No newline at end of file
+This script ensures the user or access group has all the required IAM permissions to successfully deploy an LSF environment.
From 0ad2cf22242b359eeca5a084a46553a2fd3d545d Mon Sep 17 00:00:00 2001
From: Nupur Goyal
Date: Wed, 24 Sep 2025 23:12:34 +0530
Subject: [PATCH 11/11] fixing pre-commit
---
 .secrets.baseline | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index af25d937..23b773e6 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-09-17T10:23:03Z",
+ "generated_at": "2025-09-24T15:40:32Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -108,7 +108,7 @@
 "hashed_secret": "89a6cfe2a229151e8055abee107d45ed087bbb4f",
 "is_secret": true,
 "is_verified": false,
- "line_number": 36,
+ "line_number": 28,
 "type": "Secret Keyword",
 "verified_result": null
 },
@@ -116,7 +116,7 @@
 "hashed_secret": "365b78d42089abe4583503eded60fa7c1b3e1cd0",
 "is_secret": true,
 "is_verified": false,
- "line_number": 56,
+ "line_number": 47,
 "type": "Secret Keyword",
 "verified_result": null
 }