diff --git a/modules/access-groups/main.tf b/modules/access-groups/main.tf
new file mode 100644
index 00000000..cfdc499c
--- /dev/null
+++ b/modules/access-groups/main.tf
@@ -0,0 +1,50 @@
+module "access_group" {
+  count = var.existing_access_group_name != null ? 1 : 0
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-iam-access-group.git/?ref=v1.3.0"
+  providers = {
+    ibm = ibm
+  }
+  provision = false
+  access_group_name = var.existing_access_group_name
+  add_members = false
+  dynamic_rules = {}
+  policies = {
+    watson_assistant_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags = []
+      resources = [
+        {
+          service = "conversation"
+          resource = var.watsonx_assistant_id
+          resource_type = "assistant"
+        }]
+    }
+    watson_assistant_environment_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags = []
+      resources = [{
+        service = "conversation"
+        resource = var.assistant_environment_id
+        resource_type = "environment"
+      }]
+    }
+    watson_assistant_search_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags = []
+      resources = [{
+        service = "conversation"
+        resource = var.assistant_search_skill_id
+        resource_type = "skill"
+      }]
+    }
+    watson_assistant_action_edit = {
+      roles = ["Reader", "Writer", "Viewer", "Editor"]
+      tags = []
+      resources = [{
+        service = "conversation"
+        resource = var.assistant_action_skill_id
+        resource_type = "skill"
+      }]
+    }
+  }
+}
diff --git a/modules/access-groups/outputs.tf b/modules/access-groups/outputs.tf
new file mode 100644
index 00000000..065c9c30
--- /dev/null
+++ b/modules/access-groups/outputs.tf
@@ -0,0 +1,9 @@
+output "access_group_id" {
+  value = var.existing_access_group_name != null ? module.access_group[0].id : null
+  description = "Access group ID."
+}
+
+output "access_group_policy_ids" {
+  value = var.existing_access_group_name != null ? module.access_group[0].policy_ids : null
+  description = "List of access group policy IDs."
+}
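Review bot: Every entry in `policies` binds `resource` directly to a variable that defaults to `null` (`var.watsonx_assistant_id`, `var.assistant_environment_id`, `var.assistant_search_skill_id`, `var.assistant_action_skill_id` in variables.tf), so a caller that omits one id still creates that policy; if the upstream module drops a null attribute instead of failing, the policy would presumably be scoped to every `conversation` resource in the account rather than the single sub-resource intended, which is the opposite of the least-privilege grant this module is for — worth confirming against terraform-ibm-iam-access-group v1.3.0 before relying on it, and the same null can arrive from the `one([...])` expressions in solutions/banking/main.tf. Consider rejecting a null id early with a `validation` block on those variables, or building `policies` only from ids that are non-null, so a missing id can never widen a grant. The four identical role lists could be one local such as `roles = local.edit_roles`, so any later tightening of the roles happens in one place. Separately, `?ref=v1.3.0` pins a git tag, which can be moved or re-pointed; pinning the commit SHA behind the tag (or using the registry source with a `version` constraint) gives a reproducible, tamper-evident dependency.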
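Review bot: Both outputs re-evaluate `var.existing_access_group_name != null` to guard the `[0]` index, duplicating the condition that already drives `count` on `module.access_group` in main.tf, so the two can drift apart if one is edited. `value = one(module.access_group[*].id)` and `value = one(module.access_group[*].policy_ids)` derive the same null-when-absent result from the instance list itself and need no repeated condition (`one()` is available with the `>= 1.3.0` requirement in version.tf).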
diff --git a/modules/access-groups/variables.tf b/modules/access-groups/variables.tf
new file mode 100644
index 00000000..619f73a1
--- /dev/null
+++ b/modules/access-groups/variables.tf
@@ -0,0 +1,30 @@
+variable "watsonx_assistant_id" {
+  description = "Watson Assistant instance ID"
+  type = string
+  default = null
+}
+
+variable "assistant_environment_id" {
+  description = "Watson Assistant environment ID"
+  type = string
+  default = null
+}
+
+variable "assistant_search_skill_id" {
+  description = "Search skill configuration ID"
+  type = string
+  default = null
+}
+
+variable "assistant_action_skill_id" {
+  description = "Action skill configuration ID"
+  type = string
+  default = null
+}
+
+
+variable "existing_access_group_name" {
+  description = "Access group to add policies to"
+  type = string
+  default = null
+}
diff --git a/modules/access-groups/version.tf b/modules/access-groups/version.tf
new file mode 100644
index 00000000..cd72b2c6
--- /dev/null
+++ b/modules/access-groups/version.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    ibm = {
+      source = "IBM-Cloud/ibm"
+      version = ">= 1.67.1"
+    }
+  }
+  required_version = ">= 1.3.0"
+}
diff --git a/solutions/banking/main.tf b/solutions/banking/main.tf
index 6fd1a126..eebdf16f 100644
--- a/solutions/banking/main.tf
+++ b/solutions/banking/main.tf
@@ -12,7 +12,8 @@ locals {
   watson_ml_project_name = var.prefix != null ? "${var.prefix}-${var.watson_project_name}" : var.watson_project_name
   sensitive_tokendata = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
-  elastic_index_name = var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name
+  # Translate index name to lowercase to avoid Elastic errors
+  elastic_index_name = lower(var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name)
   elastic_credentials_data = local.use_elastic_index ? jsondecode(data.ibm_resource_key.elastic_credentials[0].credentials_json).connection.https : null
   # Compose the URL without credentials to keep the latter sensitive
   elastic_service_binding = local.use_elastic_index ? {
@@ -207,6 +208,21 @@ moved {
   to = module.configure_watson_assistant.shell_script.watson_assistant
 }
+### Optionally add access policies for Watson Assistant sub-resources to an existing access group
+module "watson_assistant_access_policies" {
+  count = var.existing_wa_access_group_name != null ? 1 : 0
+  source = "../../modules/access-groups"
+  providers = {
+    ibm = ibm.ibm_resources
+  }
+  existing_access_group_name = var.existing_wa_access_group_name
+  watsonx_assistant_id = module.configure_watson_assistant.watsonx_assistant_id
+  assistant_environment_id = module.configure_watson_assistant.watsonx_assistant_environment.environment_id
+  assistant_action_skill_id = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "action"])
+  assistant_search_skill_id = one([for skill in module.configure_watson_assistant.watsonx_assistant_environment.skill_references : skill.skill_id if skill.type == "search"])
+}
+
+
 ### Make all pipeline properties dependent on CD instance
 ### to avoid errors when the toolchains are out of grace period
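Review bot: `assistant_action_skill_id` and `assistant_search_skill_id` use `one([for skill in ... if skill.type == "action"])`, which returns `null` when the environment has no skill of that type and aborts the plan when it has more than one, and neither outcome is stated anywhere in the second hunk; the null case flows into the access-groups module as a policy `resource`, which is where the scoping concern noted on modules/access-groups/main.tf originates. A comment such as `# one() assumes at most one action and one search skill per environment; a missing skill yields null and is passed through unchanged` would make the assumption visible, and a `lifecycle { precondition { ... } }` on the module call (or a `validation` on the module's variables) could reject a null id before any policy is created. The `count` on this module call also duplicates the identical `count` inside `modules/access-groups/main.tf`, so one of the two guards is redundant and could be dropped. The `moved` block whose closing lines open the hunk begins above the hunk.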
diff --git a/solutions/banking/variables.tf b/solutions/banking/variables.tf
index 93c5e3fb..53d2005e 100644
--- a/solutions/banking/variables.tf
+++ b/solutions/banking/variables.tf
@@ -70,6 +70,12 @@ variable "watson_assistant_region" {
   type = string
 }
+variable "existing_wa_access_group_name" {
+  description = "Access group to add policies for new Watson Assistant resources"
+  type = string
+  default = null
+}
+
 variable "watson_discovery_instance_id" {
   description = "ID of the WatsonX Discovery instance"
   type = string
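Review bot: The description `"Access group to add policies for new Watson Assistant resources"` does not say that the value is the group's name rather than its ID, nor that leaving it `null` skips policy creation entirely, which is the behaviour the `count` on `module.watson_assistant_access_policies` in solutions/banking/main.tf gives it. Suggest `description = "Name of an existing IAM access group that should receive access policies for the Watson Assistant sub-resources created by this solution. Leave null to create no policies."` so operators know what they are granting before they set it.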