bpgould/parameterized_access_policy.tf

## parameterized_access_policy.tf
locals {
  redis-viewer = [
    ibm_database.team1-redis-us-south-uat.id,
    ibm_database.team3-redis-uat.id,
    ibm_database.team1-redis-us-south-prod.id
  ]
  # Processes out the resource_instance_id
  redis-viewer-processed = [for infra in local.redis-viewer : element(split(":", infra), 7)]

  rabbitmq-viewer = [
    ibm_resource_instance.team3-rabbitmq-uat.id
  ]
  # Processes out the resource_instance_id
  rabbitmq-viewer-processed = [for infra in local.rabbitmq-viewer : element(split(":", infra), 7)]

  postgresql-viewer = [
    ibm_database.team1-postgres-us-south-uat.id,
    ibm_database.team1-postgres-us-south-prod.id
  ]
  # Processes out the resource_instance_id
  postgresql-viewer-processed = [for infra in local.postgresql-viewer : element(split(":", infra), 7)]

  mongodb-viewer = [
    ibm_database.team2-mongodb-us-south-uat.id,
    ibm_database.team2-mongodb-us-south-prod.id
  ]
  mongodb-viewer-processed = [for infra in local.mongodb-viewer : element(split(":", infra), 7)]

  viewer-only-resources = {
    "databases-for-redis"      = local.redis-viewer-processed
    "messages-for-rabbitmq"    = local.rabbitmq-viewer-processed
    "databases-for-postgresql" = local.postgresql-viewer-processed
    "databases-for-mongodb"    = local.mongodb-viewer-processed
  }
  # This should never need to be modified, services and instances of services will just be added above
  flattened-resources = flatten([
    for cloudservice in keys(local.viewer-only-resources) : [
      for resource in local.viewer-only-resources[cloudservice] : {
        service              = cloudservice
        resource_instance_id = resource
      }
    ]
  ])
}
# Example policy resource that makes use of for_each to loop through services/ instances defined in locals
resource "ibm_iam_access_group_policy" "some-department-viewer" {
  for_each        = { for entry in local.flattened-resources : "${entry.service}.${entry.resource_instance_id}" => entry }
  access_group_id = data.ibm_iam_access_group.some-department.groups[0].id
  roles           = ["Viewer"]
  resources {
    service              = each.value.service
    resource_instance_id = each.value.resource_instance_id
  }
}
	locals {
	redis-viewer = [
	ibm_database.team1-redis-us-south-uat.id,
	ibm_database.team3-redis-uat.id,
	ibm_database.team1-redis-us-south-prod.id
	]
	# Processes out the resource_instance_id
	redis-viewer-processed = [for infra in local.redis-viewer : element(split(":", infra), 7)]

	rabbitmq-viewer = [
	ibm_resource_instance.team3-rabbitmq-uat.id
	]
	# Processes out the resource_instance_id
	rabbitmq-viewer-processed = [for infra in local.rabbitmq-viewer : element(split(":", infra), 7)]

	postgresql-viewer = [
	ibm_database.team1-postgres-us-south-uat.id,
	ibm_database.team1-postgres-us-south-prod.id
	]
	# Processes out the resource_instance_id
	postgresql-viewer-processed = [for infra in local.postgresql-viewer : element(split(":", infra), 7)]

	mongodb-viewer = [
	ibm_database.team2-mongodb-us-south-uat.id,
	ibm_database.team2-mongodb-us-south-prod.id
	]
	mongodb-viewer-processed = [for infra in local.mongodb-viewer : element(split(":", infra), 7)]

	viewer-only-resources = {
	"databases-for-redis" = local.redis-viewer-processed
	"messages-for-rabbitmq" = local.rabbitmq-viewer-processed
	"databases-for-postgresql" = local.postgresql-viewer-processed
	"databases-for-mongodb" = local.mongodb-viewer-processed
	}
	# This should never need to be modified, services and instances of services will just be added above
	flattened-resources = flatten([
	for cloudservice in keys(local.viewer-only-resources) : [
	for resource in local.viewer-only-resources[cloudservice] : {
	service = cloudservice
	resource_instance_id = resource
	}
	]
	])
	}
	# Example policy resource that makes use of for_each to loop through services/ instances defined in locals
	resource "ibm_iam_access_group_policy" "some-department-viewer" {
	for_each = { for entry in local.flattened-resources : "${entry.service}.${entry.resource_instance_id}" => entry }
	access_group_id = data.ibm_iam_access_group.some-department.groups[0].id
	roles = ["Viewer"]
	resources {
	service = each.value.service
	resource_instance_id = each.value.resource_instance_id
	}
	}