Support for Public Access to IBM COS bucket #1268

Open
hkantare opened this issue Apr 6, 2020 · 10 comments
@hkantare
Collaborator

hkantare commented Apr 6, 2020

In IBM Cloud UI there is a “Public Access” group. How can I use it via terraform?

@kavya498 kavya498 added the service/Object Storage Issues related to Cloud Object Storage label Mar 30, 2021
@ac427

ac427 commented Jun 3, 2021

@hkantare, any update on this?

@hkantare
Collaborator Author

hkantare commented Jun 3, 2021

COS team is looking into it
@Priyaranimishra

@ZVilusinsky

Any chance of implementing this? And other missing configuration options?

Frankly, it kinda fails as a provider at this moment, when I have to keep a separate set of buckets, that can't be managed with TF because I have no way to set public access and CORS rules.

@ZVilusinsky

Well, I have figured out how to do it in current provider. It actually did not hurt as much as I thought. The key was realising that public access is not some kind of setting on a bucket, but an access policy. With that in mind...

```hcl
resource "ibm_iam_access_group" "public" {
  name        = "Public Access"
  description = "This group includes all users and service IDs by default. All group members, including unauthenticated users, are given public access to any resources that are defined in the policies for the group."
}

resource "ibm_iam_access_group_policy" "public-bucketname" {
  access_group_id = ibm_iam_access_group.public.id
  roles           = ["Object Reader"] // or Content Reader
  resources {
    attributes           = {}
    resource             = "BUCKET_NAME"
    resource_instance_id = ibm_resource_instance.YOUR_COS_RESOURCE.guid
    resource_type        = "bucket"
    service              = "cloud-object-storage"
  }
}
```

That's actually it, what worked on our instance, with two caveats. "Public Access" is probably an already existing default group so you have to bring it to the state: terraform import ibm_iam_access_group.public AccessGroupId-PublicAcces
And second, for some reason it only works with the cos.guid reference and not cos.id, like I would expect. That stumped me for a while.
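
A review check for the configuration in the comment above, as an added example that is not part of the original thread or the provider's code: it reads the JSON form of a Terraform plan and reports every Object Storage policy attached to the "Public Access" group, separating single-bucket read grants from grants that are unscoped or carry roles beyond the two named in the comment. It assumes the group is managed as a resource, as in that comment; the sample plan, its placeholder IDs, the `Writer` role and the `too_wide` policy are constructed for illustration.

```python
import json

PUBLIC_GROUP_NAME = "Public Access"                    # group name used in the thread
READ_ONLY_ROLES = {"Object Reader", "Content Reader"}  # the two roles named in the thread

def walk(module):
    """Yield every resource in a planned_values module, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def audit_public_cos(plan):
    """Return (address, severity, message) for each public Object Storage grant."""
    resources = list(walk(plan.get("planned_values", {}).get("root_module", {})))
    # Resolve the group by name so no group ID has to be hard-coded.
    public_ids = {r["values"].get("id") for r in resources
                  if r["type"] == "ibm_iam_access_group"
                  and r["values"].get("name") == PUBLIC_GROUP_NAME} - {None}
    findings = []
    for r in resources:
        v = r["values"]
        if r["type"] != "ibm_iam_access_group_policy" or v.get("access_group_id") not in public_ids:
            continue
        extra = sorted(set(v.get("roles") or []) - READ_ONLY_ROLES)
        for res in v.get("resources") or []:
            if res.get("service") != "cloud-object-storage":
                continue
            if res.get("resource_type") == "bucket" and res.get("resource"):
                findings.append((r["address"], "review", f"bucket {res['resource']} is public"))
            else:
                findings.append((r["address"], "high", "grant not scoped to one bucket"))
            if extra:
                findings.append((r["address"], "high", f"non-read roles: {extra}"))
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>` (IDs are placeholders).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "ibm_iam_access_group.public", "type": "ibm_iam_access_group",
   "values": {"id": "AccessGroupId-PLACEHOLDER", "name": "Public Access"}},
  {"address": "ibm_iam_access_group_policy.public-bucketname", "type": "ibm_iam_access_group_policy",
   "values": {"access_group_id": "AccessGroupId-PLACEHOLDER", "roles": ["Object Reader"],
    "resources": [{"service": "cloud-object-storage", "resource_type": "bucket",
                   "resource": "BUCKET_NAME", "resource_instance_id": "GUID-PLACEHOLDER"}]}},
  {"address": "ibm_iam_access_group_policy.too_wide", "type": "ibm_iam_access_group_policy",
   "values": {"access_group_id": "AccessGroupId-PLACEHOLDER", "roles": ["Writer"],
    "resources": [{"service": "cloud-object-storage", "resource_instance_id": "GUID-PLACEHOLDER"}]}}
]}}}
""")
```

Run against a real plan by loading the output of `terraform show -json` with `json.load` and passing it to `audit_public_cos`; a policy whose group ID is not yet known at plan time is skipped, so the check fits plans where the group already exists in state.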

@IBM-Deeksha
Contributor

Hi @ZVilusinsky, thanks for sharing the clarification. Since it looks like the issue has been resolved, would it be okay if we close the issue on our end?
Please let us know if there's anything else that needs to be addressed. Thank you!

@ZVilusinsky

Hi @IBM-Deeksha,
I am not the OP, so probably not the person to ask.
From my point of view, it should minimally be documented somewhere that you can do it and the way you can do it. Stuff dealing with buckets / cos should be a part of that resource group (see for example aws provider) but I guess IBM cloud does many things differently.

If you want something to be addressed next, this comes to mind #1509 :)

@IBM-Deeksha
Contributor

Hi @ZVilusinsky,
Thanks for pointing that out, and I apologise for the mix-up. I appreciate your suggestion regarding documentation. Since access policy is a separate resource, the process of applying public access policy has been covered and documented here: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_access_group_policy.

@ZVilusinsky

@IBM-Deeksha
Yes, access policy is a separate resource and that is part of the (perceived?) issue. I'll try to describe it some more.
Your user wants to do a "simple thing" - for a bucket to have public access. Where does he look? To the "Object storage" part of provider, because he works with a bucket. When doing it through UI, you do it in bucket settings, so it is a natural conclusion. But there is no ibm_cos_bucket_public_access resource, so after a while he concludes it is not possible.

It took me personally several hours of working (on not entirely related bucket migration) to make the mental switch and realise I could probably do it the way I described. But what I did is in a way a hack and goes against TF principles.

  • you have to manually import already existing default resource (Public Access group) so you can reference it when creating access_group_policy
  • why does the matching resource_instance_id = ibm_resource_instance.YOUR_COS_RESOURCE.guid work only with GUID and not ID, as one would expect?

As for documentation I would suggest making an example "Public access for bucket" in https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cos_bucket_object how to do it the way you expect it to be achieved in the TF provider.

@IBM-Deeksha
Contributor

Hi @ZVilusinsky @hkantare
Thank you for your suggestion on the documentation changes. We've gone ahead and raised a PR to incorporate these changes.
Please feel free to review the modifications and provide any further feedback you might have.
Thank you for bringing this to our attention.

@ZVilusinsky

ZVilusinsky commented May 17, 2024

Just went full facepalm, when reading, because I totally forgot about the data data source option 🙈 So that importing part was totally wrong of me.

I need a vacation :D
