Support for IAM

[gfelbing]

We are using the provider to create our stackit projects.
But the resources only allows us to set the project owner, not the actual access rights to the projects, but has to be maintained by hand.

I see two options fixing that:

1. Extend stackit_resourcemanager_project to maintain the list of members (as far as supported by the api)
2. Add a resource to support the membership api

Or obvious 3rd option: both.

[joaopalet]

Hi @gfelbing,

Thanks for opening the issue. As far as I could see providing a list of members is supported in the memberships API (members field of the "create project" endpoint). Although the list cannot be updated after creation (it's not present in the "update project" endpoint)

So we will plan the integration of the members field in the project resource, and will look into what funcionality from the membership API can be onboarded in separate resources

[joaopalet]

Hi @gfelbing,

We've added support for members in the project resource in version v0.26.1. You can now specify a list of members, each consisting in a subject and role, that will be added to the project.

We have deprecated the existing owner_email field, but it will still work to set the user as a project owner for backwards compatibility. The new members field will take precedence and be used if it's specified in the config.

[GokceGK]

Hi @gfelbing,

after discussions with the product team, we agreed that managing IAM resources with TFP is not currently possible and may be supported in the future. Therefore, we need to remove the members field from the stackit_resourcemanager_project resource.

In order not to completely break the TFP settings, we will mark members field as deprecated for a while. Any changes made to the field will not affect existing projects. We strongly recommend against using the members field.

The owner_email field will remain in use so that a user can be added to the resource at project creation.

We apologize for any inconvenience.