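// Command service_policy creates an IAM service ID bound to the account of a
// Bluemix organization, attaches an access policy with the requested roles to
// it, reads both back, and then deletes both again.
package main

import (
	"errors"
	"flag"
	"fmt"
	"log"
	"os"
	"strings"

	"github.com/IBM-Cloud/bluemix-go/models"
	"github.com/IBM-Cloud/bluemix-go/utils"

	"github.com/IBM-Cloud/bluemix-go/api/account/accountv2"
	"github.com/IBM-Cloud/bluemix-go/api/iam/iamv1"
	"github.com/IBM-Cloud/bluemix-go/api/iampap/iampapv1"
	"github.com/IBM-Cloud/bluemix-go/api/mccp/mccpv2"
	"github.com/IBM-Cloud/bluemix-go/session"
	"github.com/IBM-Cloud/bluemix-go/trace"
)

// config holds the command-line inputs of this example.
type config struct {
	org             string // required: Bluemix organization name
	serviceID       string // required: name of the service ID to create
	roles           string // required: comma-separated role names
	service         string // optional policy scoping, see buildResource
	serviceInstance string
	region          string
	resourceType    string
	resource        string
	resourceGroupID string
	serviceType     string // "service" or "platform_service"
}

// parseFlags registers the example's flags, parses the command line and exits
// with the usage text when one of the required flags (-org, -serviceID,
// -roles) is empty.
func parseFlags() config {
	var cfg config
	flag.StringVar(&cfg.org, "org", "", "Bluemix Organization")
	flag.StringVar(&cfg.serviceID, "serviceID", "", "Bluemix service id name")
	flag.StringVar(&cfg.service, "service", "", "Bluemix service name")
	flag.StringVar(&cfg.roles, "roles", "", "Comma seperated list of roles")
	flag.StringVar(&cfg.serviceInstance, "serviceInstance", "", "Bluemix service instance name")
	flag.StringVar(&cfg.region, "region", "", "Bluemix region")
	flag.StringVar(&cfg.resourceType, "resourceType", "", "Bluemix resource type")
	flag.StringVar(&cfg.resource, "resource", "", "Bluemix resource")
	flag.StringVar(&cfg.resourceGroupID, "resourceGroupID", "", "Bluemix resource group ")
	flag.StringVar(&cfg.serviceType, "serviceType", "", "service type")
	flag.Parse()

	if cfg.org == "" || cfg.serviceID == "" || cfg.roles == "" {
		flag.Usage()
		os.Exit(1)
	}
	return cfg
}

// buildResource turns the optional scoping flags into the policy's single
// resource attribute set. The account ID is NOT added here; the caller appends
// it after the "no attributes" check below so that check keeps its meaning.
//
// A -serviceType other than "service" or "platform_service" is reported as an
// error rather than being silently ignored.
func buildResource(cfg config) (iampapv1.Resource, error) {
	res := iampapv1.Resource{}

	if cfg.service != "" {
		res.SetServiceName(cfg.service)
	}
	if cfg.serviceInstance != "" {
		res.SetServiceInstance(cfg.serviceInstance)
	}
	if cfg.region != "" {
		res.SetRegion(cfg.region)
	}
	if cfg.resourceType != "" {
		res.SetResourceType(cfg.resourceType)
	}
	if cfg.resource != "" {
		res.SetResource(cfg.resource)
	}
	if cfg.resourceGroupID != "" {
		res.SetResourceGroupID(cfg.resourceGroupID)
	}

	switch cfg.serviceType {
	case "":
		// flag not given
	case "service", "platform_service":
		res.SetServiceType(cfg.serviceType)
	default:
		return iampapv1.Resource{}, fmt.Errorf("unsupported -serviceType %q (want \"service\" or \"platform_service\")", cfg.serviceType)
	}

	// With no scoping flag at all the policy is bound only by the account ID
	// (added by the caller) and serviceType "service" — a broad grant over the
	// account's services. Narrow it with -service, -serviceInstance, -region,
	// -resourceType, -resource or -resourceGroupID for anything beyond a
	// throw-away demo.
	if len(res.Attributes) == 0 {
		res.SetServiceType("service")
	}
	return res, nil
}

// run performs the create / read-back / delete cycle for the service ID and
// its policy. Both objects are removed in deferred cleanups, so a failure at
// any later step never leaves a usable service ID or policy behind; cleanup
// errors are joined onto the returned error.
func run(sess *session.Session, cfg config) (err error) {
	client, err := mccpv2.New(sess)
	if err != nil {
		return err
	}
	myorg, err := client.Organizations().FindByName(cfg.org, sess.Config.Region)
	if err != nil {
		return fmt.Errorf("looking up organization %q: %w", cfg.org, err)
	}

	accClient, err := accountv2.New(sess)
	if err != nil {
		return err
	}
	myAccount, err := accClient.Accounts().FindByOrg(myorg.GUID, sess.Config.Region)
	if err != nil {
		return fmt.Errorf("looking up account of organization %q: %w", cfg.org, err)
	}

	regionList, err := client.Regions().FindRegionByName(sess.Config.Region)
	if err != nil {
		return fmt.Errorf("looking up region %q: %w", sess.Config.Region, err)
	}

	iamClient, err := iamv1.New(sess)
	if err != nil {
		return err
	}
	serviceIDAPI := iamClient.ServiceIds()
	serviceRolesAPI := iamClient.ServiceRoles()

	// The service ID is bound to a CRN built from the region and the account GUID.
	boundTo := utils.GenerateBoundToCRN(*regionList, myAccount.GUID).String()

	sID, err := serviceIDAPI.Create(models.ServiceID{
		Name:    cfg.serviceID,
		BoundTo: boundTo,
	})
	if err != nil {
		return fmt.Errorf("creating service ID %q: %w", cfg.serviceID, err)
	}
	log.Println(sID)
	// A service ID is an IAM principal; remove it on every exit path, not only
	// on the happy path.
	defer func() {
		if derr := serviceIDAPI.Delete(sID.UUID); derr != nil {
			err = errors.Join(err, fmt.Errorf("deleting service ID %v: %w", sID.UUID, derr))
		}
	}()

	sID, err = serviceIDAPI.Get(sID.UUID)
	if err != nil {
		return fmt.Errorf("reading back service ID %v: %w", sID.UUID, err)
	}
	log.Println(sID)

	// Without -service the role names are resolved against the system-defined
	// roles; with it, against the roles of that service.
	var definedRoles []models.PolicyRole
	if cfg.service == "" {
		definedRoles, err = serviceRolesAPI.ListSystemDefinedRoles()
	} else {
		definedRoles, err = serviceRolesAPI.ListServiceRoles(cfg.service)
	}
	if err != nil {
		return fmt.Errorf("listing roles: %w", err)
	}
	filterRoles, err := utils.GetRolesFromRoleNames(strings.Split(cfg.roles, ","), definedRoles)
	if err != nil {
		return fmt.Errorf("resolving roles %q: %w", cfg.roles, err)
	}

	res, err := buildResource(cfg)
	if err != nil {
		return err
	}
	res.SetAccountID(myAccount.GUID)

	policy := iampapv1.Policy{
		Type:      iampapv1.AccessPolicyType,
		Roles:     iampapv1.ConvertRoleModels(filterRoles),
		Resources: []iampapv1.Resource{res},
		// The subject is the freshly created service ID, identified by its IAM ID.
		Subjects: []iampapv1.Subject{{
			Attributes: []iampapv1.Attribute{{Name: "iam_id", Value: sID.IAMID}},
		}},
	}

	iampapClient, err := iampapv1.New(sess)
	if err != nil {
		return err
	}
	policyAPI := iampapClient.V1Policy()

	created, err := policyAPI.Create(policy)
	if err != nil {
		return fmt.Errorf("creating policy: %w", err)
	}
	log.Println(created)
	// Deferred after the service ID cleanup, so it runs first (LIFO): the
	// policy goes away before the principal it is attached to.
	defer func() {
		if derr := policyAPI.Delete(created.ID); derr != nil {
			err = errors.Join(err, fmt.Errorf("deleting policy %v: %w", created.ID, derr))
		}
	}()

	created, err = policyAPI.Get(created.ID)
	if err != nil {
		return fmt.Errorf("reading back policy %v: %w", created.ID, err)
	}
	log.Println(created)

	return nil
}

func main() {
	cfg := parseFlags()

	// NOTE(review): this enables the SDK's request tracing for the whole run;
	// keep it off outside demos unless you have confirmed what it writes to the log.
	trace.Logger = trace.NewLogger("true")

	sess, err := session.New()
	if err != nil {
		log.Fatal(err)
	}
	if err := run(sess, cfg); err != nil {
		log.Fatal(err)
	}
}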