[FEATURE] Export of role collection assignments

[Kaefermade]

What area do you want to see improved?

CLI commands

Is your feature request related to a problem? Please describe.

It would be useful to be able to export role collection assignments. Even if not by default (all) without specifying the resources to be exported, an optional function for this would be helpful.

Describe the solution you would like

Adding the option for resource btp_subaccount_role_collection_assignment

Describe alternatives you have considered

No response

Additional context

No response

[github-actions]

Thanks for the feature request. We evaluate it and update the issue accordingly.

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[lechnerc77]

@Kaefermade thanks for the feature request. However, we can only export resources into configurations that support the import in the Terraform Provider for SAP BTP. There are some limitations with respect to the import of resources due to restrictions in the underlying APIs. The limitations concerning the import are listed in the Terraform provider (Import).

We will also make this more transparent in the documentation of the exporter to be transparent about the suppoorted features.

[Kaefermade]

@lechnerc77 I should probably have been more precise. Looking back, my feature request is actually misleading. My goal is to export users and their assigned roles. Since the creation of users with the provider was only possible via the resource btp_subaccount_role_assignment, I asked for an implementation of this. I only realized again after the feature request that there is no data source for this. Here is an example of how I worked around the problem of the missing data source for role collection assignments in order to copy the users from one subaccount to another.

locals {
  source_subaccount = 
  target_subaccount = 

  user_role_assignments = flatten([
    for user_name, user in data.btp_subaccount_user.someone : [
      for role_collection in user.role_collections : {
        user_name            = user.user_name
        role_collection_name = role_collection
      }
    ]
  ])
}

data "btp_subaccount_users" "defaultidp" {
  subaccount_id = local.source_subaccount
}

data "btp_subaccount_user" "someone" {
  for_each      = { for user in data.btp_subaccount_users.defaultidp.values : user => user }
  subaccount_id = local.source_subaccount
  user_name     = each.value
}

resource "btp_subaccount_role_collection_assignment" "assignment" {
  for_each             = { for idx, assignment in local.user_role_assignments : idx => assignment }
  subaccount_id        = local.target_subaccount
  user_name            = each.value.user_name
  role_collection_name = each.value.role_collection_name
}

I therefore thought that it would be possible to realize something like this with the Exporter. But if there is no import for this, it is understandable.

[lechnerc77]

@Kaefermade thanks for elaborating more on the use case and thanks for sharing the code snippet. We will look into the setup and validate how to move forward. I put the issue back to the original status.

[lechnerc77]

@Kaefermade short update: I reviewed the overall flow for the role collections as the import must be supported by the provider. As the provider is built on top of the BTP CLI server we are restricted to the functionality provided there. This API does not provide a READ functionality for the role collection assignment. The READ functionality is a prerequisite to support the import on the resource

Your approach looks good and orchestrating the corresponding API endpoints would probably work to mitigate the missing READ functionality for role collection assignments. However, this mitigation would only be feasible for role collections assigned to a user. When the assignment was executed for a group or attributes the approach would not work. Consequently this type of role collection assignment cannot be covered and could not be imported.

We will continue the discussion internally on the best and most sustainable approach to handle this.

[lechnerc77]

@Kaefermade update after the internal discussion. Technically it would be possible to integrate the flow you presented to enable the import of role collection assignments to users. However, this would still leave the gap with regards to role collection assignment to groups and attributes.
To have a consistent implementation the flow would have to become part of the Terraform provider (namely the resource role_collection_assignment and its READ functionality) and the import functionality of the resource including the aforementioned gaps.

After internal discussion we decided against such a implementation in the provider as this workaround would only partially cover the requirements for an import of role collections. We are pushing that the existing APIs that are available to cover all scenarios of role collections will be integrated into the BTP CLI server that we technically rely on.

As there is not timeline until when this will be implemented in the on CLI server side, we will have this gap in the exporter.

I will leave this issue open, to post updates on this topic, once available.