ibm 1.78.0, Apr 30 25

ibm 1.78.0 published on Wednesday, Apr 30, 2025 by ibm-cloud

ibm.IamAccessGroupDynamicRule

Explore with Pulumi AI

ibm 1.78.0 published on Wednesday, Apr 30, 2025 by ibm-cloud

Create, update, or delete a dynamic rule for an IAM access group. With dynamic rules, you can automatically add federated users to access groups based on specific identity attributes. When your users log in with a federated ID, the data from the identity provider dynamically maps your users to an access group based on the rules that you set. For more information, about IAM access group dynamic rule, see reating dynamic rules for access groups.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

const rule1 = new ibm.IamAccessGroupDynamicRule("rule1", {
    accessGroupId: "AccessGroupId-dsnd4bvsaf",
    conditions: [{
        claim: "blueGroups",
        operator: "CONTAINS",
        value: "\"test-bluegroup-saml\"",
    }],
    expiration: 4,
    identityProvider: "test-idp.com",
});

import pulumi
import pulumi_ibm as ibm

rule1 = ibm.IamAccessGroupDynamicRule("rule1",
    access_group_id="AccessGroupId-dsnd4bvsaf",
    conditions=[{
        "claim": "blueGroups",
        "operator": "CONTAINS",
        "value": "\"test-bluegroup-saml\"",
    }],
    expiration=4,
    identity_provider="test-idp.com")

package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ibm.NewIamAccessGroupDynamicRule(ctx, "rule1", &ibm.IamAccessGroupDynamicRuleArgs{
			AccessGroupId: pulumi.String("AccessGroupId-dsnd4bvsaf"),
			Conditions: ibm.IamAccessGroupDynamicRuleConditionArray{
				&ibm.IamAccessGroupDynamicRuleConditionArgs{
					Claim:    pulumi.String("blueGroups"),
					Operator: pulumi.String("CONTAINS"),
					Value:    pulumi.String("\"test-bluegroup-saml\""),
				},
			},
			Expiration:       pulumi.Float64(4),
			IdentityProvider: pulumi.String("test-idp.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

return await Deployment.RunAsync(() => 
{
    var rule1 = new Ibm.IamAccessGroupDynamicRule("rule1", new()
    {
        AccessGroupId = "AccessGroupId-dsnd4bvsaf",
        Conditions = new[]
        {
            new Ibm.Inputs.IamAccessGroupDynamicRuleConditionArgs
            {
                Claim = "blueGroups",
                Operator = "CONTAINS",
                Value = "\"test-bluegroup-saml\"",
            },
        },
        Expiration = 4,
        IdentityProvider = "test-idp.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamAccessGroupDynamicRule;
import com.pulumi.ibm.IamAccessGroupDynamicRuleArgs;
import com.pulumi.ibm.inputs.IamAccessGroupDynamicRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var rule1 = new IamAccessGroupDynamicRule("rule1", IamAccessGroupDynamicRuleArgs.builder()
            .accessGroupId("AccessGroupId-dsnd4bvsaf")
            .conditions(IamAccessGroupDynamicRuleConditionArgs.builder()
                .claim("blueGroups")
                .operator("CONTAINS")
                .value("\"test-bluegroup-saml\"")
                .build())
            .expiration(4)
            .identityProvider("test-idp.com")
            .build());

    }
}

resources:
  rule1:
    type: ibm:IamAccessGroupDynamicRule
    properties:
      accessGroupId: AccessGroupId-dsnd4bvsaf
      conditions:
        - claim: blueGroups
          operator: CONTAINS
          value: '"test-bluegroup-saml"'
      expiration: 4
      identityProvider: test-idp.com

Create IamAccessGroupDynamicRule Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new IamAccessGroupDynamicRule(name: string, args: IamAccessGroupDynamicRuleArgs, opts?: CustomResourceOptions);

@overload
def IamAccessGroupDynamicRule(resource_name: str,
                              args: IamAccessGroupDynamicRuleArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def IamAccessGroupDynamicRule(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              access_group_id: Optional[str] = None,
                              conditions: Optional[Sequence[IamAccessGroupDynamicRuleConditionArgs]] = None,
                              expiration: Optional[float] = None,
                              identity_provider: Optional[str] = None,
                              iam_access_group_dynamic_rule_id: Optional[str] = None,
                              name: Optional[str] = None)

func NewIamAccessGroupDynamicRule(ctx *Context, name string, args IamAccessGroupDynamicRuleArgs, opts ...ResourceOption) (*IamAccessGroupDynamicRule, error)

public IamAccessGroupDynamicRule(string name, IamAccessGroupDynamicRuleArgs args, CustomResourceOptions? opts = null)

public IamAccessGroupDynamicRule(String name, IamAccessGroupDynamicRuleArgs args)
public IamAccessGroupDynamicRule(String name, IamAccessGroupDynamicRuleArgs args, CustomResourceOptions options)

type: ibm:IamAccessGroupDynamicRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args IamAccessGroupDynamicRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args IamAccessGroupDynamicRuleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args IamAccessGroupDynamicRuleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args IamAccessGroupDynamicRuleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args IamAccessGroupDynamicRuleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var iamAccessGroupDynamicRuleResource = new Ibm.IamAccessGroupDynamicRule("iamAccessGroupDynamicRuleResource", new()
{
    AccessGroupId = "string",
    Conditions = new[]
    {
        new Ibm.Inputs.IamAccessGroupDynamicRuleConditionArgs
        {
            Claim = "string",
            Operator = "string",
            Value = "string",
        },
    },
    Expiration = 0,
    IdentityProvider = "string",
    IamAccessGroupDynamicRuleId = "string",
    Name = "string",
});

example, err := ibm.NewIamAccessGroupDynamicRule(ctx, "iamAccessGroupDynamicRuleResource", &ibm.IamAccessGroupDynamicRuleArgs{
	AccessGroupId: pulumi.String("string"),
	Conditions: ibm.IamAccessGroupDynamicRuleConditionArray{
		&ibm.IamAccessGroupDynamicRuleConditionArgs{
			Claim:    pulumi.String("string"),
			Operator: pulumi.String("string"),
			Value:    pulumi.String("string"),
		},
	},
	Expiration:                  pulumi.Float64(0),
	IdentityProvider:            pulumi.String("string"),
	IamAccessGroupDynamicRuleId: pulumi.String("string"),
	Name:                        pulumi.String("string"),
})

var iamAccessGroupDynamicRuleResource = new IamAccessGroupDynamicRule("iamAccessGroupDynamicRuleResource", IamAccessGroupDynamicRuleArgs.builder()
    .accessGroupId("string")
    .conditions(IamAccessGroupDynamicRuleConditionArgs.builder()
        .claim("string")
        .operator("string")
        .value("string")
        .build())
    .expiration(0)
    .identityProvider("string")
    .iamAccessGroupDynamicRuleId("string")
    .name("string")
    .build());

iam_access_group_dynamic_rule_resource = ibm.IamAccessGroupDynamicRule("iamAccessGroupDynamicRuleResource",
    access_group_id="string",
    conditions=[{
        "claim": "string",
        "operator": "string",
        "value": "string",
    }],
    expiration=0,
    identity_provider="string",
    iam_access_group_dynamic_rule_id="string",
    name="string")

const iamAccessGroupDynamicRuleResource = new ibm.IamAccessGroupDynamicRule("iamAccessGroupDynamicRuleResource", {
    accessGroupId: "string",
    conditions: [{
        claim: "string",
        operator: "string",
        value: "string",
    }],
    expiration: 0,
    identityProvider: "string",
    iamAccessGroupDynamicRuleId: "string",
    name: "string",
});

type: ibm:IamAccessGroupDynamicRule
properties:
    accessGroupId: string
    conditions:
        - claim: string
          operator: string
          value: string
    expiration: 0
    iamAccessGroupDynamicRuleId: string
    identityProvider: string
    name: string

IamAccessGroupDynamicRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The IamAccessGroupDynamicRule resource accepts the following input properties:

AccessGroupId string

The ID of the access group.

Conditions List<IamAccessGroupDynamicRuleCondition>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

Expiration double

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

IdentityProvider string

Enter the URI for your identity provider. This is the SAML entity ID field, which is sometimes referred to as the issuer ID, for the identity provider as part of the federation configuration for onboarding with IBMID. For example, https://idp.example.org/SAML2.

IamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

Name string

The name of the dynamic rule for the IAM access group.

AccessGroupId string

The ID of the access group.

Conditions []IamAccessGroupDynamicRuleConditionArgs

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

Expiration float64

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

IdentityProvider string

IamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

Name string

The name of the dynamic rule for the IAM access group.

accessGroupId String

The ID of the access group.

conditions List<IamAccessGroupDynamicRuleCondition>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration Double

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

identityProvider String

iamAccessGroupDynamicRuleId String

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

name String

The name of the dynamic rule for the IAM access group.

accessGroupId string

The ID of the access group.

conditions IamAccessGroupDynamicRuleCondition[]

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration number

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

identityProvider string

iamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

name string

The name of the dynamic rule for the IAM access group.

access_group_id str

The ID of the access group.

conditions Sequence[IamAccessGroupDynamicRuleConditionArgs]

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration float

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

identity_provider str

iam_access_group_dynamic_rule_id str

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

name str

The name of the dynamic rule for the IAM access group.

accessGroupId String

The ID of the access group.

conditions List<Property Map>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration Number

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

identityProvider String

iamAccessGroupDynamicRuleId String

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

name String

The name of the dynamic rule for the IAM access group.

Outputs

All input properties are implicitly available as output properties. Additionally, the IamAccessGroupDynamicRule resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
RuleId string: (String) The ID of the rule.

Id string: The provider-assigned unique ID for this managed resource.
RuleId string: (String) The ID of the rule.

id String: The provider-assigned unique ID for this managed resource.
ruleId String: (String) The ID of the rule.

id string: The provider-assigned unique ID for this managed resource.
ruleId string: (String) The ID of the rule.

id str: The provider-assigned unique ID for this managed resource.
rule_id str: (String) The ID of the rule.

id String: The provider-assigned unique ID for this managed resource.
ruleId String: (String) The ID of the rule.

Look up Existing IamAccessGroupDynamicRule Resource

Get an existing IamAccessGroupDynamicRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IamAccessGroupDynamicRuleState, opts?: CustomResourceOptions): IamAccessGroupDynamicRule

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_group_id: Optional[str] = None,
        conditions: Optional[Sequence[IamAccessGroupDynamicRuleConditionArgs]] = None,
        expiration: Optional[float] = None,
        iam_access_group_dynamic_rule_id: Optional[str] = None,
        identity_provider: Optional[str] = None,
        name: Optional[str] = None,
        rule_id: Optional[str] = None) -> IamAccessGroupDynamicRule

func GetIamAccessGroupDynamicRule(ctx *Context, name string, id IDInput, state *IamAccessGroupDynamicRuleState, opts ...ResourceOption) (*IamAccessGroupDynamicRule, error)

public static IamAccessGroupDynamicRule Get(string name, Input<string> id, IamAccessGroupDynamicRuleState? state, CustomResourceOptions? opts = null)

public static IamAccessGroupDynamicRule get(String name, Output<String> id, IamAccessGroupDynamicRuleState state, CustomResourceOptions options)

resources:  _:    type: ibm:IamAccessGroupDynamicRule    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessGroupId string

The ID of the access group.

Conditions List<IamAccessGroupDynamicRuleCondition>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

Expiration double

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

IamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

IdentityProvider string

Name string

The name of the dynamic rule for the IAM access group.

RuleId string

(String) The ID of the rule.

AccessGroupId string

The ID of the access group.

Conditions []IamAccessGroupDynamicRuleConditionArgs

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

Expiration float64

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

IamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

IdentityProvider string

Name string

The name of the dynamic rule for the IAM access group.

RuleId string

(String) The ID of the rule.

accessGroupId String

The ID of the access group.

conditions List<IamAccessGroupDynamicRuleCondition>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration Double

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

iamAccessGroupDynamicRuleId String

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

identityProvider String

name String

The name of the dynamic rule for the IAM access group.

ruleId String

(String) The ID of the rule.

accessGroupId string

The ID of the access group.

conditions IamAccessGroupDynamicRuleCondition[]

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration number

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

iamAccessGroupDynamicRuleId string

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

identityProvider string

name string

The name of the dynamic rule for the IAM access group.

ruleId string

(String) The ID of the rule.

access_group_id str

The ID of the access group.

conditions Sequence[IamAccessGroupDynamicRuleConditionArgs]

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration float

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

iam_access_group_dynamic_rule_id str

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

identity_provider str

name str

The name of the dynamic rule for the IAM access group.

rule_id str

(String) The ID of the rule.

accessGroupId String

The ID of the access group.

conditions List<Property Map>

A list of conditions that the rule must satisfy.

Nested scheme for conditions:

expiration Number

The number of hours that authenticated users can work in IBM Cloud before they must refresh their access. This value must be between 1 and 24.

iamAccessGroupDynamicRuleId String

(String) The unique identifier of the dynamic rule. The ID is composed of <access_group_ID>/<rule_ID>.

identityProvider String

name String

The name of the dynamic rule for the IAM access group.

ruleId String

(String) The ID of the rule.

Supporting Types

IamAccessGroupDynamicRuleCondition, IamAccessGroupDynamicRuleConditionArgs

Claim string: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
Operator string: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
Value string: The value that the claim is compared by using the conditions.operator.

Claim string: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
Operator string: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
Value string: The value that the claim is compared by using the conditions.operator.

claim String: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
operator String: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
value String: The value that the claim is compared by using the conditions.operator.

claim string: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
operator string: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
value string: The value that the claim is compared by using the conditions.operator.

claim str: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
operator str: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
value str: The value that the claim is compared by using the conditions.operator.

claim String: The key value to evaluate the condition against. The key that you enter depends on what key-value pairs your identity provider provides. For example, your identity provider might include a key that is named blueGroups and that holds all the user groups that have access. To apply a condition for a specific user group within the blueGroups key, you specify blueGroups as your claim and add the value that you are looking for in conditions.value.
operator String: The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
value String: The value that the claim is compared by using the conditions.operator.

Import

The iam_access_group_dynamic_rule resource can be imported by using access group ID and rule ID.

Syntax

$ pulumi import ibm:index/iamAccessGroupDynamicRule:IamAccessGroupDynamicRule example <access_group_ID>/<rule_ID>

Example

$ pulumi import ibm:index/iamAccessGroupDynamicRule:IamAccessGroupDynamicRule example AccessGroupId-5391772e-1207-45e8-b032-2a21941c11ab/ClaimRule-3c5cd5fd-5b95-45f3-a693-08047eee56b5

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: ibm ibm-cloud/terraform-provider-ibm
License
Notes: This Pulumi package is based on the ibm Terraform Provider.

ibm 1.78.0 published on Wednesday, Apr 30, 2025 by ibm-cloud

ibm-cloud/terraform-provider-ibm

ibm.IamAccessGroupDynamicRule

On this page

On this page

Example Usage

Create IamAccessGroupDynamicRule Resource

Constructor syntax

Parameters

Constructor example

IamAccessGroupDynamicRule Resource Properties

Inputs

Outputs

Look up Existing IamAccessGroupDynamicRule Resource

Supporting Types

IamAccessGroupDynamicRuleCondition, IamAccessGroupDynamicRuleConditionArgs

Import

Package Details

On this page

On this page