Configuration Automation - Terraform

Role assignment with Terraform

The following shows an example of environment creation using the PingOne Terraform provider, followed by role permission assignment to administration users that are members of a group we will create.

PingOne supports assigning administrator roles to groups, so that members of those groups are granted the administrator roles. Although you can use Terraform to assign administrator roles to individuals directly, Ping Identity recommends that role assignments provisioned by Terraform are assigned to groups instead, and that you manage group membership through Joiner/Mover/Leaver Identity Governance processes.

The example assumes that all relevant admin users will have a role strategy as follows:

  • Environment Admin, scoped to individual environments (not scoped to the organization)

  • Identity Data Admin, scoped to individual environments

The example uses:

First, you’ll create the group in PingOne to which you’ll assign your administrator users. This example uses the pingone_group resource.

resource "pingone_group" "my_awesome_admins_group" {
  environment_id = var.pingone_admin_environment_id

  name        = "My awesome admins group"
  description = "My new awesome group for admins who are awesome"

  lifecycle {
    # change the `prevent_destroy` parameter value to `true` to prevent this data carrying resource from being destroyed
    prevent_destroy = false
  }
}

Next, you’ll fetch the required roles. You’ll need to find the IDs of the Identity Data Admin and Environment Admin predefined admin roles, which differ between tenant organizations. You can use the pingidentity/utils/pingone helper module to retrieve the role IDs, so that you can reference them when assigning roles to the group:

module "admin_utils" {
  source  = "pingidentity/utils/pingone"
  version = "0.1.0"

  region_code    = "EU" // Will be either NA, EU, CA, AU or AP depending on your tenant region.
  environment_id = var.pingone_admin_environment_id
}

When including a new module in Terraform HCL, remember to re-run terraform init to initialize the module in the Terraform project.

You can then define the new sandbox environment using the PingOne Terraform provider with the pingone_environment resource, with the SSO service enabled. This is the environment to which you want to scope the administrator roles so that your users can manage configuration and data within this environment:

resource "pingone_environment" "my_environment" {
  name        = "Example PingOne Role Permission Assignment Environment"
  type        = "SANDBOX"
  license_id  = var.license_id

  services = [
    {
      type = "SSO"
    }
  ]
}

After you’ve created the new environment, you can assign the roles to the administrators’ group with the pingone_group_role_assignment resource.

resource "pingone_group_role_assignment" "admin_sso_identity_admin" {
  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = module.admin_utils.pingone_role_id_identity_data_admin

  scope_environment_id = pingone_environment.my_environment.id
}

resource "pingone_group_role_assignment" "admin_sso_environment_admin" {
  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = module.admin_utils.pingone_role_id_environment_admin

  scope_environment_id = pingone_environment.my_environment.id
}

The group "My awesome admins group" has now been assigned the Identity Data Admin and Environment Admin roles. Any user who is made a member of the group will inherit these administrative roles and their associated permissions.
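The two role assignment resources above can be collapsed into a single for_each resource driven by a map of role IDs, which keeps every grant scoped to the one sandbox environment. This is an added example, not code from the PingOne documentation or from Ping Identity; it assumes the same variable names, resource names and module output names used above, and adds a lifecycle precondition (an assumed local policy, written in standard Terraform syntax) that fails the plan if the scope target is not a SANDBOX environment.

```hcl
# Added example: declare the inputs the snippets above reference (assumed names).
variable "pingone_admin_environment_id" {
  description = "ID of the PingOne administrators environment that holds the admin group"
  type        = string
}

variable "license_id" {
  description = "License ID used to create the sandbox environment"
  type        = string
}

# One map entry per admin role to grant; the keys become stable resource addresses.
locals {
  sandbox_admin_roles = {
    identity_data_admin = module.admin_utils.pingone_role_id_identity_data_admin
    environment_admin   = module.admin_utils.pingone_role_id_environment_admin
  }
}

# Replaces the two hand-written pingone_group_role_assignment resources above.
resource "pingone_group_role_assignment" "sandbox_admins" {
  for_each = local.sandbox_admin_roles

  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = each.value

  # Scope every grant to the single sandbox environment, never to the organization.
  scope_environment_id = pingone_environment.my_environment.id

  lifecycle {
    # Assumed policy guard: refuse to plan if the scoped environment is not a SANDBOX.
    precondition {
      condition     = pingone_environment.my_environment.type == "SANDBOX"
      error_message = "Admin roles in this configuration may only be scoped to SANDBOX environments."
    }
  }
}

# Assignment IDs keyed by role name, useful for cross-checking against the admin console.
output "sandbox_admin_role_assignment_ids" {
  value = { for k, v in pingone_group_role_assignment.sandbox_admins : k => v.id }
}
```

Adding a third role later is a one-line change to the local map, and terraform plan shows exactly one new assignment rather than a copy-pasted resource block.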