Improve creation and handling of CDP groups in cdp-deploy (#101)

Signed-off-by: Jim Enright <[email protected]>

Author: jimright

modules/terraform-cdp-deploy/README.md

@@ -43,6 +43,7 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_backup_storage_location"></a> [backup\_storage\_location](#input\_backup\_storage\_location) | Backup storage location. The location has to be in uri format for the cloud provider - i.e. s3a:// for AWS, abfs:// for Azure,  gs:// | `string` | n/a | yes |
+| <a name="input_cdp_groups"></a> [cdp\_groups](#input\_cdp\_groups) | List of CDP Groups to be added to the IDBroker mappings of the environment. If create\_group is set to true then the group will be created. | <pre>set(object({<br>    name                          = string<br>    create_group                  = bool<br>    sync_membership_on_user_login = optional(bool)<br>    add_id_broker_mappings        = bool<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_data_storage_location"></a> [data\_storage\_location](#input\_data\_storage\_location) | Data storage location. The location has to be in uri format for the cloud provider - i.e. s3a:// for AWS, abfs:// for Azure,  gs:// | `string` | n/a | yes |
 | <a name="input_deployment_template"></a> [deployment\_template](#input\_deployment\_template) | Deployment Pattern to use for Cloud resources and CDP | `string` | n/a | yes |
 | <a name="input_env_prefix"></a> [env\_prefix](#input\_env\_prefix) | Shorthand name for the environment. Used in CDP resource descriptions. This will be used to construct the value of where any of the CDP resource variables (e.g. environment\_name, cdp\_iam\_admin\_group\_name) are not defined. | `string` | n/a | yes |
@@ -85,8 +86,6 @@ No resources.
 | <a name="input_azure_vnet_name"></a> [azure\_vnet\_name](#input\_azure\_vnet\_name) | Azure Virtual Network ID. Required for CDP deployment on Azure. | `string` | `null` | no |
 | <a name="input_azure_xaccount_app_pword"></a> [azure\_xaccount\_app\_pword](#input\_azure\_xaccount\_app\_pword) | Password for the Azure AD Cross Account Application. Required for CDP deployment on Azure. | `string` | `null` | no |
 | <a name="input_azure_xaccount_app_uuid"></a> [azure\_xaccount\_app\_uuid](#input\_azure\_xaccount\_app\_uuid) | UUID for the Azure AD Cross Account Application. Required for CDP deployment on Azure. | `string` | `null` | no |
-| <a name="input_cdp_admin_group_name"></a> [cdp\_admin\_group\_name](#input\_cdp\_admin\_group\_name) | Name of the CDP IAM Admin Group associated with the environment. Defaults to '<env\_prefix>-cdp-admin-group' if not specified. | `string` | `null` | no |
-| <a name="input_cdp_user_group_name"></a> [cdp\_user\_group\_name](#input\_cdp\_user\_group\_name) | Name of the CDP IAM User Group associated with the environment. Defaults to '<env\_prefix>-cdp-user-group' if not specified. | `string` | `null` | no |
 | <a name="input_cdp_xacccount_credential_name"></a> [cdp\_xacccount\_credential\_name](#input\_cdp\_xacccount\_credential\_name) | Name of the CDP Cross Account Credential. Defaults to '<env\_prefix>-xaccount-cred' if not specified. If create\_cdp\_credential is set to false then this should should be a valid pre-existing credential. | `string` | `null` | no |
 | <a name="input_create_cdp_credential"></a> [create\_cdp\_credential](#input\_create\_cdp\_credential) | Flag to specify if the CDP Cross Account Credential should be created. If set to false then cdp\_xacccount\_credential\_name should be a valid pre-existing credential. | `bool` | `true` | no |
 | <a name="input_datalake_async_creation"></a> [datalake\_async\_creation](#input\_datalake\_async\_creation) | Flag to specify if Terraform should wait for CDP datalake resource creation/deletion | `bool` | `false` | no |
@@ -148,4 +147,5 @@ No resources.
 |------|-------------|
 | <a name="output_cdp_environment_crn"></a> [cdp\_environment\_crn](#output\_cdp\_environment\_crn) | CDP Environment CRN |
 | <a name="output_cdp_environment_name"></a> [cdp\_environment\_name](#output\_cdp\_environment\_name) | CDP Environment Name |
+| <a name="output_cdp_groups"></a> [cdp\_groups](#output\_cdp\_groups) | Details about CDP Groups |
 <!-- END_TF_DOCS -->

modules/terraform-cdp-deploy/defaults.tf

@@ -30,12 +30,6 @@ locals {
   cdp_xacccount_credential_name = coalesce(var.cdp_xacccount_credential_name,
   "${var.env_prefix}-xaccount-cred")
 
-  cdp_admin_group_name = coalesce(var.cdp_admin_group_name,
-  "${var.env_prefix}-${local.cloud_shorthand[var.infra_type]}-cdp-admin-group")
-
-  cdp_user_group_name = coalesce(var.cdp_user_group_name,
-  "${var.env_prefix}-${local.cloud_shorthand[var.infra_type]}-cdp-user-group")
-
   datalake_scale = coalesce(
     var.datalake_scale,
     (var.deployment_template == "public" ?

modules/terraform-cdp-deploy/examples/ex01-aws-basic/main.tf

@@ -92,6 +92,7 @@ module "cdp_deploy" {
   region              = var.aws_region
   keypair_name        = var.aws_key_pair
   deployment_template = var.deployment_template
+  cdp_groups          = var.cdp_groups
 
   environment_async_creation = var.environment_async_creation
   datalake_async_creation    = var.datalake_async_creation

modules/terraform-cdp-deploy/examples/ex01-aws-basic/variables.tf

@@ -68,6 +68,35 @@ variable "datalake_async_creation" {
 
   default = false
 }
+
+variable "cdp_groups" {
+  type = set(object({
+    name                          = string
+    create_group                  = bool
+    sync_membership_on_user_login = optional(bool)
+    add_id_broker_mappings        = bool
+    })
+  )
+
+  description = "List of CDP Groups to be added to the IDBroker mappings of the environment. If create_group is set to true then the group will be created."
+
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      length(grp.name) >= 1 && length(grp.name) <= 64
+    ]))
+    error_message = "The length of all CDP group names must be 64 characters or less."
+  }
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      can(regex("^[a-zA-Z0-9\\-\\_\\.]{1,90}$", grp.name))
+    ]))
+    error_message = "CDP group names can consist only of letters, numbers, dots (.), hyphens (-) and underscores (_)."
+  }
+
+  default = null
+}
 # ------- Network Resources -------
 variable "ingress_extra_cidrs_and_ports" {
   type = object({

modules/terraform-cdp-deploy/examples/ex02-azure-basic/main.tf

@@ -83,6 +83,7 @@ module "cdp_deploy" {
   region              = var.azure_region
   public_key_text     = var.public_key_text
   deployment_template = var.deployment_template
+  cdp_groups          = var.cdp_groups
 
   environment_async_creation = var.environment_async_creation
   datalake_async_creation    = var.datalake_async_creation

modules/terraform-cdp-deploy/examples/ex02-azure-basic/variables.tf

@@ -67,6 +67,35 @@ variable "datalake_async_creation" {
 
   default = false
 }
+
+variable "cdp_groups" {
+  type = set(object({
+    name                          = string
+    create_group                  = bool
+    sync_membership_on_user_login = optional(bool)
+    add_id_broker_mappings        = bool
+    })
+  )
+
+  description = "List of CDP Groups to be added to the IDBroker mappings of the environment. If create_group is set to true then the group will be created."
+
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      length(grp.name) >= 1 && length(grp.name) <= 64
+    ]))
+    error_message = "The length of all CDP group names must be 64 characters or less."
+  }
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      can(regex("^[a-zA-Z0-9\\-\\_\\.]{1,90}$", grp.name))
+    ]))
+    error_message = "CDP group names can consist only of letters, numbers, dots (.), hyphens (-) and underscores (_)."
+  }
+
+  default = null
+}
 # ------- Network Resources -------
 variable "ingress_extra_cidrs_and_ports" {
   type = object({

modules/terraform-cdp-deploy/examples/ex03-gcp-basic/main.tf

@@ -69,6 +69,7 @@ module "cdp_deploy" {
   region              = var.gcp_region
   public_key_text     = var.public_key_text
   deployment_template = var.deployment_template
+  cdp_groups          = var.cdp_groups
 
   environment_async_creation = var.environment_async_creation
   datalake_async_creation    = var.datalake_async_creation

modules/terraform-cdp-deploy/examples/ex03-gcp-basic/variables.tf

@@ -74,6 +74,35 @@ variable "datalake_async_creation" {
 
   default = false
 }
+
+variable "cdp_groups" {
+  type = set(object({
+    name                          = string
+    create_group                  = bool
+    sync_membership_on_user_login = optional(bool)
+    add_id_broker_mappings        = bool
+    })
+  )
+
+  description = "List of CDP Groups to be added to the IDBroker mappings of the environment. If create_group is set to true then the group will be created."
+
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      length(grp.name) >= 1 && length(grp.name) <= 64
+    ]))
+    error_message = "The length of all CDP group names must be 64 characters or less."
+  }
+  validation {
+    condition = (var.cdp_groups == null ? true : alltrue([
+      for grp in var.cdp_groups :
+      can(regex("^[a-zA-Z0-9\\-\\_\\.]{1,90}$", grp.name))
+    ]))
+    error_message = "CDP group names can consist only of letters, numbers, dots (.), hyphens (-) and underscores (_)."
+  }
+
+  default = null
+}
 # ------- Network Resources -------
 variable "ingress_extra_cidrs_and_ports" {
   type = object({

modules/terraform-cdp-deploy/main.tf

@@ -25,8 +25,7 @@ module "cdp_on_aws" {
   datalake_name                 = local.datalake_name
   create_cdp_credential         = var.create_cdp_credential
   cdp_xacccount_credential_name = local.cdp_xacccount_credential_name
-  cdp_admin_group_name          = local.cdp_admin_group_name
-  cdp_user_group_name           = local.cdp_user_group_name
+  cdp_groups                    = var.cdp_groups
 
   security_group_default_id = var.aws_security_group_default_id
   security_group_knox_id    = var.aws_security_group_knox_id
@@ -101,8 +100,7 @@ module "cdp_on_azure" {
   datalake_name                 = local.datalake_name
   create_cdp_credential         = var.create_cdp_credential
   cdp_xacccount_credential_name = local.cdp_xacccount_credential_name
-  cdp_admin_group_name          = local.cdp_admin_group_name
-  cdp_user_group_name           = local.cdp_user_group_name
+  cdp_groups                    = var.cdp_groups
 
   security_group_default_uri = var.azure_security_group_default_uri
   security_group_knox_uri    = var.azure_security_group_knox_uri
@@ -194,8 +192,7 @@ module "cdp_on_gcp" {
   datalake_name                 = local.datalake_name
   create_cdp_credential         = var.create_cdp_credential
   cdp_xacccount_credential_name = local.cdp_xacccount_credential_name
-  cdp_admin_group_name          = local.cdp_admin_group_name
-  cdp_user_group_name           = local.cdp_user_group_name
+  cdp_groups                    = var.cdp_groups
 
   firewall_default_id = var.gcp_firewall_default_id
   firewall_knox_id    = var.gcp_firewall_knox_id

modules/terraform-cdp-deploy/modules/aws/data.tf

@@ -0,0 +1,25 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "cdp_iam_group" "cdp_groups" {
+
+  for_each = {
+    for k, v in coalesce(var.cdp_groups, []) : k.name => v
+  }
+
+  group_name = each.value.name
+
+  depends_on = [cdp_iam_group.cdp_groups]
+}
+

modules/terraform-cdp-deploy/modules/aws/defaults.tf

@@ -19,4 +19,14 @@ locals {
     var.cdp_xacccount_credential_name :
     cdp_environments_aws_credential.cdp_cred[0].credential_name
   )
+
+  # Construct IDBroker mappings
+  cdp_group_id_broker_mappings = [
+    for grp, grp_details in coalesce(var.cdp_groups, []) :
+    {
+      accessor_crn = data.cdp_iam_group.cdp_groups[grp_details.name].crn
+      role         = var.datalake_admin_role_arn
+    }
+    if try(grp_details.add_id_broker_mappings, false)
+  ]
 }

modules/terraform-cdp-deploy/modules/aws/main.tf

@@ -82,27 +82,21 @@ resource "cdp_environments_aws_environment" "cdp_env" {
   ]
 }
 
-# ------- CDP Admin Group -------
+# ------- CDP Group -------
 # Create group
-resource "cdp_iam_group" "cdp_admin_group" {
-  group_name                    = var.cdp_admin_group_name
-  sync_membership_on_user_login = false
-}
-
-# TODO: Assign roles and resource roles to the group
-
-# TODO: Assign users to the group
+resource "cdp_iam_group" "cdp_groups" {
+  for_each = {
+    for k, v in coalesce(var.cdp_groups, []) : k.name => v
+    if v.create_group
+  }
 
-# ------- CDP User Group -------
-# Create group
-resource "cdp_iam_group" "cdp_user_group" {
-  group_name                    = var.cdp_user_group_name
-  sync_membership_on_user_login = false
+  group_name                    = each.value.name
+  sync_membership_on_user_login = each.value.sync_membership_on_user_login
 }
 
-# TODO: Assign roles and resource roles to the group
+# TODO: (When supported) Assign roles and resource roles to the group
 
-# TODO: Assign users to the group
+# TODO: (When supported) Assign users to the group
 
 # ------- IdBroker Mappings -------
 resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {
@@ -113,17 +107,11 @@ resource "cdp_environments_id_broker_mappings" "cdp_idbroker" {
   data_access_role                    = var.datalake_admin_role_arn
   ranger_cloud_access_authorizer_role = var.enable_raz ? var.raz_role_arn : null
 
-  mappings = [{
-    accessor_crn = cdp_iam_group.cdp_admin_group.crn
-    role         = var.datalake_admin_role_arn
-    },
-    {
-      accessor_crn = cdp_iam_group.cdp_user_group.crn
-      role         = var.datalake_admin_role_arn
-    }
-  ]
+  mappings           = local.cdp_group_id_broker_mappings
+  set_empty_mappings = length(local.cdp_group_id_broker_mappings) == 0 ? true : null
 
   depends_on = [
+    cdp_iam_group.cdp_groups,
     cdp_environments_aws_environment.cdp_env
   ]
 }

modules/terraform-cdp-deploy/modules/aws/outputs.tf

@@ -23,3 +23,10 @@ output "cdp_environment_crn" {
 
   description = "CDP Environment CRN"
 }
+
+output "cdp_groups" {
+
+  value = data.cdp_iam_group.cdp_groups
+
+  description = "CDP Group information"
+}

modules/terraform-cdp-deploy/modules/aws/variables.tf

@@ -56,16 +56,16 @@ variable "cdp_xacccount_credential_name" {
 
 }
 
-variable "cdp_admin_group_name" {
-  type        = string
-  description = "Name of the CDP IAM Admin Group associated with the environment."
-
-}
-
-variable "cdp_user_group_name" {
-  type        = string
-  description = "Name of the CDP IAM User Group associated with the environment."
+variable "cdp_groups" {
+  type = set(object({
+    name                          = string
+    create_group                  = bool
+    sync_membership_on_user_login = optional(bool)
+    add_id_broker_mappings        = bool
+    })
+  )
 
+  description = "List of CDP Groups to be added to the id broker of the environment. If create_group is set to true then the group will be created."
 }
 
 variable "enable_ccm_tunnel" {

modules/terraform-cdp-deploy/modules/azure/data.tf

@@ -0,0 +1,25 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "cdp_iam_group" "cdp_groups" {
+
+  for_each = {
+    for k, v in coalesce(var.cdp_groups, []) : k.name => v
+  }
+
+  group_name = each.value.name
+
+  depends_on = [cdp_iam_group.cdp_groups]
+}
+

modules/terraform-cdp-deploy/modules/azure/defaults.tf

@@ -19,4 +19,14 @@ locals {
     var.cdp_xacccount_credential_name :
     cdp_environments_azure_credential.cdp_cred[0].credential_name
   )
+
+  # Construct IDBroker mappings
+  cdp_group_id_broker_mappings = [
+    for grp, grp_details in coalesce(var.cdp_groups, []) :
+    {
+      accessor_crn = data.cdp_iam_group.cdp_groups[grp_details.name].crn
+      role         = var.datalakeadmin_identity_id
+    }
+    if try(grp_details.add_id_broker_mappings, false)
+  ]
 }