[FEATURE] possibility to attach user to role (not backend role) #191

Closed
rapcore2 opened this issue May 22, 2024 · 7 comments
Labels
enhancement New feature or request

Comments

@rapcore2

rapcore2 commented May 22, 2024

Is your feature request related to a problem?

I tried to map a custom role to a user, but there is no possibility with the OpenSearch Terraform provider.

What solution would you like?

Possibility to attach a (custom) role to a user. For example (if possible):

resource "opensearch_user" "simple_user" {
  username    = "simple.user"
  password    = "SuperPassword!"
  description = "Simple User"
  backend_roles = [
    "my_custom_backend_role"
  ]
  roles = [
    "my_custom_role"
  ]
}

What alternatives have you considered?

In Dev Tools

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

rapcore2 added the enhancement and untriaged labels May 22, 2024

@rblcoder
Collaborator

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

The above can be called using the opensearch_roles_mapping resource.

func resourceOpensearchPutOpenDistroRolesMapping(d *schema.ResourceData, m interface{}) (*RoleMappingResponse, error) {
    var err error
    response := new(RoleMappingResponse)
    rolesMappingDefinition := RolesMapping{
        BackendRoles:    expandStringList(d.Get("backend_roles").(*schema.Set).List()),
        Hosts:           expandStringList(d.Get("hosts").(*schema.Set).List()),
        Users:           expandStringList(d.Get("users").(*schema.Set).List()),
        Description:     d.Get("description").(string),
        AndBackendRoles: expandStringList(d.Get("and_backend_roles").(*schema.Set).List()),
    }
    roleJSON, err := json.Marshal(rolesMappingDefinition)
    if err != nil {
        return response, fmt.Errorf("Body Error : %s", roleJSON)
    }
    path, err := uritemplates.Expand("/_plugins/_security/api/rolesmapping/{name}", map[string]string{
        "name": d.Get("role_name").(string),
    })

"users": {
    Description: "A list of users.",
    Type:        schema.TypeSet,
    Optional:    true,
    Elem:        &schema.Schema{Type: schema.TypeString},
},

@rapcore2
Author

@rblcoder thank you for the reply. Could you provide an example in Terraform of how to attach a role (not a backend role) in opensearch_roles_mapping? In my opinion it is impossible.

@rblcoder
Collaborator

@rapcore2
Author

rapcore2 commented May 29, 2024

@rblcoder thank you for the reply. But it's backend_role, not a role... I asked about the possibility to attach a role, not a backend role.

Role - Security roles define the scope of a permission or action group: cluster, index, document, or field. For example, a role named delivery_analyst might have no cluster permissions, the READ action group for all indexes that match the delivery-data-* pattern, access to all document types within those indexes, and access to all fields except delivery_driver_name.

Backend role - (Optional) Arbitrary strings that you specify or that come from an external authentication system (for example, LDAP/Active Directory). Backend roles can help simplify the role mapping process. Rather than mapping a role to 100 individual users, you can map the role to a single backend role that all 100 users share.

@rblcoder
Collaborator

PUT _plugins/_security/api/rolesmapping/custom_role
{
  "users" : [ "custom_user" ]
}

The above is mapping a user to a role.

@rblcoder
Collaborator

You can see a test added here that the same works using the provider as well

https://github.com/opensearch-project/terraform-provider-opensearch/pull/193/files

@rapcore2
Author

Works as expected in version 2.3.0.
@rblcoder thank you :)
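
The mapping this thread arrives at, written out as Terraform: a security role, an internal user, and an opensearch_roles_mapping that lists the user under users rather than backend_roles. This is an added example, not code from the issue or from the provider's repository; the resource labels, the delivery-data-* pattern, the read action group and the simple_user_password variable are assumptions chosen for illustration.

```hcl
# Added example. Resource labels, index pattern and variable name are assumptions.

variable "simple_user_password" {
  type      = string
  sensitive = true # supply via TF_VAR_simple_user_password, not in source control
}

# Security role: defines WHAT is permitted (scope of the permissions).
resource "opensearch_role" "custom_role" {
  role_name   = "my_custom_role"
  description = "Read-only access to delivery data"

  index_permissions {
    index_patterns  = ["delivery-data-*"]
    allowed_actions = ["read"]
  }
}

# Internal user. No backend_roles are set, so the user gains no permissions
# through backend-role mappings; access comes only from the mapping below.
resource "opensearch_user" "simple_user" {
  username    = "simple.user"
  password    = var.simple_user_password
  description = "Simple User"
}

# Role mapping: defines WHO holds the role. The `users` set attaches internal
# users directly; `backend_roles`, `hosts` and `and_backend_roles` stay unset.
# Equivalent to: PUT _plugins/_security/api/rolesmapping/my_custom_role
resource "opensearch_roles_mapping" "custom_role" {
  role_name   = opensearch_role.custom_role.role_name
  description = "Direct user-to-role mapping"
  users       = [opensearch_user.simple_user.username]
}
```

The PUT behind this resource replaces the entire mapping for the role, so keep one opensearch_roles_mapping per role and list every user in it. The password is still written to Terraform state, so the state backend needs the same protection as the credential itself.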
