feat(iam/user): support external_identity_id param

docs/resources/identity_user.md

@@ -49,6 +49,13 @@ The following arguments are supported:
   + **programmatic**: only support programmatic access.
   + **console**: only support management console access.
 
+* `external_identity_id` - (Optional, String) Specifies the ID of the IAM user in the external system.
+  This parameter is used for IAM user SSO type, make sure that the **IAM_SAML_Attributes_xUserId** of the federated user
+  is the same as the `external_identity_id` of the corresponding IAM user.
+
+* `external_identity_type` - (Optional, String) Specifies the type of the IAM user in the external system.
+  Only **TenantIdp** is supported now. This parameter must be used together with `external_identity_id`.
+
 ## Attribute Reference
 
 In addition to all arguments above, the following attributes are exported:

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
-	github.com/chnsz/golangsdk v0.0.0-20230816083154-a48d61280e1c
+	github.com/chnsz/golangsdk v0.0.0-20230821030330-f0c4cb624629
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-uuid v1.0.3

go.sum

@@ -19,8 +19,8 @@ github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJE
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/chnsz/golangsdk v0.0.0-20230816083154-a48d61280e1c h1:CYGxNjWqvlpND5UDR5TqWNnc8YbmUj1KI5QU2Mniiwk=
-github.com/chnsz/golangsdk v0.0.0-20230816083154-a48d61280e1c/go.mod h1:j6UR2TfACtmWBEvYrQqTpk5wy3b2QsEdiLkjMoM47j8=
+github.com/chnsz/golangsdk v0.0.0-20230821030330-f0c4cb624629 h1:lraFu3V1NCWYbMjhSyFuNiOt+CeCX/3PF9rokiSgq3I=
+github.com/chnsz/golangsdk v0.0.0-20230821030330-f0c4cb624629/go.mod h1:j6UR2TfACtmWBEvYrQqTpk5wy3b2QsEdiLkjMoM47j8=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

huaweicloud/services/acceptance/iam/resource_huaweicloud_identity_user_test.go

@@ -77,6 +77,59 @@ func TestAccIdentityUser_basic(t *testing.T) {
 	})
 }
 
+func TestAccIdentityUser_external(t *testing.T) {
+	var user users.User
+	userName := acceptance.RandomAccResourceName()
+	password := acceptance.RandomPassword()
+	initXUserID := "123456789-abcdefg"
+	newXUserID := "abcdefg-123456789"
+	resourceName := "huaweicloud_identity_user.user_1"
+
+	rc := acceptance.InitResourceCheck(
+		resourceName,
+		&user,
+		getIdentityUserResourceFunc,
+	)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acceptance.TestAccPreCheck(t)
+			acceptance.TestAccPreCheckAdminOnly(t)
+		},
+		ProviderFactories: acceptance.TestAccProviderFactories,
+		CheckDestroy:      rc.CheckResourceDestroy(),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIdentityUser_external(userName, password, initXUserID),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "name", userName),
+					resource.TestCheckResourceAttr(resourceName, "description", "IAM user with external identity id"),
+					resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
+					resource.TestCheckResourceAttr(resourceName, "pwd_reset", "true"),
+					resource.TestCheckResourceAttr(resourceName, "password_strength", "Strong"),
+					resource.TestCheckResourceAttr(resourceName, "external_identity_id", initXUserID),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"password",
+				},
+			},
+			{
+				Config: testAccIdentityUser_external(userName, password, newXUserID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", userName),
+					resource.TestCheckResourceAttr(resourceName, "external_identity_id", newXUserID),
+				),
+			},
+		},
+	})
+}
+
 func testAccIdentityUser_basic(name, password string) string {
 	return fmt.Sprintf(`
 resource "huaweicloud_identity_user" "user_1" {
@@ -101,3 +154,14 @@ resource "huaweicloud_identity_user" "user_1" {
 }
 `, name, password)
 }
+
+func testAccIdentityUser_external(name, password, xUserID string) string {
+	return fmt.Sprintf(`
+resource "huaweicloud_identity_user" "user_1" {
+  name                 = "%s"
+  password             = "%s"
+  description          = "IAM user with external identity id"
+  external_identity_id = "%s"
+}
+`, name, password, xUserID)
+}

huaweicloud/services/iam/resource_huaweicloud_identity_user.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/common"
 	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/utils"
 )
 
 func ResourceIdentityUser() *schema.Resource {
@@ -59,6 +60,16 @@ func ResourceIdentityUser() *schema.Resource {
 				Optional:     true,
 				RequiredWith: []string{"phone"},
 			},
+			"external_identity_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"external_identity_type": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				RequiredWith: []string{"external_identity_id"},
+			},
 			"enabled": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -93,6 +104,21 @@ func ResourceIdentityUser() *schema.Resource {
 	}
 }
 
+func buildExternalIdentityType(d *schema.ResourceData) string {
+	// external_identity_type is valid only when external_identity_id is specified.
+	if _, ok := d.GetOk("external_identity_id"); !ok {
+		return ""
+	}
+
+	// the default value of external_identity_type is TenantIdp
+	v, ok := d.GetOk("external_identity_type")
+	if !ok {
+		return "TenantIdp"
+	}
+
+	return v.(string)
+}
+
 func resourceIdentityUserCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	cfg := meta.(*config.Config)
 	iamClient, err := cfg.IAMV3Client(cfg.GetRegion(d))
@@ -113,6 +139,8 @@ func resourceIdentityUserCreate(ctx context.Context, d *schema.ResourceData, met
 		Phone:         d.Get("phone").(string),
 		AreaCode:      d.Get("country_code").(string),
 		AccessMode:    d.Get("access_type").(string),
+		XUserID:       d.Get("external_identity_id").(string),
+		XUserType:     buildExternalIdentityType(d),
 		Enabled:       &enabled,
 		PasswordReset: &reset,
 		DomainID:      cfg.DomainID,
@@ -156,6 +184,8 @@ func resourceIdentityUserRead(_ context.Context, d *schema.ResourceData, meta in
 		d.Set("pwd_reset", user.PasswordStatus),
 		d.Set("create_time", user.CreateAt),
 		d.Set("last_login", user.LastLogin),
+		d.Set("external_identity_id", user.XUserID),
+		d.Set("external_identity_type", user.XUserType),
 	)
 
 	if err = mErr.ErrorOrNil(); err != nil {
@@ -200,6 +230,11 @@ func resourceIdentityUserUpdate(ctx context.Context, d *schema.ResourceData, met
 		updateOpts.Phone = d.Get("phone").(string)
 	}
 
+	if d.HasChanges("external_identity_id", "external_identity_type") {
+		updateOpts.XUserID = utils.String(d.Get("external_identity_id").(string))
+		updateOpts.XUserType = utils.String(buildExternalIdentityType(d))
+	}
+
 	if d.HasChange("access_type") {
 		updateOpts.AccessMode = d.Get("access_type").(string)
 	}

vendor/modules.txt

@@ -13,7 +13,7 @@ github.com/apparentlymart/go-cidr/cidr
 # github.com/apparentlymart/go-textseg/v13 v13.0.0
 ## explicit; go 1.16
 github.com/apparentlymart/go-textseg/v13/textseg
-# github.com/chnsz/golangsdk v0.0.0-20230816083154-a48d61280e1c
+# github.com/chnsz/golangsdk v0.0.0-20230821030330-f0c4cb624629
 ## explicit; go 1.14
 github.com/chnsz/golangsdk
 github.com/chnsz/golangsdk/auth