# --- This role MAY already have been bootstrapped; if so, use `terraform import` to bring it into the Terraform state instead of creating it again

# This role is needed by tight cinder <-> nova service user linking
# see https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html and https://docs.openstack.org/releasenotes/cinder/yoga.html#upgrade-notes
# Declares the Keystone role named "service" as a Terraform-managed resource.
# Both role assignments in this file reference its ID.
# NOTE(review): per the linked service-token documentation, this role is what
# marks a token as coming from a trusted service user. Presumably it must match
# the `service_token_roles` setting of the consuming services - confirm.
# Grant it to service accounts only, never to end-user or operator accounts.
resource "openstack_identity_role_v3" "service" {
  name = "service"
}

# --- Data sources used to look up IDs; this domain and project are normally bootstrapped

# recognize service domain (created by deployed OpenStack components)
data "openstack_identity_project_v3" "service" {
  # Read-only lookup of the domain called "service". Nothing is created here.
  # The match is by name alone, and the resulting ID scopes every project and
  # user lookup in this file, so it must resolve to the deployment's own
  # service domain.
  is_domain = true
  name      = "service"
}

# recognize project service in domain service (created by deployed OpenStack components)
data "openstack_identity_project_v3" "service_service" {
  # Read-only lookup of the project "service", pinned to the service domain by
  # ID so that a same-named project in another domain is not selected.
  # Both role assignments in this file are scoped to this project.
  domain_id = data.openstack_identity_project_v3.service.id
  name      = "service"
}

# --- 

# This role assignment is needed by tight cinder <-> nova service user linking
# see https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html and https://docs.openstack.org/releasenotes/cinder/yoga.html#upgrade-notes

# recognize user nova in domain service (created by OpenStack nova bootstrap)
data "openstack_identity_user_v3" "service_nova" {
  # Read-only lookup of the user "nova", restricted to the service domain.
  # The domain filter prevents a user named "nova" in any other domain from
  # being picked up and receiving the service role.
  domain_id = data.openstack_identity_project_v3.service.id
  name      = "nova"
}

# add role service to service user nova
# Grants the "service" role to user nova, scoped to project "service" in the
# service domain (a project-scoped assignment; no domain_id is set here).
# All three IDs come from this file: the user and project via domain-filtered
# data lookups, the role from the managed role resource.
# NOTE(review): the holder of this role can presumably present service tokens
# to services that accept it - review any change to user_id as a privilege grant.
resource "openstack_identity_role_assignment_v3" "service_nova_service" {
  user_id    = data.openstack_identity_user_v3.service_nova.id
  project_id = data.openstack_identity_project_v3.service_service.id
  role_id    = openstack_identity_role_v3.service.id
}

# ---

# This role assignment is needed by tight cinder <-> nova service user linking
# see https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html and https://docs.openstack.org/releasenotes/cinder/yoga.html#upgrade-notes

# recognize user cinder in domain service (created by OpenStack cinder bootstrap)
data "openstack_identity_user_v3" "service_cinder" {
  # Read-only lookup of the user "cinder", restricted to the service domain.
  # The domain filter prevents a user named "cinder" in any other domain from
  # being picked up and receiving the service role.
  domain_id = data.openstack_identity_project_v3.service.id
  name      = "cinder"
}

# add role service to service user cinder
# Grants the "service" role to user cinder, scoped to project "service" in the
# service domain (a project-scoped assignment; no domain_id is set here).
# All three IDs come from this file: the user and project via domain-filtered
# data lookups, the role from the managed role resource.
# NOTE(review): the holder of this role can presumably present service tokens
# to services that accept it - review any change to user_id as a privilege grant.
resource "openstack_identity_role_assignment_v3" "service_cinder_service" {
  user_id    = data.openstack_identity_user_v3.service_cinder.id
  project_id = data.openstack_identity_project_v3.service_service.id
  role_id    = openstack_identity_role_v3.service.id
}