feat: add iam_resourcegroup data and resources

Author: fehrnah

Diff for: ovh/data_iam_resource_group.go

@@ -0,0 +1,81 @@
+package ovh
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceIamResourceGroup() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"resources": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"owner": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"created_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"updated_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"read_only": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"urn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+		ReadContext: datasourceIamResourceGroupRead,
+	}
+}
+
+func datasourceIamResourceGroupRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+	id := d.Get("id").(string)
+
+	var pol IamResourceGroup
+	err := config.OVHClient.GetWithContext(ctx, fmt.Sprintf("/v2/iam/resourceGroup/%s?details=true", url.PathEscape(id)), &pol)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(id)
+
+	var urns []string
+	for _, r := range pol.Resources {
+		urns = append(urns, r.URN)
+	}
+
+	d.Set("resources", urns)
+	d.Set("name", pol.Name)
+	d.Set("owner", pol.Owner)
+	d.Set("created_at", pol.CreatedAt)
+	d.Set("updated_at", pol.UpdatedAt)
+	d.Set("read_only", pol.ReadOnly)
+	d.Set("urn", pol.URN)
+
+	return nil
+}

Diff for: ovh/data_iam_resource_group_test.go

@@ -0,0 +1,146 @@
+package ovh
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccIamResourceGroupDataSource_basic(t *testing.T) {
+	resourceGroupName1 := acctest.RandomWithPrefix(test_prefix)
+	resourceGroupName2 := acctest.RandomWithPrefix(test_prefix)
+
+	resource1 := "urn:v1:eu:resource:vrack:" + os.Getenv("OVH_VRACK_SERVICE_TEST")
+	resource2 := "urn:v1:eu:resource:vps:" + os.Getenv("OVH_VPS")
+
+	preSetup := fmt.Sprintf(
+		testAccIamResourceGroupDatasourceConfigInit,
+		resourceGroupName1,
+		resource1,
+		resourceGroupName2,
+		resource1,
+		resource2,
+	)
+
+	dataConfig := fmt.Sprintf(
+		testAccIamResourceGroupDatasourceConfigData,
+		resourceGroupName1,
+		resource1,
+		resourceGroupName2,
+		resource1,
+		resource2,
+	)
+
+	config := fmt.Sprintf(
+		testAccIamResourceGroupDatasourceConfigList,
+		resourceGroupName1,
+		resource1,
+		resourceGroupName2,
+		resource1,
+		resource2,
+	)
+
+	checks := append(
+		checkIamResourceGroupResourceAttr("ovh_iam_resource_group.resource_group_1", resourceGroupName1, resource1),
+		checkIamResourceGroupResourceAttr("ovh_iam_resource_group.resource_group_2", resourceGroupName2, resource1, resource2)...,
+	)
+
+	checksData := append(
+		checkIamResourceGroupResourceAttr("data.ovh_iam_resource_group.resource_group_1", resourceGroupName1, resource1),
+		checkIamResourceGroupResourceAttr("data.ovh_iam_resource_group.resource_group_2", resourceGroupName2, resource1, resource2)...,
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheckIamResourceGroup(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: preSetup,
+				Check:  resource.ComposeTestCheckFunc(checks...),
+			}, {
+				Config: dataConfig,
+				Check:  resource.ComposeTestCheckFunc(checksData...),
+			}, {
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckOutput("keys_present", "true"),
+				),
+			},
+		},
+	})
+}
+
+func checkIamResourceGroupResourceAttr(name, grpName string, resourceURNs ...string) []resource.TestCheckFunc {
+	checks := []resource.TestCheckFunc{
+		resource.TestCheckResourceAttr(name, "name", grpName),
+	}
+	for _, urn := range resourceURNs {
+		checks = append(checks,
+			resource.TestCheckTypeSetElemAttr(name, "resources.*", urn),
+		)
+	}
+	return checks
+}
+
+const testAccIamResourceGroupDatasourceConfigInit = `
+resource "ovh_iam_resource_group" "resource_group_1" {
+	name        = "%s"
+	resources   = ["%s"]
+}
+
+resource "ovh_iam_resource_group" "resource_group_2" {
+	name        = "%s"
+	resources   = ["%s", "%s"]
+}
+`
+
+const testAccIamResourceGroupDatasourceConfigData = `
+resource "ovh_iam_resource_group" "resource_group_1" {
+	name        = "%s"
+	resources   = ["%s"]
+}
+
+resource "ovh_iam_resource_group" "resource_group_2" {
+	name        = "%s"
+	resources   = ["%s", "%s"]
+}
+
+data "ovh_iam_resource_group" "resource_group_1" {
+	id = ovh_iam_resource_group.resource_group_1.id
+}
+
+data "ovh_iam_resource_group" "resource_group_2" {
+	id = ovh_iam_resource_group.resource_group_2.id
+}
+`
+
+const testAccIamResourceGroupDatasourceConfigList = `
+resource "ovh_iam_resource_group" "resource_group_1" {
+	name        = "%s"
+	resources   = ["%s"]
+}
+
+resource "ovh_iam_resource_group" "resource_group_2" {
+	name        = "%s"
+	resources   = ["%s", "%s"]
+}
+
+data "ovh_iam_resource_group" "data_resource_group_1" {
+	id = ovh_iam_resource_group.resource_group_1.id
+}
+
+
+data "ovh_iam_resource_groups" "resource_groups" {}
+
+output "keys_present" {
+	value = tostring(
+		contains(data.ovh_iam_resource_groups.resource_groups.resource_groups, ovh_iam_resource_group.resource_group_1.id) &&
+		contains(data.ovh_iam_resource_groups.resource_groups.resource_groups, ovh_iam_resource_group.resource_group_2.id)
+	)
+}
+`

Diff for: ovh/data_iam_resource_groups.go

@@ -0,0 +1,41 @@
+package ovh
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/ovh/terraform-provider-ovh/ovh/helpers/hashcode"
+)
+
+func dataSourceIamResourceGroups() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"resource_groups": {
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Computed: true,
+			},
+		},
+		ReadContext: datasourceIamResourceGroupsRead,
+	}
+}
+
+func datasourceIamResourceGroupsRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+
+	var groups []IamResourceGroup
+	err := config.OVHClient.GetWithContext(ctx, "/v2/iam/resourceGroup?details=true", &groups)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	var grpsId []string
+	for _, grp := range groups {
+		grpsId = append(grpsId, grp.ID)
+	}
+
+	d.SetId(hashcode.Strings(grpsId))
+	d.Set("resource_groups", grpsId)
+	return nil
+}

Diff for: ovh/provider.go

@@ -113,6 +113,8 @@ func Provider() *schema.Provider {
 			"ovh_iam_policy":                                          dataSourceIamPolicy(),
 			"ovh_iam_reference_actions":                               dataSourceIamReferenceActions(),
 			"ovh_iam_reference_resource_type":                         dataSourceIamReferenceResourceType(),
+			"ovh_iam_resource_group":                                  dataSourceIamResourceGroup(),
+			"ovh_iam_resource_groups":                                 dataSourceIamResourceGroups(),
 			"ovh_ip_service":                                          dataSourceIpService(),
 			"ovh_iploadbalancing":                                     dataSourceIpLoadbalancing(),
 			"ovh_iploadbalancing_vrack_network":                       dataSourceIpLoadbalancingVrackNetwork(),
@@ -192,6 +194,7 @@ func Provider() *schema.Provider {
 			"ovh_hosting_privatedatabase_user_grant":                      resourceHostingPrivateDatabaseUserGrant(),
 			"ovh_hosting_privatedatabase_whitelist":                       resourceHostingPrivateDatabaseWhitelist(),
 			"ovh_iam_policy":                                              resourceIamPolicy(),
+			"ovh_iam_resource_group":                                      resourceIamResourceGroup(),
 			"ovh_ip_reverse":                                              resourceIpReverse(),
 			"ovh_ip_service":                                              resourceIpService(),
 			"ovh_iploadbalancing":                                         resourceIpLoadbalancing(),

Diff for: ovh/provider_test.go

@@ -373,3 +373,9 @@ func testAccPreCheckWorkflowBackup(t *testing.T) {
 func testAccPreCheckDedicatedServerNetworking(t *testing.T) {
 	checkEnvOrSkip(t, "TEST_DEDICATED_SERVER_NETWORKING")
 }
+
+func testAccPreCheckIamResourceGroup(t *testing.T) {
+	testAccPreCheckCredentials(t)
+	checkEnvOrSkip(t, "OVH_VRACK_SERVICE_TEST")
+	checkEnvOrSkip(t, "OVH_VPS")
+}

Diff for: ovh/resource_iam_resource_group.go

@@ -0,0 +1,153 @@
+package ovh
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func resourceIamResourceGroup() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"resources": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"owner": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"created_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"updated_at": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"read_only": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"urn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+		Importer: &schema.ResourceImporter{
+			StateContext: func(ctx context.Context, rd *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+				// Before importing, check that the resource group is not read-only.
+				config := meta.(*Config)
+				id := rd.Id()
+
+				var pol IamResourceGroup
+				err := config.OVHClient.GetWithContext(ctx, fmt.Sprintf("/v2/iam/resourceGroup/%s?details=true", url.PathEscape(id)), &pol)
+				if err != nil {
+					return nil, err
+				}
+
+				if pol.ReadOnly {
+					return nil, fmt.Errorf("resource_group '%s' is read-only", id)
+				}
+
+				return []*schema.ResourceData{rd}, nil
+			},
+		},
+		ReadContext:   resourceIamResourceGroupRead,
+		CreateContext: resourceIamResourceGroupCreate,
+		UpdateContext: resourceIamResourceGroupUpdate,
+		DeleteContext: resourceIamResourceGroupDelete,
+	}
+}
+
+func resourceIamResourceGroupRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+	id := d.Id()
+
+	var pol IamResourceGroup
+	err := config.OVHClient.GetWithContext(ctx, fmt.Sprintf("/v2/iam/resourceGroup/%s?details=true", url.PathEscape(id)), &pol)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	var urns []string
+	for _, r := range pol.Resources {
+		urns = append(urns, r.URN)
+	}
+	d.Set("resources", urns)
+
+	d.Set("name", pol.Name)
+	d.Set("owner", pol.Owner)
+	d.Set("created_at", pol.CreatedAt)
+	d.Set("updated_at", pol.UpdatedAt)
+	d.Set("read_only", pol.ReadOnly)
+	d.Set("urn", pol.URN)
+
+	return nil
+}
+
+func resourceIamResourceGroupCreate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+
+	var grp IamResourceGroup
+
+	grp.Name = d.Get("name").(string)
+	urns := d.Get("resources").(*schema.Set)
+	for _, r := range urns.List() {
+		urn := r.(string)
+		grp.Resources = append(grp.Resources, IamResourceDetails{URN: urn})
+	}
+
+	var grpOut IamResourceGroup
+	err := config.OVHClient.PostWithContext(ctx, "/v2/iam/resourceGroup", grp, &grpOut)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(grpOut.ID)
+
+	return resourceIamResourceGroupRead(ctx, d, meta)
+}
+
+func resourceIamResourceGroupUpdate(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+	id := d.Id()
+
+	var pol IamResourceGroup
+
+	pol.Name = d.Get("name").(string)
+	urns := d.Get("resources").(*schema.Set)
+	for _, r := range urns.List() {
+		urn := r.(string)
+		pol.Resources = append(pol.Resources, IamResourceDetails{URN: urn})
+	}
+
+	err := config.OVHClient.PutWithContext(ctx, "/v2/iam/resourceGroup/"+url.PathEscape(id), &pol, nil)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return resourceIamResourceGroupRead(ctx, d, meta)
+}
+
+func resourceIamResourceGroupDelete(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	config := meta.(*Config)
+	id := d.Id()
+
+	err := config.OVHClient.DeleteWithContext(ctx, "/v2/iam/resourceGroup/"+url.PathEscape(id), nil)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}

Diff for: ovh/resource_iam_resource_group_test.go

@@ -0,0 +1,113 @@
+package ovh
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func init() {
+	resource.AddTestSweepers("ovh_iam_resource_group", &resource.Sweeper{
+		Name: "ovh_iam_resource_group",
+		F:    testSweepMeIdentityResourceGroup,
+	})
+}
+
+func testSweepMeIdentityResourceGroup(region string) error {
+	client, err := sharedClientForRegion(region)
+	if err != nil {
+		return fmt.Errorf("error getting client: %s", err)
+	}
+
+	var groups []IamResourceGroup
+	if err := client.Get("/v2/iam/resourceGroup", &groups); err != nil {
+		return fmt.Errorf("Error calling /v2/iam/resourceGroup:\n\t %q", err)
+	}
+
+	if len(groups) == 0 {
+		log.Print("[DEBUG] No identity users to sweep")
+		return nil
+	}
+	for _, resGrp := range groups {
+		if !strings.HasPrefix(resGrp.Name, test_prefix) {
+			continue
+		}
+
+		if resGrp.ReadOnly {
+			continue
+		}
+		log.Printf("[DEBUG] IAM resource group found %s: %s", resGrp.Name, resGrp.ID)
+		err = resource.Retry(5*time.Minute, func() *resource.RetryError {
+			log.Printf("[INFO] Deleting IAM resource group %s: %s", resGrp.Name, resGrp.ID)
+			if err := client.Delete(fmt.Sprintf("/v2/iam/resourceGroup/%s", resGrp.ID), nil); err != nil {
+				return resource.RetryableError(err)
+			}
+
+			// Successful delete
+			return nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+	}
+	return nil
+}
+
+func TestAccIamResourceGroupResource_basic(t *testing.T) {
+	resourceGroupName1 := acctest.RandomWithPrefix(test_prefix)
+	resourceGroupName2 := acctest.RandomWithPrefix(test_prefix)
+
+	resource1 := "urn:v1:eu:resource:vrack:" + os.Getenv("OVH_VRACK_SERVICE_TEST")
+	resource2 := "urn:v1:eu:resource:vps:" + os.Getenv("OVH_VPS")
+
+	config := fmt.Sprintf(
+		testAccIamResourceGroupResourceConfig_preSetup,
+		resourceGroupName1,
+		resource1,
+		resourceGroupName2,
+		resource1,
+		resource2,
+	)
+
+	checks := append(
+		checkIamResourceGroupResourceAttr("ovh_iam_resource_group.resource_group_1", resourceGroupName1, resource1),
+		checkIamResourceGroupResourceAttr("ovh_iam_resource_group.resource_group_2", resourceGroupName2, resource1, resource2)...,
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheckIamResourceGroup(t)
+		},
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check:  resource.ComposeTestCheckFunc(checks...),
+			}, {
+				ResourceName:      "ovh_iam_resource_group.resource_group_1",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+const testAccIamResourceGroupResourceConfig_preSetup = `
+resource "ovh_iam_resource_group" "resource_group_1" {
+	name        = "%s"
+	resources   = ["%s"]
+}
+
+resource "ovh_iam_resource_group" "resource_group_2" {
+	name        = "%s"
+	resources   = ["%s", "%s"]
+}
+`

Diff for: ovh/types_iam.go

@@ -66,24 +66,25 @@ func (p IamPolicy) ToMap() map[string]any {
 	return out
 }
 
+// IamResource represent a possible information returned when viewing a policy
 type IamResource struct {
-	URN      string                  `json:"urn,omitempty"`
-	Group    *IamPolicyResourceGroup `json:"group,omitempty"`
-	Resource *IamResourceDetails     `json:"resource,omitempty"`
-}
-
-type IamPolicyResourceGroup struct {
-	Id       string `json:"id"`
-	Name     string `json:"name"`
-	ReadOnly bool   `json:"readOnly"`
+	// URN is always returned and is the urn of the resource or resource group
+	// can also be a globing urn, for example "urn:v1:eu:resource:*"
+	URN string `json:"urn,omitempty"`
+	// If the urn is a resourceGroup. the details are also present
+	Group *IamResourceGroup `json:"group,omitempty"`
+	// If the urn is an IAM resource, the details are also present
+	Resource *IamResourceDetails `json:"resource,omitempty"`
 }
 
 type IamResourceDetails struct {
-	Id          string `json:"id"`
-	Name        string `json:"name"`
-	DisplayName string `json:"displayName"`
-	Owner       string `json:"owner"`
-	Type        string `json:"type"`
+	Id          string            `json:"id,omitempty"`
+	URN         string            `json:"urn,omitempty"`
+	Name        string            `json:"name,omitempty"`
+	DisplayName string            `json:"displayName,omitempty"`
+	Owner       string            `json:"owner,omitempty"`
+	Type        string            `json:"type,omitempty"`
+	Tags        map[string]string `json:"tags,omitempty"`
 }
 
 type IamPermissions struct {
@@ -108,3 +109,19 @@ func (p IamPermissions) ToLists() ([]string, []string) {
 type IamAction struct {
 	Action string `json:"action"`
 }
+
+type IamResourceGroup struct {
+	ID        string               `json:"id,omitempty"`
+	Name      string               `json:"name"`
+	Resources []IamResourceDetails `json:"resources"`
+	URN       string               `json:"urn,omitempty"`
+	Owner     string               `json:"owner,omitempty"`
+	CreatedAt string               `json:"createdAt,omitempty"`
+	UpdatedAt string               `json:"updatedAt,omitempty"`
+	ReadOnly  bool                 `json:"readOnly,omitempty"`
+}
+
+type IamResourceGroupCreate struct {
+	Name      string               `json:"name"`
+	Resources []IamResourceDetails `json:"resources"`
+}

Diff for: website/docs/d/iam_resource_group.html.markdown

@@ -0,0 +1,29 @@
+---
+subcategory : "Account Management"
+---
+
+# ovh_iam_resource_group (Data Source)
+
+Use this data source get details about a resource group.
+
+## Example Usage
+
+```hcl
+data "ovh_iam_resource_group" "my_resource_group" {
+    id = "my_resource_group_id"
+}
+```
+
+## Argument Reference
+
+* `id`- Id of the resource group
+
+## Attributes Reference
+
+* `name`- Name of the resource group
+* `resources`- Set of the URNs of the resources contained in the resource group
+* `owner`- Name of the account owning the resource group
+* `created_at`- Date of the creation of the resource group
+* `updated_at`- Date of the last modification of the resource group
+* `read_only`- Marks that the resource group is not editable. Usually means that this is a default resource group created by OVHcloud
+* `urn`- URN of the resource group, used when writing policies

Diff for: website/docs/d/iam_resource_groups.html.markdown

@@ -0,0 +1,21 @@
+---
+subcategory : "Account Management"
+---
+
+# ovh_iam_resource_groups (Data Source)
+
+Use this data source to list the existing IAM policies of an account.
+
+## Example Usage
+
+```hcl
+data "ovh_iam_resource_groups" "my_groups" {
+}
+```
+
+## Argument Reference
+
+## Attributes Reference
+
+* `id` - Hash of the list of the resource groups IDs.
+* `resource_groups` - List of the resource groups IDs.

Diff for: website/docs/r/iam_resource_group.html.markdown

@@ -0,0 +1,44 @@
+---
+subcategory : "Account Management"
+---
+
+# ovh_iam_resource_group (Resource)
+
+Provides an OVHcloud IAM resource group.
+
+## Example Usage
+
+```hcl
+resource "ovh_iam_resource_group" "my_resource_group" {
+    name = "my_resource_group"
+    resources = [
+        "urn:v1:eu:resource:service1:service1-id",
+        "urn:v1:eu:resource:service2:service2-id",
+    ]
+}
+```
+
+## Argument Reference
+
+* `name`- Name of the resource group
+* `resources`- Set of the URNs of the resources contained in the resource group. All urns must be ones of valid resources
+
+## Attributes Reference
+
+* `id`- Id of the resource group
+* `owner`- Name of the account owning the resource group
+* `created_at`- Date of the creation of the resource group
+* `updated_at`- Date of the last modification of the resource group
+* `read_only`- Marks that the resource group is not editable. Usually means that this is a default resource group created by OVHcloud
+* `urn`- URN of the resource group, used when writing policies
+
+## Import 
+
+
+Resource groups can be imported by using their id.
+
+```bash
+$ terraform import ovh_iam_resource_group.my_resource_group resource_group_id
+```
+
+-> Read only resource groups cannot be imported