# Dynamic group whose members are the compute instances that the OCI cloud
# controller manager (CCM) authenticates as. Membership is decided solely by
# the matching_rule below; the grants it receives are in oci_identity_policy.oci-ccm.
resource "oci_identity_dynamic_group" "oci-ccm" {
  #Required
  name           = "${var.cluster_name}-oci-ccm"
  # Created in the tenancy (root) compartment. The author's note says the
  # tenancy, compartment and domain OCIDs "don't work" here, yet var.tenancy_ocid
  # is what is used — presumably the other two were tried and rejected; confirm.
  compartment_id = var.tenancy_ocid # tenancy_ocid, compartment_ocid and domain_ocid doesn't work
  description    = "Instance access"
  # NOTE(review): this rule admits EVERY instance in var.compartment_ocid, not
  # only the cluster's nodes, so any instance launched in that compartment
  # inherits the read/use/manage grants of the policy. If the compartment is
  # shared with other workloads, narrowing the rule (for example with a tag
  # condition on the node instances) reduces that blast radius — verify how the
  # nodes are tagged before changing it.
  matching_rule  = "ALL {instance.compartment.id = '${var.compartment_ocid}'}"
  #Optional
  freeform_tags  = local.common_labels
}
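# Location fragment consumed by the policy statements in oci_identity_policy.oci-ccm.
#   ns_type_name   - "tenancy" when var.compartment_ocid is the root (tenancy)
#                    OCID, "compartment" otherwise.
#   ns_select_name - "" in the tenancy case; otherwise the compartment selected
#                    by OCID ("id <ocid>"). Selecting by OCID instead of by name
#                    means a nested compartment resolves correctly even though
#                    the policy is attached at the tenancy root (a name would be
#                    interpreted relative to the root and need a full path), and
#                    it no longer depends on the data.oci_identity_compartment
#                    lookup, which this file does not reference any more.
locals {
  ns_type_name   = strcontains(var.compartment_ocid, ".tenancy.") ? "tenancy" : "compartment"
  # Derived from ns_type_name so every non-tenancy value gets an explicit
  # selector; previously a value that was neither a tenancy nor a compartment
  # OCID produced an empty selector and an invalid "in compartment " statement.
  ns_select_name = local.ns_type_name == "tenancy" ? "" : "id ${var.compartment_ocid}"
}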
# IAM policy granting the dynamic group above what the CCM needs: read
# instances, use networking and manage load balancers, scoped to the tenancy
# or compartment described by local.ns_type_name / local.ns_select_name.
resource "oci_identity_policy" "oci-ccm" {
  #Required
  name           = "${var.cluster_name}-oci-ccm"
  # Attached at the tenancy root, so a compartment NAME in the statements is
  # resolved relative to the root. This assumes var.compartment_ocid is either
  # the tenancy itself or a direct child of the root; a nested compartment
  # would need its full path — TODO confirm for this deployment.
  compartment_id = var.tenancy_ocid
  description    = "Instance access"
  # Statement text is exact OCI policy syntax. In the tenancy case
  # ns_select_name is "", so each statement ends in "in tenancy " with a
  # trailing space — verify the provider/OCI tolerates that.
  statements = [
    # Presumably node/instance discovery by the CCM.
    "Allow dynamic-group ${oci_identity_dynamic_group.oci-ccm.name} to read instance-family in ${local.ns_type_name} ${local.ns_select_name}",
    # "use" (not "manage") on networking — the CCM attaches to existing VCN
    # resources rather than creating them.
    "Allow dynamic-group ${oci_identity_dynamic_group.oci-ccm.name} to use virtual-network-family in ${local.ns_type_name} ${local.ns_select_name}",
    # "manage" is the broadest verb here; it is what lets the CCM create and
    # delete load balancers for Service objects. Every instance matched by the
    # dynamic group's rule holds this grant, so keep the dynamic group tight.
    "Allow dynamic-group ${oci_identity_dynamic_group.oci-ccm.name} to manage load-balancers in ${local.ns_type_name} ${local.ns_select_name}",
  ]
  freeform_tags = local.common_labels
}