Merge pull request #81 in RSA/oci-enterprise-scale-baseline-landing-z…

…one from LANZ-238 to main * commit '17b5a29c07f3756e5a8652d3b672796ca1e4dc6c': policies conditionally created
oracle-quickstart · Jun 7, 2022 · d7e18ee · d7e18ee
2 parents afc32ea + 17b5a29
commit d7e18ee
Showing 1 changed file with 20 additions and 11 deletions.
diff --git a/iam/policies/main.tf b/iam/policies/main.tf
@@ -7,6 +7,25 @@ terraform {
   }
 }
 
+locals {
+  security_admins_policy_list = concat(
+    var.key_id != "PLACEHOLDER" ? [
+      # Ability to associate an Object Storage bucket, Block Volume volume, File Storage file system, Kubernetes cluster, or Streaming stream pool with a specific key
+      "Allow group ${var.security_admins_group_name} to use key-delegate in compartment ${var.security_compartment_name} where target.key.id = '${var.key_id}'",
+    ] : [],
+    var.vault_id != "PLACEHOLDER" ? [
+      # Ability to do all things with secrets in a specific vault
+      "Allow group ${var.security_admins_group_name} to read vaults in compartment ${var.security_compartment_name} where target.vault.id='${var.vault_id}'",
+      "Allow group ${var.security_admins_group_name} to manage secret-family in compartment ${var.security_compartment_name} where target.vault.id='${var.vault_id}'"
+    ] : [],
+    [
+      # Ability to list, view, and perform cryptographic operations with all keys in compartment
+      "Allow group ${var.security_admins_group_name} to use keys in compartment ${var.security_compartment_name}",
+      "Allow service blockstorage, objectstorage-${var.region}, FssOc1Prod, oke, streaming to use keys in compartment ${var.security_compartment_name}",
+    ]
+  )
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # IAM Policy Network Admins
 # ---------------------------------------------------------------------------------------------------------------------
@@ -64,17 +83,7 @@ resource "oci_identity_policy" "security_admins_policy" {
     "GeoLocation" = var.tag_geo_location
   }
 
-  statements = [
-    # Ability to associate an Object Storage bucket, Block Volume volume, File Storage file system, Kubernetes cluster, or Streaming stream pool with a specific key
-    "Allow group ${var.security_admins_group_name} to use key-delegate in compartment ${var.security_compartment_name} where target.key.id = '${var.key_id}'",
-    # Ability to list, view, and perform cryptographic operations with all keys in compartment
-    "Allow group ${var.security_admins_group_name} to use keys in compartment ${var.security_compartment_name}",
-    "Allow service blockstorage, objectstorage-${var.region}, FssOc1Prod, oke, streaming to use keys in compartment ${var.security_compartment_name}",
-    # Ability to do all things with secrets in a specific vault
-    "Allow group ${var.security_admins_group_name} to read vaults in compartment ${var.security_compartment_name} where target.vault.id='${var.vault_id}'",
-    "Allow group ${var.security_admins_group_name} to manage secret-family in compartment ${var.security_compartment_name} where target.vault.id='${var.vault_id}'"
-
-  ]
+  statements = local.security_admins_policy_list
 }
 
 resource "oci_identity_policy" "security_admins_policy_network" {