Skip to content

Latest commit

 

History

History
59 lines (44 loc) · 3.38 KB

File metadata and controls

59 lines (44 loc) · 3.38 KB

OCI Landing Zones IAM Dynamic Groups Module

Landing Zone logo

This module manages Identity and Access Management (IAM) dynamic groups in Oracle Cloud Infrastructure (OCI) based on a single map of objects. Dynamic groups have their members dynamically defined by rules. These rules enable principal actors other than human users as IAM policy grantees. Dynamic groups can be made of a variety of OCI resources, like Database instances, Compute Instances, Functions, to mention a few.

Check module specification for a full description of module requirements, supported variables, managed resources and outputs.

The module defines a single input variable named dynamic_groups_configuration, supporting the following attributes:

  • dynamic_groups: the map of objects that define the dynamic groups. Each object correspond to a dynamic group, with name, description, matching_rule, defined_tags and freeform_tags attributes. matching_rule is an expression that defines the principals assigned to the dynamic group resource.
  • default_defined_tags: defined tags to apply to all dynamic groups, unless overriden by defined_tags attribute within each dynamic group object.
  • default_freeform_tags: freeform tags to apply to all dynamic groups, unless overriden by freeform_tags attribute within each dynamic group object.

Check the examples folder for module usage. Specifically, see vision example for the dynamic groups deployed by OCI Base Landing Zone.

Requirements

Terraform Version >= 1.3.0

This module requires Terraform binary version 1.3.0 or greater, as it relies on Optional Object Type Attributes feature. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.

IAM Permissions

This module requires the following OCI IAM permission:

Allow group <group> to manage dynamic-groups in tenancy

How to Invoke the Module

Terraform modules can be invoked locally or remotely.

For invoking the module locally, just set the module source attribute to the module file path (relative path works). The following example assumes the module is two folders up in the file system.

module "dynamic-groups" {
  source = "../.."
  tenancy_id     = var.tenancy_id
  dynamic_groups_configuration = var.dynamic_groups_configuration
}

For invoking the module remotely, set the module source attribute to the dynamic-groups module folder in this repository, as shown:

module "dynamic-groups" {
  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/dynamic-groups"
  tenancy_id     = var.tenancy_id
  dynamic_groups_configuration = var.dynamic_groups_configuration
}

For referring to a specific module version, append ref=<version> to the source attribute value, as in:

  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//dynamic-groups?ref=v0.1.0"

Related Documentation

Known Issues

None.