identity-domain-user-resources.tf
# RSA-4096 key pair backing the AGCS user's API key. Only the public half is
# uploaded (see oci_identity_api_key.upload_api_key below); the private half is
# recorded in Terraform state like any other attribute, so the state backend
# needs restricted access and encryption at rest.
# Skipped when an existing AGCS user is reused (var.use_existing_agcs_user).
resource "tls_private_key" "private_keys" {
  count = var.use_existing_agcs_user ? 0 : 1

  rsa_bits  = 4096
  algorithm = "RSA"
}
# Local IAM user that AGCS authenticates as. Not created when the caller
# supplies an existing user (var.use_existing_agcs_user = true).
resource "oci_identity_user" "agcs_user" {
  count = var.use_existing_agcs_user ? 0 : 1

  name        = var.agcs_user_name
  email       = var.agcs_user_email
  description = "Local User for AGCS access"
  # Created at the tenancy root (the tenancy OCID is passed as the compartment).
  compartment_id = var.tenancy_ocid
  freeform_tags  = { "AGCS" = "true" }

  # Explicit ordering only: neither the key pair nor the identity-domain lookup
  # is referenced by an attribute of this resource.
  depends_on = [
    tls_private_key.private_keys,
    data.oci_identity_domains.ag_user_domain_data,
  ]
}
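# AGCS User Capabilities
# Least-privilege credential set for the AGCS user: only API-key (request
# signature) authentication is enabled; console password, auth tokens,
# customer secret keys and SMTP credentials are all disabled.
resource "oci_identity_user_capabilities_management" "agcs_user_capabilities_management" {
  count = var.use_existing_agcs_user ? 0 : 1

  user_id = oci_identity_user.agcs_user[count.index].id

  # Native booleans rather than the quoted "true"/"false" strings the block
  # previously used; the provider attributes are boolean and the strings were
  # only accepted through HCL's implicit string-to-bool conversion.
  can_use_api_keys             = true
  can_use_auth_tokens          = false
  can_use_console_password     = false
  can_use_customer_secret_keys = false
  can_use_smtp_credentials     = false

  # Redundant with the user_id reference above, kept to match the sibling
  # resources in this file.
  depends_on = [oci_identity_user.agcs_user]
}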
# Registers the generated key pair's PUBLIC key on the AGCS user so requests
# signed with the matching private key are accepted. The private key itself
# never leaves Terraform.
resource "oci_identity_api_key" "upload_api_key" {
  count = var.use_existing_agcs_user ? 0 : 1

  user_id   = oci_identity_user.agcs_user[count.index].id
  key_value = tls_private_key.private_keys[count.index].public_key_pem

  depends_on = [oci_identity_user.agcs_user]
}
# Group that carries the AGCS policy; the AGCS user is added to it in
# oci_identity_user_group_membership.agcs_user_to_agcs_group.
resource "oci_identity_group" "agcs_group" {
  count = var.use_existing_agcs_user ? 0 : 1

  name        = var.agcs_user_group_display_name
  description = "AGCS Users"
  # NOTE(review): local.agcs_tenancy is used here while the user above uses
  # var.tenancy_ocid — presumably the same value; confirm in locals.
  compartment_id = local.agcs_tenancy
  freeform_tags  = { "AGCS" = "true" }

  # Ordering only; this resource has no attribute reference to the user.
  depends_on = [oci_identity_user.agcs_user]
}
# Tenancy-wide, read-only grants for the AGCS group: inspect all resources,
# read policies and read domains. No write verbs are granted. The group is
# addressed as "<identity domain display name>/<group name>".
resource "oci_identity_policy" "ag-access-policy" {
  count = var.use_existing_agcs_user ? 0 : 1

  name        = "${oci_identity_group.agcs_group[count.index].name}_policies"
  description = "AGCS User Policies"

  # NOTE(review): domains[0] assumes the identity-domain lookup returned at
  # least one domain; an empty result would fail at plan time — confirm the
  # data source's filter guarantees a match.
  statements = [
    "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to inspect all-resources IN TENANCY",
    "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to read policies IN TENANCY",
    "Allow GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to read domains IN TENANCY",
  ]

  compartment_id = local.agcs_tenancy
  freeform_tags  = { "AGCS" = "true" }

  depends_on = [
    oci_identity_group.agcs_group,
    data.oci_identity_domains.ag_user_domain_data,
  ]
}
# Puts the AGCS user into the AGCS group, which is what actually confers the
# policy grants on the user.
resource "oci_identity_user_group_membership" "agcs_user_to_agcs_group" {
  count = var.use_existing_agcs_user ? 0 : 1

  user_id  = oci_identity_user.agcs_user[count.index].id
  group_id = oci_identity_group.agcs_group[count.index].id

  # Membership is deliberately created only after the policy exists, so the
  # user never belongs to a group whose grants are not yet in place.
  depends_on = [oci_identity_policy.ag-access-policy]
}