Mastering Terraform on Oracle Cloud Infrastructure – Deep dive training
Table of Content
- Terraform setting up variables
- Creating a Compartment on OCI
- Creating an Instance with existing Network
- Creating an Instance with Network
- Create Non Federated User
- Create user, group, dynamic group, attach users to group and policies
- Create Highly Scalable Cluster on OCI
- Create Load Balancer on OCI
- Author : Madhusudhan Rao
Creating a Federated User
Terraform on OCI: create user, group, dynamic group, attach users to group and policies
Here we need the following files in the working folder:
- terraform.tfvars
- main.tf
- outputs.tf
Folder Structure
It's important to have the modules directory next to our working folder usergrouppolicy (main.tf references it as ../modules).
You can download terraform-oci-iam-master from GitHub.
terraform.tfvars
You can get these variable values from our previous exercise.
```hcl
# OCI Authentication details
tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaa6vfq4yXXXpsdd6ahdouq"
compartment_ocid = "ocid1.compartment.oc1..aaaaaYYYYn6j4paqphq"
user_ocid        = "ocid1.user.oc1..aaaaaaaa7yvywjzq5XXXXjsf3s4mca"
fingerprint      = "e6:65:1d:3f:8f:94:c9:43:XX:9b:45:a1"
private_key_path = "/Users/madhusudhanrao/tf/keys/myopensslkey.pem"
region           = "us-ashburn-1"
```
main.tf
Create the following:
- Non-federated users [email protected] and [email protected]
- Group tf_my_group
- Dynamic group tf_my_dynamic_group
- Attach policy: Allow group tf_my_group to read instances in compartment Compartment-15Nov
- Attach policy: Allow group tf_my_group to inspect instances in compartment Compartment-15Nov
- Attach policy: Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov
```hcl
// Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.

variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}

# Provider authentication (values are hardcoded here, so terraform.tfvars is not used for them)
provider "oci" {
  tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaa6vXXXqpsdd6ahdouq"
  user_ocid        = "ocid1.user.oc1..aaaaaaaa7yYYYnbuxjsf3s4mca"
  fingerprint      = "e6:65:1d:3f:8f:XX:9c:9b:45:a1"
  private_key_path = "/Users/madhusudhanrao/tf/keys/myopensslkey.pem"
  region           = "us-ashburn-1"
}

# Look up the existing compartment (compartment_create = false means no compartment is created)
module "iam_compartment" {
  source = "../modules/iam-compartment"
  #source = "oracle-terraform-modules/iam/oci//modules/iam-compartment"
  tenancy_ocid            = "ocid1.tenancy.oc1..aaaaaaaa6vfq4yXXXsdd6ahdouq"
  compartment_name        = "Compartment-15Nov"
  compartment_description = "compartment created by terraform"
  compartment_create      = false
}

# Two non-federated IAM users
module "iam_user1" {
  source           = "../modules/iam-user"
  tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaa6vfYYYY5vjqpsdd6ahdouq"
  user_name        = "[email protected]"
  user_description = "user3 created by terraform"
}

module "iam_user2" {
  source           = "../modules/iam-user"
  tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaa6vfq4XXXXXsdd6ahdouq"
  user_name        = "[email protected]"
  user_description = "user4 created by terraform"
}

# Group, its two members, and the policy granting the group read/inspect on instances
module "iam_group" {
  source                = "../modules/iam-group"
  tenancy_ocid          = "ocid1.tenancy.oc1..aaaaaaaa6vfq4yiXXXXXdd6ahdouq"
  group_name            = "tf_my_group"
  group_description     = "group created by terraform"
  user_count            = 2
  user_ids              = ["${module.iam_user1.user_id}", "${module.iam_user2.user_id}"]
  policy_compartment_id = "ocid1.compartment.oc1..aaaaaaaahbXXXXXwbzx5nuauaa"
  policy_name           = "tf-my-policy"
  policy_description    = "policy created by terraform"
  policy_statements     = [
    "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
    "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
  ]
}

# Dynamic group matching instances in the compartment, and its read-only policy
module "iam_dynamic_group" {
  source                    = "../modules/iam-dynamic-group"
  tenancy_ocid              = "ocid1.tenancy.oc1..aaaaaaaa6vfq4yiXXXXXpsdd6ahdouq"
  dynamic_group_name        = "tf_my_dynamic_group"
  dynamic_group_description = "dynamic group created by terraform"
  dynamic_group_rule        = "instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaatcXXXXX6j4paqphq'"
  policy_compartment_id     = "ocid1.compartment.oc1..aaaaaaaahb7s4w3larbd2u7ryp5o634ts5jhbduqjaexkqukwwbzx5nuauaa"
  policy_name               = "tf-my-dynamic-policy"
  policy_description        = "dynamic policy created by terraform"
  policy_statements         = ["Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov"]
}
```
outputs.tf
```hcl
output "compartment_name" {
  value = "${module.iam_compartment.compartment_name}"
}

output "compartment_id" {
  value = "${module.iam_compartment.compartment_id}"
}

output "iam_user1_name" {
  value = "${module.iam_user1.user_name}"
}

output "iam_user2_name" {
  value = "${module.iam_user2.user_name}"
}

output "iam_user1_id" {
  value = "${module.iam_user1.user_id}"
}

output "iam_user2_id" {
  value = "${module.iam_user2.user_id}"
}

output "iam_group_name" {
  value = "${module.iam_group.group_name}"
}

output "iam_dynamic_group_name" {
  value = "${module.iam_dynamic_group.dynamic_group_name}"
}
```
terraform init
- statements ignored -
terraform plan
- statement ignored -
terraform apply
```
[email protected] usergrouppolicy % terraform apply
module.iam_compartment.data.oci_identity_compartments.this[0]: Refreshing state... [id=IdentityCompartmentsDataSource-2015428497]
module.iam_group.oci_identity_group.this[0]: Refreshing state... [id=ocid1.group.oc1..XXX]
module.iam_user1.oci_identity_user.this[0]: Refreshing state... [id=ocid1.user.oc1..YYY]
module.iam_dynamic_group.oci_identity_dynamic_group.this[0]: Refreshing state... [id=ocid1.dynamicgroup.oc1..XXX]
module.iam_user2.oci_identity_user.this[0]: Refreshing state... [id=ocid1.user.oc1..ZZZ]
module.iam_dynamic_group.oci_identity_policy.this[0]: Refreshing state... [id=ocid1.policy.oc1..XXX]
module.iam_group.oci_identity_user_group_membership.this[1]: Refreshing state... [id=ocid1.groupmembership.oc1..YYYY]
module.iam_group.oci_identity_user_group_membership.this[0]: Refreshing state... [id=ocid1.groupmembership.oc1..XXXX]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.iam_group.oci_identity_policy.this[0] will be created
  + resource "oci_identity_policy" "this" {
      + ETag           = (known after apply)
      + compartment_id = "ocid1.compartment.oc1..aaaaaaaahb7s4w3larbXXXXbzx5nuauaa"
      + defined_tags   = (known after apply)
      + description    = "policy created by terraform"
      + freeform_tags  = (known after apply)
      + id             = (known after apply)
      + inactive_state = (known after apply)
      + lastUpdateETag = (known after apply)
      + name           = "tf-my-policy"
      + policyHash     = (known after apply)
      + state          = (known after apply)
      + statements     = [
          + "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
          + "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
        ]
      + time_created   = (known after apply)
      + version_date   = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Value for undeclared variable

The root module does not declare a variable named "compartment_ocid" but a value
was found in file "terraform.tfvars". To use this value, add a "variable" block
to the configuration.

Using a variables file to set an undeclared variable is deprecated and will
become an error in a future release. If you wish to provide certain "global"
settings to all configurations in your organization, use TF_VAR_...
environment variables to set these instead.

Warning: Interpolation-only expressions are deprecated

  on main.tf line 51, in module "iam_group":
  51:   user_ids = ["${module.iam_user1.user_id}", "${module.iam_user2.user_id}"]

Terraform 0.11 and earlier required all non-constant expressions to be provided
via interpolation syntax, but this pattern is now deprecated. To silence this
warning, remove the "${ sequence from the start and the }" sequence from the
end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 75 more similar warnings elsewhere)

Warning: Quoted references are deprecated

  on ../modules/iam-dynamic-group/main.tf line 33, in resource "oci_identity_policy" "this":
  33:   depends_on = ["oci_identity_dynamic_group.this"]

In this context, references are expected literally rather than in quotes.
Terraform 0.11 and earlier required quotes, but quoted references are now
deprecated and will be removed in a future version of Terraform. Remove the
quotes surrounding this reference to silence this warning.

(and one more similar warning elsewhere)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.iam_group.oci_identity_policy.this[0]: Creating...
module.iam_group.oci_identity_policy.this[0]: Creation complete after 3s [id=ocid1.policy.oc1..aaaaaaaaXXXXignkzeda]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

compartment_id = ocid1.compartment.oc1..aaaaaaaahb7s4w3XXXXX5nuauaa
compartment_name = Compartment-15Nov
iam_dynamic_group_name = tf_my_dynamic_group
iam_group_name = tf_my_group
iam_user1_id = ocid1.user.oc1..aaaaaaaarv6pjivXXXXrchgmtjrnuh3pq
iam_user1_name = [email protected]
iam_user2_id = ocid1.user.oc1..aaaaaaaakoi64XXXXnykznk7jrzsdadfra
iam_user2_name = [email protected]
```
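The three warnings in the apply output each point at a concrete fix: declare `compartment_ocid` as a variable, drop the `"${...}"` wrapper around expressions that are nothing but a single reference, and remove the quotes from the `depends_on` entry in ../modules/iam-dynamic-group/main.tf (`depends_on = [oci_identity_dynamic_group.this]`). The main.tf below is an added example, not the post's file and not code from the terraform-oci-iam modules. It applies the first two fixes in the root module, reads the provider credentials from variables so that no OCIDs or key paths are hardcoded next to the module calls, and adds a least-privilege guardrail: the plan fails if a group policy statement grants anything beyond `inspect` or `read` on a named compartment. It assumes Terraform 0.13 or later (for `validation` blocks and `alltrue`), the same ../modules tree the post uses, and introduces a `policy_compartment_ocid` variable and placeholder user names in place of the post's values.

```hcl
# Added example: root module using variables only (no hardcoded credentials) and Terraform 0.12+ syntax.
variable "tenancy_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}
variable "compartment_ocid" {}        # declared, so the terraform.tfvars value no longer triggers the "undeclared variable" warning
variable "policy_compartment_ocid" {} # assumption: the compartment that holds the policies, separate from the instance compartment

# Guardrail: group policies may only grant inspect/read on a single named compartment.
# Anything broader (manage, use, "in tenancy") fails validation before a plan is produced.
variable "group_policy_statements" {
  type = list(string)
  default = [
    "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
    "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
  ]
  validation {
    condition = alltrue([
      for s in var.group_policy_statements :
      can(regex("^Allow (group|dynamic-group) [A-Za-z0-9_.-]+ to (inspect|read) [a-z-]+ in compartment [A-Za-z0-9_.-]+$", s))
    ])
    error_message = "Policy statements must grant only inspect or read, scoped to a named compartment."
  }
}

provider "oci" {
  tenancy_ocid     = var.tenancy_ocid # all five values come from terraform.tfvars or TF_VAR_* environment variables
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}

module "iam_compartment" {
  source                  = "../modules/iam-compartment"
  tenancy_ocid            = var.tenancy_ocid
  compartment_name        = "Compartment-15Nov"
  compartment_description = "compartment created by terraform"
  compartment_create      = false # look up the existing compartment instead of creating one
}

module "iam_user1" {
  source           = "../modules/iam-user"
  tenancy_ocid     = var.tenancy_ocid
  user_name        = "user3@example.com" # placeholder, not the post's user name
  user_description = "user3 created by terraform"
}

module "iam_user2" {
  source           = "../modules/iam-user"
  tenancy_ocid     = var.tenancy_ocid
  user_name        = "user4@example.com" # placeholder, not the post's user name
  user_description = "user4 created by terraform"
}

module "iam_group" {
  source                = "../modules/iam-group"
  tenancy_ocid          = var.tenancy_ocid
  group_name            = "tf_my_group"
  group_description     = "group created by terraform"
  user_count            = 2
  user_ids              = [module.iam_user1.user_id, module.iam_user2.user_id] # bare references, no "${...}" wrapper
  policy_compartment_id = var.policy_compartment_ocid
  policy_name           = "tf-my-policy"
  policy_description    = "policy created by terraform"
  policy_statements     = var.group_policy_statements # validated above
}

module "iam_dynamic_group" {
  source                    = "../modules/iam-dynamic-group"
  tenancy_ocid              = var.tenancy_ocid
  dynamic_group_name        = "tf_my_dynamic_group"
  dynamic_group_description = "dynamic group created by terraform"
  # A genuine template (literal text around one interpolation) is still correct 0.12+ syntax.
  dynamic_group_rule        = "instance.compartment.id = '${var.compartment_ocid}'"
  policy_compartment_id     = var.policy_compartment_ocid
  policy_name               = "tf-my-dynamic-policy"
  policy_description        = "dynamic policy created by terraform"
  policy_statements         = ["Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov"]
}
```

With this layout terraform.tfvars is the only place credentials and OCIDs live, so it can be kept out of version control while main.tf is committed. To see the guardrail work, change one statement to `to manage instances in tenancy` and run `terraform plan`: validation rejects it with the error message above before any API call is made.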
Reality Check
Log in to the cloud console at https://console.us-ashburn-1.oraclecloud.com/ and you should see the new users, group, dynamic group and policies.
Users Created
Group Created
Group Policies
Dynamic Group
Dynamic Group Policies
All Policies listed
Clean up what was created.
[email protected] mytf-vnc % terraform destroy - ignored -