Terraform on OCI create user, group, dynamic group and policies

Mastering Terraform on Oracle Cloud Infrastructure – Deep dive training

Terraform on OCI create user, group, dynamic group, attach users to group and policies

Here we need the following files in a working folder:

  1. terraform.tfvars
  2. main.tf
  3. outputs.tf

Folder Structure

It's important that the modules directory is reachable from our working folder usergrouppolicy; the module blocks below refer to it as ../modules/...

You can download terraform-oci-iam-master from GitHub

terraform.tfvars

You can take these variable values from our previous exercise. This file identifies the API signing key (user OCID, fingerprint and private key path), so keep it out of version control.

# OCI Authentication details
tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaa6vfq4yXXXpsdd6ahdouq"
compartment_ocid = "ocid1.compartment.oc1..aaaaaYYYYn6j4paqphq"
user_ocid        = "ocid1.user.oc1..aaaaaaaa7yvywjzq5XXXXjsf3s4mca"
fingerprint      = "e6:65:1d:3f:8f:94:c9:43:XX:9b:45:a1"
private_key_path = "/Users/madhusudhanrao/tf/keys/myopensslkey.pem"
region           = "us-ashburn-1"

main.tf

main.tf creates the following:

  1. Non-federated users [email protected] and [email protected]
  2. Group tf_my_group
  3. Dynamic group tf_my_dynamic_group
  4. Policy statement: Allow group tf_my_group to read instances in compartment Compartment-15Nov
  5. Policy statement: Allow group tf_my_group to inspect instances in compartment Compartment-15Nov
  6. Policy statement: Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov

// Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.

# Declared here and set in terraform.tfvars, so no API-key details live in main.tf
variable "tenancy_ocid" {}
variable "compartment_ocid" {}
variable "user_ocid" {}
variable "fingerprint" {}
variable "private_key_path" {}
variable "region" {}

provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}

# compartment_create = false: look up the existing Compartment-15Nov instead of creating it
module "iam_compartment" {
  source                  = "../modules/iam-compartment"
  #source                 = "oracle-terraform-modules/iam/oci//modules/iam-compartment"
  tenancy_ocid            = var.tenancy_ocid
  compartment_name        = "Compartment-15Nov"
  compartment_description = "compartment created by terraform"
  compartment_create      = false
}

module "iam_user1" {
  source           = "../modules/iam-user"
  tenancy_ocid     = var.tenancy_ocid
  user_name        = "[email protected]"
  user_description = "user3 created by terraform"
}

module "iam_user2" {
  source           = "../modules/iam-user"
  tenancy_ocid     = var.tenancy_ocid
  user_name        = "[email protected]"
  user_description = "user4 created by terraform"
}

# Group holding both users, plus a read-only policy scoped to a single compartment
module "iam_group" {
  source                = "../modules/iam-group"
  tenancy_ocid          = var.tenancy_ocid
  group_name            = "tf_my_group"
  group_description     = "group created by terraform"
  user_count            = 2
  user_ids              = [module.iam_user1.user_id, module.iam_user2.user_id]
  policy_compartment_id = module.iam_compartment.compartment_id
  policy_name           = "tf-my-policy"
  policy_description    = "policy created by terraform"
  policy_statements = [
    "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
    "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
  ]
}

# Dynamic group: members are the instances whose compartment matches the rule
module "iam_dynamic_group" {
  source                    = "../modules/iam-dynamic-group"
  tenancy_ocid              = var.tenancy_ocid
  dynamic_group_name        = "tf_my_dynamic_group"
  dynamic_group_description = "dynamic group created by terraform"
  dynamic_group_rule        = "instance.compartment.id = '${var.compartment_ocid}'"
  policy_compartment_id     = module.iam_compartment.compartment_id
  policy_name               = "tf-my-dynamic-policy"
  policy_description        = "dynamic policy created by terraform"
  policy_statements         = ["Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov"]
}
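The policy statements handed to the two modules above follow the OCI grammar "Allow <subject> to <verb> <resource-type> in <scope>", and OCI verbs nest as inspect < read < use < manage. The following linter is an added example, not code from this page or from the terraform-oci-iam modules; it parses that grammar, flags grants that are broader than the read-only, single-compartment pattern used here, and reports that the inspect statement for tf_my_group is already covered by its read statement. The check names and messages are my own.

```python
import re

# OCI verbs from weakest to strongest; each one includes the verbs before it.
VERBS = ["inspect", "read", "use", "manage"]

# Simplified OCI policy grammar, covering the forms used on this page (matched lower-cased):
#   allow <subject-type> [<name>] to <verb> <resource> in <tenancy|compartment <name>> [where <cond>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<subject>\S+))?\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope_type>tenancy|compartment)"
    r"(?:\s+(?P<scope>\S+))?(?:\s+where\s+(?P<condition>.+?))?\s*$"
)

def parse(statement):
    """Split one statement into its named parts; raise if it does not fit the grammar."""
    m = STATEMENT_RE.match(statement.strip().lower())
    if not m:
        raise ValueError(f"unparseable statement: {statement!r}")
    return m.groupdict()

def target(p):
    """Who gets access to what; two statements with equal targets differ only in verb or condition."""
    return (p["subject_type"], p["subject"], p["resource"], p["scope_type"], p["scope"])

def lint(statements):
    """Return (statement, finding) pairs for grants broader than they need to be."""
    parsed = [parse(s) for s in statements]
    findings = []
    for s, p in zip(statements, parsed):
        if p["subject_type"] == "any-user":
            findings.append((s, "grants to any-user; name a group or dynamic-group"))
        if p["verb"] == "manage" and not p["condition"]:
            findings.append((s, "unconditional manage allows create and delete"))
        if p["resource"] == "all-resources":
            findings.append((s, "all-resources covers every resource family"))
        if p["scope_type"] == "tenancy":
            findings.append((s, "tenancy-wide scope; prefer a compartment"))
        for q in parsed:  # a stronger unconditional verb on the same target makes p redundant
            if target(q) == target(p) and not q["condition"] and VERBS.index(q["verb"]) > VERBS.index(p["verb"]):
                findings.append((s, f"redundant: {q['verb']} already includes {p['verb']}"))
                break
    return findings

# Constructed input: the three statements main.tf above hands to the modules.
PAGE_STATEMENTS = [
    "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
    "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
    "Allow dynamic-group tf_my_dynamic_group to read instances in compartment Compartment-15Nov",
]
```

Running lint(PAGE_STATEMENTS) returns a single finding, for the inspect statement, while a statement such as "Allow group admins to manage all-resources in tenancy" is flagged three times.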

outputs.tf

output "compartment_name" {
  value = module.iam_compartment.compartment_name
}

output "compartment_id" {
  value = module.iam_compartment.compartment_id
}

output "iam_user1_name" {
  value = module.iam_user1.user_name
}

output "iam_user2_name" {
  value = module.iam_user2.user_name
}

output "iam_user1_id" {
  value = module.iam_user1.user_id
}

output "iam_user2_id" {
  value = module.iam_user2.user_id
}

output "iam_group_name" {
  value = module.iam_group.group_name
}

output "iam_dynamic_group_name" {
  value = module.iam_dynamic_group.dynamic_group_name
}

terraform init

- output omitted -

terraform plan

- output omitted -

terraform apply

In this run the users, the group, the dynamic group and the dynamic-group policy were already in the state file, so the plan only adds the group policy tf-my-policy.

[email protected] usergrouppolicy % terraform apply
module.iam_compartment.data.oci_identity_compartments.this[0]: Refreshing state... [id=IdentityCompartmentsDataSource-2015428497]
module.iam_group.oci_identity_group.this[0]: Refreshing state... [id=ocid1.group.oc1..XXX]
module.iam_user1.oci_identity_user.this[0]: Refreshing state... [id=ocid1.user.oc1..YYY]
module.iam_dynamic_group.oci_identity_dynamic_group.this[0]: Refreshing state... [id=ocid1.dynamicgroup.oc1..XXX]
module.iam_user2.oci_identity_user.this[0]: Refreshing state... [id=ocid1.user.oc1..ZZZ]
module.iam_dynamic_group.oci_identity_policy.this[0]: Refreshing state... [id=ocid1.policy.oc1..XXX]
module.iam_group.oci_identity_user_group_membership.this[1]: Refreshing state... [id=ocid1.groupmembership.oc1..YYYY]
module.iam_group.oci_identity_user_group_membership.this[0]: Refreshing state... [id=ocid1.groupmembership.oc1..XXXX]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.iam_group.oci_identity_policy.this[0] will be created
  + resource "oci_identity_policy" "this" {
      + ETag           = (known after apply)
      + compartment_id = "ocid1.compartment.oc1..aaaaaaaahb7s4w3larbXXXXbzx5nuauaa"
      + defined_tags   = (known after apply)
      + description    = "policy created by terraform"
      + freeform_tags  = (known after apply)
      + id             = (known after apply)
      + inactive_state = (known after apply)
      + lastUpdateETag = (known after apply)
      + name           = "tf-my-policy"
      + policyHash     = (known after apply)
      + state          = (known after apply)
      + statements     = [
          + "Allow group tf_my_group to read instances in compartment Compartment-15Nov",
          + "Allow group tf_my_group to inspect instances in compartment Compartment-15Nov",
        ]
      + time_created   = (known after apply)
      + version_date   = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.


Warning: Value for undeclared variable

The root module does not declare a variable named "compartment_ocid" but a
value was found in file "terraform.tfvars". To use this value, add a
"variable" block to the configuration.

Using a variables file to set an undeclared variable is deprecated and will
become an error in a future release. If you wish to provide certain "global"
settings to all configurations in your organization, use TF_VAR_...
environment variables to set these instead.


Warning: Interpolation-only expressions are deprecated

  on main.tf line 51, in module "iam_group":
  51:   user_ids              = ["${module.iam_user1.user_id}", "${module.iam_user2.user_id}"]

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 75 more similar warnings elsewhere) 
Warning: Quoted references are deprecated

  on ../modules/iam-dynamic-group/main.tf line 33, in resource "oci_identity_policy" "this":
  33:   depends_on     = ["oci_identity_dynamic_group.this"]

In this context, references are expected literally rather than in quotes.
Terraform 0.11 and earlier required quotes, but quoted references are now
deprecated and will be removed in a future version of Terraform. Remove the
quotes surrounding this reference to silence this warning.

(and one more similar warning elsewhere)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.iam_group.oci_identity_policy.this[0]: Creating...
module.iam_group.oci_identity_policy.this[0]: Creation complete after 3s [id=ocid1.policy.oc1..aaaaaaaaXXXXignkzeda]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

compartment_id = ocid1.compartment.oc1..aaaaaaaahb7s4w3XXXXX5nuauaa
compartment_name = Compartment-15Nov
iam_dynamic_group_name = tf_my_dynamic_group
iam_group_name = tf_my_group
iam_user1_id = ocid1.user.oc1..aaaaaaaarv6pjivXXXXrchgmtjrnuh3pq
iam_user1_name = [email protected]
iam_user2_id = ocid1.user.oc1..aaaaaaaakoi64XXXXnykznk7jrzsdadfra
iam_user2_name = [email protected]

Reality Check

Log in to the cloud console at https://console.us-ashburn-1.oraclecloud.com/ and you should see the new users, group, dynamic group and policies.

Users Created

Group Created

Group Policies

Dynamic Group

Dynamic Group Policies

All Policies listed

Clean up what was created.

[email protected] mytf-vnc % terraform destroy
- output omitted -