Merge branch 'v2.9.0-dev' into master
Binsabbar authored Nov 5, 2023
2 parents bde449f + eb9af67 commit 28455fc
Showing 4 changed files with 99 additions and 19 deletions.
30 changes: 28 additions & 2 deletions modules/identity/README.md
Expand Up @@ -153,7 +153,20 @@ module "IAM" {
source = PATH_TO_MODULE

tenant_id = "oci.xxxxxxxxx.xxxxxx"
service_accounts = ["terraform-cli", "github-client"] # then using the service accout name, you can assign policy to the service account.
service_accounts = {
"terraform-cli" = {
name = "terraform-cli",
capabilities = {
api_keys = true
}
},
"github-client" = {
name = "github-client",
capabilities = {
smtp_credentials = true
}
}
}
}
```

Expand Down Expand Up @@ -276,7 +289,20 @@ locals {
]
}

service_accounts = ["terraform-cicd"]
service_accounts = {
"terraform-cli" = {
name = "terraform-cli",
capabilities = {
api_keys = true
}
},
"github-client" = {
name = "github-client",
capabilities = {
smtp_credentials = true
}
}
}

tenant_id = "oci.xxxxxxxxx.xxxxxx"
}
33 changes: 23 additions & 10 deletions modules/identity/main.tf
Expand Up @@ -18,7 +18,7 @@ locals {
])

groups = [for group in keys(var.memberships) : oci_identity_group.groups[group]]
service_accounts_groups = [for sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa]]
service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa.name]]

depends_on = concat(local.groups, local.service_accounts_groups)
}
Expand Down Expand Up @@ -75,28 +75,41 @@ resource "oci_identity_user_group_membership" "user_group_membership" {
# Service Accounts - to associate a policy with a service account, the
# service account must belong to a group
resource "oci_identity_user" "service_accounts" {
for_each = toset(var.service_accounts)
for_each = var.service_accounts

compartment_id = var.tenant_id
description = each.key
name = each.key
description = each.value.name
name = each.value.name
}

resource "oci_identity_group" "service_accounts_groups" {
for_each = toset(var.service_accounts)
for_each = var.service_accounts

compartment_id = var.tenant_id
description = each.key
name = each.key
description = each.value.name
name = each.value.name
}

resource "oci_identity_user_group_membership" "service_accounts_group_membership" {
for_each = toset(var.service_accounts)
for_each = var.service_accounts

group_id = oci_identity_group.service_accounts_groups[each.value].id
user_id = oci_identity_user.service_accounts[each.value].id
group_id = oci_identity_group.service_accounts_groups[each.key].id
user_id = oci_identity_user.service_accounts[each.key].id
}

resource "oci_identity_user_capabilities_management" "service_accounts_capabilities_management" {
for_each = var.service_accounts

user_id = oci_identity_user.service_accounts[each.key].id

can_use_api_keys = lookup(each.value.capabilities, "api_keys", false)
can_use_auth_tokens = lookup(each.value.capabilities, "auth_tokens", false)
can_use_console_password = lookup(each.value.capabilities, "console_password", false)
can_use_customer_secret_keys = lookup(each.value.capabilities, "customer_secret_keys", false)
can_use_smtp_credentials = lookup(each.value.capabilities, "smtp_credentials", false)
}


# Some policies have to be applied at the tenancy level so compartment_id must be the tenant_id
resource "oci_identity_policy" "tenancy_policies" {
for_each = var.tenancy_policies != null ? { (var.tenancy_policies.name) = var.tenancy_policies.policies } : {}
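Review bot: The new local at `service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa.name]]` indexes the group resource by `sa.name`, but that resource is keyed by the map key (`for_each = var.service_accounts` on the group resource), so any entry whose key differs from its `name` fails with an invalid index at plan time; the membership resource below correctly uses `each.key`, and this line should too: `service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[key]]` (or simply `values(oci_identity_group.service_accounts_groups)`). The enclosing `locals` block starts outside this hunk. Separately, the `lookup(each.value.capabilities, "...", false)` arguments in `service_accounts_capabilities_management` mean every capability absent from the map is explicitly set to false, so `capabilities = {}` leaves the user with no credential type at all; that is a sound least-privilege default but deserves a comment above the resource, e.g. `# Any capability not listed in var.service_accounts.*.capabilities is explicitly disabled (least privilege), not left at its previous value.`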
24 changes: 21 additions & 3 deletions modules/identity/variables.tf
Expand Up @@ -51,15 +51,33 @@ variable "memberships" {
EOF
}

# Note this will completely changed in V3 of this module
variable "service_accounts" {
type = set(string)
default = []
type = map(object({ name = string, capabilities = map(bool) }))
default = {}

validation {
condition = alltrue(flatten([
for key, service_account in var.service_accounts : [
for capability in keys(service_account.capabilities) : contains(["api_keys", "auth_tokens", "console_password", "customer_secret_keys", "smtp_credentials"], capability)
]
]))
error_message = "The var.service_accounts.*.capabilities accepts \"api_keys\", \"auth_tokens\", \"console_password\", \"customer_secret_keys\", \"smtp_credentials\"."
}

description = <<EOF
This variable is optonal.
Set of service account users. A group with the same name of the service account
map of service account names. A group with the same name of the service account
will be created and the service account will be added to it. This is because
policy can only be applied to group. This way you can attach policy to the service
account by using its name as group name.
name: name of the service account and its group
capabilities: map of bool to set service_account capabilities. Allowed values:
api_keys
auth_tokens
console_password
customer_secret_keys
smtp_credentials
EOF
}

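Review bot: The description of `capabilities` does not say what happens to keys that are omitted, yet main.tf passes `false` for each of the five capabilities not present in the map, so the `capabilities = {}` migration shown in releases.md will disable API keys, auth tokens and every other credential type on an existing service account such as `terraform-cli`; the description should state this explicitly, e.g. `capabilities: map of bool; any capability not listed is set to false (disabled). An empty map disables all credential types for the user.` The validation only checks capability keys; since the OCI user and group are named from `name` while resources are keyed by the map key, two entries with different keys but the same `name` would presumably collide in OCI, which a second validation could catch with `condition = length(distinct([for sa in var.service_accounts : sa.name])) == length(var.service_accounts)` and an error message such as `"Each var.service_accounts.*.name must be unique."`. The map key and `name` are also always identical in every example on this page, so the description could say whether callers are expected to keep them equal.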
31 changes: 27 additions & 4 deletions releases.md
@@ -1,12 +1,35 @@
# v2.8.1:
# v2.9.0:
## **New**
None
* `identity`: add new argument `capabilities` in `var.service_accounts` variable.

## **Fix**
* Correct `path` argument by `source` argument to specify the module path in `identity` module usage examples in `README.md`.

## _**Breaking Changes**_
None
* `identity` modules input for `service_accounts` is updated. A new key `capabilities` is now required under `var.service_accounts.*`.
* Add `capabilities` and set its value to `{}`.

from:
>```h
>module "identity" {
> ...
> service_accounts = toset(["terraform-cli"])
> ...
>}
>```
to:
>```h
>module "identity" {
> ...
> service_accounts = {
> "terraform-cli" = {
> name = "terraform-cli",
> capabilities = {}
> }
> }
> ...
>}
```
# v2.8.0:
## **New**
