Merge pull request #64 from Binsabbar/v2.9.0-dev

V2.9.0

modules/identity/README.md

@@ -71,7 +71,7 @@ locals {
 }
 
 module "IAM" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
   memberships = local.memberships
@@ -111,14 +111,14 @@ locals {
 }
 
 module "IAM" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
   memberships = local.memberships
 }
 
 module "idp_mapping" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
   identity_group_mapping = {
@@ -150,10 +150,23 @@ Service accounts are accounts that meant to used by machines. When a service acc
 
 ```h
 module "IAM" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
-  service_accounts = ["terraform-cli", "github-client"] # then using the service accout name, you can assign policy to the service account.
+  service_accounts = {
+    "terraform-cli" = { 
+      name = "terraform-cli", 
+      capabilities = {
+        api_keys = true
+      }
+    }, 
+    "github-client" = {
+      name = "github-client", 
+      capabilities = {
+        smtp_credentials = true
+      }
+    }
+  }
 }
 ```
 
@@ -188,7 +201,7 @@ locals {
 }
 
 module "top_level_compartments" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = local.tenant_id
 
@@ -210,7 +223,7 @@ module "top_level_compartments" {
 }
 
 module "child_compartments" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = local.tenant_id
 
@@ -233,7 +246,7 @@ Some policies must be attached to the tenancy itself, but not to a compartment.
 
 ```h
 module "tenancy_policies" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
   tenancy_policies = {
@@ -276,13 +289,26 @@ locals {
     ]
   }
 
-  service_accounts = ["terraform-cicd"]
+  service_accounts = {
+    "terraform-cli" = { 
+      name = "terraform-cli", 
+      capabilities = {
+        api_keys = true
+      }
+    }, 
+    "github-client" = {
+      name = "github-client", 
+      capabilities = {
+        smtp_credentials = true
+      }
+    }
+  }
 
   tenant_id = "oci.xxxxxxxxx.xxxxxx"
 }
 
 module "main_iam" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id        = local.tenant_id
   memberships      = local.memberships
@@ -312,7 +338,7 @@ module "main_iam" {
 }
 
 module "child_compartments" {
-  path = PATH_TO_MODULE
+  source = PATH_TO_MODULE
 
   tenant_id = local.tenant_id
 
@@ -328,4 +354,4 @@ module "child_compartments" {
     }
   }
 }
-```
+```

modules/identity/main.tf

@@ -18,7 +18,7 @@ locals {
   ])
 
   groups                  = [for group in keys(var.memberships) : oci_identity_group.groups[group]]
-  service_accounts_groups = [for sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa]]
+  service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa.name]]
 
   depends_on = concat(local.groups, local.service_accounts_groups)
 }
@@ -75,28 +75,41 @@ resource "oci_identity_user_group_membership" "user_group_membership" {
 # Service Accounts - to associate a policy with a service account, the
 # service account must belong to a group
 resource "oci_identity_user" "service_accounts" {
-  for_each = toset(var.service_accounts)
+  for_each = var.service_accounts
 
   compartment_id = var.tenant_id
-  description    = each.key
-  name           = each.key
+  description    = each.value.name
+  name           = each.value.name
 }
 
 resource "oci_identity_group" "service_accounts_groups" {
-  for_each = toset(var.service_accounts)
+  for_each = var.service_accounts
 
   compartment_id = var.tenant_id
-  description    = each.key
-  name           = each.key
+  description    = each.value.name
+  name           = each.value.name
 }
 
 resource "oci_identity_user_group_membership" "service_accounts_group_membership" {
-  for_each = toset(var.service_accounts)
+  for_each = var.service_accounts
 
-  group_id = oci_identity_group.service_accounts_groups[each.value].id
-  user_id  = oci_identity_user.service_accounts[each.value].id
+  group_id = oci_identity_group.service_accounts_groups[each.key].id
+  user_id  = oci_identity_user.service_accounts[each.key].id
 }
 
+resource "oci_identity_user_capabilities_management" "service_accounts_capabilities_management" {
+  for_each = var.service_accounts
+
+  user_id = oci_identity_user.service_accounts[each.key].id
+
+  can_use_api_keys             = lookup(each.value.capabilities, "api_keys", false)
+  can_use_auth_tokens          = lookup(each.value.capabilities, "auth_tokens", false)
+  can_use_console_password     = lookup(each.value.capabilities, "console_password", false)
+  can_use_customer_secret_keys = lookup(each.value.capabilities, "customer_secret_keys", false)
+  can_use_smtp_credentials     = lookup(each.value.capabilities, "smtp_credentials", false)
+}
+
+
 # Some policies have to be applied at the tenancy level so compartment_id must be the tenant_id
 resource "oci_identity_policy" "tenancy_policies" {
   for_each = var.tenancy_policies != null ? { (var.tenancy_policies.name) = var.tenancy_policies.policies } : {}

modules/identity/variables.tf

@@ -51,15 +51,33 @@ variable "memberships" {
   EOF
 }
 
+# Note this will completely changed in V3 of this module
 variable "service_accounts" {
-  type        = set(string)
-  default     = []
+  type    = map(object({ name = string, capabilities = map(bool) }))
+  default = {}
+
+  validation {
+    condition = alltrue(flatten([
+      for key, service_account in var.service_accounts : [
+        for capability in keys(service_account.capabilities) : contains(["api_keys", "auth_tokens", "console_password", "customer_secret_keys", "smtp_credentials"], capability)
+      ]
+    ]))
+    error_message = "The var.service_accounts.*.capabilities accepts \"api_keys\", \"auth_tokens\", \"console_password\", \"customer_secret_keys\", \"smtp_credentials\"."
+  }
+
   description = <<EOF
     This variable is optonal.
-    Set of service account users. A group with the same name of the service account
+    map of service account names. A group with the same name of the service account
     will be created and the service account will be added to it. This is because
     policy can only be applied to group. This way you can attach policy to the service
     account by using its name as group name.
+      name: name of the service account and its group
+      capabilities: map of bool to set service_account capabilities. Allowed values:
+        api_keys
+        auth_tokens
+        console_password
+        customer_secret_keys
+        smtp_credentials
   EOF
 }
 

releases.md

@@ -1,3 +1,36 @@
+# v2.9.0:
+## **New**
+* `identity`: add new argument `capabilities` in `var.service_accounts` variable.
+
+## **Fix**
+* Correct `path` argument by `source` argument to specify the module path in `identity` module usage examples in `README.md`.
+
+## _**Breaking Changes**_
+* `identity` modules input for `service_accounts` is updated. A new key `capabilities` is now required under `var.service_accounts.*`.
+  * Add `capabilities` and set its value to `{}`.
+
+from:
+>```h
+>module "identity" {
+>  ...
+>  service_accounts = toset(["terraform-cli"])
+>  ...
+>}
+>```
+to:
+>```h
+>module "identity" {
+>  ...
+>  service_accounts = {
+>    "terraform-cli" = { 
+>      name = "terraform-cli", 
+>      capabilities = {}
+>    }
+>  }
+>  ...
+>}
+```
+
 # v2.8.0:
 ## **New**
 * `instances`: add new argument `availability_config`. for VM migration during infrastructure maintenance events