diff --git a/module-iam.tf b/module-iam.tf index 3cf61c96..02c19c6a 100644 --- a/module-iam.tf +++ b/module-iam.tf @@ -55,7 +55,8 @@ module "iam" { source = "./modules/iam" compartment_id = local.compartment_id state_id = local.state_id - tenancy_id = local.tenancy_id + tenancy_id = local.iam_compartment_id + identity_domain_name = local.identity_domain_name cluster_id = local.cluster_id create_iam_resources = var.create_iam_resources create_iam_autoscaler_policy = local.create_iam_autoscaler_policy diff --git a/modules/iam/data-common.tf b/modules/iam/data-common.tf new file mode 100644 index 00000000..40ffb6fe --- /dev/null +++ b/modules/iam/data-common.tf @@ -0,0 +1,26 @@ +# Copyright (c) 2022, 2023 Oracle Corporation and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +locals { + identity_domain_name = coalesce(var.identity_domain_name, "Default" ) + isDefaultIdentityDomain = local.identity_domain_name == "Default" ? true : false +} + +data "oci_identity_domains" "domains" { + count = local.isDefaultIdentityDomain ? 0 : 1 + + #Required + compartment_id = var.tenancy_id # dynamic groups exist in the parent compartment. + + #Optional + display_name = var.identity_domain_name + #home_region_url = var.domain_home_region_url ## TODO: provide the home region + #is_hidden_on_login = var.domain_is_hidden_on_login + #license_type = var.domain_license_type + #name = var.domain_name + #state = var.domain_state + #type = var.domain_type + #url = var.domain_url + + provider = oci.home +} diff --git a/modules/iam/group-autoscaling.tf b/modules/iam/group-autoscaling.tf index 22016e92..f18ea259 100644 --- a/modules/iam/group-autoscaling.tf +++ b/modules/iam/group-autoscaling.tf 
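Review bot: `tenancy_id = local.iam_compartment_id` feeds a value that is no longer necessarily the tenancy OCID into a module input still named `tenancy_id`, while the legacy `oci_identity_dynamic_group` resources in modules/iam/group-*.tf keep using that same input as `compartment_id` under the comment "dynamic groups exist in root compartment (tenancy)". If an operator sets `iam_compartment_id` to a child compartment but stays on the Default domain, those resources are created against a non-tenancy compartment; as far as I recall the legacy dynamic-group API accepts only the tenancy there, so this surfaces at apply time rather than at plan time. I would keep `tenancy_id = local.tenancy_id`, add a dedicated module input `iam_compartment_id = local.iam_compartment_id` (with a matching `variable "iam_compartment_id" { type = string }` in modules/iam/variables.tf), and have only the `oci_identity_domains` lookup in data-common.tf read `var.iam_compartment_id`. The module block continues outside the hunk.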
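Review bot: Nothing guards the result of `data "oci_identity_domains" "domains"`: the group-*.tf resources index `.domains[0]["url"]`, so a misspelled `identity_domain_name` (or a domain that lives in a different compartment) shows up as an index-out-of-range error on an unrelated resource instead of a message naming the domain. If the project's required Terraform version allows data-source postconditions, an assertion on the lookup itself gives the operator a clear failure and also rejects an ambiguous match. Separately, `isDefaultIdentityDomain` is the only camelCase local in the module and `? true : false` is redundant; `is_default_identity_domain = local.identity_domain_name == "Default"` matches the surrounding style. The inline comment on `compartment_id` talks about dynamic groups although this block lists identity domains; `# identity domains are looked up in the parent (IAM) compartment` reads more accurately.
```hcl
data "oci_identity_domains" "domains" {
  count = local.isDefaultIdentityDomain ? 0 : 1
  # … unchanged: compartment_id, display_name, provider …

  lifecycle {
    postcondition {
      condition     = length(self.domains) == 1
      error_message = "Expected exactly one identity domain matching var.identity_domain_name in the IAM compartment."
    }
  }
}
```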
@@ -15,26 +15,26 @@ locals { ])) : local.autoscaler_compartment_rule autoscaler_templates = [ - "Allow dynamic-group %v to manage cluster-node-pools in compartment id %v", - "Allow dynamic-group %v to manage compute-management-family in compartment id %v", - "Allow dynamic-group %v to manage instance-family in compartment id %v", - "Allow dynamic-group %v to manage volume-family in compartment id %v", - "Allow dynamic-group %v to use subnets in compartment id %v", - "Allow dynamic-group %v to read virtual-network-family in compartment id %v", - "Allow dynamic-group %v to use vnics in compartment id %v", - "Allow dynamic-group %v to inspect compartments in compartment id %v", + "Allow dynamic-group '%v'/'%v' to manage cluster-node-pools in compartment id %v", + "Allow dynamic-group '%v'/'%v' to manage compute-management-family in compartment id %v", + "Allow dynamic-group '%v'/'%v' to manage instance-family in compartment id %v", + "Allow dynamic-group '%v'/'%v' to manage volume-family in compartment id %v", + "Allow dynamic-group '%v'/'%v' to use subnets in compartment id %v", + "Allow dynamic-group '%v'/'%v' to read virtual-network-family in compartment id %v", + "Allow dynamic-group '%v'/'%v' to use vnics in compartment id %v", + "Allow dynamic-group '%v'/'%v' to inspect compartments in compartment id %v", ] autoscaler_policy_statements = var.create_iam_autoscaler_policy ? tolist([ for statement in local.autoscaler_templates : formatlist(statement, - local.autoscaler_group_name, local.worker_compartments, + local.identity_domain_name, local.autoscaler_group_name, local.worker_compartments, ) ]) : [] } resource "oci_identity_dynamic_group" "autoscaling" { provider = oci.home - count = var.create_iam_resources && var.create_iam_autoscaler_policy ? 1 : 0 + count = var.create_iam_resources && var.create_iam_autoscaler_policy && local.isDefaultIdentityDomain ? 
1 : 0 compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy) description = format("Dynamic group of cluster autoscaler-capable worker nodes for OKE Terraform state %v", var.state_id) matching_rule = local.autoscaler_group_rules @@ -45,3 +45,18 @@ resource "oci_identity_dynamic_group" "autoscaling" { ignore_changes = [defined_tags, freeform_tags] } } + +resource "oci_identity_domains_dynamic_resource_group" "autoscaling" { + provider = oci.home + count = var.create_iam_resources && var.create_iam_autoscaler_policy && !local.isDefaultIdentityDomain ? 1 : 0 + #Optional + description = format("Dynamic group of cluster autoscaler-capable worker nodes for OKE Terraform state %v", var.state_id) + #Required + matching_rule = local.autoscaler_group_rules + display_name = local.autoscaler_group_name + idcs_endpoint = data.oci_identity_domains.domains[0].domains[0]["url"] + schemas = [ + "urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup", + "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags" + ] +} diff --git a/modules/iam/group-cluster.tf b/modules/iam/group-cluster.tf index 99211069..80fb1f06 100644 --- a/modules/iam/group-cluster.tf +++ b/modules/iam/group-cluster.tf 
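Review bot: `idcs_endpoint = data.oci_identity_domains.domains[0].domains[0]["url"]` is repeated verbatim in this new resource and in the matching additions to group-cluster.tf, group-operator.tf and group-workers.tf; hoisting it into one local in data-common.tf, e.g. `identity_domain_url = local.isDefaultIdentityDomain ? null : data.oci_identity_domains.domains[0].domains[0]["url"]`, and writing `idcs_endpoint = local.identity_domain_url` in all four keeps the lookup in a single place. The `#Optional` / `#Required` markers above `description` and `matching_rule` look copied from a provider example: `display_name`, `idcs_endpoint` and `schemas` are, I believe, required as well, so the markers mislead more than they help and can go. The new resource also lacks the `lifecycle { ignore_changes = [defined_tags, freeform_tags] }` that the legacy `oci_identity_dynamic_group` beside it carries; with the OCITags schema enabled, tags applied by default tag namespaces may appear as drift, so it is worth checking the module's tagging behaviour before deciding whether the same exemption is needed here.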
@@ -12,14 +12,14 @@ locals { # Cluster secrets encryption using OCI Key Management System (KMS) cluster_policy_statements = coalesce(var.cluster_kms_key_id, "none") != "none" ? tolist([format( - "Allow dynamic-group %v to use keys in compartment id %v where target.key.id = '%v'", - local.cluster_group_name, var.compartment_id, var.cluster_kms_key_id, + "Allow dynamic-group '%v'/'%v' to use keys in compartment id %v where target.key.id = '%v'", + local.identity_domain_name, local.cluster_group_name, var.compartment_id, var.cluster_kms_key_id, )]) : [] } resource "oci_identity_dynamic_group" "cluster" { provider = oci.home - count = var.create_iam_resources && var.create_iam_kms_policy ? 1 : 0 + count = var.create_iam_resources && var.create_iam_kms_policy && local.isDefaultIdentityDomain ? 1 : 0 compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy) description = format("Dynamic group with cluster for OKE Terraform state %v", var.state_id) matching_rule = local.cluster_rule @@ -30,3 +30,18 @@ resource "oci_identity_dynamic_group" "cluster" { ignore_changes = [defined_tags, freeform_tags] } } + +resource "oci_identity_domains_dynamic_resource_group" "cluster" { + provider = oci.home + count = var.create_iam_resources && var.create_iam_kms_policy && !local.isDefaultIdentityDomain ? 1 : 0 + #Optional + description = format("Dynamic group with cluster for OKE Terraform state %v", var.state_id) + #Required + matching_rule = local.cluster_rule + display_name = local.cluster_group_name + idcs_endpoint = data.oci_identity_domains.domains[0].domains[0]["url"] + schemas = [ + "urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup", + "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags" + ] +} diff --git a/modules/iam/group-operator.tf b/modules/iam/group-operator.tf index 865e2596..0b58843d 100644 --- a/modules/iam/group-operator.tf +++ b/modules/iam/group-operator.tf 
@@ -9,8 +9,8 @@ locals { ])) : "ALL {instance.compartment.id = '${var.compartment_id}'}" cluster_manage_statement = format( - "Allow dynamic-group %v to MANAGE clusters in compartment id %v", - local.operator_group_name, var.compartment_id, + "Allow dynamic-group '%v'/'%v' to MANAGE clusters in compartment id %v", + local.identity_domain_name ,local.operator_group_name, var.compartment_id, ) # TODO support keys defined at worker group level @@ -33,7 +33,7 @@ locals { resource "oci_identity_dynamic_group" "operator" { provider = oci.home - count = var.create_iam_resources && var.create_iam_operator_policy ? 1 : 0 + count = var.create_iam_resources && var.create_iam_operator_policy && local.isDefaultIdentityDomain ? 1 : 0 compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy) description = format("Dynamic group of operator instance(s) for OKE Terraform state %v", var.state_id) matching_rule = local.operator_group_rules @@ -44,3 +44,18 @@ resource "oci_identity_dynamic_group" "operator" { ignore_changes = [defined_tags, freeform_tags] } } + +resource "oci_identity_domains_dynamic_resource_group" "operator" { + provider = oci.home + count = var.create_iam_resources && var.create_iam_operator_policy && !local.isDefaultIdentityDomain ? 1 : 0 + #Optional + description = format("Dynamic group of operator instance(s) for OKE Terraform state %v", var.state_id) + #Required + matching_rule = local.operator_group_rules + display_name = local.operator_group_name + idcs_endpoint = data.oci_identity_domains.domains[0].domains[0]["url"] + schemas = [ + "urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup", + "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags" + ] +} diff --git a/modules/iam/group-workers.tf b/modules/iam/group-workers.tf index 629fc574..cf8c2bb5 100644 --- a/modules/iam/group-workers.tf +++ b/modules/iam/group-workers.tf 
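Review bot: The argument list in `cluster_manage_statement` is spaced as `local.identity_domain_name ,local.operator_group_name,`, unlike every other file in this change, which writes `local.identity_domain_name, local.operator_group_name,`; this looks like an editing leftover and is worth aligning with the rest. The new `oci_identity_domains_dynamic_resource_group` "operator" block is otherwise a copy of the one in group-autoscaling.tf, including the direct `data.oci_identity_domains.domains[0].domains[0]["url"]` index, so the remark about hoisting that endpoint into a shared local applies here as well.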
@@ -18,15 +18,15 @@ locals { ]))) cluster_join_statements = formatlist( - "Allow dynamic-group %v to {CLUSTER_JOIN} in compartment id %v where %v", - local.worker_group_name, local.worker_compartments, local.cluster_join_where_clause + "Allow dynamic-group '%v'/'%v' to {CLUSTER_JOIN} in compartment id %v where %v", + local.identity_domain_name, local.worker_group_name, local.worker_compartments, local.cluster_join_where_clause ) # TODO support keys defined at worker group level worker_kms_volume_templates = tolist([ "Allow service oke to USE key-delegates in compartment id %v where target.key.id = '%v'", "Allow service blockstorage to USE keys in compartment id %v where target.key.id = '%v'", - "Allow dynamic-group ${local.worker_group_name} to USE key-delegates in compartment id %v where target.key.id = '%v'" + "Allow dynamic-group '${local.identity_domain_name}'/'${local.worker_group_name}' to USE key-delegates in compartment id %v where target.key.id = '%v'" ]) # Block volume encryption using OCI Key Management System (KMS) @@ -43,7 +43,7 @@ locals { resource "oci_identity_dynamic_group" "workers" { provider = oci.home - count = var.create_iam_resources && var.create_iam_worker_policy ? 1 : 0 + count = var.create_iam_resources && var.create_iam_worker_policy && local.isDefaultIdentityDomain ? 1 : 0 compartment_id = var.tenancy_id # dynamic groups exist in root compartment (tenancy) description = format("Dynamic group of self-managed worker nodes for OKE Terraform state %v", var.state_id) matching_rule = local.worker_group_rules 
@@ -54,3 +54,18 @@ resource "oci_identity_dynamic_group" "workers" { ignore_changes = [defined_tags, freeform_tags] } } + +resource "oci_identity_domains_dynamic_resource_group" "workers" { + provider = oci.home + count = var.create_iam_resources && var.create_iam_worker_policy && !local.isDefaultIdentityDomain ? 1 : 0 + #Optional + description = format("Dynamic group of self-managed worker nodes for OKE Terraform state %v", var.state_id) + #Required + matching_rule = local.worker_group_rules + display_name = local.worker_group_name + idcs_endpoint = data.oci_identity_domains.domains[0].domains[0]["url"] + schemas = [ + "urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup", + "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags" + ] +} diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf index 64402b84..48e31c2b 100644 --- a/modules/iam/outputs.tf +++ b/modules/iam/outputs.tf @@ -3,12 +3,17 @@ output "dynamic_group_ids" { description = "Cluster IAM dynamic group IDs" - value = local.has_policy_statements ? compact([ - one(oci_identity_dynamic_group.cluster[*].id), - one(oci_identity_dynamic_group.workers[*].id), - one(oci_identity_dynamic_group.autoscaling[*].id), - one(oci_identity_dynamic_group.operator[*].id), - ]) : null + value = local.has_policy_statements && local.isDefaultIdentityDomain ? compact([ + one(oci_identity_dynamic_group.cluster[*].id), + one(oci_identity_dynamic_group.workers[*].id), + one(oci_identity_dynamic_group.autoscaling[*].id), + one(oci_identity_dynamic_group.operator[*].id), + ]) : local.has_policy_statements && !local.isDefaultIdentityDomain ? compact([ + one(oci_identity_domains_dynamic_resource_group.cluster[*].id), + one(oci_identity_domains_dynamic_resource_group.workers[*].id), + one(oci_identity_domains_dynamic_resource_group.autoscaling[*].id), + one(oci_identity_domains_dynamic_resource_group.operator[*].id), + ]) : null } output "policy_statements" { 
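Review bot: The chained conditional in `dynamic_group_ids` tests `local.has_policy_statements` twice and re-encodes the domain selection, even though the `count` arguments on the two resource families already make them mutually exclusive on `local.isDefaultIdentityDomain`, so at most one family has instances at any time. A single `value = local.has_policy_statements ? compact([...]) : null` whose list holds all eight `one(...)` entries (the four legacy `oci_identity_dynamic_group` ids followed by the four `oci_identity_domains_dynamic_resource_group` ids) yields the same result, since `one()` of an empty splat is null and `compact()` drops it, and it needs no further editing if another variant is added later. A short comment above the list, `# the count guards on isDefaultIdentityDomain make the two families mutually exclusive`, would explain why mixing them is safe.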
diff --git a/modules/iam/variables.tf b/modules/iam/variables.tf index 8518d341..aa985576 100644 --- a/modules/iam/variables.tf +++ b/modules/iam/variables.tf @@ -7,6 +7,7 @@ variable "compartment_id" { type = string } variable "state_id" { type = string } variable "tenancy_id" { type = string } variable "worker_compartments" { type = list(string) } +variable "identity_domain_name" { type = string } # Tags variable "create_iam_defined_tags" { type = bool } diff --git a/variables-iam.tf b/variables-iam.tf index 4444cfdb..c413e9fd 100644 --- a/variables-iam.tf +++ b/variables-iam.tf @@ -3,6 +3,8 @@ locals { tenancy_id = coalesce(var.tenancy_id, var.tenancy_ocid, "unknown") + iam_compartment_id = coalesce(var.iam_compartment_id, local.tenancy_id) + identity_domain_name = coalesce(var.identity_domain_name, "Default") compartment_id = coalesce(var.compartment_id, var.compartment_ocid, var.tenancy_id) worker_compartment_id = coalesce(var.worker_compartment_id, var.compartment_id) user_id = var.user_id != "" ? var.user_id : var.current_user_ocid @@ -50,6 +52,18 @@ variable "tenancy_ocid" { type = string } +variable "iam_compartment_id" { + default = null + description = "The comparment id of the parent comparment in which to create the IAM resources." + type = string +} + +variable "identity_domain_name" { + default = null + description = "The Identity domain name to use. If not defined, it will use the tenancy default" + type = string +} + # Overrides Resource Manager variable "user_id" { default = null
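Review bot: The description of `iam_compartment_id` misspells its key word twice (`comparment`); `description = "The compartment id of the parent compartment in which to create the IAM resources. Defaults to the tenancy."` also documents the fallback that `iam_compartment_id = coalesce(var.iam_compartment_id, local.tenancy_id)` in the locals hunk applies. `identity_domain_name` is coalesced to "Default" both here in the root locals and again in modules/iam/data-common.tf; since the root already passes `local.identity_domain_name` into the module, doing it once avoids the two defaults drifting apart. The module's `variable "identity_domain_name" { type = string }` in modules/iam/variables.tf is fine as a required input but could carry a one-line description for readers using the module on its own.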