# Dynamic group that the DevOps pipeline components act as. Dynamic groups are
# IAM resources, so this one lives in the tenancy (root compartment) and is
# created through the home-region provider alias like the rest of this file.
resource "oci_identity_dynamic_group" "FoggyKitchenDevOpsProjectPipelineDynamicGroup" {
  provider       = oci.homeregion
  compartment_id = var.tenancy_ocid
  name           = "FoggyKitchenDevOpsProjectPipelineDynamicGroup"
  description    = "FoggyKitchen DevOps Project Pipeline Dynamic Group"

  # Membership requires BOTH conditions: the resource must be one of the listed
  # DevOps types AND it must belong to the FoggyKitchen compartment. The
  # compartment clause is the important one for least privilege: a DevOps
  # pipeline, repository, connection or trigger created in any other
  # compartment of the tenancy does not match and therefore does not receive
  # the policies granted to this group.
  matching_rule = format(
    "All {resource.compartment.id = '%s', Any {resource.type = 'devopsdeploypipeline', resource.type = 'devopsbuildpipeline', resource.type = 'devopsrepository', resource.type = 'devopsconnection', resource.type = 'devopstrigger'}}",
    oci_identity_compartment.FoggyKitchenCompartment.id,
  )
}
# Compartment-level policy for the pipeline dynamic group. Because it is
# attached to the FoggyKitchen compartment (compartment_id below), none of its
# statements can grant access outside that compartment's subtree; that is the
# only thing bounding the blanket grant on the first statement.
resource "oci_identity_policy" "FoggyKitchenDevOpsProjectPipelinePolicy1" {
provider = oci.homeregion
# The `.name` references in the statements already make Terraform create the
# dynamic group first; this explicit depends_on is redundant but harmless.
depends_on = [oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup]
name = "FoggyKitchenDevOpsProjectPipelinePolicy1"
description = "FoggyKitchen DevOps Project Pipeline Policy (use/manage resources in FoggyKitchen compartment)"
compartment_id = oci_identity_compartment.FoggyKitchenCompartment.id
statements = [
# NOTE(review): `manage all-resources` is full administrative control of the
# compartment. It subsumes every statement that follows (each is a `use` or
# `manage` on a single family in the same compartment), and since all-resources
# also covers `policies` it lets the pipeline rewrite this very policy — confirm
# against the OCI policy reference. Prefer replacing it with `manage <family>`
# statements for the resource types the pipeline actually deploys; those types
# are not visible in this file, so the list below is a starting point rather
# than a complete inventory.
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to manage all-resources in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
# Everything below is currently redundant with the blanket grant above. It is
# worth keeping as the explicit record of what the pipeline needs, and it
# becomes the effective policy once `manage all-resources` is removed.
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use ons-topics in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use adm-knowledge-bases in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use devops-family in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
# Vulnerability audits are the one family below that needs `manage` (the
# pipeline creates them); the rest only need `use`.
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to manage adm-vulnerability-audits in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
# Networking grants (subnets, VNICs, NSGs) are `use` only: the pipeline attaches
# to existing network resources but is not expected to create or delete them.
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use subnets in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use vnics in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use network-security-groups in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
"Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to use cabundles in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
]
}
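# Tenancy-level policy for the pipeline dynamic group. It is attached to the
# tenancy (root compartment) rather than to the FoggyKitchen compartment so
# that it can grant access to a vault that may live elsewhere in the tenancy,
# as the description says; which compartment that vault is in is not visible
# in this file.
resource "oci_identity_policy" "FoggyKitchenDevOpsProjectPipelinePolicy2" {
  provider = oci.homeregion
  # The `.name` references in the statements already order this policy after
  # the dynamic group; the explicit depends_on is kept only for readability.
  depends_on     = [oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup]
  name           = "FoggyKitchenDevOpsProjectPipelinePolicy2"
  description    = "FoggyKitchen DevOps Project Pipeline Policy (read secrets from OCI Vault in tenancy)"
  compartment_id = var.tenancy_ocid
  statements = [
    # NOTE(review): `in tenancy` lets every member of the dynamic group read
    # every secret in every vault of the tenancy, not just the ones the
    # pipeline needs. Narrow this to the compartment that holds the vault
    # (`in compartment id <ocid>`) or to the specific secrets (e.g. a
    # `where target.secret.id = '<ocid>'` condition — verify the variable name
    # against the OCI Vault policy reference) once those OCIDs are known; they
    # are not available in this file, so the grant is left as-is here.
    "Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to read secret-family in tenancy",
    # The compartment is addressed by OCID, consistent with Policy1, instead of
    # by display name: in a tenancy-level policy a bare name only resolves for a
    # direct child of the root (nested compartments need a `Parent:Child` path),
    # so the name form silently stops matching if FoggyKitchenCompartment is
    # ever moved under another compartment. The grant itself is already covered
    # by `use devops-family` in Policy1 (read is a subset of use).
    "Allow dynamic-group ${oci_identity_dynamic_group.FoggyKitchenDevOpsProjectPipelineDynamicGroup.name} to read devops-family in compartment id ${oci_identity_compartment.FoggyKitchenCompartment.id}",
  ]
}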