## Copyright (c) 2023, Oracle and/or its affiliates.
## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
# Dynamic group that matches DevOps deploy pipelines, restricted to the
# project compartment (var.compartment_ocid). Dynamic groups are IAM
# resources, so the group itself is created in the tenancy root via the
# home-region provider alias.
resource "oci_identity_dynamic_group" "devopsgroup1" {
  compartment_id = var.tenancy_ocid
  provider       = oci.home_region

  name        = "devopsdyngroup-${random_id.tag.hex}"
  description = "DevOps deploy pipeline dynamic group"

  # Both predicates must hold: resource type AND compartment.
  matching_rule = "ALL {resource.type = 'devopsdeploypipeline', resource.compartment.id = '${var.compartment_ocid}'}"
}
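# Dynamic group that matches DevOps code repositories.
#
# The matching rule is scoped to the project compartment, consistent with
# devopsgroup1. Without the compartment predicate the rule matched EVERY
# devopsrepository in the tenancy, and devopsrootpolicy below grants this
# group "manage all-resources in tenancy" -- so any repository created in any
# compartment would have inherited tenancy-wide admin rights.
resource "oci_identity_dynamic_group" "devopsgroup2" {
  provider       = oci.home_region
  name           = "CodeReposDynamicGroup-${random_id.tag.hex}"
  description    = "DevOps code repository dynamic group"
  compartment_id = var.tenancy_ocid
  matching_rule  = "ALL {resource.type = 'devopsrepository', resource.compartment.id = '${var.compartment_ocid}'}"
}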
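# Dynamic group that matches DevOps build pipelines.
#
# The matching rule is scoped to the project compartment, consistent with
# devopsgroup1. Without the compartment predicate the rule matched EVERY
# devopsbuildpipeline in the tenancy, and devopsrootpolicy below grants this
# group "manage all-resources in tenancy" -- so a build pipeline in any other
# compartment (e.g. one created by a less-privileged team) would have run
# with tenancy-wide admin rights.
resource "oci_identity_dynamic_group" "devopsgroup3" {
  provider       = oci.home_region
  name           = "MyDynamicGroup-${random_id.tag.hex}"
  description    = "DevOps repository build pipeline dynamic group"
  compartment_id = var.tenancy_ocid
  matching_rule  = "ALL {resource.type = 'devopsbuildpipeline', resource.compartment.id = '${var.compartment_ocid}'}"
}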
# Alternative: match on the request principal directly instead of through a
# dynamic group. The two statements below are examples only (they reference
# OpenSearch / Digital Assistant principals) and are NOT applied by this file.
# ALLOW ANY-USER to manage generative-ai-family in tenancy WHERE ALL {request.principal.type='opensearchcluster', request.resource.compartment.id='<cluster_compartment_id>'}
# ALLOW ANY-USER to manage generative-ai-family in tenancy WHERE request.principal.id='ocid1..oda.xxxx'
# Compartment-scoped policy for the DevOps project.
#
# NOTE(review): the deploy-pipeline dynamic group (devopsgroup1) is granted
# "manage all-resources" in the compartment, which is broader than the
# "devops-family" / "all-artifacts" grants given to human Administrators in
# the same policy. Consider narrowing it to the resource families the deploy
# pipeline actually touches -- confirm against the pipeline definition.
resource "oci_identity_policy" "devopspolicy" {
provider = oci.home_region
name = "devops-policies-${random_id.tag.hex}"
description = "policy created for devops"
# Policies are evaluated for the compartment they live in (and its children).
compartment_id = var.compartment_ocid
statements = [
# Human operators: scoped to DevOps and artifact resources only.
"Allow group Administrators to manage devops-family in compartment id ${var.compartment_ocid}",
"Allow group Administrators to manage all-artifacts in compartment id ${var.compartment_ocid}",
# Deploy pipelines (matched by devopsgroup1): full control of the compartment.
"Allow dynamic-group ${oci_identity_dynamic_group.devopsgroup1.name} to manage all-resources in compartment id ${var.compartment_ocid}",
]
}
# Tenancy-root policy for the code-repository and build-pipeline dynamic groups.
#
# NOTE(review): both statements grant "manage all-resources in tenancy", i.e.
# tenancy-wide administrative rights to every principal matched by
# devopsgroup2 / devopsgroup3. Anything that can push code to a matched
# repository or edit a matched build spec effectively inherits those rights.
# Unless the pipelines genuinely need to create resources outside
# var.compartment_ocid, restrict these to "in compartment id
# ${var.compartment_ocid}" and to the specific resource families required
# (e.g. devops-family, repos, all-artifacts, secret-family) -- confirm the
# exact set against the build/deploy specs before narrowing.
resource "oci_identity_policy" "devopsrootpolicy" {
provider = oci.home_region
name = "devops-root-policies-${random_id.tag.hex}"
description = "policy created for root compartment"
# Placed in the root compartment so the statements can use "in tenancy".
compartment_id = var.tenancy_ocid
statements = [
# Code repositories (devopsgroup2): tenancy-wide manage all-resources.
"Allow dynamic-group ${oci_identity_dynamic_group.devopsgroup2.name} to manage all-resources in tenancy",
# Build pipelines (devopsgroup3): tenancy-wide manage all-resources.
"Allow dynamic-group ${oci_identity_dynamic_group.devopsgroup3.name} to manage all-resources in tenancy",
]
}