From 4e488922125c5c9e865703c130134d04d302a075 Mon Sep 17 00:00:00 2001 From: Abeer Date: Thu, 2 Nov 2023 14:32:21 +0300 Subject: [PATCH 1/4] Abeer: update the module argument in the README.md usage examples. Module path specified by 'source' argument, which has the module path as a value. --- modules/identity/README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/identity/README.md b/modules/identity/README.md index b211538..53c4c9a 100644 --- a/modules/identity/README.md +++ b/modules/identity/README.md @@ -71,7 +71,7 @@ locals { } module "IAM" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" memberships = local.memberships @@ -111,14 +111,14 @@ locals { } module "IAM" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" memberships = local.memberships } module "idp_mapping" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" identity_group_mapping = { @@ -150,7 +150,7 @@ Service accounts are accounts that meant to used by machines. When a service acc ```h module "IAM" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" service_accounts = ["terraform-cli", "github-client"] # then using the service accout name, you can assign policy to the service account. @@ -188,7 +188,7 @@ locals { } module "top_level_compartments" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = local.tenant_id @@ -210,7 +210,7 @@ module "top_level_compartments" { } module "child_compartments" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = local.tenant_id @@ -233,7 +233,7 @@ Some policies must be attached to the tenancy itself, but not to a compartment. ```h module "tenancy_policies" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" tenancy_policies = { 
@@ -282,7 +282,7 @@ locals { } module "main_iam" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = local.tenant_id memberships = local.memberships @@ -312,7 +312,7 @@ module "main_iam" { } module "child_compartments" { - path = PATH_TO_MODULE + source = PATH_TO_MODULE tenant_id = local.tenant_id @@ -328,4 +328,4 @@ module "child_compartments" { } } } -``` \ No newline at end of file +``` From 00e33d93a1e2ffc9cecbc3aa091d334df184c75b Mon Sep 17 00:00:00 2001 From: Abeer Date: Thu, 2 Nov 2023 14:38:02 +0300 Subject: [PATCH 2/4] Abeer: track fix in releases.md --- releases.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/releases.md b/releases.md index f8f25dc..ecc6a8d 100644 --- a/releases.md +++ b/releases.md @@ -1,3 +1,13 @@ +# v2.8.1: +## **New** +None + +## **Fix** +* Correct `path` argument by `source` argument to specify the module path in `identity` module usage examples in `README.md`. + +## _**Breaking Changes**_ +None + # v2.8.0: ## **New** * `instances`: add new argument `availability_config`. for VM migration during infrastructure maintenance events From 33914fb0e43dd33da33d23ed17de75c2e995ca62 Mon Sep 17 00:00:00 2001 From: Mohammed Binsabbar Date: Sun, 5 Nov 2023 16:11:30 +0300 Subject: [PATCH 3/4] Mo: add user capabilities to service account --- modules/identity/main.tf | 33 +++++++++++++++++++++++---------- modules/identity/variables.tf | 24 +++++++++++++++++++++--- 2 files changed, 44 insertions(+), 13 deletions(-) diff --git a/modules/identity/main.tf b/modules/identity/main.tf index bf72874..001bf35 100644 --- a/modules/identity/main.tf +++ b/modules/identity/main.tf 
@@ -18,7 +18,7 @@ locals { ]) groups = [for group in keys(var.memberships) : oci_identity_group.groups[group]] - service_accounts_groups = [for sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa]] + service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[sa.name]] depends_on = concat(local.groups, local.service_accounts_groups) } 
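Review bot: The rewritten `service_accounts_groups` local indexes `oci_identity_group.service_accounts_groups` by `sa.name`, but that resource is now created with `for_each = var.service_accounts`, so its instances are keyed by the map key rather than by the `name` attribute; any caller whose key differs from `name` gets an invalid-index error at plan time. The membership resource in the same patch already uses `each.key`, so the local should follow it: `service_accounts_groups = [for key, sa in var.service_accounts : oci_identity_group.service_accounts_groups[key]]`. The README examples happen to use identical key and name, which is why this does not surface there. The enclosing `locals` block continues outside the hunk.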
@@ -75,28 +75,41 @@ resource "oci_identity_user_group_membership" "user_group_membership" { # Service Accounts - to associate a policy with a service account, the # service account must belong to a group resource "oci_identity_user" "service_accounts" { - for_each = toset(var.service_accounts) + for_each = var.service_accounts compartment_id = var.tenant_id - description = each.key - name = each.key + description = each.value.name + name = each.value.name } resource "oci_identity_group" "service_accounts_groups" { - for_each = toset(var.service_accounts) + for_each = var.service_accounts compartment_id = var.tenant_id - description = each.key - name = each.key + description = each.value.name + name = each.value.name } resource "oci_identity_user_group_membership" "service_accounts_group_membership" { - for_each = toset(var.service_accounts) + for_each = var.service_accounts - group_id = oci_identity_group.service_accounts_groups[each.value].id - user_id = oci_identity_user.service_accounts[each.value].id + group_id = oci_identity_group.service_accounts_groups[each.key].id + user_id = oci_identity_user.service_accounts[each.key].id } +resource "oci_identity_user_capabilities_management" "service_accounts_capabilities_management" { + for_each = var.service_accounts + + user_id = oci_identity_user.service_accounts[each.key].id + + can_use_api_keys = lookup(each.value.capabilities, "api_keys", false) + can_use_auth_tokens = lookup(each.value.capabilities, "auth_tokens", false) + can_use_console_password = lookup(each.value.capabilities, "console_password", false) + can_use_customer_secret_keys = lookup(each.value.capabilities, "customer_secret_keys", false) + can_use_smtp_credentials = lookup(each.value.capabilities, "smtp_credentials", false) +} + + # Some policies have to be applied at the tenancy level so compartment_id must be the tenant_id resource "oci_identity_policy" "tenancy_policies" { for_each = var.tenancy_policies != null ? 
{ (var.tenancy_policies.name) = var.tenancy_policies.policies } : {} diff --git a/modules/identity/variables.tf b/modules/identity/variables.tf index 2f30f16..2246dc8 100644 --- a/modules/identity/variables.tf +++ b/modules/identity/variables.tf @@ -51,15 +51,33 @@ variable "memberships" { EOF } +# Note this will completely changed in V3 of this module variable "service_accounts" { - type = set(string) - default = [] + type = map(object({ name = string, capabilities = map(bool) })) + default = {} + + validation { + condition = alltrue(flatten([ + for key, service_account in var.service_accounts : [ + for capability in keys(service_account.capabilities) : contains(["api_keys", "auth_tokens", "console_password", "customer_secret_keys", "smtp_credentials"], capability) + ] + ])) + error_message = "The var.service_accounts.*.capabilities accepts \"api_keys\", \"auth_tokens\", \"console_password\", \"customer_secret_keys\", \"smtp_credentials\"." + } + description = < Date: Sun, 5 Nov 2023 16:21:07 +0300 Subject: [PATCH 4/4] Mo: add release notes --- modules/identity/README.md | 30 ++++++++++++++++++++++++++++-- releases.md | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/modules/identity/README.md b/modules/identity/README.md index b211538..3cc6960 100644 --- a/modules/identity/README.md +++ b/modules/identity/README.md @@ -153,7 +153,20 @@ module "IAM" { path = PATH_TO_MODULE tenant_id = "oci.xxxxxxxxx.xxxxxx" - service_accounts = ["terraform-cli", "github-client"] # then using the service accout name, you can assign policy to the service account. + service_accounts = { + "terraform-cli" = { + name = "terraform-cli", + capabilities = { + api_keys = true + } + }, + "github-client" = { + name = "github-client", + capabilities = { + smtp_credentials = true + } + } + } } ``` 
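Review bot: In the new `oci_identity_user_capabilities_management` resource each `lookup(each.value.capabilities, ..., false)` turns an omitted key into an explicit disable, so a service account whose `capabilities` map is `{}` ends up with all five credential types switched off, and nothing in the hunk documents that. That is a sound default-deny posture for new accounts, but for accounts that already exist it is a revocation: if the provider has so far left those capabilities enabled (worth confirming against the provider docs), an operator following the upgrade path of setting `capabilities = {}` will find the account's API keys, auth tokens and other credentials unusable after the next apply — potentially including the account Terraform itself runs as. A header comment on the resource, e.g. `# Capabilities not listed in var.service_accounts[*].capabilities are set to false (disabled), not left unmanaged; existing accounts lose any credential type they do not opt into.`, plus a migration step that records the capabilities currently in use before upgrading, would make the change safe to roll out. The `oci_identity_policy` resource at the end of the hunk continues outside it.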
@@ -276,7 +289,20 @@ locals { ] } - service_accounts = ["terraform-cicd"] + service_accounts = { + "terraform-cli" = { + name = "terraform-cli", + capabilities = { + api_keys = true + } + }, + "github-client" = { + name = "github-client", + capabilities = { + smtp_credentials = true + } + } + } tenant_id = "oci.xxxxxxxxx.xxxxxx" } diff --git a/releases.md b/releases.md index f8f25dc..a04528f 100644 --- a/releases.md +++ b/releases.md @@ -1,3 +1,37 @@ +# v2.9.0: +## **New** +* `identity`: add new argument `capabilities` in `var.service_accounts` variable. + +## **Fix** +None +## _**Breaking Changes**_ +* `identity` modules input for `service_accounts` is updated. A new key `capabilities` is now required under `var.service_accounts.*`. + * Add `capabilities` and set its value to `{}`. + +from: +>```h +>module "identity" { +> ... +> service_accounts = toset(["terraform-cli"]) +> ... +>} +>``` +to: +>```h +>module "identity" { +> ... +> service_accounts = { +> "terraform-cli" = { +> name = "terraform-cli", +> capabilities = {} +> } +> } +> ... +>} +``` + + + # v2.8.0: ## **New** * `instances`: add new argument `availability_config`. for VM migration during infrastructure maintenance events