iam.tf
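# Dynamic group holding the k3s cluster's compute instances.
#
# NOTE(review): the matching rule below matches EVERY instance in
# var.compartment_ocid, not only instances tagged with this cluster's name.
# Several clusters sharing one compartment therefore all fall into this
# group and all inherit the policy attached to it. Restricting it to one
# cluster needs a tag clause in the rule, e.g.
# `All {instance.compartment.id = '...', tag.<namespace>.<key>.value = '${var.cluster_name}'}`;
# matching rules evaluate defined tags, whereas local.common_tags is applied
# as freeform tags, so a defined tag namespace would have to exist first —
# TODO confirm against the tagging setup used by the rest of this module.
resource "oci_identity_dynamic_group" "k3s" {
  # Dynamic groups live at the tenancy level, hence tenancy_ocid here even
  # though the rule itself targets the cluster's compartment.
  compartment_id = var.tenancy_ocid
  name           = var.oci_identity_dynamic_group_name
  description    = "k3s cluster '${var.cluster_name}' instances"

  matching_rule = "All {instance.compartment.id = '${var.compartment_ocid}'}"

  freeform_tags = local.common_tags
}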
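# IAM policy granting the k3s dynamic group its runtime permissions.
#
# Every statement is scoped to the cluster's compartment and none carries a
# `where` clause, so each grant covers every resource of that family in the
# compartment (for secret-family: all secrets in all vaults there, not only
# the ones this cluster needs). If a vault OCID is known to the module, the
# secret grant can be narrowed with `where target.vault.id = '<vault-ocid>'`.
resource "oci_identity_policy" "k3s" {
  compartment_id = var.compartment_ocid
  name           = var.oci_identity_policy_name
  # The description lists everything the policy grants, not only the
  # instance-metadata read, so the scope is visible in the console as well.
  description = "Allow k3s cluster '${var.cluster_name}' instances to read instance metadata, use log-content and, when enabled, read secrets"

  # Each verb/family pair is expanded into one statement against the dynamic
  # group in this compartment. Referencing the group's `name` attribute also
  # orders creation: the group exists before the policy that names it.
  statements = [
    for grant in concat(
      [
        "read instance-family",           # nodes describe their own instance
        "read compute-management-family", # instance pools / configurations
        "use log-content",                # push log content to OCI Logging
      ],
      # Vault access is only granted when the module enables it.
      var.enable_vault ? ["read secret-family"] : []
    ) :
    "allow dynamic-group ${oci_identity_dynamic_group.k3s.name} to ${grant} in compartment id ${var.compartment_ocid}"
  ]

  freeform_tags = local.common_tags
}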