auto.tfvars syntax for Identity Module
These are the syntax and sample formats for providing inputs to the modules via *.auto.tfvars files. The "key" of each entry must be unique among the resources that are created. Comment lines are prefixed with ##.
1. Compartments
- Syntax
compartments = {
root = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
compartment_level1 = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
compartment_level2 = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
compartment_level3 = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
compartment_level4 = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
compartment_level5 = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
parent_compartment_id = string
name = string
# Optional
description = string
enable_delete = boolean
defined_tags = map
freeform_tags = map
},
},
}
- Example:
############################
# Identity
# Compartments - tfvars
# Allowed Values:
# parent_compartment_id can be the ocid or the name of the compartment hierarchy delimited by double hyphens "--"
# Example : parent_compartment_id = "ocid1.compartment.oc1..aaaaaaaahwwiefb56epvdlzfic6ah6jy3xf3c" or parent_compartment_id = "Network-root-cpt--Network" where "Network-root-cpt" is the parent of "Network" compartment
############################
compartments = {
root = {
Network = {
# Required
parent_compartment_id = "root"
name = "Network"
# Optional
description = "Compartment for all network related resources: VCNs, subnets, network gateways, security lists, NSGs, load balancers, VNICs."
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
Database = {
# Required
parent_compartment_id = "root"
name = "Database"
# Optional
description = "Compartment for all database related resources."
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
freeform_tags = {}
},
AppDev = {
# Required
parent_compartment_id = "root"
name = "AppDev"
# Optional
description = "Compartment for all resources related to application development: functions, OKE, API Gateway, streaming, notifications."
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
},
compartment_level1 = {
Non-Prod = {
# Required
parent_compartment_id = "AppDev"
name = "Non-Prod"
# Optional
description = "Compartment for all the non-prod application resources."
enable_delete = true
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
Prod = {
# Required
parent_compartment_id = "AppDev"
name = "Prod"
# Optional
description = "Compartment for all the prod application resources."
enable_delete = true
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
},
## Similar values can be entered for the compartment levels below.
compartment_level2 = {},
compartment_level3 = {},
compartment_level4 = {},
compartment_level5 = {},
}
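The hierarchy rule above (a parent is either an OCID or a "--"-delimited path naming a compartment one level up) is easy to get wrong across five levels. The following Python check is an added example, not part of the CD3 toolkit; it works on a constructed Python-dict mirror of a compartments map rather than parsing HCL, and the level-2 entries "Prod-Web" and "Orphan" are made up to show a good and a dangling reference.

```python
import re

# Parent references that are OCIDs are opaque: the hierarchy cannot be checked from the tfvars alone.
OCID_RE = re.compile(r"^ocid1\.(?:compartment|tenancy)\.oc1\.[A-Za-z0-9._-]*$")

# Level names as used by the compartments map, in parent-to-child order.
LEVELS = ["root"] + [f"compartment_level{i}" for i in range(1, 6)]

# Constructed mirror of a compartments.auto.tfvars map (Python dicts, not parsed HCL).
# "Prod-Web" and "Orphan" are made-up level-2 entries; "Orphan" points at a parent that does not exist.
COMPARTMENTS = {
    "root": {
        "Network": {"parent_compartment_id": "root", "name": "Network"},
        "AppDev": {"parent_compartment_id": "root", "name": "AppDev"},
    },
    "compartment_level1": {
        "Non-Prod": {"parent_compartment_id": "AppDev", "name": "Non-Prod", "enable_delete": True},
        "Prod": {"parent_compartment_id": "AppDev", "name": "Prod", "enable_delete": True},
    },
    "compartment_level2": {
        "Prod-Web": {"parent_compartment_id": "AppDev--Prod", "name": "Prod-Web"},
        "Orphan": {"parent_compartment_id": "AppDev--Staging", "name": "Orphan"},
    },
}


def validate_compartments(compartments):
    """Return a list of findings; an empty list means every parent reference resolves
    to a compartment exactly one level up (or is an OCID) and no path is declared twice."""
    findings = []
    resolved = {}  # full "--" path -> level index at which it was declared
    for idx, level in enumerate(LEVELS):
        for key, cpt in compartments.get(level, {}).items():
            parent, name = cpt["parent_compartment_id"], cpt["name"]
            if idx == 0:
                if parent != "root":
                    findings.append(f"{level}/{key}: root-level parent must be 'root', got {parent!r}")
                path = name
            elif OCID_RE.match(parent):
                # OCID parent: accept it, but the path cannot be cross-checked against other entries.
                path = f"{parent}--{name}"
            else:
                parent_level = resolved.get(parent)
                if parent_level is None:
                    findings.append(f"{level}/{key}: parent {parent!r} is not declared at any higher level")
                elif parent_level != idx - 1:
                    findings.append(f"{level}/{key}: parent {parent!r} is at level {parent_level}, expected {idx - 1}")
                path = f"{parent}--{name}"
            if path in resolved:
                findings.append(f"{level}/{key}: duplicate compartment path {path!r}")
            resolved[path] = idx
    return findings


if __name__ == "__main__":
    for finding in validate_compartments(COMPARTMENTS):
        print(finding)
```

Running it on the constructed map reports only the "Orphan" entry; a plan that references a parent by a path that does not exist would otherwise fail late, at apply time, after earlier compartments have already been created.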
2. Groups/Dynamic Groups
ⓘ The parameter that differentiates dynamic groups from normal groups is matching_rule. Normal groups are created when you omit this parameter or pass it as "" or null. All groups are created in the root compartment.
- Syntax for IDCS
groups = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
group_name = string
group_description = string
# Optional
members = list(string)
matching_rule = string #Required only for Dynamic Group
defined_tags = map
freeform_tags = map
},
}
- Example for IDCS:
############################
# Identity
# Groups/Dynamic Groups - tfvars
############################
groups = {
# Normal Group
Administrators = {
# Required
group_name = "Administrators"
group_description = "Administrators"
},
# Normal Group
IAMAdmins = {
# Required
group_name = "IAMAdmins"
group_description = "Group responsible for managing IAM resources in the tenancy."
# Optional
members = ["xyz@oracle.com", "bcd@oracle.com"]
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-03-23T07:00:34.666Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
# Dynamic Group
CD3_Instances = {
group_name = "CD3_Instances"
group_description = "Instance Group for CD3 Instances"
# Optional
matching_rule = "Any {Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaasfwefuhwkjfew2rrcxx37d5ntq7r53wtaq'},Any {instance.compartment.id = 'ocid1.compartment.oc1..aaz2ylwikr5rg4slidxzec7aijanq'}}" # Can be null or "" for regular groups
},
}
- Syntax for IAM Domains
identity_domain_groups = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
group_name = string
group_description = string
idcs_endpoint = string
compartment_id = string
# Optional
members = list(string)
matching_rule = string #Required only for Dynamic Group
defined_tags = list(map)
freeform_tags = list(map)
},
}
- Example for IAM Domains:
############################
# Identity
# Groups/Dynamic Groups - tfvars
############################
identity_domain_groups = {
# Normal Group
Administrators = {
# Required
group_name = "Administrators"
group_description = "Administrators"
idcs_endpoint = "default"
compartment_id = "root"
},
# Normal Group
IAMAdmins = {
# Required
group_name = "IAMAdmins"
group_description = "Group responsible for managing IAM resources in the tenancy."
idcs_endpoint = "default"
compartment_id = "root"
# Optional
members = ["xyz@oracle.com", "bcd@oracle.com"]
defined_tags = [
{
key = "CreatedBy"
namespace = "Oracle-Tags"
value = "default/abc@oracle.com"
},
{
key = "CreatedOn"
namespace = "Oracle-Tags"
value = "2024-08-05T01:22:03.225Z"
}
]
},
# Dynamic Group
CD3_Instances = {
# Required
group_name = "CD3_Instances"
group_description = "Instance Group for CD3 Instances"
idcs_endpoint = "default"
compartment_id = "root"
# Optional
matching_rule = "Any {Any {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaasfwefuhwkjfew2rrcxx37d5ntq7r53wtaq'},Any {instance.compartment.id = 'ocid1.compartment.oc1..aaz2ylwikr5rg4slidxzec7aijanq'}}" # Can be null or "" for regular groups
},
}
3. Policies
- Syntax
policies = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
name = string
compartment_id = string
policy_description = string
policy_statements = list(string)
# Optional
policy_version_date = string
defined_tags = map
freeform_tags = map
},
}
- Example:
############################
# Identity
# Policies - tfvars
# Allowed Values:
# compartment_id can be the ocid or the name of the compartment hierarchy delimited by double hyphens "--"
# Example : compartment_id = "ocid1.compartment.oc1..aaaaaaaahwwiefb56epvdlzfic6ah6jy3xf3c" or compartment_id = "Network-root-cpt--Network" where "Network-root-cpt" is the parent of "Network" compartment
############################
policies = {
CD3_Instances_Policy = {
# Required
name = "CD3_Instances_Policy"
compartment_id = "root"
policy_description = "Policy for VMs in CD3 Compartment"
policy_statements = [
"Allow dynamic-group CD3_Instances to manage object-family in tenancy"
,"Allow dynamic-group CD3_Instances to manage instance-family in tenancy"
,"Allow dynamic-group CD3_Instances to manage database-family in tenancy"
,"Allow dynamic-group CD3_Instances to manage secret-family in tenancy"
,"Allow dynamic-group CD3_Instances to read all-resources in tenancy"
]
},
IAMAdmins-Policy = {
# Required
name = "IAMAdmins-Policy"
compartment_id = "root"
policy_description = "Policy allowing IAMAdmins group to manage IAM resources in tenancy, except changing Administrators group assignments."
policy_statements = [
"Allow group IAMAdmins to manage policies in tenancy"
,"Allow group IAMAdmins to manage compartments in tenancy"
,"Allow group IAMAdmins to manage tag-defaults in tenancy"
,"Allow group IAMAdmins to manage tag-namespaces in tenancy"
,"Allow group IAMAdmins to manage orm-stacks in tenancy"
,"Allow group IAMAdmins to manage orm-jobs in tenancy"
,"Allow group IAMAdmins to manage orm-config-source-providers in tenancy"
,"Allow group IAMAdmins to inspect users in tenancy"
,"Allow group IAMAdmins to inspect groups in tenancy"
,"Allow group IAMAdmins to manage groups in tenancy where all {target.group.name != 'Administrators', target.group.name != 'CredAdmins'}"
,"Allow group IAMAdmins to inspect identity-providers in tenancy"
,"Allow group IAMAdmins to manage identity-providers in tenancy where any {request.operation = 'AddIdpGroupMapping', request.operation = 'DeleteIdpGroupMapping'}"
,"Allow group IAMAdmins to manage dynamic-groups in tenancy"
,"Allow group IAMAdmins to manage authentication-policies in tenancy"
,"Allow group IAMAdmins to manage network-sources in tenancy"
,"Allow group IAMAdmins to manage quota in tenancy"
,"Allow group IAMAdmins to read audit-events in tenancy"
,"Allow group IAMAdmins to use cloud-shell in tenancy"
]
# Optional
defined_tags = {
"Oracle-Tags.CreatedOn"= "2022-03-23T07:19:18.918Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
},
}
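Policies (section 3) only make sense against the groups declared in section 2: a statement naming an undeclared group, or calling a dynamic group a plain `group`, silently grants nothing, while an unconditional `manage all-resources in tenancy` grants everything. The linter below is an added example, not part of the CD3 toolkit; it works on constructed Python-dict mirrors of the two maps (the dynamic group's matching_rule OCID is a placeholder, and "Review-Policy" is a made-up policy containing the mistakes the check is meant to catch), and the statement grammar it recognises is a subset of OCI policy syntax (group/dynamic-group/any-user subjects, the four verbs, tenancy or compartment scope, an optional where clause).

```python
import re

# Grammar of the statements this linter understands (a subset of OCI policy syntax):
#   Allow group|dynamic-group <name> to inspect|read|use|manage <resource> in tenancy|compartment <name> [where <cond>]
#   Allow any-user to ...
STATEMENT_RE = re.compile(
    r"^allow\s+(?:(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)|(?P<any>any-user))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

# Constructed mirror of the groups map (dicts, not parsed HCL); the matching_rule OCID is a placeholder.
GROUPS = {
    "Administrators": {"group_name": "Administrators", "group_description": "Administrators"},
    "IAMAdmins": {"group_name": "IAMAdmins", "group_description": "IAM admins", "matching_rule": ""},
    "CD3_Instances": {"group_name": "CD3_Instances", "group_description": "Instance group",
                      "matching_rule": "Any {instance.compartment.id = 'ocid1.compartment.oc1..PLACEHOLDER'}"},
}

# Constructed mirror of the policies map: statements taken from the page, plus a made-up
# "Review-Policy" carrying the kinds of mistakes the linter is meant to catch.
POLICIES = {
    "CD3_Instances_Policy": {"compartment_id": "root", "policy_statements": [
        "Allow dynamic-group CD3_Instances to manage object-family in tenancy",
        "Allow dynamic-group CD3_Instances to read all-resources in tenancy",
    ]},
    "IAMAdmins-Policy": {"compartment_id": "root", "policy_statements": [
        "Allow group IAMAdmins to manage groups in tenancy where all {target.group.name != 'Administrators', target.group.name != 'CredAdmins'}",
        "Allow group IAMAdmins to use cloud-shell in tenancy",
    ]},
    "Review-Policy": {"compartment_id": "root", "policy_statements": [
        "Allow group DevOps to manage all-resources in tenancy",
        "Allow group CD3_Instances to read all-resources in tenancy",
    ]},
}


def classify_groups(groups):
    """Map group_name -> 'dynamic-group' or 'group', using the page's rule that an omitted,
    empty or null matching_rule means a normal group."""
    return {
        g["group_name"]: "group" if g.get("matching_rule") in (None, "") else "dynamic-group"
        for g in groups.values()
    }


def lint_policies(policies, groups):
    """Return (policy_key, statement, message) triples for statements that do not parse,
    name an undeclared or mistyped subject, or grant unconditional manage on everything."""
    kinds = classify_groups(groups)
    findings = []
    for key, policy in policies.items():
        for stmt in policy["policy_statements"]:
            m = STATEMENT_RE.match(stmt.strip())
            if not m:
                findings.append((key, stmt, "statement does not match the expected grammar"))
                continue
            if m.group("any"):
                findings.append((key, stmt, "grants access to any-user"))
            else:
                stype, subject = m.group("subject_type").lower(), m.group("subject")
                declared = kinds.get(subject)
                if declared is None:
                    findings.append((key, stmt, f"{stype} {subject!r} is not declared in groups"))
                elif declared != stype:
                    findings.append((key, stmt, f"{subject!r} is declared as a {declared}, not a {stype}"))
            if (m.group("verb").lower() == "manage" and m.group("resource").lower() == "all-resources"
                    and m.group("scope").lower() == "tenancy" and not m.group("cond")):
                findings.append((key, stmt, "unconditional 'manage all-resources in tenancy'"))
    return findings


if __name__ == "__main__":
    for key, stmt, msg in lint_policies(POLICIES, GROUPS):
        print(f"{key}: {msg}\n    {stmt}")
```

Group names are compared exactly, since the subject of a policy statement must match the declared group_name; the check is meant to run in CI before terraform apply, where an undeclared subject would otherwise go unnoticed because OCI accepts the statement.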
4. Users
- Syntax for IDCS
users = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
name = string
description = string
email = string
enable_capabilities = list(string)
# Optional
defined_tags = map
},
}
- Example for IDCS:
############################
# Identity
# Users - tfvars
############################
users = {
testUser = {
# Required
name = "testUser"
description = "this is a test user"
email = "testUser@oracle.com"
enable_capabilities = ["can_use_console_password","can_use_customer_secret_keys"]
# Optional
defined_tags = {
"Oracle-Tags.CreatedOn"= "2023-05-23T07:19:18.918Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
}
}
- Syntax for IAM Domains
identity_domain_users = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
family_name = string
idcs_endpoint = string
user_name = string
compartment_id = string
description = string
email = string
groups = list(string)
enable_capabilities = list(string)
# Optional
defined_tags = list(map)
},
}
- Example for IAM Domain:
############################
# Identity
# Users - tfvars
############################
identity_domain_users = {
DEFAULT_testuser-test-com = {
family_name = "test"
idcs_endpoint = "DEFAULT"
description = "test"
user_name = "testuser@test.com"
compartment_id = "root"
email = "testuser@test.com"
enabled_capabilities = ["api_keys", "auth_tokens", "console_password", "customer_secret_keys", "db_credentials", "oauth2client_credentials", "smtp_credentials"]
defined_tags = [
{
key = "CreatedBy"
namespace = "Oracle-Tags"
value = "default/abc@oracle.com"
},
{
key = "CreatedOn"
namespace = "Oracle-Tags"
value = "2024-07-16T15:24:28.572Z"
} ]
},
}
5. Network Sources
- Syntax
networkSources = {
## key - Is a unique value to reference the resources respectively
key = {
# Required
name = string
description = string
public_source_list = list(string)
virtual_source_list = list(map)
# Optional
defined_tags = map
},
}
- Example:
############################
# Identity
# Network Sources - tfvars
############################
networkSources = {
networkSourcesExample = {
# Required
name = "myNetworkSource"
description = "this is a network source"
public_source_list = ["192.0.2.0/24","192.0.3.0/26"]
virtual_source_list = [
{
vcn_name = ["VCN1"],
network_compartment_id = ["NetworkCompartment"],
ip_ranges = [ "10.169.0.0/16"]
},
{
vcn_name = ["VCN2"],
network_compartment_id = ["NetworkCompartment"],
ip_ranges = ["172.16.2.0/24", "172.16.2.0/26"]
}
]
# Optional
defined_tags = {
"Oracle-Tags.CreatedOn"= "2023-05-23T07:19:18.918Z" ,
"Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/abc@oracle.com"
}
}
}
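A network source is an allowlist that policies and authentication rules key on, so a malformed or overly broad CIDR in public_source_list or ip_ranges quietly widens who counts as "inside". The check below is an added example, not part of the CD3 toolkit; it works on a constructed Python-dict mirror of the networkSources map above plus a made-up "openSource" entry, and the /8 (IPv4) and /32 (IPv6) width thresholds are hypothetical values chosen for the example.

```python
import ipaddress

# Hypothetical policy threshold for this example: an entry broader than a /8 (IPv4)
# or /32 (IPv6) is treated as effectively unrestricted.
MIN_PREFIXLEN = {4: 8, 6: 32}

# Constructed mirror of the networkSources map above (dicts, not parsed HCL), plus a made-up
# "openSource" entry that contains the mistakes this check is meant to catch.
NETWORK_SOURCES = {
    "networkSourcesExample": {
        "name": "myNetworkSource",
        "public_source_list": ["192.0.2.0/24", "192.0.3.0/26"],
        "virtual_source_list": [
            {"vcn_name": ["VCN1"], "network_compartment_id": ["NetworkCompartment"],
             "ip_ranges": ["10.169.0.0/16"]},
            {"vcn_name": ["VCN2"], "network_compartment_id": ["NetworkCompartment"],
             "ip_ranges": ["172.16.2.0/24", "172.16.2.0/26"]},
        ],
    },
    "openSource": {
        "name": "tooOpen",
        "public_source_list": ["0.0.0.0/0", "10.1.2.3/24"],
        "virtual_source_list": [],
    },
}


def check_cidr_list(label, cidrs):
    """Validate one list of CIDR strings: reject malformed entries and entries with host bits
    set, flag prefixes broader than the threshold, and report overlapping pairs."""
    findings, nets = [], []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            findings.append(f"{label}: {cidr!r} rejected ({exc})")
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            findings.append(f"{label}: {cidr!r} is broader than /{MIN_PREFIXLEN[net.version]}")
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                findings.append(f"{label}: {a} overlaps {b}")
    return findings


def lint_network_sources(sources):
    """Run check_cidr_list over every public_source_list and every virtual source's ip_ranges."""
    findings = []
    for key, src in sources.items():
        findings += check_cidr_list(f"{key}.public_source_list", src.get("public_source_list", []))
        for vsrc in src.get("virtual_source_list", []):
            vcn = "/".join(vsrc.get("vcn_name", []))
            findings += check_cidr_list(f"{key}.virtual_source_list[{vcn}]", vsrc.get("ip_ranges", []))
    return findings


if __name__ == "__main__":
    for finding in lint_network_sources(NETWORK_SOURCES):
        print(finding)
```

On the constructed data it reports the overlapping 172.16.2.0/24 and 172.16.2.0/26 pair in VCN2 (the /26 is redundant, and usually a sign that one of the two was meant to be a different range), the 0.0.0.0/0 entry, and the entry whose host bits are set.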