
auto.tfvars syntax for Identity Module

These are the syntax and sample formats for providing inputs to the modules via *.auto.tfvars files. "key" must be unique for every resource that is created. Comments are prefixed with ##.

1. Compartments

  • Syntax
compartments = {
        ## Compartment hierarchy: entries under "root" use parent_compartment_id = root in the example,
        ## entries under compartment_levelN are placed beneath a compartment from the level above.
        ## NOTE(review): closing braces are not shown in this rendering; every map must be closed in a real tfvars file.
        root = {
            ## key - Is a unique value to reference the resources respectively
            key = {

                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                # NOTE(review): what enable_delete controls is not described on this page; confirm in the module before setting it to true.
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 

        compartment_level1 = {
             ## key - Is a unique value to reference the resources respectively
             key = {
                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 

        compartment_level2 = {
            ## key - Is a unique value to reference the resources respectively
            key = {
                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 

        compartment_level3 = {
            ## key - Is a unique value to reference the resources respectively
            key = {
                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 

        compartment_level4 = {
            ## key - Is a unique value to reference the resources respectively
            key = {
                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 

        compartment_level5 = {
            ## key - Is a unique value to reference the resources respectively
            key = {
                # Required
                parent_compartment_id = string
                name                  = string

                # Optional
                description           = string 
                enable_delete         = boolean 
                defined_tags          = map 
                freeform_tags         = map 
  • Example:
      # Identity
      # Compartments - tfvars
      # Allowed Values:
      # parent_compartment_id can be the ocid or the name of the compartment hierarchy delimited by double hyphens "--"
      # Example : parent_compartment_id = "ocid1.compartment.oc1..aaaaaaaahwwiefb56epvdlzfic6ah6jy3xf3c" or parent_compartment_id = "Network-root-cpt--Network" where "Network-root-cpt" is the parent of "Network" compartment
      # NOTE(review): closing braces for each map are not shown in this rendering; close them in a real tfvars file.
      compartments = {
          root = {
              Network = {
                  # Required
                  parent_compartment_id = root
                  name                  = "Network"
                  # Optional
                  description           = "Compartment for all network related resources: VCNs, subnets, network gateways, security lists, NSGs, load balancers, VNICs."
                  # NOTE(review): the CreatedBy value ends after the provider prefix with no principal; confirm this is intended.
                  defined_tags          = {
                            "Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
                            "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
              Database = {
                  # Required
                  parent_compartment_id = root
                  name                  = "Database"
                  # Optional
                  description           = "Compartment for all database related resources."
                  defined_tags          = {
                            "Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
                            "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
                  freeform_tags         = {}
              AppDev = {
                  # Required
                  parent_compartment_id = root
                  name                  = "AppDev"
                  # Optional
                  description           = "Compartment for all resources related to application development: functions, OKE, API Gateway, streaming, notifications."
                  defined_tags          = {
                            "Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
                            "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
          # Level-1 compartments reference a root-level compartment (AppDev) by name as their parent.
          compartment_level1 = {
              Non-Prod = {
                  # Required
                  parent_compartment_id = AppDev
                  name                  = "Non-Prod"
                  # Optional
                  description           = "Compartment for all the non-prod application resources."
                  # NOTE(review): enable_delete is set to true here; its effect is not described on this page, confirm in the module.
                  enable_delete         = true
                  defined_tags          = {
                            "Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
                            "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
              Prod = {
                  # Required
                  parent_compartment_id = AppDev
                  name                  = "Prod"
                  # Optional
                  description           = "Compartment for all the prod application resources."
                  enable_delete         = true
                  defined_tags          = {
                            "Oracle-Tags.CreatedOn"= "2022-08-09T11:15:45.919Z" ,
                            "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
          ## Similar values can be entered for the compartment levels below.
          compartment_level2 = {},
          compartment_level3 = {},
          compartment_level4 = {},
          compartment_level5 = {},

2. Groups/Dynamic Groups

ⓘ The parameter that differentiates dynamic groups from normal groups is matching_rule. Normal groups are created when you omit this parameter or pass it as "" or null. All groups are created in the root compartment.

  • Syntax
groups = {
     ## key - Is a unique value to reference the resources respectively
     ## A group entry becomes a dynamic group only when matching_rule is set to a non-empty value.
     key = {
        # Required
        group_name            = string
        group_description     = string

        # Optional
        matching_rule         = string  (Required only for Dynamic Group)
        defined_tags          = map 
        freeform_tags         = map 
  • Example:
      # Identity
      # Groups/Dynamic Groups - tfvars
      # NOTE(review): closing braces for each map are not shown in this rendering; close them in a real tfvars file.
      groups = {
      # Normal Group
      Administrators = {
          # Required
          group_name        = "Administrators"
          group_description = "Administrators"
      # Normal Group
      IAMAdmins = {
          # Required
          group_name        = "IAMAdmins"
          group_description = "Group responsible for managing IAM resources in the tenancy."
          # Optional
          defined_tags = {
                  "Oracle-Tags.CreatedOn"= "2022-03-23T07:00:34.666Z" ,
                  "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"
      # Dynamic Group
      CD3_Instances = {
          group_name        = "CD3_Instances"
          group_description = "Instance Group for CD3 Instances"
          # Optional 
          # NOTE(review): as rendered, each "=" inside the rule has no attribute name on its left (it appears to have been lost);
          # confirm against a working rule before use. Every principal matched by the listed compartment OCIDs becomes a member,
          # so review which compartments are named here.
          matching_rule     = "Any {Any { = 'ocid1.compartment.oc1..aaaaaaaasfwefuhwkjfew2rrcxx37d5ntq7r53wtaq'},Any { = 'ocid1.compartment.oc1..aaz2ylwikr5rg4slidxzec7aijanq'}}" # Can be null or "" for regular groups

3. Policies

  • Syntax
  policies = {
     ## key - Is a unique value to reference the resources respectively
     key = {
        # Required
        name               = string
        # compartment_id may be an OCID or a "--"-delimited compartment path (see the example below).
        compartment_id     = string
        policy_description = string
        # One IAM policy statement per list element.
        policy_statements  = list(string)

        # Optional
        policy_version_date   = string
        defined_tags          = map 
        freeform_tags         = map 
  • Example:
      # Identity
      # Policies - tfvars
      # Allowed Values:
      # compartment_id can be the ocid or the name of the compartment hierarchy delimited by double hyphens "--"
      # Example : compartment_id = "ocid1.compartment.oc1..aaaaaaaahwwiefb56epvdlzfic6ah6jy3xf3c" or compartment_id = "Network-root-cpt--Network" where "Network-root-cpt" is the parent of "Network" compartment
      # NOTE(review): closing braces for each map are not shown in this rendering; close them in a real tfvars file.
      policies = {
         CD3_Instances_Policy = {
              # Required
              name               = "CD3_Instances_Policy"
              compartment_id     = "root"
              policy_description = "Policy for VMs in CD3 Compartment"
              # NOTE(review): every statement below is scoped "in tenancy", so the dynamic group gets manage on
              # object-, instance-, database- and secret-family across the whole tenancy; narrow to the
              # compartment the instances actually need where the workload allows.
              policy_statements  = [ "Allow dynamic-group CD3_Instances to manage object-family in tenancy" ,"Allow dynamic-group CD3_Instances to manage instance-family in tenancy" ,"Allow dynamic-group CD3_Instances to manage database-family in tenancy" ,"Allow dynamic-group CD3_Instances to manage secret-family in tenancy" ,"Allow dynamic-group CD3_Instances to read all-resources in tenancy"  ]
         IAMAdmins-Policy = {
              # Required
              name        = "IAMAdmins-Policy"
              compartment_id = "root"
              policy_description = "Policy allowing IAMAdmins group to manage IAM resources in tenancy, except changing Administrators group assignments."
              # The "manage groups" statement carves out Administrators and CredAdmins via its where clause,
              # but "manage policies in tenancy" is still granted, so members of IAMAdmins can write policy.
              policy_statements = [ "Allow group IAMAdmins to manage policies in tenancy" ,"Allow group IAMAdmins to manage compartments in tenancy" ,"Allow group IAMAdmins to manage tag-defaults in tenancy" ,"Allow group IAMAdmins to manage tag-namespaces in tenancy" ,"Allow group IAMAdmins to manage orm-stacks in tenancy" ,"Allow group IAMAdmins to manage orm-jobs in tenancy" ,"Allow group IAMAdmins to manage orm-config-source-providers in tenancy" ,"Allow group IAMAdmins to inspect users in tenancy" ,"Allow group IAMAdmins to inspect groups in tenancy" ,"Allow group IAMAdmins to manage groups in tenancy where all { != 'Administrators', != 'CredAdmins'}" ,"Allow group IAMAdmins to inspect identity-providers in tenancy" ,"Allow group IAMAdmins to manage identity-providers in tenancy where any {request.operation = 'AddIdpGroupMapping', request.operation = 'DeleteIdpGroupMapping'}" ,"Allow group IAMAdmins to manage dynamic-groups in tenancy" ,"Allow group IAMAdmins to manage authentication-policies in tenancy" ,"Allow group IAMAdmins to manage network-sources in tenancy" ,"Allow group IAMAdmins to manage quota in tenancy" ,"Allow group IAMAdmins to read audit-events in tenancy" ,"Allow group IAMAdmins to use cloud-shell in tenancy"  ]
              # Optional
              defined_tags = {
                      "Oracle-Tags.CreatedOn"= "2022-03-23T07:19:18.918Z" ,
                      "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"

4. Users

  • Syntax
  users = {
     ## key - Is a unique value to reference the resources respectively
      key = {
      # Required
      name                  = string
      description           = string
      email                 = string
      # Names of groups the user is added to.
      group_membership      = list(string)
      # Capability names to turn off for the user, e.g. "can_use_console_password" (see the example below).
      disable_capabilities  = list(string)

      # Optional
      defined_tags          = map
  • Example:
      # Identity
      # Users - tfvars
      # NOTE(review): closing braces for each map are not shown in this rendering; close them in a real tfvars file.
      users = {
         testUser = {
          # Required
          name                 = "testUser"
          description          = "this is a test user"
          # NOTE(review): email is empty in this sample; confirm what the module requires here.
          email                = ""
          group_membership     = ["OSAdmin","Administrators"]
          # Turns off console-password and customer-secret-key credentials for this user (per the capability names listed).
          disable_capabilities = ["can_use_console_password","can_use_customer_secret_keys"]

          # Optional
              defined_tags = {
                      "Oracle-Tags.CreatedOn"= "2023-05-23T07:19:18.918Z" ,
                      "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"

5. Network Sources

  • Syntax
      networkSources = {
         ## key - Is a unique value to reference the resources respectively
         key = {
            # Required
            name                  = string
            description           = string
            public_source_list    = list(string)
            # Each map carries vcn_name, network_compartment_id and ip_ranges (see the example below).
            virtual_source_list   = list(map)

          # Optional
          defined_tags          = map
  • Example
        # Identity
        # Network Sources - tfvars
        # NOTE(review): closing braces are not shown in this rendering, and the list/map delimiters of
        # virtual_source_list have been lost; restore them in a real tfvars file.
        networkSources = {
           networkSourcesExample = {
            # Required
            name                 = "myNetworkSource"
            description          = "this is a network source"
            # NOTE(review): the empty strings are placeholders; fill in the actual source ranges, as an empty entry is not a usable value.
            public_source_list   = ["",""]
            virtual_source_list  =
                  vcn_name               = ["VCN1"],
                  network_compartment_id = ["NetworkCompartment"],
                  ip_ranges              = [ ""]
                  vcn_name                   = ["VCN2"],
                  network_compartment_id = ["NetworkCompartment"],
                  ip_ranges              = ["", ""]

          # Optional
          defined_tags = {
                  "Oracle-Tags.CreatedOn"= "2023-05-23T07:19:18.918Z" ,
                  "Oracle-Tags.CreatedBy"= "oracleidentitycloudservice/"