IAM-Modul erstellen

Das IAM-Modul enthält die Konfiguration für die Gruppen und Policys. Definieren Sie jede Gruppe und Policy als Ressource in der Konfiguration, und deklarieren Sie die erforderlichen Variablen.

Policys und Gruppen

Um den Benutzerzugriff auf die Ressourcen in Ihrer Topologie zu steuern, erstellen Sie Gruppen, und weisen Sie Policys zu, um jeder Gruppe die erforderlichen Berechtigungen zu erteilen.

In der folgenden Tabelle werden die erforderlichen Gruppen und Berechtigungen für eine Multitier-Architektur aufgeführt:

Gruppieren Berechtigungen
DBAdmins
  • Lesen Sie alle Ressourcen in den Mandanten.
  • Datenbankressourcen verwalten
IAMAdminManagers
  • Benutzer verwalten.
  • Verwalten Sie die Gruppen Administrators und NetSecAdmins.

Hinweis : Oracle erstellt die Gruppe Administrators, wenn Sie Oracle Cloud abonnieren. Die Benutzer in dieser Gruppe haben vollständigen Zugriff auf alle Ressourcen im Mandanten, einschließlich der Verwaltung von Benutzern und Gruppen. Beschränken Sie die Mitgliedschaft auf diese Gruppe.

IAMManagers
  • Benutzer verwalten.
  • Verwalten Sie alle Gruppen mit Ausnahme von Administrators und NetSecAdmins.
NetworkAdmins
  • Lesen Sie alle Ressourcen in den Mandanten.
  • Verwalten Sie alle Netzwerkressourcen, mit Ausnahme von Sicherheitslisten, Internetgateways, IPSec-VPN-Verbindungen und Customer Premise.
NetSecAdmins
  • Lesen Sie alle Ressourcen in den Mandanten.
  • Verwalten Sie Sicherheitslisten, Internetgateways, Customer Premise Equipment, IPSec-VPN-Verbindungen und Load Balancer.
  • Alle virtuellen Netzwerkressourcen verwenden.
ReadOnly Zeigen Sie den Mandanten an, und prüfen Sie ihn. Diese Gruppe ist für Benutzer gedacht, die keine Ressourcen erstellen oder verwalten (z.B. Auditor und Schulungen).
StorageAdmins
  • Lesen Sie alle Ressourcen in den Mandanten.
  • Verwalten Sie die Ressourcen des Objektspeichers und des Block-Volumes.
SysAdmins
  • Lesen Sie alle Ressourcen in den Mandanten.
  • Verwalten Sie die Compute- und Speicherressourcen.
  • Verwalten Sie Compartments.
  • Load Balancer, Subnetze und VNICs verwenden.

Gruppen und Policys definieren

Erstellen Sie die Terraform-Konfigurationsdateien, die die erforderlichen Oracle Cloud Infrastructure Identity and Access Management-Policys und -Gruppen definieren.

Führen Sie die folgenden Schritte im Unterverzeichnis iam aus:

  1. Erstellen Sie eine Textdatei mit dem Namen variables.tf, und fügen Sie den folgenden Code in die Datei ein.
    Dieser Code deklariert die in diesem Modul verwendeten Variablen.
    variable "tenancy_ocid" {}
    variable "app_tag" {}
    variable "environment" {}
  2. Erstellen Sie eine Textdatei mit dem Namen groups.tf, und fügen Sie den folgenden Code in die Datei ein.
    resource "oci_identity_group" "db_admins" {
      description = "Group for users allowed to manage the databases in the tenancy."
      name        = "DBAdmins.grp"
    }
    resource "oci_identity_group" "iam_admin_managers" {
      description = "Group for users allowed to modify the Administrators and NetSecAdmins group."
      name        = "IAMAdminManagers.grp"
    }
    
    resource "oci_identity_group" "iam_managers" {
      description = "Group for users allowed to modify all users and groups except the Administrators and NetSecAdmin groups."
      name        = "IAMManagers.grp"
    }
    
    resource "oci_identity_group" "net_sec_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: vcns, subnets, route-tables, dhcp-options, drgs, drg-attachments, vnics, vnic-attachments"
      name        = "NetSecAdmins.grp"
    }
    
    resource "oci_identity_group" "network_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: security-lists, internet-gateways, cpes, ipsec-connections"
      name        = "NetworkAdmins.grp"
    }
    
    resource "oci_identity_group" "read_only" {
      description = "Groups for users allowed to view and inspect the tenancy configuration; for example, trainees"
      name        = "ReadOnly.grp"
    }
    
    resource "oci_identity_group" "storage_admins" {
      description = "Group for users allowed manage the Storage resources in the tenancy."
      name        = "StorageAdmins.grp"
    }
    
    resource "oci_identity_group" "sys_admins" {
      description = "Group for users allowed manage the Compute and Storage resources in the tenancy. Tenant administrators should be in this group."
      name        = "SysAdmins.grp"
    }
  3. Erstellen Sie eine Textdatei mit dem Namen policies.tf, und fügen Sie den folgenden Code in die Datei ein.
    resource "oci_identity_policy" "iam_admin_managers" {
      name           = "IAMAdminManagers.pl"
      description    = "IAMAdminManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = 'Administrators'",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = '${oci_identity_group.net_sec_admins.name}'",
      ]
    }
    
    resource "oci_identity_policy" "iam_managers" {
      name           = "IAMManagers.pl"
      description    = "IAMManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage groups IN TENANCY where all {target.group.name ! = 'Administrators', target.group.name ! = '${oci_identity_group.net_sec_admins.name}'}",
      ]
    }
    
    resource "oci_identity_policy" "sys_admins" {
      name           = "SysAdmins.pl"
      description    = "SysAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage instance-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage object-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage volume-family IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use load-balancers IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use subnets IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnics IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnic-attachments IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage compartments in Tenancy where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/, target.compartment.name!=/Shared-Infra-Services/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "storage_admins" {
      name           = "StorageAdmins.pl"
      description    = "StorageAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage object-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage volume-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "db_admins" {
      name           = "DBAdmins.pl"
      description    = "DBAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.db_admins.name} manage database-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.db_admins.name} read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "network_admins" {
      name           = "NetworkAdmins.pl"
      description    = "NetworkAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vcns IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage subnets IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage route-tables IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage dhcp-options IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage drgs IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connects IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connect-groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage virtual-circuits IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnics IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnic-attachments IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "net_sec_admins" {
      name           = "NetSecAdmins.pl"
      description    = "NetSecAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage security-lists IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage internet-gateways IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage cpes IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage ipsec-connections IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "read_only" {
      name           = "ReadOnly.pl"
      description    = "ReadOnly.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = ["ALLOW GROUP ${oci_identity_group.read_only.name} to read all-resources IN TENANCY"]
    }
  4. Erstellen Sie eine Datei namens iam_outputs.tf, und fügen Sie den folgenden Code in die Datei ein.
    Dieser Code führt dazu, dass Terraform nach der Erstellung die IDs der Ressourcen anzeigt.
    output "db_admins_id" {
      value = "${oci_identity_group.db_admins.id}"
    }
    
    output "iam_admin_managers_id" {
      value = "${oci_identity_group.iam_admin_managers.id}"
    }
    
    output "iam_managers_id" {
      value = "${oci_identity_group.iam_managers.id}"
    }
    
    output "net_sec_admins_id" {
      value = "${oci_identity_group.net_sec_admins.id}"
    }
    
    output "network_admins_id" {
      value = "${oci_identity_group.network_admins.id}"
    }
    
    output "read_only_id" {
      value = "${oci_identity_group.read_only.id}"
    }
    
    output "storage_admins_id" {
      value = "${oci_identity_group.storage_admins.id}"
    }
    
    output "sys_admins_id" {
      value = "${oci_identity_group.sys_admins.id}"
    }