Create Policies and Groups

Policies and groups control access to resources within the tenancy.

About Policies and Groups

To manage access to resources, policies are applied to users that are members of a groups. Policies control access to resources.

The policy profiles apply the following criteria on the members of the group:

ReadOnly policy: The ReadOnly policy is applied to members of the ReadOnly group. The ReadOnly group is used by auditors and new members. Members have read-only access to all resources in the tenancy, and cannot use or manage any other resources. This policy is the most restrictive.
DBAdmin policy: The DBAdmin policy is applied to members of the DBAdmins group. The members of this policy and group have read access to all resources in the tenancy and can manage and use resources that are part of the database family.
IAMAdminManager policy: The IAMAdminManager policy is applied to members of the IAMAdminManagers group. Members of the group determine which users can be members of the Administrator and NetSecAdmins groups.
StorageAdmin policy: The StorageAdmin policy is applied to members of the StorageAdmin group. Members of this group can manage objects and volumes in the tenancy. They also have read-only access to all other objects in the tenancy.
NetworkAdmin policy: The NetworkAdmin policy applies to members of the NetworkAdmin group. This group can manage network resources in the tenancy, and can use virtual network resources. They also have read-only access to all other objects in the tenancy.
SysAdmin policy: The SysAdmin policy applies to members of the SysAdmin group. Members of this group can manage non-network instances, objects, volumes and compartments in the tenancy. They can use non-network subnets, virtual network interface cards (VNICs), VNIC attachments, and load balancer instances in the tenancy. They have read-only access to all other objects in the tenancy.

Define the Policies and Groups Variables

Create the identity and access management (IAM) module configuration files that define policies and groups.

Change directories to the iam folder.

Create a text file named policies.tf and copy the following code into the file.

resource "oci_identity_policy" "iam_admin_managers" {
  name           = "IAMAdminManagers.pl"
  description    = "IAMAdminManagers.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = 'Administrators'",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = '${oci_identity_group.net_sec_admins.name}'",
  ]
}

resource "oci_identity_policy" "iam_managers" {
  name           = "IAMManagers.pl"
  description    = "IAMManagers.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage groups IN TENANCY where all {target.group.name ! = 'Administrators', target.group.name ! = '${oci_identity_group.net_sec_admins.name}'}",
  ]
}

resource "oci_identity_policy" "sys_admins" {
  name           = "SysAdmins.pl"
  description    = "SysAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage instance-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage object-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage volume-family IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use load-balancers IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use subnets IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnics IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnic-attachments IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage compartments in Tenancy where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/, target.compartment.name!=/Shared-Infra-Services/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "storage_admins" {
  name           = "StorageAdmins.pl"
  description    = "StorageAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage object-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage volume-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "db_admins" {
  name           = "DBAdmins.pl"
  description    = "DBAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.db_admins.name} manage database-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.db_admins.name} read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "network_admins" {
  name           = "NetworkAdmins.pl"
  description    = "NetworkAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vcns IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage subnets IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage route-tables IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage dhcp-options IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage drgs IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connects IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connect-groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage virtual-circuits IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnics IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnic-attachments IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage load-balancers IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to use virtual-network-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "net_sec_admins" {
  name           = "NetSecAdmins.pl"
  description    = "NetSecAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage security-lists IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage internet-gateways IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage cpes IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage ipsec-connections IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to use virtual-network-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage load-balancers IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "read_only" {
  name           = "ReadOnly.pl"
  description    = "ReadOnly.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = ["ALLOW GROUP ${oci_identity_group.read_only.name} to read all-resources IN TENANCY"]
}

Create a text file named groups.tf and copy the following code into the file.

resource "oci_identity_group" "db_admins" {
  description = "Group for users allowed manage the Database resources in the tenancy."
  name        = "DBAdmins.grp"
}
resource "oci_identity_group" "iam_admin_managers" {
  description = "Group for users allowed to modify the Administrators and NetSecAdmins group."
  name        = "IAMAdminManagers.grp"
}

resource "oci_identity_group" "iam_managers" {
  description = "Group for users allowed to modify all users groups except the Administrators and NetSecAdmin group."
  name        = "IAMManagers.grp"
}

resource "oci_identity_group" "net_sec_admins" {
  description = "Administrators of the VCN’s, but restricted from the follow resources: vcns, subnets, route-tables, dhcp-options, drgs, drg-attachments, vnics, vnic-attachments."
  name        = "NetSecAdmins.grp"
}

resource "oci_identity_group" "network_admins" {
  description = "Administrators of the VCN’s, but restricted from the follow resources: security-lists, internet-gateways, cpes, ipsec-connections."
  name        = "NetworkAdmins.grp"
}

resource "oci_identity_group" "read_only" {
  description = "Viewing & Inspecting the tenancy configuration. Aim at Management and users in training before getting read/write access."
  name        = "ReadOnly.grp"
}

resource "oci_identity_group" "shared_infra_services_admins" {
  description = "Group Responsible for Managing the Shared-Infra-Services in the Tenancy."
  name        = "SharedInfraServicesAdmins.grp"
}

resource "oci_identity_group" "storage_admins" {
  description = "Group for users allowed manage the Storage resources in the tenancy."
  name        = "StorageAdmins.grp"
}

resource "oci_identity_group" "sys_admins" {
  description = "Group for users allowed manage the Compute and Storage resources in the tenancy. Tenant administrators should be in this group."
  name        = "SysAdmins.grp"
}

Build the Policies and Groups Terraform Configuration

Create the Terraform configuration files to define variables that are passed from the root file to the iam module and to report data to the Terraform user.

In the vcn folder, create a text file named variables.tf and copy the following code into the file.
```
variable "tenancy_ocid" {}

variable "app_tag" {}

variable "environment" {}
```

Create a file named iam_outputs.tf and copy the following code into the file.

"output" "db_admins_id" {
  "value" = "${oci_identity_group.db_admins.id}"
}

"output" "iam_admin_managers_id" {
  "value" = "${oci_identity_group.iam_admin_managers.id}"
}

"output" "iam_managers_id" {
  "value" = "${oci_identity_group.iam_managers.id}"
}

"output" "net_sec_admins_id" {
  "value" = "${oci_identity_group.net_sec_admins.id}"
}

"output" "network_admins_id" {
  "value" = "${oci_identity_group.network_admins.id}"
}

"output" "read_only_id" {
  "value" = "${oci_identity_group.read_only.id}"
}

"output" "shared_infra_services_admins_id" {
  "value" = "${oci_identity_group.shared_infra_services_admins.id}"
}

"output" "storage_admins_id" {
  "value" = "${oci_identity_group.storage_admins.id}"
}

"output" "sys_admins_id" {
  "value" = "${oci_identity_group.sys_admins.id}"
}