Create the IAM Module

The IAM module contains the configuration of the groups and policies. Define each group and policy as a resource in the configuration and declare the variables it needs.

About Policies and Groups

To control user access to the resources in the topology, create groups and assign policies that grant each group the permissions it needs.

The following table shows the groups and permissions that are typically required for a multi-tier architecture:

Group            Permissions

DBAdmins
  • Read all resources in the tenancy.
  • Manage database resources.
IAMAdminManagers
  • Manage users.
  • Manage the Administrators and NetSecAdmins groups.

Note: Oracle creates the Administrators group when you subscribe to Oracle Cloud. Users in this group have full access to all resources in the tenancy, including the management of users and groups. Limit the membership of this group.

IAMManagers
  • Manage users.
  • Manage all groups except Administrators and NetSecAdmins.
NetworkAdmins
  • Read all resources in the tenancy.
  • Manage all network resources except security lists, internet gateways, IPSec VPN connections, and customer-premises equipment (CPE).
NetSecAdmins
  • Read all resources in the tenancy.
  • Manage security lists, internet gateways, customer-premises equipment (CPE), IPSec VPN connections, and load balancers.
  • Use all virtual network resources.
ReadOnly
  • View and inspect the tenancy. This group is for users who are not expected to create or manage any resources (for example, auditors and trainees).
StorageAdmins
  • Read all resources in the tenancy.
  • Manage object storage and block volume resources.
SysAdmins
  • Read all resources in the tenancy.
  • Manage compute and storage resources.
  • Manage compartments.
  • Use load balancers, subnets, and VNICs.

Defining Groups and Policies

Create the Terraform configuration files that define the required Oracle Cloud Infrastructure Identity and Access Management groups and policies.

Perform the following steps in the iam subdirectory:

  1. Create a text file named variables.tf and paste the following code into the file.
    This code declares the variables used in this module.
    variable "tenancy_ocid" {}
    variable "app_tag" {}
    variable "environment" {}
  2. Create a text file named groups.tf and paste the following code into the file.
    resource "oci_identity_group" "db_admins" {
      description = "Group for users allowed to manage the databases in the tenancy."
      name        = "DBAdmins.grp"
    }
    resource "oci_identity_group" "iam_admin_managers" {
      description = "Group for users allowed to modify the Administrators and NetSecAdmins group."
      name        = "IAMAdminManagers.grp"
    }
    
    resource "oci_identity_group" "iam_managers" {
      description = "Group for users allowed to modify all users and groups except the Administrators and NetSecAdmins groups."
      name        = "IAMManagers.grp"
    }
    
    resource "oci_identity_group" "net_sec_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: vcns, subnets, route-tables, dhcp-options, drgs, drg-attachments, vnics, vnic-attachments"
      name        = "NetSecAdmins.grp"
    }
    
    resource "oci_identity_group" "network_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: security-lists, internet-gateways, cpes, ipsec-connections"
      name        = "NetworkAdmins.grp"
    }
    
    resource "oci_identity_group" "read_only" {
      description = "Group for users allowed to view and inspect the tenancy configuration; for example, trainees"
      name        = "ReadOnly.grp"
    }
    
    resource "oci_identity_group" "storage_admins" {
      description = "Group for users allowed to manage the Storage resources in the tenancy."
      name        = "StorageAdmins.grp"
    }
    
    resource "oci_identity_group" "sys_admins" {
      description = "Group for users allowed to manage the Compute and Storage resources in the tenancy. Tenant administrators should be in this group."
      name        = "SysAdmins.grp"
    }
  3. Create a text file named policies.tf and paste the following code into the file.
    resource "oci_identity_policy" "iam_admin_managers" {
      name           = "IAMAdminManagers.pl"
      description    = "IAMAdminManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = 'Administrators'",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = '${oci_identity_group.net_sec_admins.name}'",
      ]
    }
    
    resource "oci_identity_policy" "iam_managers" {
      name           = "IAMManagers.pl"
      description    = "IAMManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage users IN TENANCY",
        # Every group except the two privileged ones, which only IAMAdminManagers may change
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage groups IN TENANCY where all {target.group.name != 'Administrators', target.group.name != '${oci_identity_group.net_sec_admins.name}'}",
      ]
    }
    
    resource "oci_identity_policy" "sys_admins" {
      name           = "SysAdmins.pl"
      description    = "SysAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage instance-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage object-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage volume-family IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use load-balancers IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use subnets IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnics IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnic-attachments IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage compartments IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/, target.compartment.name!=/Shared-Infra-Services/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "storage_admins" {
      name           = "StorageAdmins.pl"
      description    = "StorageAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage object-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage volume-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "db_admins" {
      name           = "DBAdmins.pl"
      description    = "DBAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.db_admins.name} to manage database-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.db_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "network_admins" {
      name           = "NetworkAdmins.pl"
      description    = "NetworkAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vcns IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage subnets IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage route-tables IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage dhcp-options IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage drgs IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connects IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connect-groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage virtual-circuits IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnics IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnic-attachments IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "net_sec_admins" {
      name           = "NetSecAdmins.pl"
      description    = "NetSecAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage security-lists IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage internet-gateways IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage cpes IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage ipsec-connections IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "read_only" {
      name           = "ReadOnly.pl"
      description    = "ReadOnly.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = ["ALLOW GROUP ${oci_identity_group.read_only.name} to read all-resources IN TENANCY"]
    }
  4. Create a file named iam_outputs.tf and paste the following code into the file.
    This code causes Terraform to display the IDs of the resources after creating them.
    output "db_admins_id" {
      value = "${oci_identity_group.db_admins.id}"
    }
    
    output "iam_admin_managers_id" {
      value = "${oci_identity_group.iam_admin_managers.id}"
    }
    
    output "iam_managers_id" {
      value = "${oci_identity_group.iam_managers.id}"
    }
    
    output "net_sec_admins_id" {
      value = "${oci_identity_group.net_sec_admins.id}"
    }
    
    output "network_admins_id" {
      value = "${oci_identity_group.network_admins.id}"
    }
    
    output "read_only_id" {
      value = "${oci_identity_group.read_only.id}"
    }
    
    output "storage_admins_id" {
      value = "${oci_identity_group.storage_admins.id}"
    }
    
    output "sys_admins_id" {
      value = "${oci_identity_group.sys_admins.id}"
    }
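The split between IAMAdminManagers and IAMManagers in policies.tf rests entirely on the where clauses of the "manage groups" statements. The following added example (not part of the module above) parses statements in the form used there and reports which groups a given IAM group can be managed by, so the intended restriction on Administrators and NetSecAdmins can be checked before applying the configuration. The statement list is constructed from policies.tf with the Terraform interpolations resolved to the names set in groups.tf.

```python
import re

# Grammar of the statements in policies.tf (OCI policy keywords are case-insensitive).
STATEMENT_RE = re.compile(
    r"^ALLOW GROUP (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) IN TENANCY(?: where (?P<where>.+))?$",
    re.IGNORECASE,
)

def parse_statement(stmt):
    """Split one statement into group, verb, resource type and optional condition."""
    m = STATEMENT_RE.match(stmt.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    parsed = m.groupdict()
    parsed["verb"] = parsed["verb"].lower()
    parsed["resource"] = parsed["resource"].lower()
    return parsed

def manages_group(parsed, group_name):
    """True if a 'manage groups' statement covers the IAM group `group_name`.
    Handles the three condition shapes used in policies.tf: none, = 'X', and all {!= 'X', ...}."""
    if parsed["verb"] != "manage" or parsed["resource"] != "groups":
        return False
    where = parsed["where"]
    if where is None:  # unconditional: every group, Administrators included
        return True
    allowed = re.findall(r"target\.group\.name\s*=\s*'([^']+)'", where)
    if allowed:        # allow-list: only the named groups
        return group_name in allowed
    denied = re.findall(r"target\.group\.name\s*!=\s*'([^']+)'", where)
    return group_name not in denied   # deny-list: everything except the named groups

def groups_that_can_manage(statements, target_group):
    """Sorted names of the groups that any statement lets manage `target_group`."""
    return sorted({p["group"] for p in map(parse_statement, statements)
                   if manages_group(p, target_group)})

# Constructed sample: the IAM statements from policies.tf with the Terraform
# interpolations resolved to the group names assigned in groups.tf.
SAMPLE_STATEMENTS = [
    "ALLOW GROUP IAMAdminManagers.grp to manage users IN TENANCY",
    "ALLOW GROUP IAMAdminManagers.grp to manage groups IN TENANCY where target.group.name = 'Administrators'",
    "ALLOW GROUP IAMAdminManagers.grp to manage groups IN TENANCY where target.group.name = 'NetSecAdmins.grp'",
    "ALLOW GROUP IAMManagers.grp to manage users IN TENANCY",
    "ALLOW GROUP IAMManagers.grp to manage groups IN TENANCY where all {target.group.name != 'Administrators', target.group.name != 'NetSecAdmins.grp'}",
    "ALLOW GROUP ReadOnly.grp to read all-resources IN TENANCY",
]
```

Calling groups_that_can_manage(SAMPLE_STATEMENTS, "Administrators") returns ['IAMAdminManagers.grp']; a "manage groups" statement without a where clause added by mistake would show up in that list immediately.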