创建 IAM 模块

IAM 模块包含组和策略的配置。将每个组和策略定义为配置中的资源，并声明所需的变量。

关于策略和组

要控制用户对拓扑中资源的访问权限，请创建组并分配策略以将所需权限授予每个组。

下表列出了多层体系结构通常需要的组和权限：

组	权限
`DBAdmins`	读取租户中的所有资源。管理数据库资源。
`IAMAdminManagers`	管理用户。管理 `Administrators` 和 `NetSecAdmins` 组。注：Oracle 在您订阅 Oracle Cloud 时创建 `Administrators` 组。此组中的用户具有租户中所有资源的完全访问权限，包括管理用户和组。将成员资格限制到此组。
`IAMManagers`	管理用户。管理除 `Administrators` 和 `NetSecAdmins` 之外的所有组。
`NetworkAdmins`	读取租户中的所有资源。管理除安全列表、Internet 网关、IPSec VPN 连接和客户内部部署设备外的所有网络资源。
`NetSecAdmins`	读取租户中的所有资源。管理安全列表、Internet 网关、客户内部部署设备、IPSec VPN 连接和负载平衡器。使用所有虚拟网络资源。
`ReadOnly`	查看和检查租户。此组适用于不是预期创建或管理任何资源（例如，审计者和培训人）的用户。
`StorageAdmins`	读取租户中的所有资源。管理对象存储和块存储卷资源。
`SysAdmins`	读取租户中的所有资源。管理计算和存储资源。管理划分。使用负载平衡器、子网和 Vnic。

定义组和策略

创建用于定义所需 Oracle Cloud Infrastructure Identity and Access Management 策略和组的 Terraform configuration 文件。

完成 iam 子目录中的以下步骤：

创建一个名为 variables.tf 的文本文件，然后将以下代码粘贴到文件中。
此代码声明此模块中使用的变量。
```
variable "tenancy_ocid" {}
variable "app_tag" {}
variable "environment" {}
```

创建一个名为 groups.tf 的文本文件，然后将以下代码粘贴到文件中。

resource "oci_identity_group" "db_admins" {
  description = "Group for users allowed to manage the databases in the tenancy."
  name        = "DBAdmins.grp"
}
resource "oci_identity_group" "iam_admin_managers" {
  description = "Group for users allowed to modify the Administrators and NetSecAdmins group."
  name        = "IAMAdminManagers.grp"
}

resource "oci_identity_group" "iam_managers" {
  description = "Group for users allowed to modify all users and groups except the Administrators and NetSecAdmin groups."
  name        = "IAMManagers.grp"
}

resource "oci_identity_group" "net_sec_admins" {
  description = "Administrators of the VCNs, but restricted from the following resources: vcns, subnets, route-tables, dhcp-options, drgs, drg-attachments, vnics, vnic-attachments"
  name        = "NetSecAdmins.grp"
}

resource "oci_identity_group" "network_admins" {
  description = "Administrators of the VCNs, but restricted from the following resources: security-lists, internet-gateways, cpes, ipsec-connections"
  name        = "NetworkAdmins.grp"
}

resource "oci_identity_group" "read_only" {
  description = "Groups for users allowed to view and inspect the tenancy configuration; for example, trainees"
  name        = "ReadOnly.grp"
}

resource "oci_identity_group" "storage_admins" {
  description = "Group for users allowed manage the Storage resources in the tenancy."
  name        = "StorageAdmins.grp"
}

resource "oci_identity_group" "sys_admins" {
  description = "Group for users allowed manage the Compute and Storage resources in the tenancy. Tenant administrators should be in this group."
  name        = "SysAdmins.grp"
}

创建一个名为 policies.tf 的文本文件，然后将以下代码粘贴到文件中。

resource "oci_identity_policy" "iam_admin_managers" {
  name           = "IAMAdminManagers.pl"
  description    = "IAMAdminManagers.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = 'Administrators'",
    "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = '${oci_identity_group.net_sec_admins.name}'",
  ]
}

resource "oci_identity_policy" "iam_managers" {
  name           = "IAMManagers.pl"
  description    = "IAMManagers.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage users IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage groups IN TENANCY where all {target.group.name ! = 'Administrators', target.group.name ! = '${oci_identity_group.net_sec_admins.name}'}",
  ]
}

resource "oci_identity_policy" "sys_admins" {
  name           = "SysAdmins.pl"
  description    = "SysAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage instance-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage object-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage volume-family IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use load-balancers IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use subnets IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnics IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnic-attachments IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage compartments in Tenancy where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/, target.compartment.name!=/Shared-Infra-Services/}",
    "ALLOW GROUP ${oci_identity_group.sys_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "storage_admins" {
  name           = "StorageAdmins.pl"
  description    = "StorageAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage object-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage volume-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.storage_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "db_admins" {
  name           = "DBAdmins.pl"
  description    = "DBAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.db_admins.name} manage database-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.db_admins.name} read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "network_admins" {
  name           = "NetworkAdmins.pl"
  description    = "NetworkAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vcns IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage subnets IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage route-tables IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage dhcp-options IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage drgs IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connects IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connect-groups IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage virtual-circuits IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnics IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnic-attachments IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage load-balancers IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to use virtual-network-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.network_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "net_sec_admins" {
  name           = "NetSecAdmins.pl"
  description    = "NetSecAdmins.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = [
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage security-lists IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage internet-gateways IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage cpes IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage ipsec-connections IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to use virtual-network-family IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage load-balancers IN TENANCY",
    "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to read all-resources IN TENANCY",
  ]
}

resource "oci_identity_policy" "read_only" {
  name           = "ReadOnly.pl"
  description    = "ReadOnly.pl"
  compartment_id = "${var.tenancy_ocid}"

  statements = ["ALLOW GROUP ${oci_identity_group.read_only.name} to read all-resources IN TENANCY"]
}

创建一个名为 iam_outputs.tf 的文件，然后将以下代码粘贴到文件中。

此代码会导致 Terraform 在创建之后显示资源 ID。

output "db_admins_id" {
  value = "${oci_identity_group.db_admins.id}"
}

output "iam_admin_managers_id" {
  value = "${oci_identity_group.iam_admin_managers.id}"
}

output "iam_managers_id" {
  value = "${oci_identity_group.iam_managers.id}"
}

output "net_sec_admins_id" {
  value = "${oci_identity_group.net_sec_admins.id}"
}

output "network_admins_id" {
  value = "${oci_identity_group.network_admins.id}"
}

output "read_only_id" {
  value = "${oci_identity_group.read_only.id}"
}

output "storage_admins_id" {
  value = "${oci_identity_group.storage_admins.id}"
}

output "sys_admins_id" {
  value = "${oci_identity_group.sys_admins.id}"
}