创建 IAM 模块

IAM 模块包含组和策略的配置。将每个组和策略定义为配置中的资源,并声明所需的变量。

关于策略和组

要控制用户对拓扑中资源的访问权限,请创建组并分配策略以将所需权限授予每个组。

下表列出了多层体系结构通常需要的组和权限:

权限
DBAdmins
  • 读取租户中的所有资源。
  • 管理数据库资源。
IAMAdminManagers
  • 管理用户。
  • 管理 AdministratorsNetSecAdmins 组。

:Oracle 在您订阅 Oracle Cloud 时创建 Administrators 组。此组中的用户具有租户中所有资源的完全访问权限,包括管理用户和组。将成员资格限制到此组。

IAMManagers
  • 管理用户。
  • 管理除 AdministratorsNetSecAdmins 之外的所有组。
NetworkAdmins
  • 读取租户中的所有资源。
  • 管理除安全列表、Internet 网关、IPSec VPN 连接和客户内部部署设备外的所有网络资源。
NetSecAdmins
  • 读取租户中的所有资源。
  • 管理安全列表、Internet 网关、客户内部部署设备、IPSec VPN 连接和负载平衡器。
  • 使用所有虚拟网络资源。
ReadOnly 查看和检查租户。此组适用于不是预期创建或管理任何资源(例如,审计者和培训人)的用户。
StorageAdmins
  • 读取租户中的所有资源。
  • 管理对象存储和块存储卷资源。
SysAdmins
  • 读取租户中的所有资源。
  • 管理计算和存储资源。
  • 管理划分。
  • 使用负载平衡器、子网和 Vnic。

定义组和策略

创建用于定义所需 Oracle Cloud Infrastructure Identity and Access Management 策略和组的 Terraform configuration 文件。

完成 iam 子目录中的以下步骤:

  1. 创建一个名为 variables.tf 的文本文件,然后将以下代码粘贴到文件中。
    此代码声明此模块中使用的变量。
    variable "tenancy_ocid" {}
    variable "app_tag" {}
    variable "environment" {}
  2. 创建一个名为 groups.tf 的文本文件,然后将以下代码粘贴到文件中。
    resource "oci_identity_group" "db_admins" {
      description = "Group for users allowed to manage the databases in the tenancy."
      name        = "DBAdmins.grp"
    }
    resource "oci_identity_group" "iam_admin_managers" {
      description = "Group for users allowed to modify the Administrators and NetSecAdmins group."
      name        = "IAMAdminManagers.grp"
    }
    
    resource "oci_identity_group" "iam_managers" {
      description = "Group for users allowed to modify all users and groups except the Administrators and NetSecAdmin groups."
      name        = "IAMManagers.grp"
    }
    
    resource "oci_identity_group" "net_sec_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: vcns, subnets, route-tables, dhcp-options, drgs, drg-attachments, vnics, vnic-attachments"
      name        = "NetSecAdmins.grp"
    }
    
    resource "oci_identity_group" "network_admins" {
      description = "Administrators of the VCNs, but restricted from the following resources: security-lists, internet-gateways, cpes, ipsec-connections"
      name        = "NetworkAdmins.grp"
    }
    
    resource "oci_identity_group" "read_only" {
      description = "Groups for users allowed to view and inspect the tenancy configuration; for example, trainees"
      name        = "ReadOnly.grp"
    }
    
    resource "oci_identity_group" "storage_admins" {
      description = "Group for users allowed manage the Storage resources in the tenancy."
      name        = "StorageAdmins.grp"
    }
    
    resource "oci_identity_group" "sys_admins" {
      description = "Group for users allowed manage the Compute and Storage resources in the tenancy. Tenant administrators should be in this group."
      name        = "SysAdmins.grp"
    }
  3. 创建一个名为 policies.tf 的文本文件,然后将以下代码粘贴到文件中。
    resource "oci_identity_policy" "iam_admin_managers" {
      name           = "IAMAdminManagers.pl"
      description    = "IAMAdminManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = 'Administrators'",
        "ALLOW GROUP ${oci_identity_group.iam_admin_managers.name} to manage groups IN TENANCY where target.group.name = '${oci_identity_group.net_sec_admins.name}'",
      ]
    }
    
    resource "oci_identity_policy" "iam_managers" {
      name           = "IAMManagers.pl"
      description    = "IAMManagers.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to read groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage users IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.iam_managers.name} to manage groups IN TENANCY where all {target.group.name ! = 'Administrators', target.group.name ! = '${oci_identity_group.net_sec_admins.name}'}",
      ]
    }
    
    resource "oci_identity_policy" "sys_admins" {
      name           = "SysAdmins.pl"
      description    = "SysAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage instance-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage object-family IN TENANCY where all {target.compartment.name=/*/, target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage volume-family IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use load-balancers IN TENANCY where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use subnets IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnics IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to use vnic-attachments IN TENANCY where target.compartment.name=/${var.app_tag}_${var.environment}_networks/",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to manage compartments in Tenancy where all {target.compartment.name=/*/ , target.compartment.name!=/${var.app_tag}_${var.environment}_networks/, target.compartment.name!=/Shared-Infra-Services/}",
        "ALLOW GROUP ${oci_identity_group.sys_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "storage_admins" {
      name           = "StorageAdmins.pl"
      description    = "StorageAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage object-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to manage volume-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.storage_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "db_admins" {
      name           = "DBAdmins.pl"
      description    = "DBAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.db_admins.name} manage database-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.db_admins.name} read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "network_admins" {
      name           = "NetworkAdmins.pl"
      description    = "NetworkAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vcns IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage subnets IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage route-tables IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage dhcp-options IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage drgs IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connects IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage cross-connect-groups IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage virtual-circuits IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnics IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage vnic-attachments IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.network_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "net_sec_admins" {
      name           = "NetSecAdmins.pl"
      description    = "NetSecAdmins.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = [
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage security-lists IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage internet-gateways IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage cpes IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage ipsec-connections IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to use virtual-network-family IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to manage load-balancers IN TENANCY",
        "ALLOW GROUP ${oci_identity_group.net_sec_admins.name} to read all-resources IN TENANCY",
      ]
    }
    
    resource "oci_identity_policy" "read_only" {
      name           = "ReadOnly.pl"
      description    = "ReadOnly.pl"
      compartment_id = "${var.tenancy_ocid}"
    
      statements = ["ALLOW GROUP ${oci_identity_group.read_only.name} to read all-resources IN TENANCY"]
    }
  4. 创建一个名为 iam_outputs.tf 的文件,然后将以下代码粘贴到文件中。
    此代码会导致 Terraform 在创建之后显示资源 ID。
    output "db_admins_id" {
      value = "${oci_identity_group.db_admins.id}"
    }
    
    output "iam_admin_managers_id" {
      value = "${oci_identity_group.iam_admin_managers.id}"
    }
    
    output "iam_managers_id" {
      value = "${oci_identity_group.iam_managers.id}"
    }
    
    output "net_sec_admins_id" {
      value = "${oci_identity_group.net_sec_admins.id}"
    }
    
    output "network_admins_id" {
      value = "${oci_identity_group.network_admins.id}"
    }
    
    output "read_only_id" {
      value = "${oci_identity_group.read_only.id}"
    }
    
    output "storage_admins_id" {
      value = "${oci_identity_group.storage_admins.id}"
    }
    
    output "sys_admins_id" {
      value = "${oci_identity_group.sys_admins.id}"
    }