updated policies for EBS

JBAnderson5 · JBAnderson5 · commit 60342c01da01 · 2022-09-27T15:09:38.000-07:00
diff --git a/cloud-foundation/modules/cloud-foundation-library/identity/module/application.tf b/cloud-foundation/modules/cloud-foundation-library/identity/module/application.tf
@@ -75,47 +75,23 @@ locals {
         "manage ons-family", "manage alarms", "manage metrics", "manage logs", "manage cloudevents-rules",
         # Resource manager
         "manage orm-stacks", "manage orm-jobs", "manage orm-config-source-providers",
+        #File Storage Service
+        "manage file-systems", "manage export-sets",
 
         # read 
         "read all-resources", "read audit-events", "read work-requests",  "read instance-agent-plugins"
     ] ),
 
     var.application_type == "ebs" #adds additional database policy grants needed for ebs admins
         ? formatlist ("allow group %%s to %s in compartment %%s",[
-            "manage database-family", "manage autonomous-database-family",
+            "manage database-family", "manage autonomous-database-family", "manage load-balancers", "manage tag-namespaces"
         ]) 
         : []
         
-    ) # TODO: make clear seperation of Landing Zone statements and CM statements
-
-
-
- # TODO: clean up documentation
- 
-    # taken from EBS demo stack     -- https://docs.oracle.com/cd/E26401_01/doc.122/f35809/T679330T679339.htm#T679469
-    ebscm_statements = concat ( 
-        local.app_statements, 
-        formatlist("allow group %%s to %s in compartment %%s",[
-            "manage load-balancers", "manage tag-namespaces",  
-            "manage database-family" # not in docs but I think is necessary to create an ebs environment
-        ]),
-        var.with_identity_domains ? ["allow group %%s to use domains in compartment %%s"] : [] #docs say scope to tenancy
     )
 
-    /*
-    #tenancy
-        formatlist( "allow group ${oci_identity_group.application[0].name} to %s in tenancy", [
-        "manage buckets", "manage objects", "manage app-catalog-listing", "inspect compartments",
-        "inspect users", "inspect groups", "use tag-namespaces"
-    ]),
-        formatlist( "allow group ${oci_identity_group.application[0].name} to %s in compartment ${oci_identity_compartment.application[0].name}", [
-        "manage database-family", "manage instance-family", "manage load-balancers",
-        "manage tag-namespaces", "manage virtual-network-family", "manage volume-family"
-    ]),
-    */
-
 
-    applied_statement = local.app_statements #TODO add support for ebs application type
+    applied_statement = local.app_statements
 
 }
 
diff --git a/cloud-foundation/modules/cloud-foundation-library/identity/module/general.tf b/cloud-foundation/modules/cloud-foundation-library/identity/module/general.tf
@@ -27,6 +27,8 @@ resource "oci_identity_policy" "general" {
   description    = "general policy applying to any user"
   name           = "general"
   statements     = concat(formatlist("allow any-user to %s in tenancy", [
-      "read app-catalog-listing", "read instance-images", "read repos", "inspect users", "inspect groups", "inspect dynamic-groups"
-    ]))
+      "inspect buckets", "inspect compartments", "read app-catalog-listing", "read instance-images", "read repos", "inspect users", "inspect groups", "inspect dynamic-groups"
+    ]),
+    "allow any-user to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle-Tags'"
+    )
 }
diff --git a/cloud-foundation/modules/cloud-foundation-library/identity/module/network.tf b/cloud-foundation/modules/cloud-foundation-library/identity/module/network.tf
@@ -76,7 +76,9 @@ resource "oci_identity_policy" "network" {
       ]),
       # network users in network compartment
       formatlist("allow group ${oci_identity_group.network_service[0].name} to %s in compartment ${oci_identity_compartment.network[0].name}", [
-        "read virtual-network-family", "use subnets", "use network-security-groups", "use vnics", "use load-balancers"
+        "use virtual-network-family",
+        # File Storage Service
+        "manage export-sets", "use mount-targets", "use file-systems"
       ]),
     )
 }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,9 @@ resource "oci_identity_policy" "network" {`
`76`	`76`	`]),`
`77`	`77`	`# network users in network compartment`
`78`	`78`	`formatlist("allow group ${oci_identity_group.network_service[0].name} to %s in compartment ${oci_identity_compartment.network[0].name}", [`
`79`		`- "read virtual-network-family", "use subnets", "use network-security-groups", "use vnics", "use load-balancers"`
	`79`	`+ "use virtual-network-family",`
	`80`	`+ # File Storage Service`
	`81`	`+ "manage export-sets", "use mount-targets", "use file-systems"`
`80`	`82`	`]),`
`81`	`83`	`)`
`82`	`84`	`}`