1+ resource "oci_identity_policy" "clusters_policy" {
2+ count = var. create_iam ? 1 : 0
3+ compartment_id = var. tenancy_ocid
4+ description = " Policy for cluster ${ local . cluster_name } "
5+ name = " cluster-policy-${ local . cluster_name } "
6+ statements = [
7+ " allow service compute_management to use tag-namespace in tenancy" ,
8+ " allow service compute_management to manage compute-management-family in tenancy" ,
9+ " allow service compute_management to read app-catalog-listing in tenancy"
10+ ]
11+ }
12+
13+ resource "oci_identity_policy" "cluster_policy" {
14+ count = var. create_dynamic_group ? 1 : 0
15+ compartment_id = var. tenancy_ocid
16+ description = " Policy for cluster ${ local . cluster_name } "
17+ name = " cluster-policy-${ local . cluster_name } "
18+ statements = [
19+ " Allow dynamic-group ${ local . dynamic_group_name } to manage app-catalog-listing in tenancy" ,
20+ " Allow dynamic-group ${ local . dynamic_group_name } to use tag-namespace in tenancy" ,
21+ " Allow dynamic-group ${ local . dynamic_group_name } to manage compute-management-family in compartment id ${ var . targetCompartment } " ,
22+ " Allow dynamic-group ${ local . dynamic_group_name } to manage instance-family in compartment id ${ var . targetCompartment } " ,
23+ " Allow dynamic-group ${ local . dynamic_group_name } to manage volume-family in compartment id ${ var . targetCompartment } " ,
24+ " Allow dynamic-group ${ local . dynamic_group_name } to use virtual-network-family in compartment id ${ var . vcn_compartment } "
25+
26+ ]
27+ }
28+
29+ resource "oci_identity_dynamic_group" "cluster_group" {
30+ count = var. create_dynamic_group ? 1 : 0
31+ compartment_id = var. tenancy_ocid
32+ description = " Dynamic group for cluster ${ local . cluster_name } "
33+ name = local. dynamic_group_name
34+ matching_rule = " Any { instance.id = '${ oci_core_instance . bastion . id } ' }"
35+ ]
36+ }
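Review bot: The stray `]` on line 35 inside `oci_identity_dynamic_group.cluster_group` has no matching opener and will fail HCL parsing; drop that line so the block ends at `matching_rule = …` followed by `}`. Both policy resources also set `name = "cluster-policy-${local.cluster_name}"`, so when `create_iam` and `create_dynamic_group` are both true the second create will likely be rejected as a duplicate name in the tenancy compartment; giving the dynamic-group policy a distinct name such as `"cluster-dynamic-group-policy-${local.cluster_name}"` avoids that, and renaming `clusters_policy`/`cluster_policy` to something less easily confused would help readers. On least privilege, line 19 grants the bastion's dynamic group `manage app-catalog-listing in tenancy` while the service policy on line 9 only takes `read`; unless something on the bastion needs to write listings, `read` is the tighter grant, and the tenancy-wide `use tag-namespace` on line 20 is worth confirming against what the bastion actually does. The second policy names `local.dynamic_group_name` in its statements but has no explicit dependency on the `oci_identity_dynamic_group` resource, so Terraform may order the policy before the group exists; adding `depends_on = [oci_identity_dynamic_group.cluster_group]` makes the ordering explicit.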