added enable_instance_principal parameter for admin module

hyder · Djelibeybi · commit 3f6cf83f4372 · 2019-11-29T19:13:49.000+11:00
Signed-off-by: Ali Mukadam &lt;ali.mukadam@oracle.com&gt;
diff --git a/locals.tf b/locals.tf
@@ -57,12 +57,13 @@ locals {
   }
 
   oci_admin = {
-    admin_enabled       = var.oci_base_admin.admin_enabled
-    admin_image_id      = var.oci_base_admin.admin_image_id
-    admin_shape         = var.oci_base_admin.admin_shape
-    admin_upgrade       = var.oci_base_admin.admin_upgrade
-    ssh_public_key_path = var.oci_base_admin.ssh_public_key_path
-    timezone            = var.oci_base_admin.timezone
+    admin_enabled             = var.oci_base_admin.admin_enabled
+    admin_image_id            = var.oci_base_admin.admin_image_id
+    admin_shape               = var.oci_base_admin.admin_shape
+    admin_upgrade             = var.oci_base_admin.admin_upgrade
+    enable_instance_principal = var.oci_base_admin.enable_instance_principal
+    ssh_public_key_path       = var.oci_base_admin.ssh_public_key_path
+    timezone                  = var.oci_base_admin.timezone
   }
 
   oci_admin_notification = {
diff --git a/modules/admin/instance_principal.tf b/modules/admin/instance_principal.tf
@@ -28,7 +28,7 @@ resource "oci_identity_dynamic_group" "admin_instance_principal" {
   description    = "dynamic group to allow instances to call services for 1 admin"
   matching_rule  = "ALL {instance.id = '${join(",", data.oci_core_instance.admin.*.id)}'}"
   name           = "${var.oci_admin_general.label_prefix}-admin_instance_principal"
-  count          = var.oci_admin.admin_enabled == true ? 1 : 0
+  count          = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0
 }
 
 resource "oci_identity_policy" "admin_instance_principal" {
@@ -37,5 +37,5 @@ resource "oci_identity_policy" "admin_instance_principal" {
   description    = "policy to allow admin host to call services"
   name           = "${var.oci_admin_general.label_prefix}-admin_instance_principal"
   statements     = ["Allow dynamic-group ${oci_identity_dynamic_group.admin_instance_principal[0].name} to manage all-resources in compartment id ${data.oci_identity_compartments.compartments_id.compartments.0.id}"]
-  count          = var.oci_admin.admin_enabled == true ? 1 : 0
+  count          = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0
 }
diff --git a/modules/admin/outputs.tf b/modules/admin/outputs.tf
@@ -6,5 +6,5 @@ output "admin_private_ip" {
 }
 
 output "admin_instance_principal_group_name" {
-  value = oci_identity_dynamic_group.admin_instance_principal[0].name
+  value = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? oci_identity_dynamic_group.admin_instance_principal[0].name : null
 }
diff --git a/modules/admin/variables.tf b/modules/admin/variables.tf
@@ -25,12 +25,13 @@ variable "oci_admin_general" {
 
 variable "oci_admin" {
   type = object({
-    admin_image_id      = string
-    admin_shape         = string
-    admin_upgrade       = bool
-    admin_enabled       = bool
-    ssh_public_key_path = string
-    timezone            = string
+    admin_image_id            = string
+    admin_shape               = string
+    admin_upgrade             = bool
+    admin_enabled             = bool
+    enable_instance_principal = bool
+    ssh_public_key_path       = string
+    timezone                  = string
   })
 }
 
@@ -52,6 +53,5 @@ variable "oci_admin_notification" {
     notification_endpoint = string
     notification_protocol = string
     notification_topic    = string
-
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ resource "oci_identity_dynamic_group" "admin_instance_principal" {`
`28`	`28`	`description = "dynamic group to allow instances to call services for 1 admin"`
`29`	`29`	`matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.admin.*.id)}'}"`
`30`	`30`	`name = "${var.oci_admin_general.label_prefix}-admin_instance_principal"`
`31`		`- count = var.oci_admin.admin_enabled == true ? 1 : 0`
	`31`	`+ count = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`resource "oci_identity_policy" "admin_instance_principal" {`
`@@ -37,5 +37,5 @@ resource "oci_identity_policy" "admin_instance_principal" {`
`37`	`37`	`description = "policy to allow admin host to call services"`
`38`	`38`	`name = "${var.oci_admin_general.label_prefix}-admin_instance_principal"`
`39`	`39`	`statements = ["Allow dynamic-group ${oci_identity_dynamic_group.admin_instance_principal[0].name} to manage all-resources in compartment id ${data.oci_identity_compartments.compartments_id.compartments.0.id}"]`
`40`		`- count = var.oci_admin.admin_enabled == true ? 1 : 0`
	`40`	`+ count = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0`
`41`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,5 @@ output "admin_private_ip" {`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`output "admin_instance_principal_group_name" {`
`9`		`- value = oci_identity_dynamic_group.admin_instance_principal[0].name`
	`9`	`+ value = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? oci_identity_dynamic_group.admin_instance_principal[0].name : null`
`10`	`10`	`}`