Merge pull request #92 from hyder/issue_85

issue #85 added additional checks to prevent locals in policies modul…

Author: hyder

modules/base/bastion/datasources.tf

@@ -66,4 +66,4 @@ data "oci_core_instance" "bastion" {
   #Required
   instance_id = oci_core_instance.bastion[0].id
   count       = var.oci_bastion.create_bastion == true ? 1 : 0
-}
+}

modules/base/bastion/outputs.tf

@@ -6,5 +6,5 @@ output "bastion_public_ip" {
 }
 
 output "bastion_instance_principal_group_name" {
-  value = oci_identity_dynamic_group.bastion_instance_principal[0].name
-}
+  value = (var.oci_bastion.enable_instance_principal == true) ? oci_identity_dynamic_group.bastion_instance_principal[0].name : null
+}

modules/policies/groups.tf

@@ -6,8 +6,8 @@ resource "oci_identity_dynamic_group" "oke-kms-cluster" {
   compartment_id = var.oci_identity.tenancy_id
   description    = "dynamic group to allow cluster to use kms"
   matching_rule  = local.dynamic_group_rule_all_clusters
-  name  = "${var.label_prefix}-oke-kms-cluster"
-  count = var.oke_kms.use_encryption == true ? 1 : 0
+  name           = "${var.label_prefix}-oke-kms-cluster"
+  count          = (var.oke_kms.use_encryption == true) ? 1 : 0
 
   lifecycle {
     ignore_changes = [matching_rule]
@@ -24,7 +24,7 @@ data "template_file" "update_dynamic_group_script" {
 
   depends_on = ["oci_identity_dynamic_group.oke-kms-cluster"]
 
-  count = var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true ? 1 : 0
+  count = (var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true) ? 1 : 0
 }
 
 resource null_resource "update_dynamic_group" {
@@ -55,5 +55,5 @@ resource null_resource "update_dynamic_group" {
     ]
   }
 
-  count = var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true ? 1 : 0
+  count = (var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true) ? 1 : 0
 }

modules/policies/locals.tf

@@ -2,11 +2,11 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
 
 locals {
-  
-  dynamic_group_rule_all_clusters = "ALL {resource.type = 'cluster', resource.compartment.id = '${var.oci_identity.compartment_id}'}"
-  
-  dynamic_group_rule_this_cluster = "ALL {resource.type = 'cluster', resource.id = '${var.cluster_id}'}"
 
-  policy_statement = "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'"
+  dynamic_group_rule_all_clusters = (var.oke_kms.use_encryption == true) ? "ALL {resource.type = 'cluster', resource.compartment.id = '${var.oci_identity.compartment_id}'}" : null
 
-}
+  dynamic_group_rule_this_cluster = (var.oke_kms.use_encryption == true) ? "ALL {resource.type = 'cluster', resource.id = '${var.cluster_id}'}" : null
+
+  policy_statement = (var.oke_kms.use_encryption == true) ? "Allow dynamic-group ${oci_identity_dynamic_group.oke-kms-cluster[0].name} to use keys in compartment ${var.oci_identity.compartment_name} where target.key.id = '${var.oke_kms.key_id}'" : ""
+
+}

modules/policies/policies.tf

@@ -7,7 +7,7 @@ resource "oci_identity_policy" "bastion_instance_principal_dynamic_group" {
   description    = "policy to allow bastion host to manage dynamic group"
   name           = "${var.label_prefix}-bastion-instance-principal-dynamic-group"
   statements     = ["Allow dynamic-group ${var.dynamic_group} to use dynamic-groups in tenancy"]
-  count          = var.oke_kms.use_encryption == true ? 1 : 0
+  count          = (var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true) ? 1 : 0
 }
 
 resource "oci_identity_policy" "oke-kms" {
@@ -16,5 +16,5 @@ resource "oci_identity_policy" "oke-kms" {
   description    = "policy to allow instances to allow dynamic group ${var.label_prefix}-oke-kms-cluster to use kms"
   name           = "${var.label_prefix}-oke-kms"
   statements     = [local.policy_statement]
-  count          = var.oke_kms.use_encryption == true ? 1 : 0
+  count          = (var.oke_kms.use_encryption == true) ? 1 : 0
 }

terraform.tfvars.example

@@ -65,19 +65,13 @@ bastion_access = "ANYWHERE"
 
 enable_instance_principal = false
 
-image_operating_system = "Oracle Linux"
-
-image_operating_system_version = "7.7"
-
 # availability_domains
 
 # which AD where to place non-OKE resources
 availability_domains = {
   "bastion"     = 1
 }
 
-bastion_package_update = false
-
 bastion_package_upgrade = true
 
 # oke