Use stable name for dynamic group (#69)

devoncrouse · web-flow · commit 93ea8ab15614 · 2022-10-06T14:38:04.000+11:00
Signed-off-by: Devon Crouse &lt;devon.crouse@oracle.com&gt;

Signed-off-by: Devon Crouse &lt;devon.crouse@oracle.com&gt;
diff --git a/instance_principal.tf b/instance_principal.tf
@@ -1,29 +1,43 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2022, Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
-resource "oci_identity_dynamic_group" "enable_operator_instance_principal" {
+resource "random_id" "dynamic_group_suffix" {
+  keepers = {
+    # Generate a new suffix only when variables are changed
+    label_prefix = local.dynamic_group_prefix
+    tenancy_id   = var.tenancy_id
+  }
+
+  byte_length = 8
+}
+
+resource "oci_identity_dynamic_group" "operator_group" {
   provider = oci.home
 
-  compartment_id = var.tenancy_id
-  description    = var.label_prefix == "none" ? "dynamic group to allow operator instance to invoke services" : "dynamic group with label ${var.label_prefix} to allow operator to invoke services"
+  compartment_id = random_id.dynamic_group_suffix.keepers.tenancy_id
+  description    = "dynamic group %{ if var.label_prefix != "none" }with label ${var.label_prefix}%{ endif } to allow operator to invoke services"
 
   lifecycle {
-    ignore_changes = [name, defined_tags]
+    ignore_changes = [defined_tags]
   }
 
   matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.operator.*.id)}'}"
-  name          = "operator-instance-principal-${substr(uuid(), 0, 8)}"
+  name           = join("-", compact([
+    random_id.dynamic_group_suffix.keepers.label_prefix,
+    "operator-instance-principal",
+    random_id.dynamic_group_suffix.hex
+  ]))
 
   count = var.enable_operator_instance_principal == true ? 1 : 0
 }
 
-resource "oci_identity_policy" "enable_operator_instance_principal" {
+resource "oci_identity_policy" "operator_group_policy" {
   provider = oci.home
 
   compartment_id = var.compartment_id
   description    = "policy to allow operator host to call services"
-  name           = var.label_prefix == "none" ? "operator-instance-principal" : "${var.label_prefix}-operator-instance-principal"
-  statements     = ["Allow dynamic-group ${oci_identity_dynamic_group.enable_operator_instance_principal[0].name} to manage all-resources in compartment id ${var.compartment_id}"]
+  name           = join("-", compact([ local.dynamic_group_prefix, "operator-instance-principal" ]))
+  statements     = ["Allow dynamic-group ${oci_identity_dynamic_group.operator_group[0].name} to manage all-resources in compartment id ${var.compartment_id}"]
 
   count = var.enable_operator_instance_principal == true ? 1 : 0
 }
diff --git a/locals.tf b/locals.tf
@@ -1,4 +1,4 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2022, Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 # Protocols are specified as protocol numbers.
@@ -9,6 +9,8 @@ locals {
 
   anywhere = "0.0.0.0/0"
 
+  dynamic_group_prefix = (var.label_prefix == "none") ? "" : "${var.label_prefix}"
+
   operator_image_id = var.operator_image_id == "Oracle" ? data.oci_core_images.oracle_images[0].images.0.id : var.operator_image_id
 
   operator_subnet = cidrsubnet(local.vcn_cidr, var.newbits, var.netnum) 
diff --git a/outputs.tf b/outputs.tf
@@ -1,12 +1,12 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2022, Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 output "operator_private_ip" {
   value = join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address)
 }
 
 output "operator_instance_principal_group_name" {
-  value = var.enable_operator_instance_principal == true ? oci_identity_dynamic_group.enable_operator_instance_principal[0].name : null
+  value = var.enable_operator_instance_principal == true ? oci_identity_dynamic_group.operator_group[0].name : null
 }
 
 output "operator_subnet_id" {

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`		`-# Copyright 2017, 2021 Oracle Corporation and/or affiliates. All rights reserved.`
	`1`	`+# Copyright (c) 2022, Oracle Corporation and/or affiliates. All rights reserved.`
`2`	`2`	`# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl`
`3`	`3`
`4`	`4`	`output "operator_private_ip" {`
`5`	`5`	`value = join(",", data.oci_core_vnic.operator_vnic.*.private_ip_address)`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`output "operator_instance_principal_group_name" {`
`9`		`- value = var.enable_operator_instance_principal == true ? oci_identity_dynamic_group.enable_operator_instance_principal[0].name : null`
	`9`	`+ value = var.enable_operator_instance_principal == true ? oci_identity_dynamic_group.operator_group[0].name : null`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`output "operator_subnet_id" {`