Added - Support for Privileged API Access Control for Oracle Database Services

Author: Ashish

examples/apiaccesscontrol/api_metadata/api_metadata.tf

@@ -0,0 +1,39 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "region" {}
+
+variable "authz_compartment_id" {
+}
+
+variable "api_metadata_display_name" {
+  default = "displayName"
+}
+
+variable "api_metadata_resource_type" {
+  default = "EXADATAINFRASTRUCTURE"
+}
+
+variable "api_metadata_state" {
+  default = "ACTIVE"
+}
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = var.private_key_path
+  region           = var.region
+}
+
+data "oci_apiaccesscontrol_api_metadatas" "test_api_metadatas" {
+  compartment_id = var.authz_compartment_id
+  #Optional
+  display_name   = var.api_metadata_display_name
+  resource_type  = var.api_metadata_resource_type
+  state          = var.api_metadata_state
+}
+

examples/apiaccesscontrol/api_metadata_by_entity_type/api_metadata_by_entity_type.tf

@@ -0,0 +1,38 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "region" {}
+variable "authz_compartment_id" {
+}
+
+variable "api_metadata_by_entity_type_display_name" {
+  default = "displayName"
+}
+
+variable "api_metadata_by_entity_type_resource_type" {
+  default = "EXADATAINFRASTRUCTURE"
+}
+
+variable "api_metadata_by_entity_type_state" {
+  default = "ACTIVE"
+}
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = var.private_key_path
+  region           = var.region
+}
+
+data "oci_apiaccesscontrol_api_metadata_by_entity_types" "test_api_metadata_by_entity_types" {
+  compartment_id = var.authz_compartment_id
+  #Optional
+  display_name   = var.api_metadata_by_entity_type_display_name
+  resource_type  = var.api_metadata_by_entity_type_resource_type
+  state          = var.api_metadata_by_entity_type_state
+}
+

examples/apiaccesscontrol/description.md

@@ -0,0 +1,4 @@
+# Overview
+This is a Terraform configuration that creates the Api Access Control service on Oracle Cloud Infrastructure.
+
+The Terraform code is used to create a Resource Manager stack, that creates the required resources and configures the application on the created resources.

examples/apiaccesscontrol/privileged_api_control/privileged_api_control.tf

@@ -0,0 +1,100 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "region" {}
+variable "authz_compartment_id" {
+}
+variable "privileged_api_control_resources" {
+}
+variable "notification_topic_id" {
+}
+
+variable "privileged_api_control_privileged_operation_list_api_name" {
+}
+
+variable "privileged_api_control_privileged_operation_list_entity_type" {
+}
+
+variable "privileged_api_control_approver_group_id_list" {
+  default = ["use_iam_policy"]
+}
+
+variable "privileged_api_control_defined_tags_value" {
+  default = "value"
+}
+
+variable "privileged_api_control_description" {
+  default = "Control for pre approving the apis"
+}
+
+variable "privileged_api_control_display_name" {
+  default = "TestPrivilegedApiControl"
+}
+
+variable "privileged_api_control_freeform_tags" {
+  default = { "Department" = "db" }
+}
+
+variable "privileged_api_control_id" {
+  default = "id"
+}
+
+variable "privileged_api_control_number_of_approvers" {
+  default = 1
+}
+
+variable "privileged_api_control_privileged_operation_list_attribute_names" {
+  default = []
+}
+
+
+variable "privileged_api_control_resource_type" {
+  default = "EXADATAINFRASTRUCTURE"
+}
+
+variable "privileged_api_control_state" {
+  default = "ACTIVE"
+}
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = var.private_key_path
+  region           = var.region
+}
+
+resource "oci_apiaccesscontrol_privileged_api_control" "test_privileged_api_control" {
+  #Required
+  approver_group_id_list = var.privileged_api_control_approver_group_id_list
+  compartment_id         = var.authz_compartment_id
+  notification_topic_id  = var.notification_topic_id
+  privileged_operation_list {
+    #Required
+    api_name = var.privileged_api_control_privileged_operation_list_api_name
+    entity_type     = var.privileged_api_control_privileged_operation_list_entity_type
+    #Optional
+    attribute_names = var.privileged_api_control_privileged_operation_list_attribute_names
+  }
+  resource_type = var.privileged_api_control_resource_type
+  resources     = var.privileged_api_control_resources
+  number_of_approvers = var.privileged_api_control_number_of_approvers
+  description         = var.privileged_api_control_description
+  display_name        = var.privileged_api_control_display_name
+  #Optional
+  freeform_tags       = var.privileged_api_control_freeform_tags
+}
+
+data "oci_apiaccesscontrol_privileged_api_controls" "test_privileged_api_controls" {
+  compartment_id = var.authz_compartment_id
+  #Optional
+  display_name   = var.privileged_api_control_display_name
+  id             = var.privileged_api_control_id
+  resource_type  = var.privileged_api_control_resource_type
+  state          = var.privileged_api_control_state
+}
+

examples/apiaccesscontrol/privileged_api_request/privileged_api_request.tf

@@ -0,0 +1,116 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "region" {}
+variable "authz_compartment_id" {
+}
+variable "privileged_api_control_privileged_operation_list_api_name" {
+}
+variable "notification_topic_id" {
+}
+variable "resource_id" {
+}
+
+variable "privileged_api_request_defined_tags_value" {
+  default = "value"
+}
+
+variable "privileged_api_request_display_name" {
+  default = "displayName"
+}
+
+variable "privileged_api_request_duration_in_hrs" {
+  default = 1
+}
+
+variable "privileged_api_request_freeform_tags" {
+  default = { "Department" = "db" }
+}
+
+variable "privileged_api_request_id" {
+  default = "id"
+}
+
+variable "privileged_api_request_privileged_operation_list_attribute_names" {
+  default = []
+}
+
+variable "privileged_api_request_reason_detail" {
+  default = "reasonDetail"
+}
+
+variable "privileged_api_request_reason_summary" {
+  default = "TestPrivilegedApiControl"
+}
+
+variable "privileged_api_request_resource_type" {
+  default = "EXADATAINFRASTRUCTURE"
+}
+
+variable "privileged_api_request_severity" {
+  default = "SEV_3"
+}
+
+variable "privileged_api_request_state" {
+  default = "APPROVED"
+}
+
+variable "privileged_api_request_sub_resource_name_list" {
+  default = []
+}
+
+variable "privileged_api_request_ticket_numbers" {
+  default = []
+}
+
+variable "privileged_api_request_time_requested_for_future_access" {
+  default = ""
+}
+
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = var.private_key_path
+  region           = var.region
+}
+
+resource "oci_apiaccesscontrol_privileged_api_request" "test_privileged_api_request" {
+  #Required
+  compartment_id                   = var.authz_compartment_id
+  privileged_operation_list {
+    #Required
+    api_name = var.privileged_api_control_privileged_operation_list_api_name
+
+    #Optional
+    attribute_names = var.privileged_api_request_privileged_operation_list_attribute_names
+  }
+  reason_summary = var.privileged_api_request_reason_summary
+  resource_id    = var.resource_id
+
+  #Optional
+  duration_in_hrs                  = var.privileged_api_request_duration_in_hrs
+  freeform_tags                    = var.privileged_api_request_freeform_tags
+  notification_topic_id            = var.notification_topic_id
+  reason_detail                    = var.privileged_api_request_reason_detail
+  severity                         = var.privileged_api_request_severity
+  sub_resource_name_list           = var.privileged_api_request_sub_resource_name_list
+  ticket_numbers                   = var.privileged_api_request_ticket_numbers
+  time_requested_for_future_access = var.privileged_api_request_time_requested_for_future_access
+}
+
+data "oci_apiaccesscontrol_privileged_api_requests" "test_privileged_api_requests" {
+  compartment_id = var.authz_compartment_id
+  #Optional
+  display_name   = var.privileged_api_request_display_name
+  id             = var.privileged_api_request_id
+  resource_id    = var.resource_id
+  resource_type  = var.privileged_api_request_resource_type
+  state          = var.privileged_api_request_state
+}
+

internal/client/apiaccesscontrol_clients.go

@@ -0,0 +1,97 @@
+// Copyright (c) 2017, 2024, Oracle and/or its affiliates. All rights reserved.
+// Licensed under the Mozilla Public License v2.0
+
+package client
+
+import (
+	oci_apiaccesscontrol "github.com/oracle/oci-go-sdk/v65/apiaccesscontrol"
+
+	oci_common "github.com/oracle/oci-go-sdk/v65/common"
+)
+
+func init() {
+	RegisterOracleClient("oci_apiaccesscontrol.ApiMetadataClient", &OracleClient{InitClientFn: initApiaccesscontrolApiMetadataClient})
+	RegisterOracleClient("oci_apiaccesscontrol.PrivilegedApiWorkRequestClient", &OracleClient{InitClientFn: initApiaccesscontrolPrivilegedApiWorkRequestClient})
+	RegisterOracleClient("oci_apiaccesscontrol.PrivilegedApiControlClient", &OracleClient{InitClientFn: initApiaccesscontrolPrivilegedApiControlClient})
+	RegisterOracleClient("oci_apiaccesscontrol.PrivilegedApiRequestsClient", &OracleClient{InitClientFn: initApiaccesscontrolPrivilegedApiRequestsClient})
+}
+
+func initApiaccesscontrolApiMetadataClient(configProvider oci_common.ConfigurationProvider, configureClient ConfigureClient, serviceClientOverrides ServiceClientOverrides) (interface{}, error) {
+	client, err := oci_apiaccesscontrol.NewApiMetadataClientWithConfigurationProvider(configProvider)
+	if err != nil {
+		return nil, err
+	}
+	err = configureClient(&client.BaseClient)
+	if err != nil {
+		return nil, err
+	}
+
+	if serviceClientOverrides.HostUrlOverride != "" {
+		client.Host = serviceClientOverrides.HostUrlOverride
+	}
+	return &client, nil
+}
+
+func (m *OracleClients) ApiMetadataClient() *oci_apiaccesscontrol.ApiMetadataClient {
+	return m.GetClient("oci_apiaccesscontrol.ApiMetadataClient").(*oci_apiaccesscontrol.ApiMetadataClient)
+}
+
+func initApiaccesscontrolPrivilegedApiWorkRequestClient(configProvider oci_common.ConfigurationProvider, configureClient ConfigureClient, serviceClientOverrides ServiceClientOverrides) (interface{}, error) {
+	client, err := oci_apiaccesscontrol.NewPrivilegedApiWorkRequestClientWithConfigurationProvider(configProvider)
+	if err != nil {
+		return nil, err
+	}
+	err = configureClient(&client.BaseClient)
+	if err != nil {
+		return nil, err
+	}
+
+	if serviceClientOverrides.HostUrlOverride != "" {
+		client.Host = serviceClientOverrides.HostUrlOverride
+	}
+	return &client, nil
+}
+
+func (m *OracleClients) ApiaccesscontrolPrivilegedApiWorkRequestClient() *oci_apiaccesscontrol.PrivilegedApiWorkRequestClient {
+	return m.GetClient("oci_apiaccesscontrol.PrivilegedApiWorkRequestClient").(*oci_apiaccesscontrol.PrivilegedApiWorkRequestClient)
+}
+
+func initApiaccesscontrolPrivilegedApiControlClient(configProvider oci_common.ConfigurationProvider, configureClient ConfigureClient, serviceClientOverrides ServiceClientOverrides) (interface{}, error) {
+	client, err := oci_apiaccesscontrol.NewPrivilegedApiControlClientWithConfigurationProvider(configProvider)
+	if err != nil {
+		return nil, err
+	}
+	err = configureClient(&client.BaseClient)
+	if err != nil {
+		return nil, err
+	}
+
+	if serviceClientOverrides.HostUrlOverride != "" {
+		client.Host = serviceClientOverrides.HostUrlOverride
+	}
+	return &client, nil
+}
+
+func (m *OracleClients) PrivilegedApiControlClient() *oci_apiaccesscontrol.PrivilegedApiControlClient {
+	return m.GetClient("oci_apiaccesscontrol.PrivilegedApiControlClient").(*oci_apiaccesscontrol.PrivilegedApiControlClient)
+}
+
+func initApiaccesscontrolPrivilegedApiRequestsClient(configProvider oci_common.ConfigurationProvider, configureClient ConfigureClient, serviceClientOverrides ServiceClientOverrides) (interface{}, error) {
+	client, err := oci_apiaccesscontrol.NewPrivilegedApiRequestsClientWithConfigurationProvider(configProvider)
+	if err != nil {
+		return nil, err
+	}
+	err = configureClient(&client.BaseClient)
+	if err != nil {
+		return nil, err
+	}
+
+	if serviceClientOverrides.HostUrlOverride != "" {
+		client.Host = serviceClientOverrides.HostUrlOverride
+	}
+	return &client, nil
+}
+
+func (m *OracleClients) PrivilegedApiRequestsClient() *oci_apiaccesscontrol.PrivilegedApiRequestsClient {
+	return m.GetClient("oci_apiaccesscontrol.PrivilegedApiRequestsClient").(*oci_apiaccesscontrol.PrivilegedApiRequestsClient)
+}