Using Terraform to Create a Dynamic Group
The following examples show how to use Terraform to create a dynamic group.
variables.tf
variable "oci_config_file_profile" {
type = string
default = "DEFAULT"
}
variable "tenancy_ocid" {
description = "tenancy OCID"
type = string
nullable = false
}
variable "compartment_name" {
description = "compartment name"
type = string
nullable = false
}
variable "oke_dyn_grp" {
description = "Dynamic group that needs to be created for instance principal"
default = "oke-dyn-ip-grp"
}
variable "oke_policy_name" {
description = "Policy set name for dynamic group"
default = "oke-instance-principal-policy"
}terraform.tfvars
# Name of the profile to use from $HOME/.oci/config
oci_config_file_profile = "DEFAULT"
# Tenancy OCID from the oci_config_file_profile profile.
tenancy_ocid = "ocid1.tenancy.UNIQUE_ID"
# Compartment name
compartment_name = "oke"
# Dynamic Group Name
oke_dyn_grp = "oke-dyn-ip-group"
# OKE Dynamic Group Policy Name
oke_policy_name = "oke-dyn-grp-policy"provider.tf
provider "oci" {
config_file_profile = var.oci_config_file_profile
tenancy_ocid = var.tenancy_ocid
}main.tf
terraform {
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.50.0, <= 6.36.0"
# If necessary, you can pin a specific version here
# version = "6.36.0"
}
}
required_version = ">= 1.1"
}oke-dyn-grp.tf
resource "oci_identity_dynamic_group" "oke-dynamic-grp" {
compartment_id = "${var.tenancy_ocid}"
description = "PCA OKE worker dynamic group for instance principal"
matching_rule = "tag.${oci_identity_tag_namespace.oracle-pca.name}.${oci_identity_tag.cluster-id.name}.value"
name = "${var.oke_dyn_grp}"
depends_on = [oci_identity_tag.cluster-id]
}oke-policy.tf
resource "oci_identity_policy" "oke-dyn-grp-policy" {
compartment_id = "${var.tenancy_ocid}"
description = "Dynamic group policies for OKE Resources"
name = "${var.oke_policy_name}"
statements = [
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to manage load-balancers in compartment ${var.compartment_name}",
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to manage volume-family in compartment ${var.compartment_name}",
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to manage file-family in compartment ${var.compartment_name}",
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to manage instance-family in compartment ${var.compartment_name}",
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to manage virtual-network-family in compartment ${var.compartment_name}",
"allow dynamic-group ${oci_identity_dynamic_group.oke-dynamic-grp.name} to use tag-namespaces in compartment ${var.compartment_name}"
]
depends_on = [oci_identity_dynamic_group.oke-dynamic-grp]
}oke-tag-ns.tf
Create the OraclePCA-OKE.cluster_id tag, which is also described in Create the OraclePCA-OKE.cluster_id Tag.
resource "oci_identity_tag" "cluster-id" {
description = "Default tag key definition"
name = "cluster_id"
tag_namespace_id = "${oci_identity_tag_namespace.oracle-pca.id}"
depends_on = [oci_identity_tag_namespace.oracle-pca]
}
resource "oci_identity_tag_namespace" "oracle-pca" {
compartment_id = "${var.tenancy_ocid}"
description = "Default Tag namespace for Oracle PCA OKE"
name = "OraclePCA-OKE"
}