
Commit ba68aa3

authored
Merge pull request #128 from DataDog/EamonBrady1/ECI-1657-Provision-OCI-Backfill-Resources
ECI-1657: Provision IAM for OCI metrics backfill / DLQ buckets
2 parents b66e8da + 8d8a47f commit ba68aa3

4 files changed

Lines changed: 20 additions & 12 deletions


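--- a/datadog-integration/modules/auth/data.tf
+++ b/datadog-integration/modules/auth/data.tf
@@ -11,8 +11,8 @@ data "oci_identity_domains_groups" "existing_group" {
 
 # Get user by OCID with group memberships (when user OCID is provided and not empty)
 data "oci_identity_domains_users" "existing_user_with_groups" {
-count = var.existing_user_id != null && var.existing_user_id != "" ? 1 : 0
+count = var.existing_user_id != null && var.existing_user_id != "" ? 1 : 0
 idcs_endpoint = var.idcs_endpoint
-user_filter = "ocid eq \"${var.existing_user_id}\""
-attributes = "groups"
+user_filter = "ocid eq \"${var.existing_user_id}\""
+attributes = "groups"
 }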

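--- a/datadog-integration/modules/auth/main.tf
+++ b/datadog-integration/modules/auth/main.tf
@@ -190,7 +190,10 @@ resource "oci_identity_policy" "dd_auth" {
 "Allow group id ${local.dd_group_ocid} to read all-resources in tenancy",
 "Allow group id ${local.dd_group_ocid} to use tag-namespaces in tenancy",
 "Allow group id ${local.dd_group_ocid} to manage serviceconnectors in compartment id ${var.compartment_id}",
-"Allow group id ${local.dd_group_ocid} to manage functions-family in compartment id ${var.compartment_id} where ANY {request.permission = 'FN_FUNCTION_UPDATE', request.permission = 'FN_FUNCTION_LIST', request.permission = 'FN_APP_LIST'}",
+"Allow group id ${local.dd_group_ocid} to manage functions-family in compartment id ${var.compartment_id}",
+"Allow group id ${local.dd_group_ocid} to manage buckets in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+"Allow group id ${local.dd_group_ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+"Allow group id ${local.dd_group_ocid} to use fn-invocation in compartment id ${var.compartment_id}",
 "Endorse group id ${local.dd_group_ocid} to read objects in tenancy usage-report"
 ]
 freeform_tags = var.tags
@@ -218,14 +221,15 @@ resource "oci_identity_domains_dynamic_resource_group" "forwarding_function" {
 resource "oci_identity_policy" "dynamic_group" {
 depends_on = [null_resource.user_group_variable_validation, oci_identity_domains_dynamic_resource_group.service_connector]
 compartment_id = var.tenancy_id
-description = "[DO NOT REMOVE] Policy to have any connector hub read from eligible sources and write to a target function"
+description = "[DO NOT REMOVE] Policy for connector hubs and forwarding functions"
 name = var.dg_policy_name
 statements = [
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to read log-content in tenancy",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to read metrics in tenancy",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-function in compartment id ${var.compartment_id}",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-invocation in compartment id ${var.compartment_id}",
-"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}"
+"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}",
+"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/"
 ]
 freeform_tags = var.tags
 defined_tags = var.defined_tags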
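Review bot: The replacement `functions-family` statement in the first hunk drops the `where ANY {request.permission = 'FN_FUNCTION_UPDATE', request.permission = 'FN_FUNCTION_LIST', request.permission = 'FN_APP_LIST'}` clause, so the dd_auth group goes from three enumerated Functions permissions to an unconditioned `manage functions-family` on the compartment, which in OCI's verb hierarchy is the full permission set, and neither the statement nor the commit message says why the backfill needs that. If additional permissions are required, I would extend the `ANY {…}` set with the specific `request.permission` values instead of removing the condition, or at minimum add a comment above the statement naming the operations that require full manage. The `manage object-family … where target.bucket.name=/dd-*/` grants for both the group and the forwarding_function dynamic group match every bucket in the compartment whose name begins with `dd-`, not only the backfill/DLQ buckets this PR provisions, so the naming contract deserves a comment such as `# Buckets created by this module must use the dd- prefix; this condition grants access to every dd-* bucket in the compartment`. The same two hunks appear in datadog-terraform-onboarding/modules/auth/main.tf.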

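--- a/datadog-terraform-onboarding/modules/auth/data.tf
+++ b/datadog-terraform-onboarding/modules/auth/data.tf
@@ -11,8 +11,8 @@ data "oci_identity_domains_groups" "existing_group" {
 
 # Get user by OCID with group memberships (when user OCID is provided and not empty)
 data "oci_identity_domains_users" "existing_user_with_groups" {
-count = var.existing_user_id != null && var.existing_user_id != "" ? 1 : 0
+count = var.existing_user_id != null && var.existing_user_id != "" ? 1 : 0
 idcs_endpoint = var.idcs_endpoint
-user_filter = "ocid eq \"${var.existing_user_id}\""
-attributes = "groups"
+user_filter = "ocid eq \"${var.existing_user_id}\""
+attributes = "groups"
 }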

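--- a/datadog-terraform-onboarding/modules/auth/main.tf
+++ b/datadog-terraform-onboarding/modules/auth/main.tf
@@ -194,7 +194,10 @@ resource "oci_identity_policy" "dd_auth" {
 "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read all-resources in tenancy",
 "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to use tag-namespaces in tenancy",
 "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage serviceconnectors in compartment id ${var.compartment_id}",
-"Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage functions-family in compartment id ${var.compartment_id} where ANY {request.permission = 'FN_FUNCTION_UPDATE', request.permission = 'FN_FUNCTION_LIST', request.permission = 'FN_APP_LIST'}",
+"Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage functions-family in compartment id ${var.compartment_id}",
+"Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage buckets in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+"Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+"Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to use fn-invocation in compartment id ${var.compartment_id}",
 "Endorse group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read objects in tenancy usage-report"
 ]
 freeform_tags = var.tags
@@ -222,14 +225,15 @@ resource "oci_identity_domains_dynamic_resource_group" "forwarding_function" {
 resource "oci_identity_policy" "dynamic_group" {
 depends_on = [null_resource.user_group_variable_validation, oci_identity_domains_dynamic_resource_group.service_connector]
 compartment_id = var.tenancy_id
-description = "[DO NOT REMOVE] Policy to have any connector hub read from eligible sources and write to a target function"
+description = "[DO NOT REMOVE] Policy for connector hubs and forwarding functions"
 name = var.dg_policy_name
 statements = [
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to read log-content in tenancy",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to read metrics in tenancy",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-function in compartment id ${var.compartment_id}",
 "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-invocation in compartment id ${var.compartment_id}",
-"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}"
+"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}",
+"Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/"
 ]
 freeform_tags = var.tags
 defined_tags = var.defined_tags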
