v2024.4.0

modules/identity/iam-group/main.tf

@@ -5,39 +5,43 @@
 # Resource Block - Identity
 # Create Groups
 ############################
-
+locals {
+  user_ids = {
+    for user in data.oci_identity_users.users.users :
+      user.name => user.id
+  }
+}
 resource "oci_identity_group" "group" {
   count = (var.matching_rule != "" && var.matching_rule != null) ? 0 : 1
-
   #Required
   compartment_id = var.tenancy_ocid
   description    = var.group_description
   name           = var.group_name
-
   #Optional
   defined_tags  = var.defined_tags
   freeform_tags = var.freeform_tags
-
 }
-
+resource "oci_identity_user_group_membership" "user_group_membership" {
+  for_each = {
+    for member in var.members : member => member
+  }
+  group_id = oci_identity_group.group[0].id
+  user_id  = local.user_ids[each.key]
+}
 ############################
 # Resource Block - Identity
 # Create Dynamic Groups
 ############################
-
 resource "oci_identity_dynamic_group" "dynamic_group" {
   count = (var.matching_rule != "" && var.matching_rule != null) ? 1 : 0
-
   #Required
   compartment_id = var.tenancy_ocid
   description    = var.group_description
   matching_rule  = var.matching_rule
   name           = var.group_name
-
   #Optional
   defined_tags  = var.defined_tags
   freeform_tags = var.freeform_tags
-
   lifecycle {
     ignore_changes = [defined_tags["Oracle-Tags.CreatedOn"], defined_tags["Oracle-Tags.CreatedBy"]]
   }

modules/identity/iam-group/variables.tf

@@ -12,6 +12,18 @@ variable "tenancy_ocid" {
   default     = null
 }
 
+variable "members" {
+  description = "List of members"
+  type = list(string)
+  default = []
+}
+
+variable "group_membership" {
+  type        = list(string)
+  description = "The name of the group user is member of."
+  default     = []
+}
+
 variable "group_name" {
   type        = string
   description = "The name you assign to the group during creation. The name must be unique across all compartments in the tenancy."

modules/identity/iam-user/main.tf

@@ -20,22 +20,14 @@ resource "oci_identity_user" "user" {
 
 }
 
-resource "oci_identity_user_group_membership" "user_group_membership" {
-  count      = var.group_membership != null ? length(var.group_membership) : 0
-  depends_on = [oci_identity_user.user]
-  user_id    = oci_identity_user.user.id
-  group_id   = length(regexall("ocid1.group.oc*", var.group_membership[count.index])) > 0 ? var.group_membership[count.index] : data.oci_identity_groups.iam_groups.groups[index(data.oci_identity_groups.iam_groups.groups.*.name, var.group_membership[count.index])].id
-}
-
 resource "oci_identity_user_capabilities_management" "user_capabilities_management" {
-  count      = var.disable_capabilities != null ? 1 : 0
+  count      = var.enabled_capabilities != null ? 1 : 0
   depends_on = [oci_identity_user.user]
   user_id    = oci_identity_user.user.id
 
-  can_use_api_keys             = var.disable_capabilities != null && contains(var.disable_capabilities, "can_use_api_keys") ? false : true
-  can_use_auth_tokens          = var.disable_capabilities != null && contains(var.disable_capabilities, "can_use_auth_tokens") ? false : true
-  can_use_console_password     = var.disable_capabilities != null && contains(var.disable_capabilities, "can_use_console_password") ? false : true
-  can_use_customer_secret_keys = var.disable_capabilities != null && contains(var.disable_capabilities, "can_use_customer_secret_keys") ? false : true
-  can_use_smtp_credentials     = var.disable_capabilities != null && contains(var.disable_capabilities, "can_use_smtp_credentials") ? false : true
-
+  can_use_api_keys             = contains(var.enabled_capabilities, "api_keys") ? true :false
+  can_use_auth_tokens          = contains(var.enabled_capabilities, "auth_tokens") ? true :false
+  can_use_console_password     = contains(var.enabled_capabilities, "console_password") ? true :false
+  can_use_customer_secret_keys = contains(var.enabled_capabilities, "customer_secret_keys") ? true :false
+  can_use_smtp_credentials     = contains(var.enabled_capabilities, "smtp_credentials") ? true :false
 }

modules/identity/iam-user/variables.tf

@@ -53,9 +53,9 @@ variable "user_email" {
   default     = null
 }
 
-variable "disable_capabilities" {
+variable "enabled_capabilities" {
   type        = list(string)
-  description = "The name of the capabilities disabled for user"
+  description = "The name of the capabilities enabled for user"
   default     = []
 }