oracle - Terraform OCI - 为尚未创建的组创建策略

问题描述

这次有一个问题，我不知道最好的解决方法是：

我需要为我也必须创建的用户组创建一个策略。

这是我的代码的一部分：

提供者.tf

provider "oci" {
  tenancy_ocid = local.json_data.TERRAFORM.tenancy_ocid
  user_ocid = local.json_data.TERRAFORM.user_ocid
  private_key_path = local.json_data.TERRAFORM.private_key_path
  fingerprint = local.json_data.TERRAFORM.fingerprint
  region = local.json_data.TERRAFORM.region
}


data "oci_identity_compartments" "compartment_id" {
  #Required
  compartment_id = local.json_data.COMPARTMENT.compartment_ocid
  //compartment_id = local.json_data.TERRAFORM.tenancy_ocid
}

data "oci_identity_tenancy" "test_tenancy" {
  #Required
  tenancy_id = local.json_data.TERRAFORM.tenancy_ocid
}

data "oci_identity_region_subscriptions" "test_region_subscriptions" {
  #Required
  tenancy_id = local.json_data.TERRAFORM.tenancy_ocid
}



// password: $KV3PeNx&f5QJD0OBJK&
resource "oci_identity_user" "create_user_Traininguser1" {
  #Required
  //compartment_id = data.oci_identity_compartments.compartment_id.id
  compartment_id = local.json_data.TERRAFORM.tenancy_ocid
  description = local.json_data.USER_GROUP.user_description
  name = local.json_data.USER_GROUP.user_name
}


resource "oci_identity_group" "create_group_Traininggroup" {
  #Required
  compartment_id = local.json_data.TERRAFORM.tenancy_ocid
  description = local.json_data.USER_GROUP.group_description
  name = local.json_data.USER_GROUP.group_name
}

resource "oci_identity_user_group_membership" "add_user_group_membership" {
  #Required
  group_id = oci_identity_group.create_group_Traininggroup.id
  user_id = oci_identity_user.create_user_Traininguser1.id
}


resource "oci_identity_policy" "test_policy" {
  #Required
  compartment_id = local.json_data.TERRAFORM.tenancy_ocid
  description = local.json_data.POLICY.policy_description
  name = local.json_data.POLICY.policy_name
  statements = local.json_data.POLICY.policy_statements
}

变量.tf

locals {
  json_data = jsondecode(file("${path.module}/init_values.json"))
}

init_values.json

{
  "TERRAFORM": {
    "tenancy_ocid": "ocid1.tenancy.ocxxxxxxxxxxxxx",
    "user_ocid": "ocid1.user.oc1.xxxxxxxxxxxxxxx",
    "private_key_path": "/Users/name/.oci/oci_api_key.pem",
    "fingerprint": "XX:X0:X2:5X:c0:32:XX:07:3f:7e:XX:af:XX:3f:31:93",
    "region": "eu-frankfurt-1",

    "new_compartment": "new_compartment"
  },

  "COMPARTMENT": {
    "compartment_ocid": "ocid1.compartment.oc1.Xxxxxxxxxxxxxxx"
  },

  "USER_GROUP": {
    "user_description": "usuario de prueba",
    "user_name": "Traininguser1",
    "group_description": "grupo de prueba",
    "group_name": "Traininggroup"
  },

  "POLICY": {
    "policy_name": "TrainingPolicy",
    "policy_description": "TrainingDescription",
    "policy_statements": ["Allow group Traininggroup to manage virtual-network-family in Tenancy", "Allow group Traininggroup to manage instance-family in Tenancy"]
  }
}

错误：

│ Error: 400-InvalidParameter 
│ Provider version: 4.28.0, released on 2021-05-26. This provider is 8 update(s) behind to current. 
│ Service: Identity Policy 
│ Error Message: The group Traininggroup specified in the policy statement does not exist under current compartment hierarchy.
│  
│ OPC request ID: 897be7b9cd1dfccdbf34826dca571765/69DB175ED2CA61834FB1EBE77EC362BA/8A9735EF7EACF883EDE87413C40FBD45 
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message The group Traininggroup specified in the policy statement does not exist under current compartment hierarchy.
│ 
│ 
│ 
│   with oci_identity_policy.test_policy,
│   on provider.tf line 70, in resource "oci_identity_policy" "test_policy":
│   70: resource "oci_identity_policy" "test_policy" {
│ 
╵

我不想为此部分创建单独的脚本，这意味着：

• 首先执行一个脚本来创建一个用户组
• 第二次执行另一个脚本来创建策略等

例如，如果我想创建一个包含用户、用户组、策略等的隔间。

那么最好的方法是如何一次做到这一点呢？

有人可以帮助我吗？

问候

标签： oracleterraformoracle-cloud-infrastructure