Prepare account

2025-10-31 18:28:32 +00:00 · 2021-12-19 01:11:29 +02:00
parent 53cee62505
commit 32b2563794
7 changed files with 158 additions and 0 deletions
--- a/oracle/init/account.tf
+++ b/oracle/init/account.tf
@@ -0,0 +1,53 @@
 resource "oci_identity_compartment" "project" {
  name           = var.project
  description    = "Compartment created for ${var.project} project"
  compartment_id = var.tenancy_ocid
  enable_delete  = false
 }
 resource "oci_identity_group" "operator" {
  name           = "operator"
  description    = "group created by terraform for operators"
  compartment_id = var.tenancy_ocid
 }
 resource "oci_identity_group" "terraform" {
  name           = "terraform"
  description    = "group created by terraform for terraform"
  compartment_id = var.tenancy_ocid
 }
 resource "oci_identity_user" "terraform" {
  name           = "terraform"
  description    = "user created by terraform for terraform"
  compartment_id = var.tenancy_ocid
 }
 resource "oci_identity_user_group_membership" "terraform" {
  compartment_id = var.tenancy_ocid
  user_id        = oci_identity_user.terraform.id
  group_id       = oci_identity_group.terraform.id
 }
 resource "oci_identity_user_capabilities_management" "terraform" {
  user_id                      = oci_identity_user.terraform.id
  can_use_api_keys             = true
  can_use_auth_tokens          = false
  can_use_console_password     = false
  can_use_customer_secret_keys = false
  can_use_smtp_credentials     = false
 }
 resource "null_resource" "terraform_key" {
  provisioner "local-exec" {
    command = "openssl genrsa -out ~/.oci/oci_${var.project}_terraform.pem 2048 && openssl rsa -pubout -in ~/.oci/oci_${var.project}_terraform.pem -out ~/.oci/oci_${var.project}_terraform_public.pem"
  }
 }
 resource "oci_identity_api_key" "terraform" {
  user_id   = oci_identity_user.terraform.id
  key_value = file(pathexpand("~/.oci/oci_${var.project}_terraform_public.pem"))
  depends_on = [null_resource.terraform_key]
 }
--- a/oracle/init/auth.tf
+++ b/oracle/init/auth.tf
@@ -0,0 +1,13 @@
 # openssl genrsa -out ~/.oci/oci_api_key.pem 2048
 # chmod go-rwx ~/.oci/oci_api_key.pem
 # openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
 provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = "~/.oci/oci_api_key.pem"
  region = var.region
 }
--- a/oracle/init/output.tf
+++ b/oracle/init/output.tf
@@ -0,0 +1,15 @@
 output "compartment_ocid" {
  description = "compartment id"
  value       = oci_identity_compartment.project.compartment_id
 }
 output "user_ocid" {
  description = "user id"
  value       = oci_identity_user.terraform.id
 }
 output "key_file" {
  description = "key_file"
  value       = "~/.oci/oci_${var.project}_terraform.pem"
 }
--- a/oracle/init/policy.tf
+++ b/oracle/init/policy.tf
@@ -0,0 +1,24 @@
 resource "oci_identity_policy" "terraform" {
  name           = "terraform"
  description    = "policy created by terraform for terraform"
  compartment_id = oci_identity_compartment.project.id
  statements = [
    "Allow group ${oci_identity_group.terraform.name} to manage virtual-network-family in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage load-balancers in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage compute-management-family in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage instance-family in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage instance-images in compartment ${oci_identity_compartment.project.name}",
  ]
 }
 resource "oci_identity_policy" "operator" {
  name           = "operator"
  description    = "policy created by terraform for operators"
  compartment_id = oci_identity_compartment.project.id
  statements = [
    "Allow group ${oci_identity_group.operator.name} to use instance-pools in compartment ${oci_identity_compartment.project.name}",
  ]
 }
--- a/oracle/init/variables.tf
+++ b/oracle/init/variables.tf
@@ -0,0 +1,14 @@
 variable "tenancy_ocid" {}
 variable "user_ocid" {}
 variable "fingerprint" {}
 variable "region" {
  description = "the OCI region where resources will be created"
  type        = string
  default     = null
 }
 variable "project" {
  type    = string
  default = "main"
 }
--- a/oracle/init/versions.tf
+++ b/oracle/init/versions.tf
@@ -0,0 +1,9 @@
 terraform {
  required_providers {
    oci = {
      source  = "hashicorp/oci"
      version = "4.56.0"
    }
  }
 }
--- a/oracle/prepare/images.tf
+++ b/oracle/prepare/images.tf
@@ -7,6 +7,14 @@ resource "oci_objectstorage_object" "talos_amd64" {
  content_md5 = filemd5("oracle-amd64.qcow2")
 }
 resource "oci_objectstorage_object" "talos_arm64" {
  bucket      = oci_objectstorage_bucket.images.name
  namespace   = data.oci_objectstorage_namespace.ns.namespace
  object      = "talos-arm64.qcow2"
  source      = "oracle-arm64.qcow2"
  content_md5 = filemd5("oracle-arm64.qcow2")
 }
 resource "oci_core_image" "talos_amd64" {
  compartment_id = var.tenancy_ocid
@@ -29,6 +37,28 @@ resource "oci_core_image" "talos_amd64" {
  }
 }
 resource "oci_core_image" "talos_arm64" {
  compartment_id = var.tenancy_ocid
  display_name = "Talos-arm64"
  launch_mode  = "NATIVE"
  image_source_details {
    source_type    = "objectStorageTuple"
    namespace_name = oci_objectstorage_bucket.images.namespace
    bucket_name    = oci_objectstorage_bucket.images.name
    object_name    = oci_objectstorage_object.talos_arm64.object
    operating_system         = "Talos"
    operating_system_version = "0.14.0"
    source_image_type        = "QCOW2"
  }
  timeouts {
    create = "30m"
  }
 }
 # resource "oci_core_compute_image_capability_schema" "talos_amd64" {
 #   compartment_id = var.tenancy_ocid