Creating IAM resources like Dynamic Group being forced to use Home region.
jayakrishnanl opened this issue · 4 comments
When using Terraform to launch resources in different regions causes the IAM modules to error out:
Error: Error applying plan:
1 error(s) occurred:
module.iam_dynamic_group.oci_identity_dynamic_group.this: 1 error(s) occurred:
oci_identity_dynamic_group.this: Service error:NotAllowed. Please go to your home region PHX to execute CREATE, UPDATE and DELETE operations.. http status code: 403. Opc request id: 4bd00eeec7c8b7279d3a4b4e503849e6/CE3B3A484FF757E6FA2FB1B88B1E99E0/2F6344962D0B15482FE4CA7AC3578B2C
How should we specify home region with the modules?
It is obvious that IAM needs to be run on home region.
We need to create another provider with home region, set an alias and refer that provider on IAM resources.
This is just making things difficult but we don't have another option.
I think it would be helpful for others using IAM via modules as I do not find a proper documentation on making it work with modules.
#provider.tf
$ cat provider.tf
provider "oci" {
version = ">= 3.0.0"
tenancy_ocid = "${var.tenancy_ocid}"
user_ocid = "${var.user_ocid}"
fingerprint = "${var.fingerprint}"
private_key_path = "${var.private_key_path}"
region = "${var.region}"
}provider "oci" {
alias = "home"
region = "${lookup(data.oci_identity_regions.home-region.regions[0], "name")}"
tenancy_ocid = "${var.tenancy_ocid}"
user_ocid = "${var.user_ocid}"
fingerprint = "${var.fingerprint}"
private_key_path = "${var.private_key_path}"
}
#main.tf
module "iam_dynamic_group" {
source = "./modules/iam/dynamic-group/"providers = {
"oci" = "oci.home"
}tenancy_ocid = "${var.tenancy_ocid}"
dynamic_group_name = "haproxy_dynamic_group"
dynamic_group_description = "dynamic group created for HaProxy env"
dynamic_group_rule = "instance.compartment.id = '${var.compartment_ocid}'"
policy_compartment_id = "${var.compartment_ocid}"
policy_compartment_name = "${var.compartment_name}"
policy_name = "haproxy-dynamic-policy"
policy_description = "dynamic policy created for HaProxy env"
policy_statements = ["Allow dynamic-group haproxy_dynamic_group to manage instances in compartment ${var.compartment_name}"]
}
Datasources
data "oci_identity_tenancy" "tenancy" {
tenancy_id = "${var.tenancy_ocid}"
}data "oci_identity_regions" "home-region" {
filter {
name = "key"
values = ["${data.oci_identity_tenancy.tenancy.home_region_key}"]
}
}
Module configuration
Dynamic Group
resource "oci_identity_dynamic_group" "this" {
count = "${var.dynamic_group_create ? 1 : 0}"
compartment_id = "${var.tenancy_ocid}"
name = "${var.dynamic_group_name}"
description = "${var.dynamic_group_description}"
matching_rule = "${var.dynamic_group_rule}"
}data "oci_identity_dynamic_groups" "this" {
count = "${var.dynamic_group_create ? 0 : 1}"
compartment_id = "${var.tenancy_ocid}"filter {
name = "name"
values = ["${var.dynamic_group_name}"]
}
}locals {
dynamic_group_ids = "${concat(flatten(data.oci_identity_dynamic_groups.this.*.dynamic_groups), list(map("id", "")))}"
}Dynamic Group Policy
resource "oci_identity_policy" "this" {
count = "${length(var.policy_name) > 0 ? 1 : 0}"
depends_on = ["oci_identity_dynamic_group.this"]
name = "${var.policy_name}"
description = "${var.policy_description}"
compartment_id = "${var.policy_compartment_id}"
statements = "${var.policy_statements}"
}
Thanks for bringing this up. I've opened a task to update the docs and examples for this module to mention this issue and show how to create resources in the home region when other regions are also being used in the same config. It sounds like you were able to unblock yourself, but let me know if any further help is needed.