How to add users to a group in terraform OCI


I have to add an existing user list to each group in Oracle Cloud (OCI); could you please help me do this in an easy way?

example:

iam_group = {
  iamg1 = { group_name = "group_test", group_desc = "group test", user_list = ["test", "test1"] }
  # group names must be unique within the tenancy, so the second group gets its own name
  iamg2 = { group_name = "group_test1", group_desc = "group test1", user_list = ["test", "test1"] }
}

variable:

variable "iam_group" {
  type = map(object({
    group_name = string
    group_desc = string
    user_list = list(string)
  }))
}

I can create groups as below

resource "oci_identity_group" "this" {
  for_each       = var.iam_group
  compartment_id = var.tenancy_ocid
  name           = each.value.group_name
  description    = each.value.group_desc
}

I do not understand how to add users to a group in this scenario.

resource "oci_identity_user_group_membership" "test_user_group_membership" {
  <logic here>

}

(Massive disclaimer - this is untested so may need some tweaking to work)

I think the fundamental difficulty here is that Terraform only has limited support for complex loop techniques. Therefore you need a way in your oci_identity_user_group_membership to loop over a single object.

Additionally, the oci_identity_user_group_membership resource takes the IDs of both an oci_identity_group resource and an oci_identity_user resource. Therefore, before you can attempt to associate users with groups, you need to first create those users. Therefore, it looks like you need a variable to track the unique collection of users that may need to be granted access, so that you can create oci_identity_user resources. (In a more sophisticated solution you could likely generate that list from the contents of iam_groups, but one step at a time :) )

The variable iam_group_users defined in the locals section is intended to produce a structure like:

[
  { group_name = "iamg1", user_name = "test" },
  { group_name = "iamg1", user_name = "test1" },
  { group_name = "iamg2", user_name = "test" },
  { group_name = "iamg2", user_name = "test1" },
]

So a stab at the actual solution:

(Note I have pluralised your iam_group var name)

# Group Definitions
variable "iam_groups" {
  default = {
    iamg1 = { group_name = "group_test", group_desc = "group test", user_list = ["test", "test1"] }
    iamg2 = { group_name = "group_test1", group_desc = "group test1", user_list = ["test", "test1"] }
  }
}

# Unique User Definitions
variable "iam_users" {
  default = {
    test = {user_name = "test", user_desc = "user test"}
    test1 = {user_name = "test1", user_desc = "user test1"}
  }
}

locals {

  # Create a list of maps, containing unique group name/user name combinations
  iam_group_users = flatten([
    for group, group_data in var.iam_groups : [
      for user in group_data.user_list : {
        group_name = group
        user_name = user
      }
    ]  
  ])

}

# Iterate iam_groups, to create a collection of group resources
resource "oci_identity_group" "this" {
  for_each       = var.iam_groups
  compartment_id = var.tenancy_ocid
  name           = each.value.group_name
  description    = each.value.group_desc
}

# Iterate iam_users, to create a collection of user resources
resource "oci_identity_user" "this" {
  for_each       = var.iam_users
  compartment_id = var.tenancy_ocid
  name           = each.value.user_name
  description    = each.value.user_desc
}

# Iterate the mapping of users that are members of each group to create the association.
# for_each accepts only a map or a set of strings, not a set of objects, so the list of
# objects from the locals block is re-keyed as a map with a "group/user" string key.
resource "oci_identity_user_group_membership" "test_user_group_membership" {
  for_each = { for pair in local.iam_group_users : "${pair.group_name}/${pair.user_name}" => pair }
  group_id = oci_identity_group.this[each.value.group_name].id
  user_id  = oci_identity_user.this[each.value.user_name].id
}

Note: each.value.group_name & each.value.user_name refer to the name that Terraform has associated with each instance of the resources, and are taken from the key used in the for_each statements when creating oci_identity_group & oci_identity_user, respectively. Also, given this, it is important that the user_list in your iam_groups var contains the resource name (i.e. the key in iam_users) for the user.

Some additional, possibly useful, reading:

Terraform 'flatten' docs

Terragrunt Blog post on Loops
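The question asks about users that already exist in the tenancy, whereas the answer above creates them as oci_identity_user resources. The following is an added example, not code from the question or the answer, that instead looks existing users up with the oci_identity_users data source, builds the group/user pairs with the same nested-for-and-flatten pattern, and re-keys them as a map with string keys so that for_each accepts them. It assumes the tenancy OCID is supplied in var.tenancy_ocid, that every entry in user_list matches an existing active OCI user name exactly, and that Terraform 1.2 or later is in use (for the lifecycle precondition).

```hcl
variable "tenancy_ocid" {
  type = string
}

variable "iam_groups" {
  type = map(object({
    group_name = string
    group_desc = string
    user_list  = list(string)
  }))
  default = {
    iamg1 = { group_name = "group_test",  group_desc = "group test",  user_list = ["test", "test1"] }
    iamg2 = { group_name = "group_test1", group_desc = "group test1", user_list = ["test", "test1"] }
  }
}

# Read the existing users of the tenancy once; only ACTIVE users are candidates for membership.
data "oci_identity_users" "existing" {
  compartment_id = var.tenancy_ocid
  state          = "ACTIVE"
}

locals {
  # user name -> user OCID, built from the data source rather than from created resources
  existing_user_ids = { for u in data.oci_identity_users.existing.users : u.name => u.id }

  # Flatten the group definitions into one object per (group, user) pair, then key the
  # result as "groupKey/userName" so for_each gets a map with stable string keys.
  memberships = {
    for pair in flatten([
      for group_key, group in var.iam_groups : [
        for user_name in group.user_list : {
          group_key = group_key
          user_name = user_name
        }
      ]
    ]) : "${pair.group_key}/${pair.user_name}" => pair
  }
}

resource "oci_identity_group" "this" {
  for_each       = var.iam_groups
  compartment_id = var.tenancy_ocid
  name           = each.value.group_name
  description    = each.value.group_desc
}

resource "oci_identity_user_group_membership" "this" {
  for_each = local.memberships
  group_id = oci_identity_group.this[each.value.group_key].id
  # lookup() returns null instead of failing with an index error when the name is unknown,
  # so the precondition below can report exactly which user_list entry is wrong.
  user_id  = lookup(local.existing_user_ids, each.value.user_name, null)

  lifecycle {
    precondition {
      condition     = contains(keys(local.existing_user_ids), each.value.user_name)
      error_message = "User '${each.value.user_name}' listed for group '${each.value.group_key}' does not exist as an active user in the tenancy."
    }
  }
}
```

Because the membership map keys are derived from variable values known at plan time, adding or removing a name from a user_list changes only the membership resource for that one pair; the unrelated memberships keep their addresses and are not recreated. A misspelled name in user_list stops the plan with the precondition message instead of silently creating a second, unintended user.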