From 0505f506d299fd96197dc8e72da55348a568b91e Mon Sep 17 00:00:00 2001
From: Kat Inskip <kat@inskip.me>
Date: Sun, 9 Jun 2024 10:44:54 -0700
Subject: [PATCH] feat(oci): add admin policy

---
 tf/oci_common_private_network.tf              | 11 ---
 tf/oci_common_private_network/nsg.tf          | 26 +++++++
 tf/oci_common_private_network/subnet.tf       |  8 +++
 tf/oci_compartment_bootstrap.tf               | 13 +++-
 tf/oci_compartment_bootstrap/group.tf         |  6 ++
 .../group_membership.tf                       |  4 ++
 tf/oci_compartment_bootstrap/policy.tf        | 21 ++++++
 tf/oci_servers/common.tf                      | 33 +++++++++
 tf/oci_servers/flex.tf                        | 63 ++++++++++++++++
 tf/oci_servers/micro.tf                       | 71 +++++++++++++++++++
 10 files changed, 244 insertions(+), 12 deletions(-)
 create mode 100644 tf/oci_common_private_network/nsg.tf
 create mode 100644 tf/oci_common_private_network/subnet.tf
 create mode 100644 tf/oci_compartment_bootstrap/group.tf
 create mode 100644 tf/oci_compartment_bootstrap/group_membership.tf
 create mode 100644 tf/oci_compartment_bootstrap/policy.tf
 create mode 100644 tf/oci_servers/common.tf
 create mode 100644 tf/oci_servers/flex.tf
 create mode 100644 tf/oci_servers/micro.tf

diff --git a/tf/oci_common_private_network.tf b/tf/oci_common_private_network.tf
index 40aed704..5cda782d 100644
--- a/tf/oci_common_private_network.tf
+++ b/tf/oci_common_private_network.tf
@@ -1,14 +1,3 @@
-# https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformgettingstarted.htm
-# https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
-provider "oci" {
-  alias = "oci_compartment"
-  private_key = module.oci_compartment_bootstrap.child_compartment_private_key
-  region           = var.oci_compartment_bootstrap_region
-  tenancy_ocid     = module.oci_compartment_bootstrap.child_compartment_id
-  user_ocid        = module.oci_compartment_bootstrap.child_user_id
-  fingerprint = module.oci_compartment_bootstrap.child_compartment_key_fingerprint
-}
-
 module "oci_common_private_network" {
   source = "./oci_common_private_network"
 
diff --git a/tf/oci_common_private_network/nsg.tf b/tf/oci_common_private_network/nsg.tf
new file mode 100644
index 00000000..a15cf06f
--- /dev/null
+++ b/tf/oci_common_private_network/nsg.tf
@@ -0,0 +1,26 @@
+resource "oci_core_network_security_group" "this" {
+  compartment_id = var.tenancy_ocid
+  vcn_id         = oci_core_vcn.this.id
+
+  display_name = oci_core_vcn.this.display_name
+}
+
+locals {
+  protocol_number = {
+    icmp   = 1
+    icmpv6 = 58
+    tcp    = 6
+    udp    = 17
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "this" {
+  direction                 = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.this.id
+  protocol                  = local.protocol_number.icmp
+  source                    = "0.0.0.0/0"
+}
+
+output "nsg_id" {
+  value = oci_core_network_security_group.this.id
+}
\ No newline at end of file
diff --git a/tf/oci_common_private_network/subnet.tf b/tf/oci_common_private_network/subnet.tf
new file mode 100644
index 00000000..598ea8a0
--- /dev/null
+++ b/tf/oci_common_private_network/subnet.tf
@@ -0,0 +1,8 @@
+resource "oci_core_subnet" "this" {
+  cidr_block     = oci_core_vcn.this.cidr_blocks.0
+  compartment_id = var.tenancy_ocid
+  vcn_id         = oci_core_vcn.this.id
+
+  display_name = oci_core_vcn.this.display_name
+  dns_label    = "subnet"
+}
\ No newline at end of file
diff --git a/tf/oci_compartment_bootstrap.tf b/tf/oci_compartment_bootstrap.tf
index f4010326..bbbb2e46 100644
--- a/tf/oci_compartment_bootstrap.tf
+++ b/tf/oci_compartment_bootstrap.tf
@@ -75,4 +75,15 @@ output "oci_compartment_bootstrap_child_compartment_key_value" {
 output "oci_compartment_bootstrap_child_compartment_key_state" {
   value = module.oci_compartment_bootstrap.child_compartment_key_state
   sensitive = true
-}
\ No newline at end of file
+}
+
+# https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformgettingstarted.htm
+# https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm
+provider "oci" {
+  alias = "oci_compartment"
+  private_key = module.oci_compartment_bootstrap.child_compartment_private_key
+  region           = var.oci_compartment_bootstrap_region
+  tenancy_ocid     = module.oci_compartment_bootstrap.child_compartment_id
+  user_ocid        = module.oci_compartment_bootstrap.child_user_id
+  fingerprint = module.oci_compartment_bootstrap.child_compartment_key_fingerprint
+}
diff --git a/tf/oci_compartment_bootstrap/group.tf b/tf/oci_compartment_bootstrap/group.tf
new file mode 100644
index 00000000..d5ecc765
--- /dev/null
+++ b/tf/oci_compartment_bootstrap/group.tf
@@ -0,0 +1,6 @@
+resource "oci_identity_group" "this" {
+  compartment_id = var.tenancy_ocid
+
+  name = "terraform"
+  description = "terraform"
+}
\ No newline at end of file
diff --git a/tf/oci_compartment_bootstrap/group_membership.tf b/tf/oci_compartment_bootstrap/group_membership.tf
new file mode 100644
index 00000000..1e1d6a65
--- /dev/null
+++ b/tf/oci_compartment_bootstrap/group_membership.tf
@@ -0,0 +1,4 @@
+resource "oci_identity_user_group_membership" "this" {
+  user_id = oci_identity_user.this.id
+  group_id = oci_identity_group.this.id
+}
\ No newline at end of file
diff --git a/tf/oci_compartment_bootstrap/policy.tf b/tf/oci_compartment_bootstrap/policy.tf
new file mode 100644
index 00000000..549d1620
--- /dev/null
+++ b/tf/oci_compartment_bootstrap/policy.tf
@@ -0,0 +1,21 @@
+locals {
+  policy_multi_line_statement = <<EOF
+Allow group ${oci_identity_group.this.name} to manage vcns in compartment id ${var.tenancy_ocid} where ALL {
+ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' }
+}
+  EOF
+
+}
+
+resource "oci_identity_policy" "terraform-admin" {
+  compartment_id = var.tenancy_ocid
+
+  name = "terraform-admin"
+  description = "terraform-admin"
+
+  statements = [
+    "Allow group ${oci_identity_group.this.name} to manage all-resources in compartment id ${local.child_compartment_id}",
+    "Allow group ${oci_identity_group.this.name} to read virtual-network-family in compartment id ${var.tenancy_ocid}",
+    local.policy_multi_line_statement,
+  ]
+}
diff --git a/tf/oci_servers/common.tf b/tf/oci_servers/common.tf
new file mode 100644
index 00000000..23fc3ce2
--- /dev/null
+++ b/tf/oci_servers/common.tf
@@ -0,0 +1,33 @@
+locals {
+  protocol_number = {
+    icmp   = 1
+    icmpv6 = 58
+    tcp    = 6
+    udp    = 17
+  }
+
+  shapes = {
+    flex : "VM.Standard.A1.Flex",
+    micro : "VM.Standard.E2.1.Micro",
+  }
+
+  availability_domain_micro = one(
+    [
+      for m in data.oci_core_shapes.this :
+      m.availability_domain
+      if contains(m.shapes[*].name, local.shapes.micro)
+    ]
+  )
+}
+
+data "oci_identity_availability_domains" "this" {
+  compartment_id = var.tenancy_ocid
+}
+
+data "oci_core_shapes" "this" {
+  for_each = toset(data.oci_identity_availability_domains.this.availability_domains[*].name)
+
+  compartment_id = var.tenancy_ocid
+
+  availability_domain = each.key
+}
diff --git a/tf/oci_servers/flex.tf b/tf/oci_servers/flex.tf
new file mode 100644
index 00000000..83f2098c
--- /dev/null
+++ b/tf/oci_servers/flex.tf
@@ -0,0 +1,63 @@
+data "oci_core_images" "that" {
+  compartment_id = var.tenancy_ocid
+
+  operating_system = "Oracle Linux"
+  shape            = local.shapes.flex
+  sort_by          = "TIMECREATED"
+  sort_order       = "DESC"
+  state            = "available"
+}
+
+data "cloudinit_config" "that" {
+  part {
+    content = file("user-data-that.yaml")
+  }
+}
+
+resource "oci_core_instance" "that" {
+  availability_domain = data.oci_identity_availability_domains.this.availability_domains.0.name
+  compartment_id = var.tenancy_ocid
+  shape               = local.shapes.flex
+
+  display_name         = "Oracle Linux"
+  preserve_boot_volume = false
+
+  metadata = {
+    ssh_authorized_keys = var.ssh_public_key
+    user_data           = data.cloudinit_config.that.rendered
+  }
+
+  agent_config {
+    are_all_plugins_disabled = true
+    is_management_disabled   = true
+    is_monitoring_disabled   = true
+  }
+
+  availability_config {
+    is_live_migration_preferred = null
+  }
+
+  create_vnic_details {
+    assign_public_ip = true
+    display_name     = "Oracle Linux"
+    hostname_label   = "oracle-linux"
+    nsg_ids          = [oci_core_network_security_group.this.id]
+    subnet_id        = oci_core_subnet.this.id
+  }
+
+  shape_config {
+    memory_in_gbs = 24
+    ocpus         = 4
+  }
+
+  source_details {
+    source_id               = data.oci_core_images.that.images.0.id
+    source_type             = "image"
+    boot_volume_size_in_gbs = 100
+  }
+
+  lifecycle {
+    ignore_changes = [source_details.0.source_id]
+  }
+}
+
diff --git a/tf/oci_servers/micro.tf b/tf/oci_servers/micro.tf
new file mode 100644
index 00000000..8ae2bfac
--- /dev/null
+++ b/tf/oci_servers/micro.tf
@@ -0,0 +1,71 @@
+locals {
+  display_name = ["Mei", "Mai"]
+  takeover_ubuntu = yamlencode({
+
+  })
+}
+
+data "oci_core_images" "this" {
+  compartment_id = var.tenancy_ocid
+
+  operating_system = "Canonical Ubuntu"
+  shape            = local.shapes.micro
+  sort_by          = "TIMECREATED"
+  sort_order       = "DESC"
+  state            = "available"
+
+  filter {
+    name   = "display_name"
+    values = ["^Canonical-Ubuntu-([\\.0-9-]+)$"]
+    regex  = true
+  }
+}
+
+data "cloudinit_config" "this" {
+  part {
+    content = local.takeover_ubuntu
+  }
+}
+
+resource "oci_core_instance" "this" {
+  count = 2
+
+  availability_domain = local.availability_domain_micro
+  compartment_id = var.tenancy_ocid
+  shape               = local.shapes.micro
+
+  display_name         = local.display_name[count.index]
+  preserve_boot_volume = false
+
+  metadata = {
+    ssh_authorized_keys = var.ssh_public_key
+    user_data           = data.cloudinit_config.this.rendered
+  }
+
+  agent_config {
+    are_all_plugins_disabled = true
+    is_management_disabled   = true
+    is_monitoring_disabled   = true
+  }
+
+  availability_config {
+    is_live_migration_preferred = null
+  }
+
+  create_vnic_details {
+    display_name   = format("Ubuntu %d", count.index + 1)
+    hostname_label = format("ubuntu-%d", count.index + 1)
+    nsg_ids        = [oci_core_network_security_group.this.id]
+    subnet_id      = oci_core_subnet.this.id
+  }
+
+  source_details {
+    source_id               = data.oci_core_images.this.images.0.id
+    source_type             = "image"
+    boot_volume_size_in_gbs = 50
+  }
+
+  lifecycle {
+    ignore_changes = [source_details.0.source_id]
+  }
+}
\ No newline at end of file