

{OCI IAM} インスタンス・プリンシパル (タグによる条件指定)

 

 

https://docs.oracle.com/ja-jp/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
https://docs.oracle.com/ja-jp/iaas/Content/Identity/callresources/Steps_to_Enable_Instances_to_Call_Services.htm
https://docs.oracle.com/ja-jp/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/policysyntax.htm
https://docs.oracle.com/ja-jp/iaas/Content/Tagging/Tasks/managingaccesswithtags.htm

 

-- 1. VCN、コンピュートインスタンス2個、オブジェクトストレージ2個作成

cat <<-'EOF' > variables.tf

# Tenancy OCID. This is an identifier, not a credential, but the value below is
# a placeholder: replace it with your tenancy's OCID before running.
locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"

}

# Name of the lab compartment; overridable with TF_VAR_compartment_name.
variable "compartment_name" {
  description = "compartment_name"
  type = string
  default = "cmp01"
}

EOF

 

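cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

# API-key credentials are deliberately NOT written into this file. The user
# OCID, key fingerprint and private key path are read from the DEFAULT profile
# of ~/.oci/config (the previous block pointed at ~/.oci/oci_api_key.pem, so
# the same key keeps working). Keeping them out of main.tf lets the .tf files
# be shared or committed without carrying API-key material.
provider "oci" {
  tenancy_ocid        = local.tenancy_ocid
  region              = "us-ashburn-1"
  config_file_profile = "DEFAULT"
}

# Source CIDR allowed to reach TCP/22 on subnet01. There is intentionally no
# default: set TF_VAR_ssh_source_cidr=<admin IP>/32 before plan/apply, or
# Terraform will prompt for it. The previous rule admitted 0.0.0.0/0.
variable "ssh_source_cidr" {
  description = "CIDR block allowed to SSH (TCP/22) into instances on subnet01, e.g. 203.0.113.10/32"
  type        = string

  validation {
    condition     = can(cidrhost(var.ssh_source_cidr, 0))
    error_message = "ssh_source_cidr must be a valid CIDR block such as 203.0.113.10/32."
  }
}

# Lab compartment; enable_delete lets `terraform destroy` remove it again.
resource "oci_identity_compartment" "cmp01" {
    compartment_id = local.tenancy_ocid
    description    = var.compartment_name
    name           = var.compartment_name

    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    compartment_id = oci_identity_compartment.cmp01.id

    cidr_block   = "10.0.0.0/16"
    display_name = "vcn01"
    dns_label    = "vcn01"
}

resource "oci_core_internet_gateway" "igw01" {
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    enabled      = true
    display_name = "igw01"
}

# Public route table (subnet01): default route straight to the internet gateway.
resource "oci_core_route_table" "rt01" {
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    display_name = "rt01"
    route_rules {
        network_entity_id = oci_core_internet_gateway.igw01.id
        destination       = "0.0.0.0/0"
    }
}

resource "oci_core_security_list" "sl01" {
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    display_name = "sl01"

    # Unrestricted egress is acceptable for this lab: the instances fetch the
    # OCI CLI installer from GitHub and talk to OCI API endpoints.
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol    = "all"
        stateless   = false
    }

    # SSH only from the operator's CIDR, not from the whole internet.
    ingress_security_rules {
        protocol  = "6"
        source    = var.ssh_source_cidr
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
}

# Public subnet: the two lab instances live here and get public IPs for SSH.
resource "oci_core_subnet" "subnet01" {
    cidr_block     = "10.0.1.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    display_name      = "subnet01"
    dns_label         = "subnet01"
    route_table_id    = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}

# Private subnet: no public IPs, internet egress via NAT, Oracle services via
# the service gateway. Nothing in this lab is placed here yet, but previously
# the NAT and service gateways were created without any route using them, so
# both subnets were effectively public.
resource "oci_core_subnet" "subnet02" {
    cidr_block     = "10.0.2.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    display_name               = "subnet02"
    dns_label                  = "subnet02"
    prohibit_public_ip_on_vnic = true
    route_table_id             = oci_core_route_table.rt02.id
    security_list_ids          = [oci_core_security_list.sl01.id]
}

resource "oci_core_nat_gateway" "ngw01" {
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    block_traffic = false
    display_name  = "ngw01"
}

# "All <region> Services In Oracle Services Network" service CIDR label.
data "oci_core_services" "svc01" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

resource "oci_core_service_gateway" "sgw01" {
    compartment_id = oci_identity_compartment.cmp01.id
    services {
        service_id = data.oci_core_services.svc01.services.0.id
    }
    vcn_id = oci_core_vcn.vcn01.id

    display_name = "sgw01"
}

# Private route table (subnet02).
resource "oci_core_route_table" "rt02" {
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id         = oci_core_vcn.vcn01.id

    display_name = "rt02"

    # Internet-bound traffic leaves through NAT; nothing can initiate inbound.
    route_rules {
        network_entity_id = oci_core_nat_gateway.ngw01.id
        destination       = "0.0.0.0/0"
        destination_type  = "CIDR_BLOCK"
    }

    # Object Storage / IAM / other Oracle services via the service gateway, so
    # instance-principal API calls from subnet02 never traverse the public path.
    route_rules {
        network_entity_id = oci_core_service_gateway.sgw01.id
        destination       = data.oci_core_services.svc01.services.0.cidr_block
        destination_type  = "SERVICE_CIDR_BLOCK"
    }
}

EOF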

 

cat <<-'EOF' > outputs.tf

# OCIDs of the lab resources, printed after apply so the CLI steps below can
# be filled in without searching the console. None of these values is secret.
output "cmp01_id" {
  value = oci_identity_compartment.cmp01.id
  description = "cmp01.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}
output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}

output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}
output "subnet02_id" {
  value = oci_core_subnet.subnet02.id
  description = "subnet02.id"
}

output "ngw01_id" {
  value = oci_core_nat_gateway.ngw01.id
  description = "ngw01.id"
}

output "svc01_id" {
  value = data.oci_core_services.svc01.services.0.id
  description = "svc01.id"
}

output "sgw01_id" {
  value = oci_core_service_gateway.sgw01.id
  description = "sgw01.id"
}

EOF

 

# インスタンス(always free)
# Canonical-Ubuntu-22.04-aarch64-2023.10.13-0
# VM.Standard.A1.Flex


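cat <<-'EOF' > instance.tf

# Resolve the availability domain by lookup instead of hard-coding
# "OEIw:US-ASHBURN-AD-1": the part before the colon is a tenancy-specific
# prefix, so the literal only works in the tenancy it was copied from.
data "oci_identity_availability_domains" "ads" {
  compartment_id = local.tenancy_ocid
}

locals {
  vm_ad = data.oci_identity_availability_domains.ads.availability_domains[0].name

  # Canonical-Ubuntu-22.04-aarch64-2023.10.13-0 in us-ashburn-1. Pinned to an
  # image OCID rather than "latest" so the lab is reproducible.
  vm_image_ocid = "ocid1.image.oc1.iad.aaaaaaaamphrdqdgcjfdmo5fzql4m6ewcuxkbepjbobgky254svsk3ueppfa"
  vm_shape      = "VM.Standard.A1.Flex" # Always Free eligible
}

# vm11: receives defined tag ns01.key01=val02 in step 5 and thereby joins dg01.
resource "oci_core_instance" "vm11" {
    availability_domain = local.vm_ad
    compartment_id      = oci_identity_compartment.cmp01.id
    shape               = local.vm_shape

    shape_config {
        memory_in_gbs = 6
        ocpus         = 1
    }

    create_vnic_details {
        assign_public_ip = true
        subnet_id        = oci_core_subnet.subnet01.id
    }

    display_name = "vm11"

    # Only the public key is placed on the instance; the private key stays on
    # the operator workstation.
    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    }

    source_details {
        source_id   = local.vm_image_ocid
        source_type = "image"

        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false

    lifecycle {
        # The ns01.key01 tag is applied with the CLI (step 5) and is what puts
        # this instance into the dynamic group. Without this, the next
        # `terraform apply` would plan to strip the tag and silently revoke
        # the instance-principal grant.
        ignore_changes = [defined_tags]
    }
}

# vm12: stays untagged; it is the negative test case in step 8.
resource "oci_core_instance" "vm12" {
    availability_domain = local.vm_ad
    compartment_id      = oci_identity_compartment.cmp01.id
    shape               = local.vm_shape

    shape_config {
        memory_in_gbs = 6
        ocpus         = 1
    }

    create_vnic_details {
        assign_public_ip = true
        subnet_id        = oci_core_subnet.subnet01.id
    }

    display_name = "vm12"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    }

    source_details {
        source_id   = local.vm_image_ocid
        source_type = "image"

        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false

    lifecycle {
        # Same reason as vm11: tags on these instances are IAM-relevant and
        # managed out of band, so Terraform must not revert them.
        ignore_changes = [defined_tags]
    }
}

EOF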

 

 


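cat <<-'EOF' > os.tf

# Object Storage namespace of the tenancy; needed to address the buckets.
data "oci_objectstorage_namespace" "ns01" {
    compartment_id = local.tenancy_ocid
}

# bucket01: receives defined tag ns01.key01=val01 in step 4 and is therefore
# the only bucket the dg01 policy (step 7) grants access to.
resource "oci_objectstorage_bucket" "bucket01" {
    compartment_id = oci_identity_compartment.cmp01.id
    name           = "bucket01"
    namespace      = data.oci_objectstorage_namespace.ns01.namespace

    # Private bucket; the instance principal is the only intended consumer.
    access_type           = "NoPublicAccess"
    auto_tiering          = "Disabled"
    object_events_enabled = false
    storage_tier          = "Standard"
    versioning            = "Disabled"

    lifecycle {
        # The access-controlling tag is applied out of band (step 4). Do not
        # let a later apply remove it and silently change who can reach the
        # bucket; manage the tag here instead if this grows beyond a lab.
        ignore_changes = [defined_tags]
    }
}

# bucket02: deliberately untagged; the negative test case in step 8.
resource "oci_objectstorage_bucket" "bucket02" {
    compartment_id = oci_identity_compartment.cmp01.id
    name           = "bucket02"
    namespace      = data.oci_objectstorage_namespace.ns01.namespace

    access_type           = "NoPublicAccess"
    auto_tiering          = "Disabled"
    object_events_enabled = false
    storage_tier          = "Standard"
    versioning            = "Disabled"

    lifecycle {
        # Symmetric with bucket01 so an out-of-band tag is never reverted
        # without review.
        ignore_changes = [defined_tags]
    }
}

EOF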


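terraform init
terraform fmt
terraform -version

export TF_VAR_compartment_name=cmp01

# Write the plan to a file and apply exactly that file, so what was reviewed
# is what gets applied (plain `apply -auto-approve` re-plans and may diverge).
# tfplan embeds variable values: keep it out of version control.
terraform plan -out=tfplan
terraform apply tfplan

# Teardown. Run only after the verification in step 8 -- not right after apply.
terraform destroy -auto-approve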

 

-- 2. ubuntu22にociコマンドインストール
-- コンピュートインスタンスでの作業

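# 192.0.2.x are documentation placeholders: substitute the public IPs of vm11 / vm12.
ssh -i $HOME/.ssh/id_rsa ubuntu@192.0.2.1
ssh -i $HOME/.ssh/id_rsa ubuntu@192.0.2.2

# Do not pipe a script from the "master" branch of a remote repo straight into
# bash. Download it, record its hash, read it, then run it. For a reproducible
# install, point the URL at a release tag of oracle/oci-cli instead of master.
curl -fsSL -o oci-cli-install.sh \
  https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh
sha256sum oci-cli-install.sh
less oci-cli-install.sh
bash oci-cli-install.sh
exec -l $SHELL
oci -v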

 

 

-- 3. タグ作成

# Tag namespace ns01 / key key01 become an IAM trust anchor below: membership
# of dg01 (step 6) and the bucket policy condition (step 7) are both decided by
# this tag. Whoever is allowed to apply ns01 tags can therefore put any
# instance into dg01 -- restrict `use tag-namespaces` on ns01 to the same
# people who may edit policies.
oci iam tag-namespace list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--all 


oci iam tag-namespace create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description ns01 \
--name ns01 


# Cleanup only (not part of the setup): a namespace must be retired before it
# can be deleted.
oci iam tag-namespace retire \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111


# --force skips the confirmation prompt; deleting the namespace removes the
# IAM anchor above, so do this only after dg01 and policy12 are gone.
oci iam tag-namespace delete \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 

 

oci iam tag list \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111 \
--all 

 

# key01 is used with value val02 on the instance (group membership) and
# val01 on the bucket (policy condition).
oci iam tag create \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description key01 \
--name key01 


# Cleanup only: retire, then delete.
oci iam tag retire \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111 \
--tag-name key01

 

oci iam tag delete \
--tag-namespace-id ocid1.tagnamespace.oc1..111111111111111111111111111111111111111111111111111111111111 \
--tag-name key01 \
--force 

 

-- 4. バケットへのタグ付与

※bucket01のみ付与

oci os bucket list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 


# Only bucket01 gets the tag so that bucket02 serves as the negative case in
# step 8. NOTE(review): --defined-tags appears to replace the whole defined-tag
# map rather than merge (the CLI warns to that effect for tag updates) -- include
# any tags the bucket already carries; confirm with `bucket get` afterwards.
oci os bucket update \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--bucket-name bucket01 \
--defined-tags '{"ns01": {"key01": "val01"}}' 

oci os bucket get \
--bucket-name bucket01 

 

-- 5. インスタンスへのタグ付与

※vm11のみ付与


# Find vm11's OCID; only vm11 is tagged so vm12 stays outside dg01.
oci compute instance list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table

oci compute instance list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 


# This tag is what admits the instance to dg01 (step 6): applying it is an
# IAM change, not a label. --force skips the CLI's confirmation that
# --defined-tags replaces existing tag values, so any tags already on the
# instance must be repeated in the JSON or they are lost.
oci compute instance update \
--instance-id ocid1.instance.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--force \
--defined-tags '{"ns01": {"key01": "val02"}}' 

 

 


-- 6. 動的グループ作成


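oci iam dynamic-group list 

# Scope the rule to the lab compartment. A bare tag match (Any { tag... })
# admits every instance in the tenancy that carries ns01.key01=val02, so any
# user who can apply that tag anywhere becomes a member of dg01. With the
# compartment condition the blast radius is limited to cmp01.
oci iam dynamic-group create \
--description dg01 \
--matching-rule "All { instance.compartment.id = 'ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111', tag.ns01.key01.value = 'val02' }" \
--name dg01 

# Cleanup only; --force skips the confirmation prompt.
oci iam dynamic-group delete \
--dynamic-group-id ocid1.dynamicgroup.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 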

 

-- 7. 動的グループポリシー作成

※ 定義済みタグ ns01.key01 = 'val01' が付いたバケット（bucket01）のみ許可。動的グループ側の条件は値 'val02'（インスタンスのタグ）、ポリシー側の条件は値 'val01'（バケットのタグ）と、意図的に異なる値を使っている点に注意

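oci iam policy list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 


# Write the statement list as literal JSON via a quoted heredoc: no `echo -e`
# and no backslash-escaped quotes to get wrong. "read" covers the `bucket get`
# exercised in step 8; widen to "use"/"manage" only if the instance actually
# needs to write. The tag condition is evaluated per target resource, so
# bucket02 (untagged) is denied even though it is in the same compartment.
cat <<'EOF' > a.txt
["Allow dynamic-group dg01 to read object-family in compartment cmp01 where any { target.resource.tag.ns01.key01 = 'val01' }"]
EOF

cat a.txt

oci iam policy create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description policy12 \
--name policy12 \
--statements file://a.txt

# Cleanup only; --force skips the confirmation prompt.
oci iam policy delete \
--policy-id ocid1.policy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 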


-- 8. 動作確認
-- コンピュートインスタンスでの作業

※ リスト操作（例: oci os bucket list）には条件評価の対象となる個別リソースがないため、target.resource.tag 条件付きのポリシーでは許可されない。一覧表示が必要な場合は、タグ条件を付けない inspect 権限を別のポリシー文で個別に付与する必要がある

# Authenticate as the instance itself (certificate-based identity obtained
# from the instance metadata service) instead of a user API key. No key
# material is placed on the instance, so nothing here is worth exfiltrating.
export OCI_CLI_AUTH=instance_principal


# Expected: succeeds on vm11 only (tagged instance -> dg01 -> tagged bucket).
oci os bucket get \
--bucket-name bucket01

# Expected: fails on both instances; bucket02 carries no ns01.key01 tag, so the
# policy's `where` condition is false. NOTE(review): OCI usually reports this as
# a 404 "NotAuthorizedOrNotFound" rather than a 403 -- verify in your tenancy.
oci os bucket get \
--bucket-name bucket02

 


下記を確認（vm12 は dg01 のメンバーではないため全て不可、vm11 はタグ条件を満たす bucket01 のみ可。vm11 -> bucket02 が失敗することまで確認して初めて、タグ条件が効いていると言える）
vm11 -> bucket01 実行可
vm11 -> bucket02 実行不可
vm12 -> bucket01 実行不可
vm12 -> bucket02 実行不可

 

 

 

 



