oci_policy - Manage policies in OCI Identity and Access Management¶
New in version 2.5.
Synopsis¶
- This module allows the user to create, delete and update policies in OCI Identity and Access Management service.
Requirements¶
The below requirements are needed on the host that executes this module.
- python >= 2.6
- Python SDK for Oracle Cloud Infrastructure https://oracle-cloud-infrastructure-python-sdk.readthedocs.io
Parameters¶
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| api_user |
The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See
config_file_location). To get the user's OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
|
| api_user_fingerprint |
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See
config_file_location). To get the key pair's fingerprint value please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm. |
|
| api_user_key_file |
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See
config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided. |
|
| api_user_key_pass_phrase |
Passphrase used by the key referenced in
api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location). |
|
| auth_type |
|
The type of authentication to use for making API requests. By default
auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance. |
| compartment_id |
The OCID of the compartment containing the policy (either the tenancy or another compartment). Required when creating a policy with state=present.
|
|
| config_file_location |
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
|
|
| config_profile_name |
Default: DEFAULT
|
The profile to load from the config file referenced by
config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location. |
| defined_tags |
Defined tags for this resource. Each key is predefined and scoped to a namespace. For more information, see https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/resourcetags.htm.
|
|
| description |
The description you assign to the policy. Does not have to be unique, and it's changeable. Required when creating a policy with state=present.
|
|
| freeform_tags |
Free-form tags for this resource. Each tag is a simple key-value pair with no predefined name, type, or namespace. For more information, see https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/resourcetags.htm.
|
|
| name |
The name you assign to the policy during creation. The name must be unique across all policies in the tenancy and cannot be changed. Required when creating a policy with state=present.
|
|
| policy_document |
The path to the policy file. This option is mutually exclusive with statements. Either statements or policy_document must be specified when creating a policy with state=present.
|
|
| policy_id |
The OCID of the policy. Required to update or delete a policy.
aliases: id |
|
| region |
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See
config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions. |
|
| state |
|
Create or update a policy with state=present. Delete a policy with state=absent.
|
| statements |
An array of policy statements written in the policy language. This option is mutually exclusive with policy_document. Either statements or policy_document must be specified when creating a policy with state=present.
|
|
| tenancy |
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See
config_file_location). To get the tenancy OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm |
|
| version_date |
The version of the policy. The version of the policy. If null or set to an empty string, when a request comes in for authorization, the policy will be evaluated according to the current behavior of the services at that moment. If set to a particular date (YYYY-MM-DD), the policy will be evaluated according to the behavior of the services on that date.
|
|
|
wait
bool |
|
Whether to wait for create or delete operation to complete.
|
| wait_timeout |
Default: 1200
|
Time, in seconds, to wait when wait=yes.
|
| wait_until |
The lifecycle state to wait for the resource to transition into when wait=yes. By default, when wait=yes, we wait for the resource to get into ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/ RUNNING applicable lifecycle state during create operation & to get into DELETED/DETACHED/ TERMINATED lifecycle state during delete operation.
|
Notes¶
Note
- For OCI python sdk configuration, please refer to https://oracle-cloud-infrastructure-python-sdk.readthedocs.io/en/latest/configuration.html
Examples¶
- name: Create a policy
oci_policy:
name: mypolicy
compartment_id: 'ocid1.compartment.oc1..xxxxxEXAMPLExxxxx'
description: 'GroupAdmins can add/remove users in Project-A compartment'
statements: 'Allow group GroupAdmins to manage users in compartment Project-A'
- name: Update a policy
oci_policy:
id: ocid1.policy.oc1..xxxxxEXAMPLExxxxx
name: mypolicy
description: 'GroupAdmins can add/remove users in Project-A compartment'
policy_document: '/home/ansible/samples/policy/trial_policy.txt'
- name: Delete a policy
oci_policy:
id: ocid1.policy.oc1..xxxxxEXAMPLExxxxx
state: 'absent'
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
policy
dict
|
On successful operation |
OCI policy details
Sample:
{'lifecycle_state': 'ACTIVE', 'inactive_status': None, 'statements': ['Allow group GroupAdmins to manage users in compartment Project-A'], 'name': 'mypolicy', 'compartment_id': 'ocid1.compartment.oc1..xxxxxEXAMPLExxxxx', 'time_created': '2017-11-01T19:19:36.700000+00:00', 'version_date': '2017-11-01T00:00:00+00:00', 'id': 'ocid1.policy.oc1..xxxxxEXAMPLExxxxx', 'description': 'GroupAdmins can add/remove users in Project-A compartment'}
|
Status¶
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Author¶
- Rohit Chaware (@rohitChaware)
Hint
If you notice any issues in this documentation you can edit this document to improve it.