Resource Manager allows you to automate installing and provisioning Oracle Cloud Infrastructure resources by committing the provisioning instructions to configuration files. These configuration files capture the step-by-step provisioning instructions using a declarative language that follows the "infrastructure-as-code" model. The provisioning instructions are executed as "jobs"; the Oracle Cloud Infrastructure resources that are provisioned when you run the jobs are organized into "stacks."
Executing jobs and provisioning stacks is gated using role-based access control (RBAC), which is enabled by Oracle Cloud Infrastructure Identity and Access Management (IAM). This gives administrators granular control over user access to Oracle Cloud Infrastructure resources and the actions that users can take on these resources.
The Resource Manager security scheme rests on three pillars:
The Resource Manager supports two permission sets: one for stack resources and another for job resources. Table 1 lists the permissions associated with each resource type.

Resource Type | Permissions
---|---
Stacks (orm-stacks) | inspect orm-stack, read orm-stack, use orm-stack, create orm-stack, update orm-stack, delete orm-stack
Jobs (orm-jobs) | inspect orm-job, read orm-job, manage orm-job
Each of the permissions in the preceding table is associated with specific Resource Manager operations. The table that follows lists the Resource Manager operations and the permissions required to execute each of them. Notice that the CreateJob operation requires two permissions.

Operation | Permission
---|---
Generate a list of stacks (ListStacks) | inspect orm-stack
Create a stack (CreateStack) | create orm-stack
Get a stack (GetStack) | read orm-stack
Update a stack (UpdateStack) | update orm-stack
Delete a stack (DeleteStack) | delete orm-stack
Get a stack Terraform configuration (GetStackTfConfig) | read orm-stack
List jobs (ListJobs) | inspect orm-job
Create a job (CreateJob) | use orm-stack and manage orm-job
Get a job (GetJob) | read orm-job
Update a job (UpdateJob) | manage orm-job
Cancel a job (CancelJob) | manage orm-job
Get a job Terraform state file (GetJobTfState) | read orm-job
Get a job Terraform configuration (GetJobTfConfig) | read orm-job
Get a job Terraform execution plan (GetJobTfExecutionPlan) | read orm-job
Get job logs (GetJobLogs) | read orm-job
Following are policy recommendations for securing Resource Manager. For more information about security policies, see Getting Started with Policies. See also How Policies Work and Policy Syntax.
The following policy grants a specified group permission to manage both stacks and jobs in a compartment, and therefore to manage the resources provisioned by the tenancy's stacks.
Allow group <group_name> to manage orm-stacks in compartment
Allow group <group_name> to manage orm-jobs in compartment
In addition to granting permission to perform specific operations, you can also write a policy that effectively prevents certain actions. IAM policies only grant access (anything not granted is denied), so the restriction is expressed by granting manage orm-jobs only for the job operations you want to allow. The following policy example prevents members of a specified group from running Destroy jobs on a stack, because only PLAN and APPLY jobs are granted.
Allow group <group_name> to use orm-stacks in compartment
Allow group <group_name> to read orm-jobs in compartment
Allow group <group_name> to manage orm-jobs in compartment where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}
Notice that you must include the separate permission to read orm-jobs in compartment, because the manage statement includes a where condition that references variables (target.job.operation) that are not present when listing or getting jobs, so that statement alone would not grant those operations.
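The two tables above and the "no Destroy jobs" policy can be checked against each other with a small evaluator. The following is an added example, not Oracle's code or the IAM service's evaluation algorithm: it parses only the policy subset used on this page (`Allow group G to VERB RESOURCE in compartment C`, optionally with `where any {...}`), assumes default-deny, allow-only semantics with the verb hierarchy inspect < read < use < manage (with manage also covering the create/update/delete stack permissions), and uses constructed group and compartment names (`ops-team`, `dev`) in place of the page's placeholders. It shows why CreateJob needs both permissions, why a DESTROY job is refused, and why the unconditioned read orm-jobs grant is needed for GetJob and GetJobTfState.

```python
"""Toy evaluator for the Resource Manager policy statements shown on this page.

Added example, not Oracle's code or the IAM service's algorithm. It models only
the policy subset used here and assumes default-deny, allow-only semantics with
the verb hierarchy inspect < read < use < manage.
"""
import re

# Assumed verb expansion: which permission verbs a granted verb covers.
# 'manage' also covers the create/update/delete stack permissions from Table 1.
VERB_COVERS = {
    "inspect": {"inspect"},
    "read": {"inspect", "read"},
    "use": {"inspect", "read", "use"},
    "manage": {"inspect", "read", "use", "create", "update", "delete", "manage"},
}

# Permissions each operation needs, taken from the page's operation table.
# The page writes the permission resource in the singular (orm-stack/orm-job);
# here it is keyed on the policy resource-type name (orm-stacks/orm-jobs).
REQUIRED = {
    "ListStacks": [("inspect", "orm-stacks")],
    "CreateStack": [("create", "orm-stacks")],
    "GetStack": [("read", "orm-stacks")],
    "UpdateStack": [("update", "orm-stacks")],
    "DeleteStack": [("delete", "orm-stacks")],
    "GetStackTfConfig": [("read", "orm-stacks")],
    "ListJobs": [("inspect", "orm-jobs")],
    "CreateJob": [("use", "orm-stacks"), ("manage", "orm-jobs")],  # two permissions
    "GetJob": [("read", "orm-jobs")],
    "UpdateJob": [("manage", "orm-jobs")],
    "CancelJob": [("manage", "orm-jobs")],
    "GetJobTfState": [("read", "orm-jobs")],
    "GetJobTfConfig": [("read", "orm-jobs")],
    "GetJobTfExecutionPlan": [("read", "orm-jobs")],
    "GetJobLogs": [("read", "orm-jobs")],
}

STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>orm-stacks|orm-jobs) in compartment (?P<compartment>\S+)"
    r"(?:\s+where any \{(?P<conds>[^}]*)\})?\s*$"
)
CONDITION = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")


def parse_policy(text):
    """Parse one policy statement per non-empty line into dicts."""
    statements = []
    for line in text.strip().splitlines():
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unsupported statement: {line!r}")
        conds = CONDITION.findall(m.group("conds") or "")
        statements.append({**m.groupdict(), "conds": conds})
    return statements


def statement_applies(stmt, group, compartment, context):
    """A statement applies when group and compartment match and, if it has a
    'where any' clause, at least one condition is true. A condition on a
    variable the request does not carry is false: this is why GetJob needs
    its own unconditioned 'read orm-jobs' grant."""
    if stmt["group"] != group or stmt["compartment"] != compartment:
        return False
    if not stmt["conds"]:
        return True
    return any(context.get(var) == val for var, val in stmt["conds"])


def is_allowed(policy_text, group, compartment, operation, context=None):
    """Default deny: every permission the operation requires must be covered
    by at least one applicable statement."""
    context = context or {}
    stmts = [s for s in parse_policy(policy_text)
             if statement_applies(s, group, compartment, context)]
    for verb, resource in REQUIRED[operation]:
        if not any(s["resource"] == resource and verb in VERB_COVERS[s["verb"]]
                   for s in stmts):
            return False
    return True


# Constructed policy: the page's "no Destroy jobs" example with placeholders filled in.
NO_DESTROY_POLICY = """
Allow group ops-team to use orm-stacks in compartment dev
Allow group ops-team to read orm-jobs in compartment dev
Allow group ops-team to manage orm-jobs in compartment dev where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}
"""

if __name__ == "__main__":
    for op, ctx in [("CreateJob", {"target.job.operation": "PLAN"}),
                    ("CreateJob", {"target.job.operation": "DESTROY"}),
                    ("GetJobTfState", {}),
                    ("CreateStack", {})]:
        print(op, ctx, "->", is_allowed(NO_DESTROY_POLICY, "ops-team", "dev", op, ctx))
```

Running the block prints that a PLAN CreateJob is allowed, a DESTROY CreateJob is refused, reading the job's Terraform state is allowed through read orm-jobs, and CreateStack is refused because use orm-stacks does not cover the create permission. Dropping the read orm-jobs line makes GetJob fail even though manage orm-jobs is granted, matching the note above.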
Terraform state (.tfstate) can contain sensitive data, including resource IDs and in some cases sensitive user data like passwords. HashiCorp provides recommendations for handling Terraform state in the article Sensitive Data in State.
To control access to the Terraform state file, you can create a security policy that limits access to reading jobs, such as the following:
Allow group <group_name> to read orm-jobs in compartment
Note: Because the permission read orm-jobs also governs other operations, such as getting logs and Terraform configurations, you should segregate sensitive state files in a compartment where a restrictive policy will not limit the ability to perform those other operations.
The Resource Manager workflow includes uploading your Terraform configuration to the service as a .zip file. Because the Terraform configuration can be retrieved using the ORM API (GetJobTfConfig), it is highly recommended that you do not include sensitive information in your configuration files.