RBAC and Federation modules

.gitignore

@@ -1,5 +1,8 @@
+.idea/**
+
 # Local .terraform directories
 **/.terraform/*
+**/.terraform.lock.hcl
 
 # .tfstate files
 *.tfstate

CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# Contributing
+
+Oracle welcomes contributions to this repository from anyone.
+
+If you want to submit a pull request to fix a bug or enhance an existing feature, please first open an issue and link to that issue when you submit your pull request.
+
+If you have any questions about a possible submission, feel free to open an issue too.
+
+## Contributing to the repository
+
+Pull requests can be made under [The Oracle Contributor Agreement](https://oca.opensource.oracle.com/).
+
+For pull requests to be accepted, the bottom of your commit message must have the following line using your name and e-mail address as it appears in the OCA Signatories list.
+
+```
+Signed-off-by: Your Name <[email protected]>
+```
+
+This can be automatically added to pull requests by committing with:
+
+```
+  git commit --signoff
+```
+
+Only pull requests from committers that can be verified as having
+signed the OCA can be accepted.
+
+### Pull request process
+
+1. Fork this repository
+1. Create a branch in your fork to implement the changes. We recommend using the issue number as part of your branch name, e.g. `1234-fixes`
+1. Ensure that any documentation is updated with the changes that are required by your fix.
+1. Ensure that any samples are updated if the base image has been changed.
+1. Submit the pull request. *Do not leave the pull request blank*. Explain exactly what your changes are meant to do and provide simple steps on how to validate your changes. Ensure that you reference the issue you created as well. We will assign the pull request to 2-3 people for review before it is merged.

modules/gcp-identity/README.md

@@ -0,0 +1,55 @@
+# GCP Identity - RBAC 
+## Introduction
+Setup Roles Based access control for ODB@G service.
+
+## Providers
+
+| Name                                                                      | Version  |
+|---------------------------------------------------------------------------|----------|
+| [google](https://registry.terraform.io/providers/hashicorp/google/latest) | ~> 5.0.0 |
+
+
+## Inputs Variables
+| VARIABLE               |                DESCRIPTION                 | REQUIRED | DEFAULT_VALUE |                                              SAMPLE VALUE |
+|:-----------------------|:------------------------------------------:|:--------:|--------------:|--------------------------------------------------------:|
+| `gcp_org_id`           |            GCP Organization ID             |   YES    |            "" | |
+| `gcp_project`          |              GCP Project ID.               |   YES    |            "" |  |
+| `group_prefix`         | Custom role prefix for all created groups. |    NO    |            {} |  |
+| `initial_group_config` |   Ownership of the newly created groups.   |    NO    |              WITH_INITIAL_OWNER | WITH_INITIAL_OWNER |
+
+
+# Setup Roles based access
+Setting up RBAC for Exa and ADB-S in Azure using default group names.
+
+### Authentication
+There are several alternatives for GCP authentication, including
+using a service account JSON credentials file or using a OAuth access
+tokens.
+
+Details on authentication options can be found on the 
+[Google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication) details page.
+
+To run this module on a local workstation `gcloud auth` can be used:
+
+```
+# authenticate GCP CLI for execution on a local workstation
+gcloud auth application-default login <ACCOUNT>
+```
+
+### Initialize
+```
+$ terraform init
+```
+### Apply
+
+To create the default ODB@G roles using non-custom names
+
+```
+$ terraform apply -var="gcp_org_id=<org_id>" -var="gcp_project=<project_id>"
+```
+
+To create ODB@G roles using a custom prefix.
+
+```
+$ terraform apply -var="gcp_org_id=<org_id>" -var="gcp_project=<project_id>" -var="group_prefix=<custom_prefix>"
+```

modules/gcp-identity/gcp-rbac/README.md

@@ -0,0 +1,45 @@
+# Azure Identity  
+## Introduction
+Setup Roles Based access control for ODB@G service.
+
+## Providers
+
+| Name                                                                      | Version  |
+|---------------------------------------------------------------------------|----------|
+| [google](https://registry.terraform.io/providers/hashicorp/google/latest) | ~> 5.0.0 |
+
+
+## Inputs Variables
+| VARIABLE               |                           DESCRIPTION                           | REQUIRED | DEFAULT_VALUE |                                              SAMPLE VALUE |
+|:-----------------------|:---------------------------------------------------------------:|:--------:|--------------:|--------------------------------------------------------:|
+| `gcp_org_id`           |                      GCP Organization ID                        |   YES    |            "" | |
+| `gcp_project`          |                         GCP Project ID.                         |   YES    |            "" |  |
+| `odbag_built_in_roles` | Map of Role ID to Role Description for the roles to be created. |    NO    |            {} |  |
+| `initial_group_config` |             Ownership of the newly created groups.              |    NO    |              WITH_INITIAL_OWNER | WITH_INITIAL_OWNER |
+
+
+# Setup Roles based access
+See [parent project](../README.md) to run this module with the required groups and roles.
+
+### Authentication
+There are several alternatives for GCP authentication, including
+using a service account JSON credentials file or using a OAuth access
+tokens.
+
+Details on authentication options can be found on the 
+[Google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication) details page.
+
+To run this module on a local workstation `gcloud auth` can be used:
+
+```
+# authenticate GCP CLI for execution on a local workstation
+gcloud auth application-default login <ACCOUNT>
+```
+
+### Initialize
+```
+$ terraform init
+```
+### Apply
+
+See [parent project](../README.md) for apply details.

modules/gcp-identity/gcp-rbac/main.tf

@@ -0,0 +1,42 @@
+terraform {
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+  }
+}
+
+locals {
+  gcp_org_id            = var.gcp_org_id
+  gcp_project           = var.gcp_project
+  odbag_built_in_roles  = var.odbag_built_in_roles
+}
+
+provider "google" {
+  project = local.gcp_project
+}
+
+data "google_organization" "org" {
+  organization = var.gcp_org_id
+}
+
+module "groups" {
+  source   = "terraform-google-modules/group/google"
+  version  = "~> 0.6"
+  for_each = local.odbag_built_in_roles
+
+  id                   = each.key
+  display_name         = each.value
+  description          = each.value
+  initial_group_config = var.initial_group_config
+  customer_id          = data.google_organization.org.directory_customer_id
+  types                = ["default", "security"]
+}
+
+resource "google_project_iam_member" "project" {
+  project = local.gcp_project
+  role    = "roles/${each.key}"
+  member  = "group:${each.key}"
+
+  for_each = local.odbag_built_in_roles
+}

modules/gcp-identity/gcp-rbac/variables.tf

@@ -0,0 +1,22 @@
+variable "gcp_org_id" {
+  description = "GCP Organization ID"
+  type        = string
+}
+
+variable "gcp_project" {
+  type        = string
+  default     = ""
+  description = "GCP project"
+}
+
+variable "odbag_built_in_roles" {
+  type        = map(string)
+  default     = {}
+  description = "Groups required on GCP"
+}
+
+variable "initial_group_config" {
+  description = "Define the group configuration when it is initialized. Valid values are: WITH_INITIAL_OWNER, EMPTY and INITIAL_GROUP_CONFIG_UNSPECIFIED."
+  type        = string
+  default     = "WITH_INITIAL_OWNER"
+}