oci-kms-vault module clean up

junior · junior · commit 6ea864c3aa46 · 2022-08-31T00:26:26.000-05:00
Signed-off-by: junior &lt;junior@users.noreply.github.com&gt;
diff --git a/modules/oci-vault-kms/main.tf b/modules/oci-vault-kms/main.tf
@@ -9,9 +9,9 @@
 ### OCI Vault vault
 resource "oci_kms_vault" "oke_vault" {
   compartment_id = var.oke_cluster_compartment_ocid
-  display_name   = "${local.vault_display_name} - ${var.app_details.app_deployment_id}"
+  display_name   = "${local.vault_display_name} - ${var.freeform_deployment_tags.DeploymentID}"
   vault_type     = local.vault_type[0]
-  freeform_tags  = local.freeform_deployment_tags
+  freeform_tags  = var.freeform_deployment_tags
 
   # depends_on = [oci_identity_policy.kms_user_group_compartment_policies]
 
@@ -20,10 +20,10 @@ resource "oci_kms_vault" "oke_vault" {
 ### OCI Vault key
 resource "oci_kms_key" "oke_key" {
   compartment_id      = var.oke_cluster_compartment_ocid
-  display_name        = "${local.vault_key_display_name} - ${var.app_details.app_deployment_id}"
+  display_name        = "${local.vault_key_display_name} - ${var.freeform_deployment_tags.DeploymentID}"
   management_endpoint = oci_kms_vault.oke_vault[0].management_endpoint
   protection_mode     = local.vault_key_protection_mode
-  freeform_tags       = local.freeform_deployment_tags
+  freeform_tags       = var.freeform_deployment_tags
 
   key_shape {
     algorithm = local.vault_key_key_shape_algorithm
diff --git a/modules/oci-vault-kms/outputs.tf b/modules/oci-vault-kms/outputs.tf
@@ -3,5 +3,5 @@
 # 
 
 output "oci_vault_key_id" {
-  value     = var.use_encryption_from_oci_vault ? (var.create_new_encryption_key ? oci_kms_key.oke_key[0].id : var.existent_encryption_key_id) : null
+  value = var.use_encryption_from_oci_vault ? (var.create_new_encryption_key ? oci_kms_key.oke_key[0].id : var.existent_encryption_key_id) : null
 }
diff --git a/modules/oci-vault-kms/policies.tf b/modules/oci-vault-kms/policies.tf
@@ -3,38 +3,38 @@
 # 
 
 resource "oci_identity_dynamic_group" "app_dynamic_group" {
-  name           = "${local.app_name_normalized}-kms-dg-${var.app_details.app_deployment_id}"
-  description    = "${var.app_details.app_name} KMS for OKE Dynamic Group (${var.app_details.app_deployment_id})"
+  name           = "${local.app_name_normalized}-kms-dg-${local.deploy_id}"
+  description    = "${local.app_name} KMS for OKE Dynamic Group (${local.deploy_id})"
   compartment_id = var.tenancy_ocid
   matching_rule  = "ANY {${join(",", local.dynamic_group_matching_rules)}}"
 
   provider = oci.home_region
 
-  count = var.create_dynamic_group_for_nodes_in_compartment ? 1 : 0
+  count = (var.use_encryption_from_oci_vault && var.create_dynamic_group_for_nodes_in_compartment) ? 1 : 0
 }
 resource "oci_identity_policy" "app_compartment_policies" {
-  name           = "${local.app_name_normalized}-kms-compartment-policies-${var.app_details.app_deployment_id}"
-  description    = "${var.app_details.app_name} KMS for OKE Compartment Policies (${var.app_details.app_deployment_id})"
+  name           = "${local.app_name_normalized}-kms-compartment-policies-${local.deploy_id}"
+  description    = "${local.app_name} KMS for OKE Compartment Policies (${local.deploy_id})"
   compartment_id = var.oke_cluster_compartment_ocid
   statements     = local.app_compartment_statements
 
   depends_on = [oci_identity_dynamic_group.app_dynamic_group]
 
   provider = oci.home_region
 
-  count = var.create_compartment_policies ? 1 : 0
+  count = (var.use_encryption_from_oci_vault && var.create_compartment_policies) ? 1 : 0
 }
 resource "oci_identity_policy" "kms_user_group_compartment_policies" {
-  name           = "${local.app_name_normalized}-kms-compartment-policies-${var.app_details.app_deployment_id}"
-  description    = "${var.app_details.app_name} KMS User Group Compartment Policies (${var.app_details.app_deployment_id})"
+  name           = "${local.app_name_normalized}-kms-compartment-policies-${local.deploy_id}"
+  description    = "${local.app_name} KMS User Group Compartment Policies (${local.deploy_id})"
   compartment_id = var.oke_cluster_compartment_ocid
   statements     = local.kms_user_group_compartment_statements
 
   depends_on = [oci_identity_dynamic_group.app_dynamic_group]
 
   provider = oci.home_region
 
-  count = (var.create_compartment_policies && var.create_vault_policies_for_group) ? 1 : 0
+  count = (var.use_encryption_from_oci_vault && var.create_compartment_policies && var.create_vault_policies_for_group) ? 1 : 0
 }
 
 # Concat Matching Rules and Policy Statements
@@ -44,7 +44,7 @@ locals {
     local.clusters_in_compartment_rule
   )
   app_compartment_statements = concat(
-    var.use_encryption_from_oci_vault ? local.allow_oke_use_oci_vault_keys_statements : []
+    local.allow_oke_use_oci_vault_keys_statements
   )
   kms_user_group_compartment_statements = concat(
     local.allow_group_manage_vault_keys_statements
@@ -76,6 +76,8 @@ locals {
 
 # Conditional locals
 locals {
-  app_dynamic_group = var.create_dynamic_group_for_nodes_in_compartment ? oci_identity_dynamic_group.app_dynamic_group.0.name : "void"
-  app_name_normalized = var.app_details.app_name_normalized
+  app_dynamic_group   = var.create_dynamic_group_for_nodes_in_compartment ? oci_identity_dynamic_group.app_dynamic_group.0.name : "void"
+  app_name_normalized = substr(replace(lower(var.freeform_deployment_tags.AppName), " ", "-"), 0, 6)
+  app_name            = var.freeform_deployment_tags.AppName
+  deploy_id           = var.freeform_deployment_tags.DeploymentID
 }
diff --git a/modules/oci-vault-kms/variables.tf b/modules/oci-vault-kms/variables.tf
@@ -16,9 +16,9 @@ variable "existent_encryption_key_id" {
   description = "Use an existent master encryption key to encrypt boot volume and object storage bucket. NOTE: If the key resides in a different compartment or in a different tenancy, make sure you have the proper policies to access, or the provision of the worker nodes will fail"
 }
 
-# Deployment Details
-variable "app_details" {
-  description = "App Details"
+# Deployment Details + Freeform Tags
+variable "freeform_deployment_tags" {
+  description = "Tags to be added to the resources"
 }
 
 # OKE Variables
@@ -38,7 +38,7 @@ variable "user_admin_group_for_vault_policy" {
 }
 ## Create Dynamic Group and Policies
 variable "create_dynamic_group_for_nodes_in_compartment" {
-  default     = false 
+  default     = false
   description = "Creates dynamic group of Nodes in the compartment. Note: You need to have proper rights on the Tenancy. If you only have rights in a compartment, uncheck and ask you administrator to create the Dynamic Group for you"
 }
 variable "create_compartment_policies" {
@@ -48,12 +48,3 @@ variable "create_compartment_policies" {
 
 # OCI Provider
 variable "tenancy_ocid" {}
-
-# Deployment Tags
-locals {
-  freeform_deployment_tags = {
-    "DeploymentID" = "${var.app_details.app_deployment_id}",
-    "AppName"      = "${var.app_details.app_name}",
-    "Environment"  = "${var.app_details.app_deployment_environment}",
-  "DeploymentType" = "${var.app_details.app_deployment_type}" }
-}

Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,5 @@`
`3`	`3`	`#`
`4`	`4`
`5`	`5`	`output "oci_vault_key_id" {`
`6`		`- value = var.use_encryption_from_oci_vault ? (var.create_new_encryption_key ? oci_kms_key.oke_key[0].id : var.existent_encryption_key_id) : null`
	`6`	`+ value = var.use_encryption_from_oci_vault ? (var.create_new_encryption_key ? oci_kms_key.oke_key[0].id : var.existent_encryption_key_id) : null`
`7`	`7`	`}`