OCI IAM Foundation (compartments + policies)

oci-iam-foundation

Tenancy landing-zone core: compartment hierarchy, groups, dynamic groups, policy statements and tag namespaces from a single map. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

• Compartments are delete-protected (enable_delete = false) unless opted in
• Policies are explicit statement lists — nothing is granted implicitly
• Policies attach at the narrowest scope you name (a created compartment), falling back to the tenancy root only when no compartment_key is given
• Dynamic groups require a non-empty matching rule (validated)

Usage

module "iam" {
  source       = "./oci-iam-foundation"
  tenancy_ocid = "ocid1.tenancy.oc1..xxxx"

  compartments = {
    platform  = { description = "Shared platform services" }
    workloads = { description = "Application workloads" }
  }

  child_compartments = {
    prod = { parent_key = "workloads", description = "Production" }
    dev  = { parent_key = "workloads", description = "Development", enable_delete = true }
  }

  groups = {
    platform-admins = { description = "Operate shared platform services" }
  }

  dynamic_groups = {
    prod-instances = {
      description   = "All compute instances in prod"
      matching_rule = "ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxx'}"
    }
  }

  policies = {
    platform-admins = {
      description     = "Platform admins manage the platform compartment"
      compartment_key = "platform"
      statements      = ["Allow group platform-admins to manage all-resources in compartment platform"]
    }
  }

  tag_namespaces = {
    operations = {
      description = "Operational metadata"
      tags = {
        environment = { description = "Deployment environment", values = ["dev", "stage", "prod"] }
        cost-center = { description = "Charge-back code", is_cost_tracking = true }
      }
    }
  }
}

Inputs

Name	Type	Default	Description
tenancy_ocid	string	—	Tenancy OCID — root for compartments, groups, dynamic groups, tag namespaces (required)
compartments	map(object)	{}	Top-level compartments keyed by name: description, enable_delete
child_compartments	map(object)	{}	Second-level compartments keyed by name: parent_key (key of compartments), description, enable_delete
groups	map(object)	{}	IAM groups keyed by name: description
dynamic_groups	map(object)	{}	Dynamic groups keyed by name: description, matching_rule
policies	map(object)	{}	Policies keyed by name: description, statements (list), optional compartment_key to attach to a created compartment
tag_namespaces	map(object)	{}	Tag namespaces keyed by name: description, is_retired, tags map (description, is_cost_tracking, values for an ENUM validator)
freeform_tags	map(string)	{}	Freeform tags on every resource

Outputs

compartment_ids (parents + children), group_ids, dynamic_group_ids, policy_ids, tag_namespace_ids, tag_ids (keyed namespace.tag).

Notes

• Identity resources are written in the tenancy home region — point the provider at your home region and run with tenancy-admin credentials.
• Policy statements reference groups/dynamic groups by name; the module orders creation so statements can reference what it creates in the same run.
• Compartment deletion in OCI is asynchronous and slow; enable_delete = true lets destroy request it, but expect the compartment to linger while OCI drains it.
• Tag namespaces/keys cannot be hard-deleted quickly — they retire. Treat namespace names as long-lived.

Requirements

• Terraform or OpenTofu >= 1.6
• Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).