In the file elz-exadata-workload/iam.tf, policies are defined to create both Exadata VM clusters as well as Autonomous VM clusters (for autonomous DB dedicated).
I think there are a few issues:
The group "exadata_infra_admin_group_name" does not get the permission to manage an autonomous vm cluster and the "database_admin_group_name" does not get the permission to use the autonomous vm cluster. The following policies should be added:
"Allow group ${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]} to manage cloud-autonomous-vmclusters in compartment ${module.workload_compartment.compartment_name}"
"Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to use cloud-autonomous-vmclusters in compartment ${module.workload_compartment.compartment_name}",
The group "exadata_infra_admin_group_name" gets the permission to "inspect autonomous-vmclusters", however this policy is valid for Oracle Exadata Cloud@Customer deployments only. The policy mentioned above already provides the permission for Oracle Public Cloud deployments, therefore this statement is no longer required.
It's not very clear why some of the policies related to exadata and databases depend on the enable_datasafe variable. Even if enable_datasafe is set to false, DBAs should be able to create and manage (autonomous) databases.
The following policy is giving DBAs too many permissions:
"Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to manage database-family in compartment ${module.workload_compartment.compartment_name}"
This policy gives permissions to manage all of the following resource types: cloud-exadata-infrastructures, cloud-vmclusters, db-nodes, db-homes, databases, pluggable-databases, db-backups, application-vips
This is conflicting with the statement made earlier where DBAs are not allowed to manage exadata-infrastructure and exadata-vmclusters. This would mean that DBAs need to get permissions on top of the permissions already provided (manage: db-nodes, db-homes, databases, db-backups) which are: manage: database-software-images, pluggable-databases, data-guard-association, key-stores, application-vips, oneoffPatch
DBAs should be able to create data guard associations for autonomous DBs as well. Policies need to be added to allow DBAs to manage the following resources: autonomousContainerDatabaseDataguardAssociations and AutonomousDatabaseDataguardAssociation
Hope this will help to improve the policies for the exadata workload
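As an added example (not the project's iam.tf and not code from the issue author), the statements proposed above collected into one Terraform `oci_identity_policy` resource, replacing the broad `database-family` grant with the explicit resource types listed in the issue. It assumes the resource and helper local names (`exa_admin`, `dba`, `wl_cmp`), the attribute `module.workload_compartment.compartment_id` for the compartment OCID, and that the infrastructure admins' existing `manage cloud-vmclusters` statement lives elsewhere in the file; `local.identity_domain_name`, `local.group_names` and `module.workload_compartment.compartment_name` are taken from the original.

```hcl
locals {
  # Group principals written the same way iam.tf builds them (assumed helper names).
  exa_admin = "${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]}"
  dba       = "${local.identity_domain_name}/${local.group_names["database_admin_group_name"]}"
  wl_cmp    = module.workload_compartment.compartment_name
}

resource "oci_identity_policy" "exadata_workload_db_policy" {
  # compartment_id attribute name is an assumption about the workload compartment module output.
  compartment_id = module.workload_compartment.compartment_id
  name           = "exadata-workload-db-policy"
  description    = "Exadata infra admins manage clusters; DBAs use clusters and manage databases"

  statements = [
    # Autonomous VM clusters (Oracle Public Cloud resource type) were missing entirely:
    # infra admins manage them, DBAs only use them, mirroring the cloud-vmclusters split.
    "Allow group ${local.exa_admin} to manage cloud-autonomous-vmclusters in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to use cloud-autonomous-vmclusters in compartment ${local.wl_cmp}",

    # Instead of 'manage database-family' (which also covers cloud-exadata-infrastructures
    # and cloud-vmclusters), grant only the database-level resource types DBAs need.
    "Allow group ${local.dba} to manage db-nodes in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage db-homes in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage databases in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage db-backups in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage database-software-images in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage pluggable-databases in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage data-guard-association in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage key-stores in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage application-vips in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage oneoffPatch in compartment ${local.wl_cmp}",

    # Data Guard for Autonomous Database (dedicated) is a separate pair of resource types.
    "Allow group ${local.dba} to manage autonomousContainerDatabaseDataguardAssociations in compartment ${local.wl_cmp}",
    "Allow group ${local.dba} to manage AutonomousDatabaseDataguardAssociation in compartment ${local.wl_cmp}",
  ]
}
```

Because none of these statements name cloud-exadata-infrastructures or cloud-vmclusters with the `manage` verb, a `terraform plan` diff against the current `database-family` statement shows exactly which infrastructure permissions the DBA group loses.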