In the module elz-workload/iam.tf, permissions are provided for databases (amongst others).
There are a few issues with the database permissions:
Only if the variable enable_datasafe is true does the group "database_admin_group_name" get permission to manage (autonomous) databases; otherwise this group only gets "read" permission for (autonomous) databases. The database permissions themselves should not depend on Data Safe being enabled.
The group "database_admin_group_name" gets permission to manage "database-family", "autonomous-databases" and "autonomous-container-databases".
The aggregate resource type "database-family" grants too many permissions, e.g. the permission to create exadata-infrastructures and exadata vmclusters, which should not be given because the standard workload structure is not prepared for Exadata workloads.
The policies for autonomous databases are missing a few permissions. The missing resource types are: autonomous-backups, autonomousContainerDatabaseDataguardAssociations and AutonomousDatabaseDataguardAssociation.
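The shape of the change described above, as an added illustration and not the module's actual iam.tf: the variable names (var.enable_datasafe, var.database_admin_group_name, var.workload_compartment_name, var.workload_compartment_id, var.workload_prefix), the local names and the Data Safe statement are assumptions; the resource-type names are the ones this issue names. The "before" statements in the comment are a reconstruction of the behaviour reported above, not a copy of the module.

```hcl
# Illustration only (not the module's own code). Assumed variables:
# var.enable_datasafe, var.database_admin_group_name, var.workload_compartment_name,
# var.workload_compartment_id, var.workload_prefix.
#
# Reported behaviour ("before"), reconstructed from the issue text:
#   var.enable_datasafe ? [
#     "Allow group ${var.database_admin_group_name} to manage database-family in compartment ${var.workload_compartment_name}",
#     "Allow group ${var.database_admin_group_name} to manage autonomous-databases in compartment ${var.workload_compartment_name}",
#     "Allow group ${var.database_admin_group_name} to manage autonomous-container-databases in compartment ${var.workload_compartment_name}",
#   ] : [
#     "Allow group ${var.database_admin_group_name} to read database-family in compartment ${var.workload_compartment_name}",
#   ]
# Problems: the grant depends on Data Safe, and "database-family" also covers
# exadata-infrastructures and vmclusters the workload structure is not built for.

locals {
  # "After": the specific resource types the workload needs, no aggregate
  # "database-family", and the three missing types added.
  database_admin_resource_types = [
    "autonomous-databases",
    "autonomous-container-databases",
    "autonomous-backups",
    "autonomousContainerDatabaseDataguardAssociations",
    "AutonomousDatabaseDataguardAssociation",
  ]

  # Always granted, independent of enable_datasafe.
  database_admin_statements = [
    for rt in local.database_admin_resource_types :
    "Allow group ${var.database_admin_group_name} to manage ${rt} in compartment ${var.workload_compartment_name}"
  ]

  # Data Safe keeps its own flag, separate from the database grants
  # (data-safe-family is the OCI aggregate type for Data Safe; its use here is an assumption).
  datasafe_statements = var.enable_datasafe ? [
    "Allow group ${var.database_admin_group_name} to manage data-safe-family in compartment ${var.workload_compartment_name}",
  ] : []
}

resource "oci_identity_policy" "database_admin" {
  compartment_id = var.workload_compartment_id
  name           = "${var.workload_prefix}-database-admin-policy"
  description    = "Database administration for the workload compartment (no Exadata resource types)"
  statements     = concat(local.database_admin_statements, local.datasafe_statements)
}
```

The type list only covers the autonomous resource types named in this issue. If a workload also needs VM DB systems, add the specific types (db-systems, databases, db-homes, db-nodes, backups) to the list rather than reverting to "database-family", so the Exadata types stay out of the grant.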