Release 0.2.8 (#37)

* Release 0.2.1

* Release 0.2.2

* feat: TF < 1.3.0 restriction removed

* feat: TF binary equal or greater than 1.3.0 requirement added

* chore: release notes and version bump

* chore: release notes, tag and SPECs updated

* fix typo in dynamic groups that refered to domain groups

* fix: version = "<= 5.16.0" removed

* chore: release notes, version and spec updated

* feat: OCI FW and ZPR IAM policies added

* feat: examples updated

* chore: release notes and version update

* chore: release notes updated.

* fix: attribute_sets = ["all"] added to oci_identity_domains_group

* chore: release notes and version increment

* fix: preventing username dupes to fail user lookup

* fix: ignoring username dupes that can be provided as input

* chore: release notes a version increment

* chore: release date updated

* feat: debug flag added

* fix: user lookup only checks ACTIVE users

* chore: release notes updated

* doc: SPEC.md updated

* feat: members checked against their respective identity domains.

* doc: spec updated

* chore: release notes

* fix: debug reporting removed

---------

Signed-off-by: Andre Correa <andre.correa@oracle.com>
Co-authored-by: Rory Nguyen <rory.nguyen@oracle.com>
Co-authored-by: josh_hammer <josh.hammer@oracle.com>

Author: 3 people

RELEASE-NOTES.md

@@ -1,3 +1,9 @@
+# March 25, 2025 Release Notes - 0.2.8
+## Updates
+1. [Identity Domains module](./identity-domains/)
+    - Only ACTIVE users are looked up for group membership assignments in identity domains.
+
+
 # January 10, 2025 Release Notes - 0.2.7
 ## Updates
 1. [Groups module](./groups/)

identity-domains/SPEC.md

@@ -51,10 +51,6 @@ No modules.
 | [oci_identity_region_subscriptions.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_region_subscriptions) | data source |
 | [oci_identity_regions.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_regions) | data source |
 | [oci_identity_tenancy.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_tenancy) | data source |
-| [oci_identity_domain.service_provider_domain](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_domain) | data source |
-| [oci_identity_domains_app_roles.client_app_roles](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_domains_app_roles) | data source |
-| [oci_identity_domains_group.granted_app_group](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_domains_group) | data source |
-| [http.sp_signing_cert](https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/op-admin-v1-signingcert-jwk-get.html) | data source |
 
 ## Inputs
 
@@ -76,7 +72,6 @@ No modules.
 | <a name="output_identity_domain_applications"></a> [identity\_domain\_applications](#output\_identity\_domain\_applications) | The identity domain applications |
 | <a name="output_identity_domain_dynamic_groups"></a> [identity\_domain\_dynamic\_groups](#output\_identity\_domain\_dynamic\_groups) | The identity domain groups |
 | <a name="output_identity_domain_groups"></a> [identity\_domain\_groups](#output\_identity\_domain\_groups) | The identity domain groups |
-| <a name="output_identity_domain_identity_providers"></a> [identity\_domain\_identity\_providers](#output\_identity\_domain\_identity\_providers) | The identity domain identity providers |
-| <a name="output_identity_domain_applications"></a> [identity\_domain\_applications](#output\_identity\_domain\_applicationss) | The identity domain applications |
+| <a name="output_identity_domain_identity_providers"></a> [identity\_domain\_identity\_providers](#output\_identity\_domain\_identity\_providers) | The identity domain groups |
 | <a name="output_identity_domain_saml_metadata"></a> [identity\_domain\_saml\_metadata](#output\_identity\_domain\_saml\_metadata) | n/a |
 | <a name="output_identity_domains"></a> [identity\_domains](#output\_identity\_domains) | The identity domains. |

identity-domains/examples/vision/variables.tf

@@ -17,9 +17,11 @@ variable "identity_domains_configuration" {
 variable "identity_domain_groups_configuration" {
   description = "The identity domain groups configuration."
   type = any
+  default = null
 }
 
 variable "identity_domain_dynamic_groups_configuration" {
   description = "The identity domain dynamic groups configuration."
   type = any
+  default = null
 }

identity-domains/groups.tf

@@ -7,10 +7,9 @@ data "oci_identity_domain" "grp_domain" {
 }
 
 data "oci_identity_domains_users" "these" {
-  
   for_each = var.identity_domain_groups_configuration != null ? (var.identity_domain_groups_configuration.groups != null ? var.identity_domain_groups_configuration.groups : {} ): {}
-     idcs_endpoint = contains(keys(oci_identity_domain.these),coalesce(each.value.identity_domain_id,"None")) ? oci_identity_domain.these[each.value.identity_domain_id].url : (contains(keys(oci_identity_domain.these),coalesce(var.identity_domain_groups_configuration.default_identity_domain_id,"None") ) ? oci_identity_domain.these[var.identity_domain_groups_configuration.default_identity_domain_id].url : data.oci_identity_domain.grp_domain[each.key].url)
-  
+    idcs_endpoint = contains(keys(oci_identity_domain.these),coalesce(each.value.identity_domain_id,"None")) ? oci_identity_domain.these[each.value.identity_domain_id].url : (contains(keys(oci_identity_domain.these),coalesce(var.identity_domain_groups_configuration.default_identity_domain_id,"None") ) ? oci_identity_domain.these[var.identity_domain_groups_configuration.default_identity_domain_id].url : data.oci_identity_domain.grp_domain[each.key].url)
+    user_filter = "active eq true" # Only active users are looked up. 
 
 }
 
@@ -22,33 +21,34 @@ locals {
 
 
 resource "oci_identity_domains_group" "these" {
-  for_each       = var.identity_domain_groups_configuration != null ? var.identity_domain_groups_configuration.groups : {}
+  for_each = var.identity_domain_groups_configuration != null ? var.identity_domain_groups_configuration.groups : {}
+    lifecycle {
+      precondition {
+        condition = length(setsubtract(toset(each.value.members),toset([for m in each.value.members : m if contains(keys(local.users[each.key]),m)]))) == 0
+        error_message = "VALIDATION FAILURE: following provided usernames in \"members\" attribute of group \"${each.key}\" do not exist or are not active\": ${join(", ",setsubtract(toset(each.value.members),toset([for m in each.value.members : m if contains(keys(local.users[each.key]),m)])))}. Please either correct their spelling or activate them."
+      }
+    }
 
     attribute_sets = ["all"]
     idcs_endpoint = contains(keys(oci_identity_domain.these),coalesce(each.value.identity_domain_id,"None")) ? oci_identity_domain.these[each.value.identity_domain_id].url : (contains(keys(oci_identity_domain.these),coalesce(var.identity_domain_groups_configuration.default_identity_domain_id,"None") ) ? oci_identity_domain.these[var.identity_domain_groups_configuration.default_identity_domain_id].url : data.oci_identity_domain.grp_domain[each.key].url)
 
     display_name            = each.value.name
     schemas = ["urn:ietf:params:scim:schemas:core:2.0:Group","urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group","urn:ietf:params:scim:schemas:extension:custom:2.0:Group"]
-
     urnietfparamsscimschemasoracleidcsextensiongroup_group {
         creation_mechanism = "api"
         description = each.value.description
     }
-
     urnietfparamsscimschemasoracleidcsextensionrequestable_group {
         requestable =  each.value.requestable
     }
-    
-    dynamic "members" {
+        dynamic "members" {
       for_each = each.value.members != null ? each.value.members : []
         content {
           type = "User"
           value = local.users[each.key][members["value"]]
-          
         }
     }
     urnietfparamsscimschemasoracleidcsextension_oci_tags {
-
         dynamic "defined_tags" {
             for_each = each.value.defined_tags != null ? each.value.defined_tags : (var.identity_domain_groups_configuration.default_defined_tags !=null ? var.identity_domain_groups_configuration.default_defined_tags : {})
                content {

identity-domains/outputs.tf

@@ -21,13 +21,11 @@ output "identity_domain_applications" {
   value = oci_identity_domains_app.these
 }
 
-
-
 output "identity_domain_identity_providers" {
   description = "The identity domain groups"
   value = oci_identity_domains_identity_provider.these
 }
 
 output "identity_domain_saml_metadata" {
   value = { for k,v in data.http.saml_metadata : k=> v.response_body }
-}
+}

release.txt

@@ -1 +1 @@
-0.2.7
+0.2.8