oracle.oci.oci_operator_access_control_access_request_actions – Perform actions on an AccessRequest resource in Oracle Cloud Infrastructure

Note

This plugin is part of the oracle.oci collection (version 4.14.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install oracle.oci.

To use it in a playbook, specify: oracle.oci.oci_operator_access_control_access_request_actions.

New in version 2.9.0: of oracle.oci

Synopsis

  • Perform actions on an AccessRequest resource in Oracle Cloud Infrastructure

  • For action=approve, approves an access request.

  • For action=interaction_request, posts query for additional information for the given access request.

  • For action=reject, rejects an access request.

  • For action=review, reviews the access request.

  • For action=revoke, revokes an already approved access request.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
access_request_id
string / required
unique AccessRequest identifier

aliases: id
action
string / required
    Choices:
  • approve
  • interaction_request
  • reject
  • review
  • revoke
The action to perform on the AccessRequest.
additional_message
string
Message that needs to be displayed to the Ops User.
Applicable only for action=approve.
api_user
string
The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_ID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See config_file_location). To get the user's OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_fingerprint
string
Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See config_file_location). To get the key pair's fingerprint value please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm.
api_user_key_file
string
Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See config_file_location). If the key is encrypted with a pass-phrase, the api_user_key_pass_phrase option must also be provided.
api_user_key_pass_phrase
string
Passphrase used by the key referenced in api_user_key_file, if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See config_file_location).
approver_comment
string
Comment by the approver during approval.
Applicable only for action=approveaction=rejectaction=reviewaction=revoke.
audit_type
list / elements=string
Specifies the type of auditing to be enabled. There are two levels of auditing: command-level and keystroke-level. By default, auditing is enabled at the command level i.e., each command issued by the operator is audited. When keystroke-level is chosen, in addition to command level logging, key strokes are also logged.
Applicable only for action=approve.
auth_purpose
string
    Choices:
  • service_principal
The auth purpose which can be used in conjunction with 'auth_type=instance_principal'. The default auth_purpose for instance_principal is None.
auth_type
string
    Choices:
  • api_key ←
  • instance_principal
  • instance_obo_user
  • resource_principal
The type of authentication to use for making API requests. By default auth_type="api_key" based authentication is performed and the API key (see api_user_key_file) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use auth_type="instance_principal" to use instance principal based authentication when running ansible playbooks within an OCI compute instance.
cert_bundle
string
The full path to a CA certificate bundle to be used for SSL verification. This will override the default CA certificate bundle. If not set, then the value of the OCI_ANSIBLE_CERT_BUNDLE variable, if any, is used.
config_file_location
string
Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config.
config_profile_name
string
The profile to load from the config file referenced by config_file_location. If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in config_file_location.
more_info_details
string
questions for asking to provide more information to operators.
Applicable only for action=interaction_request.
region
string
The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See config_file_location). Please refer to https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm for more information on OCI regions.
tenancy
string
OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See config_file_location). To get the tenancy OCID, please refer https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm
time_of_user_creation
string
The time when access request is scheduled to be approved in RFC 3339 timestamp format.Example: '2020-05-22T21:10:29.600Z'
Applicable only for action=approve.
wait
boolean
    Choices:
  • no
  • yes ←
Whether to wait for create or delete operation to complete.
wait_timeout
integer
Time, in seconds, to wait when wait=yes. Defaults to 1200 for most of the services but some services might have a longer wait timeout.

Examples

- name: Perform action approve on access_request
  oci_operator_access_control_access_request_actions:
    # required
    access_request_id: "ocid1.accessrequest.oc1..xxxxxxEXAMPLExxxxxx"
    action: approve

    # optional
    audit_type: [ "audit_type_example" ]
    additional_message: additional_message_example
    time_of_user_creation: time_of_user_creation_example
    approver_comment: approver_comment_example

- name: Perform action interaction_request on access_request
  oci_operator_access_control_access_request_actions:
    # required
    access_request_id: "ocid1.accessrequest.oc1..xxxxxxEXAMPLExxxxxx"
    action: interaction_request

    # optional
    more_info_details: more_info_details_example

- name: Perform action reject on access_request
  oci_operator_access_control_access_request_actions:
    # required
    access_request_id: "ocid1.accessrequest.oc1..xxxxxxEXAMPLExxxxxx"
    action: reject

    # optional
    approver_comment: approver_comment_example

- name: Perform action review on access_request
  oci_operator_access_control_access_request_actions:
    # required
    access_request_id: "ocid1.accessrequest.oc1..xxxxxxEXAMPLExxxxxx"
    action: review

    # optional
    approver_comment: approver_comment_example

- name: Perform action revoke on access_request
  oci_operator_access_control_access_request_actions:
    # required
    access_request_id: "ocid1.accessrequest.oc1..xxxxxxEXAMPLExxxxxx"
    action: revoke

    # optional
    approver_comment: approver_comment_example

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
access_request
complex
on success
Details of the AccessRequest resource acted upon by the current operation

Sample:
{'access_reason_summary': 'access_reason_summary_example', 'action_requests_list': [], 'approver_comment': 'approver_comment_example', 'audit_type': [], 'closure_comment': 'closure_comment_example', 'compartment_id': 'ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx', 'defined_tags': {'Operations': {'CostCenter': 'US'}}, 'duration': 56, 'extend_duration': 56, 'freeform_tags': {'Department': 'Finance'}, 'id': 'ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx', 'is_auto_approved': True, 'lifecycle_details': 'lifecycle_details_example', 'lifecycle_state': 'CREATED', 'opctl_additional_message': 'opctl_additional_message_example', 'opctl_id': 'ocid1.opctl.oc1..xxxxxxEXAMPLExxxxxx', 'opctl_name': 'opctl_name_example', 'operator_id': 'ocid1.operator.oc1..xxxxxxEXAMPLExxxxxx', 'reason': 'reason_example', 'request_id': 'ocid1.request.oc1..xxxxxxEXAMPLExxxxxx', 'resource_id': 'ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx', 'resource_name': 'resource_name_example', 'resource_type': 'EXACC', 'severity': 'S1', 'system_message': 'system_message_example', 'time_of_creation': '2013-10-20T19:20:30+01:00', 'time_of_modification': '2013-10-20T19:20:30+01:00', 'time_of_user_creation': '2013-10-20T19:20:30+01:00', 'user_id': 'ocid1.user.oc1..xxxxxxEXAMPLExxxxxx', 'workflow_id': []}
 
access_reason_summary
string
on success
Summary comment by the operator creating the access request.

Sample:
access_reason_summary_example
 
action_requests_list
list / elements=string
on success
List of operator actions for which approval is sought by the operator user.

 
approver_comment
string
on success
The last recent Comment entered by the approver of the request.

Sample:
approver_comment_example
 
audit_type
list / elements=string
on success
Specifies the type of auditing to be enabled. There are two levels of auditing: command-level and keystroke-level. By default, auditing is enabled at the command level i.e., each command issued by the operator is audited. When keystroke-level is chosen, in addition to command level logging, key strokes are also logged.

 
closure_comment
string
on success
The comment entered by the operator while closing the request.

Sample:
closure_comment_example
 
compartment_id
string
on success
The OCID of the compartment that contains the access request.

Sample:
ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
 
defined_tags
dictionary
on success
Defined tags for this resource. Each key is predefined and scoped to a namespace.

Sample:
{'Operations': {'CostCenter': 'US'}}
 
duration
integer
on success
Duration in hours for which access is sought on the target resource.

Sample:
56
 
extend_duration
integer
on success
Duration in hours for which extension access is sought on the target resource.

Sample:
56
 
freeform_tags
dictionary
on success
Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only.

Sample:
{'Department': 'Finance'}
 
id
string
on success
The OCID of the access request.

Sample:
ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
 
is_auto_approved
boolean
on success
Whether the access request was automatically approved.

Sample:
True
 
lifecycle_details
string
on success
more in detail about the lifeCycleState.

Sample:
lifecycle_details_example
 
lifecycle_state
string
on success
The current state of the AccessRequest.

Sample:
CREATED
 
opctl_additional_message
string
on success
Additional message specific to the access request that can be specified by the approver at the time of approval.

Sample:
opctl_additional_message_example
 
opctl_id
string
on success
The OCID of the operator control governing the target resource.

Sample:
ocid1.opctl.oc1..xxxxxxEXAMPLExxxxxx
 
opctl_name
string
on success
Name of the Operator control governing the target resource.

Sample:
opctl_name_example
 
operator_id
string
on success
A unique identifier associated with the operator who raised the request. This identifier can not be used directly to identify the operator. You need to provide this identifier if you would like Oracle to provide additional information about the operator action within Oracle tenancy.

Sample:
ocid1.operator.oc1..xxxxxxEXAMPLExxxxxx
 
reason
string
on success
Summary reason for which the operator is requesting access on the target resource.

Sample:
reason_example
 
request_id
string
on success
This is an automatic identifier generated by the system which is easier for human comprehension.

Sample:
ocid1.request.oc1..xxxxxxEXAMPLExxxxxx
 
resource_id
string
on success
The OCID of the target resource associated with the access request. The operator raises an access request to get approval to access the target resource.

Sample:
ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
 
resource_name
string
on success
The name of the target resource.

Sample:
resource_name_example
 
resource_type
string
on success
resourceType for which the AccessRequest is applicable

Sample:
EXACC
 
severity
string
on success
Priority assigned to the access request by the operator

Sample:
S1
 
system_message
string
on success
System message that will be displayed to the operator at login to the target resource.

Sample:
system_message_example
 
time_of_creation
string
on success
Time when the access request was created in RFC 3339timestamp format. Example: '2020-05-22T21:10:29.600Z'

Sample:
2013-10-20T19:20:30+01:00
 
time_of_modification
string
on success
Time when the access request was last modified in RFC 3339timestamp format. Example: '2020-05-22T21:10:29.600Z'

Sample:
2013-10-20T19:20:30+01:00
 
time_of_user_creation
string
on success
The time when access request is scheduled to be approved in RFC 3339 timestamp format.Example: '2020-05-22T21:10:29.600Z'

Sample:
2013-10-20T19:20:30+01:00
 
user_id
string
on success
The OCID of the user that last modified the access request.

Sample:
ocid1.user.oc1..xxxxxxEXAMPLExxxxxx
 
workflow_id
list / elements=string
on success
The OCID of the workflow associated with the access request. This is needed if you want to contact Oracle Support for a stuck access request or for an access request that encounters an internal error.



Authors

  • Oracle (@oracle)