Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version and Provider Version
Terraform v1.13.5
on darwin_amd64
-provider registry.terraform.io/oracle/oci v7.25.0
Affected Resource(s)
oci_identity_dynamic_group
Terraform Configuration Files
```hcl
resource "oci_identity_dynamic_group" "test_dynamic_group" {
  #Required
  compartment_id = var.tenancy_ocid
  description    = var.dynamic_group_description
  matching_rule  = var.dynamic_group_matching_rule
  name           = var.dynamic_group_name

  #Optional
  defined_tags  = { "Operations.CostCenter" = "42" }
  freeform_tags = { "Department" = "Finance" }
}
```
Debug Output
│ Error: 400-InvalidParameter, Dynamic group can only be created in the tenancy compartment
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message Dynamic group can only be created in the tenancy compartment
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_dynamic_group
│ API Reference: https://docs.oracle.com/iaas/api/#/en/identity/20160918/DynamicGroup/CreateDynamicGroup
│ Request Target: POST https://identity.eu-frankfurt-1.oci.oraclecloud.com/20160918/dynamicGroups
│ Provider version: 7.26.1, released on 2025-11-13.
│ Service: Identity Dynamic Group
│ Operation Name: CreateDynamicGroup
Expected Behavior
You are able to create Dynamic Groups from the API in the compartment. Example code:
```bash
#!/bin/bash
# Create an identity domain inside the compartment and capture its OCID
DOMAIN_OCID="$(oci iam domain create \
  --region "${OCI_TENANCY_HOME}" \
  --compartment-id "${OCI_COMPARTMENT_OCID}" \
  --display-name "dtxplatform" \
  --description "Compartment domain" \
  --home-region "${OCI_CLI_REGION}" \
  --license-type "free" \
  --wait-for-state "SUCCEEDED" \
  --wait-interval-seconds 5 \
  | jq -r '.data.resources[0].identifier')"

# the url takes a while to populate into the result
while true; do
  ENDPOINT="$(oci iam domain get --domain-id "${DOMAIN_OCID}" | jq -r '.data.url')"
  if [[ "${ENDPOINT:-null}" != "null" ]]; then break; else sleep 5; fi
done

# Create the dynamic resource group in the compartment's domain
oci identity-domains dynamic-resource-group create \
  --display-name "certificate-authority" \
  --matching-rule "ALL {resource.type='certificateauthority',identity.compartment.id='${OCI_COMPARTMENT_OCID}'}" \
  --schemas "[\"urn:ietf:params:scim:schemas:oracle:idcs:DynamicResourceGroup\"]" \
  --compartment-ocid "${OCI_COMPARTMENT_OCID}" \
  --domain-ocid "${DOMAIN_OCID}" \
  --endpoint "${ENDPOINT}"
```
Actual Behavior
Terraform says "Dynamic group can only be created in the tenancy compartment"
References
https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_dynamic_group
The wording is incorrect when it says compartmentId should be the OCID of the tenancy:
https://docs.oracle.com/en-us/iaas/api/#/en/identity/20160918/datatypes/CreateDynamicGroupDetails