From 7feaa26e410da009ba125fd4166397a203f15018 Mon Sep 17 00:00:00 2001 
From: Shamsul Haque Date: Thu, 7 Dec 2023 12:09:26 +0530 Subject: [PATCH 01/21] Terraform Configuration to Enable Deployment of AG Instance and Cloud gateway connected system --- .../ag_si_creation_response.txt | 0 .../ag_si_deletion_response.txt | 0 .../agcs-resources-scripts/auth_util_ip.py | 161 +++++++++++ .../connected_system.py | 111 ++++++++ .../create-ag-service-instance.py | 72 +++++ .../delete-ag-service-instance.py | 31 +++ .../read_instance_file.py | 17 ++ .../agcs-resources-scripts/requirements.txt | 2 + .../agcs-resources-scripts/setup.py | 10 + modules/access-governance/cleanup.sh | 28 ++ modules/access-governance/data-source.tf | 25 ++ .../tfvars/all_variables.tfvarexample | 30 ++ .../local_existing_agcs_user.tfvarexample | 26 ++ .../tfvars/local_new_agcs_user.tfvarexample | 26 ++ .../identity-domain-user-resources.tf | 67 +++++ modules/access-governance/locals.tf | 4 + modules/access-governance/main.tf | 98 +++++++ modules/access-governance/outputs.tf | 23 ++ modules/access-governance/provider.tf | 15 + modules/access-governance/readme.md | 60 ++++ modules/access-governance/schema.yml | 222 +++++++++++++++ modules/access-governance/variable.tf | 166 +++++++++++ .../ag_si_creation_response.txt | 0 .../ag_si_deletion_response.txt | 0 .../elz-access-governance/agcs-module.tf | 33 +++ templates/elz-access-governance/cleanup.sh | 29 ++ .../tfvars/all_variables.tfvarexample | 30 ++ .../local_existing_agcs_user.tfvarexample | 26 ++ .../tfvars/local_new_agcs_user.tfvarexample | 26 ++ templates/elz-access-governance/outputs.tf | 3 + templates/elz-access-governance/provider.tf | 72 +++++ templates/elz-access-governance/readme.md | 60 ++++ templates/elz-access-governance/schema.yml | 222 +++++++++++++++ templates/elz-access-governance/variable.tf | 144 ++++++++++ .../access-governance-module-outputs.tf | 3 + .../access-governance-module-variables.tf | 164 +++++++++++ .../access-governance-module.tf | 34 +++ .../access-governance-variables.tf | 262 
++++++++++++++++++ .../enterprise-landing-zone/environment.tf | 53 ++++ .../enterprise-landing-zone/example.tfvars | 46 ++- templates/enterprise-landing-zone/outputs.tf | 2 + 41 files changed, 2402 insertions(+), 1 deletion(-) create mode 100644 modules/access-governance/ag_si_creation_response.txt create mode 100644 modules/access-governance/ag_si_deletion_response.txt create mode 100644 modules/access-governance/agcs-resources-scripts/auth_util_ip.py create mode 100644 modules/access-governance/agcs-resources-scripts/connected_system.py create mode 100644 modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py create mode 100644 modules/access-governance/agcs-resources-scripts/delete-ag-service-instance.py create mode 100644 modules/access-governance/agcs-resources-scripts/read_instance_file.py create mode 100644 modules/access-governance/agcs-resources-scripts/requirements.txt create mode 100644 modules/access-governance/agcs-resources-scripts/setup.py create mode 100755 modules/access-governance/cleanup.sh create mode 100644 modules/access-governance/data-source.tf create mode 100644 modules/access-governance/examples/tfvars/all_variables.tfvarexample create mode 100644 modules/access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample create mode 100644 modules/access-governance/examples/tfvars/local_new_agcs_user.tfvarexample create mode 100644 modules/access-governance/identity-domain-user-resources.tf create mode 100644 modules/access-governance/locals.tf create mode 100644 modules/access-governance/main.tf create mode 100644 modules/access-governance/outputs.tf create mode 100644 modules/access-governance/provider.tf create mode 100644 modules/access-governance/readme.md create mode 100644 modules/access-governance/schema.yml create mode 100644 modules/access-governance/variable.tf create mode 100644 templates/elz-access-governance/ag_si_creation_response.txt create mode 100644 
templates/elz-access-governance/ag_si_deletion_response.txt
create mode 100644 templates/elz-access-governance/agcs-module.tf
create mode 100755 templates/elz-access-governance/cleanup.sh
create mode 100644 templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample
create mode 100644 templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample
create mode 100644 templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample
create mode 100644 templates/elz-access-governance/outputs.tf
create mode 100644 templates/elz-access-governance/provider.tf
create mode 100644 templates/elz-access-governance/readme.md
create mode 100644 templates/elz-access-governance/schema.yml
create mode 100644 templates/elz-access-governance/variable.tf
create mode 100644 templates/elz-environment/access-governance-module-outputs.tf
create mode 100644 templates/elz-environment/access-governance-module-variables.tf
create mode 100644 templates/elz-environment/access-governance-module.tf
create mode 100644 templates/enterprise-landing-zone/access-governance-variables.tf
diff --git a/modules/access-governance/ag_si_creation_response.txt b/modules/access-governance/ag_si_creation_response.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/access-governance/ag_si_deletion_response.txt b/modules/access-governance/ag_si_deletion_response.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/access-governance/agcs-resources-scripts/auth_util_ip.py b/modules/access-governance/agcs-resources-scripts/auth_util_ip.py
new file mode 100644
index 00000000..3bc972fa
--- /dev/null
+++ b/modules/access-governance/agcs-resources-scripts/auth_util_ip.py
@@ -0,0 +1,161 @@ +import os +import oci +import requests +from requests.auth import HTTPBasicAuth + + +# def replace_space_with_new_line(str_input): +# result = str_input +# if str_input.count(' ') > 4: +# start = "-----BEGIN PRIVATE KEY-----" +# end = "-----END PRIVATE KEY-----" +# extract_key = str_input[str_input.find(start) + len(start):str_input.rfind(end)] +# extract_key = extract_key.replace(' ', "\\n") +# result = start + extract_key + end +# return result +# +# +# def init_agcs_user_pvt_keys(): +# parent_dir = os.path.realpath('.') +# si_key_filename = os.path.join(parent_dir, 'resource', 'user_si_pvt_key.pem') +# si_private_key = os.environ["ADMIN_PRIVATE_KEY_SERVICE_INSTANCE"] +# si_pvt_key_file = open(si_key_filename, "w+") +# if si_private_key and not si_private_key.isspace(): +# si_private_key = replace_space_with_new_line(si_private_key) +# si_pvt_key_file.write(si_private_key.encode('raw_unicode_escape').decode('unicode_escape')) +# else: +# files = os.listdir(os.path.join(parent_dir, 'private_key_si')) +# user_pvt_key_files = [file_ for file_ in files if file_.endswith('.pem')] +# if user_pvt_key_files: +# user_pvt_key_file = open(os.path.join(parent_dir, 'private_key_si', user_pvt_key_files[0]), "r") +# file_contents = user_pvt_key_file.read() +# user_pvt_key_file.close() +# si_pvt_key_file.write(file_contents) +# si_pvt_key_file.close() +# +# +# def init_admin_pvt_keys(): +# parent_dir = os.path.realpath('.') +# connected_system_key_filename = os.path.join(parent_dir, 'resource', 'user_connected_system_pvt_key.pem') +# connected_system_pvt_key_file = open(connected_system_key_filename, "w+") +# connected_system_user_private_key = os.environ["AGCS_USER_PRIVATE_KEY_OCI_SYSTEM"] +# if connected_system_user_private_key and not connected_system_user_private_key.isspace(): +# connected_system_user_private_key = replace_space_with_new_line(connected_system_user_private_key) +# 
connected_system_pvt_key_file.write(connected_system_user_private_key.encode('raw_unicode_escape') +# .decode('unicode_escape')) +# connected_system_pvt_key_file.close() +# +# def get_admin_pvt_keys(): +# parent_dir = os.path.realpath('.') +# admin_pvt_key_file = open(os.path.join(parent_dir, 'private-keys', 'admin_pvt_key.pem'), "r") +# content_cs = admin_pvt_key_file.read() +# admin_pvt_key_file.close() +# return content_cs + + +def get_si_signer_and_config(): + config = get_admin_config() + if not config: + config = {} + signer = oci.auth.signers.InstancePrincipalsDelegationTokenSigner(delegation_token=os.environ["OCI_obo_token"]) + else: + signer = oci.Signer.from_config(config) + return signer, config + + +def get_admin_config(): + admin_pvt_key_path = os.environ["ADMIN_PRIVATE_KEY_PATH"] + config = None + if admin_pvt_key_path and not admin_pvt_key_path.isspace(): + config = {"log_requests": False, "additional_user_agent": "", "pass_phrase": None, + 'user': os.environ["ADMIN_OCID_SERVICE_INSTANCE"], + 'tenancy': os.environ["ADMIN_TENANCY_OCID_SERVICE_INSTANCE"], + 'key_file': admin_pvt_key_path, + 'region': os.environ["ADMIN_REGION_SERVICE_INSTANCE"], + "fingerprint": os.environ["ADMIN_FINGERPRINT_SERVICE_INSTANCE"], + "service_endpoint": "https://access-governance." + os.environ["ADMIN_REGION_SERVICE_INSTANCE"] + + ".oci.oraclecloud.com" + } + elif config is None: + private_key_file = os.environ.get("TF_VAR_api_private_key_path") + private_key = os.environ.get("TF_VAR_api_private_key") + tenancy = os.environ.get("TF_VAR_tenancy_ocid") + user = os.environ.get("TF_VAR_current_user_ocid") + fingerprint = os.environ.get("TF_VAR_api_fingerprint") + region = os.environ.get("TF_VAR_region") + config = { + "log_requests": False, + "additional_user_agent": "", + "pass_phrase": None, + "user": user, + "fingerprint": fingerprint, + "tenancy": tenancy, + "region": region, + "service_endpoint": "https://access-governance." 
+ region + ".oci.oraclecloud.com" + } + if private_key_file is not None and not private_key_file.isspace(): + config["key_file"] = private_key_file + elif private_key is not None and not private_key.isspace(): + config["key_content"] = private_key + + return config + + +def get_auth_url(): + return os.environ["IDCS_ENDPOINT"] + "/oauth2/v1/token" + + +def get_idcs_access_token(signer): + token_url = get_auth_url() + headers = {'Content-type': 'application/x-www-form-urlencoded'} + body = { + "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", + "scope": "urn:opc:idm:__myscopes__", + "requested_token_type": "urn:ietf:params:oauth:token-type:access_token" + } + response = requests.post(token_url, auth=signer, headers=headers, data=body) + response_json = response.json() + return response_json['access_token'] + + +def get_ag_authorization_token(user, password, ag_instance_url): + token_url = get_auth_url() + headers = {'Content-type': 'application/x-www-form-urlencoded'} + body = { + "grant_type": "client_credentials", + "scope": ag_instance_url + } + response = requests.post(token_url, auth=HTTPBasicAuth(user, password), headers=headers, data=body) + response_json = response.json() + + return response_json['access_token'] + + +def get_agcs_user_pvt_keys(): + use_existing_user = os.environ["USE_EXISTING_AGCS_USER"] + private_key = os.environ["AGCS_USER_PRIVATE_KEY"] + agcs_user_pvt_key_path = os.environ["AGCS_USER_PRIVATE_KEY_PATH"] + if use_existing_user.lower() == "true": + if agcs_user_pvt_key_path and not agcs_user_pvt_key_path.isspace(): + agcs_user_pvt_key_file = open(agcs_user_pvt_key_path, "r") + content_cs = agcs_user_pvt_key_file.read() + agcs_user_pvt_key_file.close() + else: + content_cs = private_key + else: + content_cs = private_key + + return content_cs + + +def should_verify_ssl(): + return not is_namespace_used() + + +def is_namespace_used(): + namespace_url = os.environ["NAMESPACE_SERVICE_ENDPOINT"] + if namespace_url and not 
namespace_url.isspace():
+ return True
+ return False
+
+
diff --git a/modules/access-governance/agcs-resources-scripts/connected_system.py b/modules/access-governance/agcs-resources-scripts/connected_system.py
new file mode 100644
index 00000000..d309afff
--- /dev/null
+++ b/modules/access-governance/agcs-resources-scripts/connected_system.py
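Review bot: `should_verify_ssl()` returns `False` whenever `NAMESPACE_SERVICE_ENDPOINT` is set, so every `requests` call that passes `verify=auth_util_ip.should_verify_ssl()` to a non-default endpoint skips TLS certificate verification — and `connected_system.py` sends the AGCS user's private-key PEM and a bearer token over that unverified channel. A private endpoint should be trusted through its CA bundle rather than by disabling verification: `def should_verify_ssl(): return os.environ.get("NAMESPACE_CA_BUNDLE", True)` (requests accepts a bundle path as `verify`; an unset variable keeps normal verification). Separately, `get_idcs_access_token` and `get_ag_authorization_token` read `response_json['access_token']` without checking the HTTP status, so an OAuth error body surfaces as a bare `KeyError` with the server's error description lost; add `response.raise_for_status()` before `response.json()` in both. The ~50 lines of commented-out key-handling helpers at the top of the file should be deleted rather than shipped, and `get_agcs_user_pvt_keys` should open the key file with `with open(...)`.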
@@ -0,0 +1,111 @@
+import json
+import oci
+import requests
+import auth_util_ip
+import os
+
+
+def get_instance_app_ocid(ag_si_name):
+ signer, config = auth_util_ip.get_si_signer_and_config()
+ identity_domains_client_obj = oci.identity_domains.IdentityDomainsClient(config,
+ service_endpoint=os.environ[
+ "IDCS_ENDPOINT"], signer=signer)
+ response = identity_domains_client_obj.list_apps(filter='displayName eq "AG-' + ag_si_name + '"')
+ if response.status == 200 and response.data and response.data.resources:
+ app_search_response = response.data.resources[0]
+ return app_search_response.ocid
+ else:
+ return "NO APPS RETURNED!!!"
+
+
+def get_app_details(ag_si_name):
+ domain_app_id = get_instance_app_ocid(ag_si_name)
+ signer, config = auth_util_ip.get_si_signer_and_config()
+ identity_domains_client_obj = oci.identity_domains.IdentityDomainsClient(config=config,
+ service_endpoint=os.environ[
+ "IDCS_ENDPOINT"], signer=signer)
+ response = identity_domains_client_obj.get_app(domain_app_id,
+ attributes='clientSecret,grantedAppRoles,scopes,audience')
+ # print(response.__dict__)
+ client_cred = None
+ if response.status == 200 and response.data and response.data.granted_app_roles and response.data.scopes:
+ scope_url = response.data.scopes[0].fqs
+ for app_role in response.data.granted_app_roles:
+ if app_role.admin_role and str(app_role.display) == "AG_Administrator":
+ client_cred = {"client_id": app_role.app_name, "client_secret": response.data.client_secret,
+ "scope_url": scope_url, "ag_service_instance_url": response.data.audience}
+ return client_cred
+
+
+def execute_tms_api(url, token, body, method):
+ headers = {'Content-type': 'application/json',
+ "Authorization": "Bearer " + token}
+
+ if method == "GET":
+ response = requests.get(url, headers=headers, data=None, verify=auth_util_ip.should_verify_ssl())
+ else:
+ response = requests.post(url, headers=headers, data=json.dumps(body), verify=auth_util_ip.should_verify_ssl())
+
+ if 
response.status_code == 200 and response.text: + return json.loads(response.text) + + +def add_cloud_gateway_connector(ag_access_token, ag_si_url): + tms_base_url = ag_si_url + "target-management/20220518" + template_path = "/templates?category=CLOUD_SERVICE_PROVIDER&displayName=OCI_TMPL&lifecycleState=ACTIVE&limit=1" + add_target_path = "/targets" + templates_response = execute_tms_api(tms_base_url + template_path, ag_access_token, None, "GET") + if templates_response["items"]: + private_key_from_file = auth_util_ip.get_agcs_user_pvt_keys() + template_id = templates_response["items"][0]["id"] + body = { + "displayName": os.environ["OCI_SYSTEM_NAME"], + "description": os.environ["OCI_SYSTEM_DESCRIPTION"], + "scheduleCronExpression": "every 24 hour", + "targetTemplateId": template_id, + "targetParameters": { + "items": [ + { + "name": "apiKeyUserId", + "values": [ + os.environ["AGCS_USER_OCID_OCI_SYSTEM"] + ] + }, + { + "name": "apiKeyFingerprint", + "values": [ + os.environ["AGCS_USER_FINGERPRINT_OCI_SYSTEM"] + ] + }, + { + "name": "apiKeyPrivateKeyPEMValue", + "values": [ + private_key_from_file + ] + }, + { + "name": "apiKeyTenantId", + "values": [ + os.environ["AGCS_USER_TENANCY_OCID_OCI_SYSTEM"] + ] + }, + { + "name": "userRegion", + "values": [ + os.environ["AGCS_USER_REGION_OCI_SYSTEM"] + ] + } + ] + } + } + response = execute_tms_api(tms_base_url + add_target_path, ag_access_token, body, "POST") + if response and response["lifecycleState"] == "ACTIVE": + return response + + +def execute_add_connected_system(ag_si_name): + client_credentials = get_app_details(ag_si_name) + access_token = auth_util_ip.get_ag_authorization_token(client_credentials.get("client_id"), + client_credentials.get("client_secret"), + client_credentials.get("scope_url")) + return add_cloud_gateway_connector(access_token, client_credentials.get("ag_service_instance_url")) 
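Review bot: `get_instance_app_ocid` returns the literal string `"NO APPS RETURNED!!!"` when the app lookup finds nothing and `get_app_details` then hands that string to `get_app` as an OCID; when no `AG_Administrator` role matches, `get_app_details` returns `None`, which `execute_add_connected_system` dereferences with `.get(...)`, so both failure modes surface as an unrelated `AttributeError` or a confusing API error. Raise at the point of failure instead — `raise RuntimeError(f'No identity-domain app found for AG-{ag_si_name}')` — and guard the caller with `if client_credentials is None: raise RuntimeError(...)`. `execute_tms_api` likewise returns `None` for any status other than 200 (a create call that answered 201 would be treated as a failure), after which `templates_response["items"]` and `response["lifecycleState"]` raise `TypeError`; call `response.raise_for_status()` and return `response.json()` for any 2xx. The SCIM filter is built by concatenating `ag_si_name` into a double-quoted literal, so a display name containing `"` alters the filter; since the name originates in a user-supplied Terraform variable, reject or escape quotes before building it.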
diff --git a/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py b/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py
new file mode 100644
index 00000000..15b5831e
--- /dev/null
+++ b/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py
@@ -0,0 +1,72 @@
+import os
+import oci
+from oci import exceptions
+from requests.exceptions import SSLError
+
+import auth_util_ip
+import connected_system
+import json
+import base64
+
+ag_license_dict = {"Access Governance Premium": "AG_PREMIUM",
+ "Access Governance for Oracle Workloads": "AG_ORACLE_WORKLOADS",
+ "Access Governance for Oracle Cloud Infrastructure": "AG_OCI"}
+
+
+def create_instance(ag_cp_composite_client, signer):
+ token = auth_util_ip.get_idcs_access_token(signer)
+ details = oci.access_governance_cp.models.CreateGovernanceInstanceDetails(
+ display_name=os.environ["SERVICE_INSTANCE_DISPLAY_NAME"],
+ description=os.environ["SERVICE_INSTANCE_DESCRIPTION"],
+ license_type=ag_license_dict[os.environ["AG_LICENSE_TYPE"]],
+ tenancy_namespace=get_name_space(),
+ compartment_id=os.environ["SERVICE_INSTANCE_COMPARTMENT_OCID"],
+ idcs_access_token=token)
+ si_name = None
+ output = None
+ try:
+ response = (ag_cp_composite_client
+ .create_governance_instance_and_wait_for_state(details, wait_for_states=["ACTIVE",
+ "NEEDS_ATTENTION"]))
+ json_res = json.dumps(str(response.__dict__['data']), indent=2)
+ output = json_res.encode()
+ si_name = response.__dict__['data'].display_name
+ # except exceptions.ServiceError as errorResponse:
+ # si_name = os.environ["SERVICE_INSTANCE_DISPLAY_NAME"]
+ # if errorResponse.code == "NotAuthorizedOrResourceAlreadyExists":
+ # si_list = (ag_cp_composite_client.client
+ # .list_governance_instances(os.environ["SERVICE_INSTANCE_COMPARTMENT_OCID"]))
+ # for instance_summary in si_list.data.items:
+ # if instance_summary.display_name and str(instance_summary.display_name) == si_name:
+ # output = {"id": instance_summary.id}
+ except SSLError:
+ pass
+
+ should_create_connected_system = os.environ["SHOULD_CREATE_CONNECTED_SYSTEM"]
+ if should_create_connected_system == "true" and (si_name and not si_name.isspace()):
+ connected_system.execute_add_connected_system(si_name)
+ if output and not output.isspace():
+ 
print(base64.b64encode(output).decode()) + + +def get_name_space(): + signer_obj, config_obj = auth_util_ip.get_si_signer_and_config() + object_storage_client = oci.object_storage.ObjectStorageClient(config=config_obj, signer=signer_obj) + namespace_response = object_storage_client.get_namespace() + return namespace_response.__dict__['data'] + + +if __name__ == '__main__': + service_endpoint = ("https://access-governance." + os.environ["ADMIN_REGION_SERVICE_INSTANCE"] + + ".oci.oraclecloud.com") + + if auth_util_ip.is_namespace_used(): + service_endpoint = os.environ["NAMESPACE_SERVICE_ENDPOINT"] + + signer_object, config_object = auth_util_ip.get_si_signer_and_config() + access_governance_cp_client = oci.access_governance_cp.AccessGovernanceCPClient(config=config_object, + signer=signer_object, + service_endpoint=service_endpoint) + agCompositeClient = oci.access_governance_cp.AccessGovernanceCPClientCompositeOperations( + access_governance_cp_client, config=config_object, signer=signer_object, service_endpoint=service_endpoint) + create_instance(agCompositeClient, signer_object) diff --git a/modules/access-governance/agcs-resources-scripts/delete-ag-service-instance.py b/modules/access-governance/agcs-resources-scripts/delete-ag-service-instance.py new file mode 100644 index 00000000..4428aba2 --- /dev/null +++ b/modules/access-governance/agcs-resources-scripts/delete-ag-service-instance.py 
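Review bot: `except SSLError: pass` in `create_instance` swallows a TLS failure during instance creation — including a certificate-validation failure, which is exactly the signal an interposed endpoint would produce — and the script then exits 0 with nothing on stdout, so `ag_si_creation_response.txt` stays empty and the problem only appears later when the `si_deletion_response` trigger base64-decodes an empty file. Report and fail instead: `except SSLError as err:` / `print(f"TLS error creating governance instance: {err}", file=sys.stderr)` / `raise` (stdout is the response file, so diagnostics must go to stderr; this needs `import sys`). Any `ServiceError`, e.g. `NotAuthorizedOrResourceAlreadyExists`, propagates uncaught, which is acceptable, but the commented-out recovery block should be removed or restored rather than left as dead code. The unused `from oci import exceptions` import goes with it.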
@@ -0,0 +1,31 @@ +import oci +import os +import json +import base64 +import auth_util_ip + + +def delete_instance(ag_cp_composite_client): + governance_instance_id = os.environ["instanceOCID"] + response = ag_cp_composite_client.delete_governance_instance_and_wait_for_state(governance_instance_id, + wait_for_states=["DELETED", + "NEEDS_ATTENTION"]) + json_res = json.dumps(str(response.__dict__), indent=2) + output = base64.b64encode(json_res.encode()).decode() + print(output) + + +if __name__ == '__main__': + signer_object, config_object = auth_util_ip.get_si_signer_and_config() + service_endpoint = ("https://access-governance." + os.environ["ADMIN_REGION_SERVICE_INSTANCE"] + + ".oci.oraclecloud.com") + if auth_util_ip.is_namespace_used(): + service_endpoint = os.environ["NAMESPACE_SERVICE_ENDPOINT"] + access_governance_cp_client = oci.access_governance_cp.AccessGovernanceCPClient(config=config_object, + service_endpoint=service_endpoint, + signer=signer_object) + + agCompositeClient = oci.access_governance_cp.AccessGovernanceCPClientCompositeOperations( + access_governance_cp_client, config=config_object, service_endpoint=service_endpoint) + + delete_instance(agCompositeClient) diff --git a/modules/access-governance/agcs-resources-scripts/read_instance_file.py b/modules/access-governance/agcs-resources-scripts/read_instance_file.py new file mode 100644 index 00000000..65c9472d --- /dev/null +++ b/modules/access-governance/agcs-resources-scripts/read_instance_file.py @@ -0,0 +1,17 @@ +import json +import base64 +import os + +if __name__ == '__main__': + output = "{\"output\": \"NO_DATA\"}" + filePath = "./ag_si_creation_response.txt" + if os.stat(filePath).st_size != 0: + file = open(filePath) + line = file.readline() + service_instance_data = base64.b64decode(line) + json_data = json.loads(json.loads(service_instance_data)) + si_ocid = json_data["id"] + if not si_ocid: + si_ocid = "dummy" + output = "{\"output\": \"" + si_ocid + "\"}" + print(output) 
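Review bot: `delete_instance` dumps `str(response.__dict__)` — the whole SDK `Response` wrapper, including its request object and response headers — into the output file, whereas the create script serializes only `response.__dict__['data']`; keep the two consistent and emit only the data the caller needs, since this file is read back by a `local_file` data source and therefore lands in Terraform state. The waiter also accepts `NEEDS_ATTENTION` as a terminal state and the script exits 0 either way, so a deletion that stalls is reported to Terraform as success; check the final state and exit non-zero when it is not `DELETED` (the exact shape of the composite-operation response, and how a post-delete 404 is surfaced, should be confirmed against the SDK). Minor: the composite client here omits `signer=signer_object` unlike the create script; the extra kwargs are presumably ignored, but identical construction avoids a surprise later.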
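Review bot: when the decoded response has an empty `id`, `si_ocid` is replaced with the placeholder `"dummy"` and printed as if it were a real OCID, so a consumer would reference or try to delete an instance named `dummy` instead of failing; exit non-zero instead, `if not si_ocid: sys.exit("no instance id in ag_si_creation_response.txt")`. `json_data["id"]` also raises a bare `KeyError` on a response without that key, the file is opened without `with` and only its first line is read, and `os.stat` raises if the file is missing. Note that the `data "external"` block that would invoke this script is commented out in `data-source.tf`, so as committed the script is dead code — either wire it back in or drop it.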
diff --git a/modules/access-governance/agcs-resources-scripts/requirements.txt b/modules/access-governance/agcs-resources-scripts/requirements.txt
new file mode 100644
index 00000000..6d3dde48
--- /dev/null
+++ b/modules/access-governance/agcs-resources-scripts/requirements.txt
@@ -0,0 +1,2 @@
+oci
+requests
\ No newline at end of file
diff --git a/modules/access-governance/agcs-resources-scripts/setup.py b/modules/access-governance/agcs-resources-scripts/setup.py
new file mode 100644
index 00000000..62e8777d
--- /dev/null
+++ b/modules/access-governance/agcs-resources-scripts/setup.py
@@ -0,0 +1,10 @@
+import subprocess
+import sys
+
+
+def install():
+ subprocess.check_call([sys.executable, "-m", "pip3", "install -r", "requirements.txt"])
+
+
+if __name__ == '__main__':
+ install()
\ No newline at end of file
diff --git a/modules/access-governance/cleanup.sh b/modules/access-governance/cleanup.sh
new file mode 100755
index 00000000..ab300903
--- /dev/null
+++ b/modules/access-governance/cleanup.sh
@@ -0,0 +1,28 @@
+#! /bin/bash
+# Cleanup Terraform Files
+# WARNING !!! This will remove Terraform State file along with other files and directories.
+read -p "Do you really want to cleanup the terraform run files? " -n 1 -r
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+ tf_folder=".terraform"
+ tf_file1=".terraform.lock.hcl"
+ tf_file2="terraform.tfstate"
+ tf_file3="terraform.tfstate.backup"
+ response1="ag_si_creation_response.txt"
+ response2="ag_si_deletion_response.txt"
+ echo "Removing Terraform Folder: $tf_folder..."
+ rm -rf "$tf_folder"
+ files_to_delete=("$tf_file1" "$tf_file2" "$tf_file3")
+ echo "Removing Files: ${files_to_delete[*]}..."
+ for file in "${files_to_delete[@]}"
+ do
+ rm -rf "${file}"
+ done
+ rm -rf "scripts/__pycache__"
+ echo "Emptying files $response1, $response2..."
+ echo -n > $response1
+ echo -n > $response2
+ echo "Done."
+else
+ echo
+ echo "Cleanup cancelled."
+fi
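Review bot: `oci` and `requests` are unpinned, and `main.tf` runs `pip3 install -r` against this file on every apply, so each Terraform run installs whatever version the index serves at that moment into a script that handles tenancy-admin API keys — a supply-chain exposure with no reproducibility. Pin the versions this module was tested with (`oci==<tested version>`, `requests==<tested version>`) and, if the install step must stay in the provisioner, prefer `pip install --require-hashes` with a hash-pinned file.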
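Review bot: the `check_call` invocation in `install` cannot work as written: `pip3` is not a module name usable with `python -m` (the module is `pip`), and `"install -r"` is passed as one argv element, so pip reports an unknown command. Use `subprocess.check_call([sys.executable, "-m", "pip", "install", "-r", "requirements.txt"])`. The path is relative to the current working directory rather than to the script, so resolve it against `os.path.dirname(os.path.abspath(__file__))` if the helper is meant to be run from elsewhere; as far as this patch shows, nothing references `setup.py` — `main.tf` calls `pip3` directly — so it could also be dropped.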
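Review bot: `rm -rf "scripts/__pycache__"` targets a directory that does not exist in this module — the Python files live in `agcs-resources-scripts/` — so the bytecode cache is never removed; change it to `rm -rf "agcs-resources-scripts/__pycache__"`. When the module generates the AGCS user key, `terraform.tfstate` holds that private key in plaintext, so the warning should say the state is deleted irrecoverably and that a plain `rm` is not a secure wipe. Minor: quote `"$response1"` and `"$response2"` in the `echo -n >` redirections for consistency with the rest of the script.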
diff --git a/modules/access-governance/data-source.tf b/modules/access-governance/data-source.tf
new file mode 100644
index 00000000..8bb2ac5d
--- /dev/null
+++ b/modules/access-governance/data-source.tf
@@ -0,0 +1,25 @@
+data "oci_identity_domains" "admin_domain_data" {
+ compartment_id = var.tenancy_ocid
+ display_name = var.admin_domain_name
+}
+
+data "oci_identity_domains" "ag_user_domain_data" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ compartment_id = local.agcs_tenancy
+ display_name = var.agcs_user_domain_name
+}
+
+#data "external" "created_instance" {
+# depends_on = [null_resource.si_creation_response]
+# program = ["python3", "${path.module}/agcs-resources-scripts/read_instance_file.py"]
+#}
+
+data "local_file" "si_creation_response_file" {
+ depends_on = [null_resource.si_creation_response]
+ filename = "${path.module}/ag_si_creation_response.txt"
+}
+
+data "local_file" "si_deletion_response_file" {
+ depends_on = [null_resource.si_deletion_response]
+ filename = "${path.module}/ag_si_deletion_response.txt"
+}
\ No newline at end of file
diff --git a/modules/access-governance/examples/tfvars/all_variables.tfvarexample b/modules/access-governance/examples/tfvars/all_variables.tfvarexample
new file mode 100644
index 00000000..055a5487
--- /dev/null
+++ b/modules/access-governance/examples/tfvars/all_variables.tfvarexample
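Review bot: `data.local_file.si_creation_response_file` reads the base64 response the create script writes into `ag_si_creation_response.txt`, and that file is committed to the repository as a tracked (empty) file, so after an apply the real service-instance response sits in a tracked file waiting to be committed, and its content is additionally copied into Terraform state through the data source. Add both `ag_si_*_response.txt` files to `.gitignore` (I cannot see one in this patch) and treat the state as sensitive; the empty placeholders appear to exist only so `local_file` does not fail before the first apply, which a `fileexists()` guard would make unnecessary. `data.oci_identity_domains.admin_domain_data.domains[0]` is also indexed in `main.tf` without checking the lookup returned anything, so a misspelled `admin_domain_name` fails with an index error rather than a clear message; a `lifecycle { precondition { condition = length(self.domains) > 0 ... } }` on the data source would fix that.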
@@ -0,0 +1,30 @@
+#ADMINISTRATOR
+private_key_path = "/Users/shamsulhaque/work-folder/workspace(synced)/configs/oci/groot002_2023-09-21T06_45_02.205Z.pem"
+user_ocid = "ocid1.user.oc1..aaaaaaaapfby7iiixrjds7meokbokaigbyazyorb24ahycdestq2jcc74lha"
+fingerprint = "5f:78:33:ce:06:ff:b5:fc:d9:7b:67:bc:0a:8d:23:da"
+tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaazp2vvzjsn6newkqrpkwndxpdoixtqfgyhnf4y24h7d5ny27h6f3q"
+region = "us-ashburn-1"
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS
+admin_domain_name = "Alpha"
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = "groot002-26-03"
+service_instance_description = "Landing zone testing Testing"
+service_instance_compartment_ocid = "ocid1.compartment.oc1..aaaaaaaaj6fll47436jfexyuxxeeqjymrlu4yyy2rdsrhnadlh3urkupiqfa"
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = true
+
+# ACCESS GOVERNANCE EXISTING_USER
+agcs_user_private_key_path = "/Users/shamsulhaque/work-folder/workspace(synced)/configs/oci/groot001_2023-08-25T05_17_48.401Z.pem"
+agcs_user_ocid_oci_system = "ocid1.user.oc1..aaaaaaaaygrhvtke232qvqj5ommibgp7s7xry5gzntuiljaps2frlzskyvaq"
+agcs_user_fingerprint_oci_system = "2d:0f:5d:85:bd:cf:83:46:84:1e:c3:e9:65:15:ba:12"
+
+# NEW AG USER
+#agcs_user_group_display_name = "agcs_group_temp_002"
+#agcs_user_name = "agcs_user"
+#agcs_user_email = "something1@example.com"
+
+# OCI Connected System
+oci_system_name = "Cloud Gateway 001"
+oci_system_description = "Test OCI System"
\ No newline at end of file
diff --git a/modules/access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample b/modules/access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample
new file mode 100644
index 00000000..dbe118c1
--- /dev/null
+++ b/modules/access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample
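Review bot: this example ships concrete values from the author's own environment — a user OCID, tenancy OCID, compartment OCID, two API-key fingerprints, and absolute paths under `/Users/shamsulhaque/...` to private-key files. None of these is a secret by itself, but they identify real accounts and which API keys are active on them, and users will copy them verbatim from a public repository; replace them with placeholders as the two sibling example files already do, e.g. `private_key_path = "<path-to-api-private-key.pem>"` and `user_ocid = "ocid1.user.oc1..<unique_id>"`.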
@@ -0,0 +1,26 @@
+#ADMINISTRATOR
+private_key_path = ""
+user_ocid = ""
+fingerprint = ""
+tenancy_ocid = ""
+region = "us-ashburn-1"
+
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name
+admin_domain_name = ""
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = ""
+service_instance_description = ""
+service_instance_compartment_ocid = ""
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = true
+
+# ACCESS GOVERNANCE EXISTING USER
+agcs_user_private_key_path = ""
+agcs_user_ocid_oci_system = "ocid1.user.oc1..xyz"
+agcs_user_fingerprint_oci_system = ""
+
+# OCI Connected System
+oci_system_name = ""
+oci_system_description = ""
\ No newline at end of file
diff --git a/modules/access-governance/examples/tfvars/local_new_agcs_user.tfvarexample b/modules/access-governance/examples/tfvars/local_new_agcs_user.tfvarexample
new file mode 100644
index 00000000..17b5e152
--- /dev/null
+++ b/modules/access-governance/examples/tfvars/local_new_agcs_user.tfvarexample
@@ -0,0 +1,26 @@
+#ADMINISTRATOR
+private_key_path = ""
+user_ocid = ""
+fingerprint = ""
+tenancy_ocid = ""
+region = "us-ashburn-1"
+
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name
+admin_domain_name = ""
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = ""
+service_instance_description = ""
+service_instance_compartment_ocid = ""
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = false
+
+# NEW ACCESS GOVERNANCE USER
+agcs_user_group_display_name = "agcs_group"
+agcs_user_name = "agcs_user"
+agcs_user_email = "something@example.com"
+
+# OCI Connected System
+oci_system_name = ""
+oci_system_description = ""
\ No newline at end of file
diff --git a/modules/access-governance/identity-domain-user-resources.tf b/modules/access-governance/identity-domain-user-resources.tf
new file mode 100644
index 00000000..01c67b2b
--- /dev/null
+++ b/modules/access-governance/identity-domain-user-resources.tf
@@ -0,0 +1,67 @@
+# RSA key of size 4096 bits for AGCS User API Key
+resource "tls_private_key" "private_keys" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+resource "oci_identity_user" "agcs_user" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ depends_on = [tls_private_key.private_keys, data.oci_identity_domains.ag_user_domain_data]
+ compartment_id = var.tenancy_ocid
+ description = "Local User for AGCS access"
+ name = var.agcs_user_name
+ email = var.agcs_user_email
+ freeform_tags = { "AGCS" = "true" }
+}
+
+
+#AGCS User Capabilities
+resource "oci_identity_user_capabilities_management" "agcs_user_tf_capabilities_management" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ depends_on = [oci_identity_user.agcs_user]
+ user_id = oci_identity_user.agcs_user[count.index].id
+ can_use_api_keys = "true"
+ can_use_auth_tokens = "false"
+ can_use_console_password = "false"
+ can_use_customer_secret_keys = "false"
+ can_use_smtp_credentials = "false"
+}
+
+resource "oci_identity_api_key" "upload_api_key" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ depends_on = [oci_identity_user.agcs_user]
+ key_value = tls_private_key.private_keys[count.index].public_key_pem
+ user_id = oci_identity_user.agcs_user[count.index].id
+}
+
+resource "oci_identity_group" "agcs_group" {
+ count = var.use_existing_agcs_user ? 0 : 1
+ depends_on = [oci_identity_user.agcs_user]
+ description = "AGCS Users"
+ name = var.agcs_user_group_display_name
+ compartment_id = local.agcs_tenancy
+ freeform_tags = { "AGCS" = "true" }
+}
+
+resource "oci_identity_policy" "ag-access-policy" {
+ count = var.use_existing_agcs_user ? 
0 : 1
+ depends_on = [oci_identity_group.agcs_group, data.oci_identity_domains.ag_user_domain_data]
+ description = "AGCS User Policies"
+ name = "${oci_identity_group.agcs_group[count.index].name}_policies"
+ statements = [
+ "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to inspect all-resources IN TENANCY",
+ "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to manage policies IN TENANCY where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}",
+ "Allow GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to read audit-events IN TENANCY",
+ "Allow GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to manage domains IN TENANCY",
+ ]
+ compartment_id = local.agcs_tenancy
+ freeform_tags = { "AGCS" = "true" }
+}
+
+resource "oci_identity_user_group_membership" "agcs_user_to_agcs_group" {
+ depends_on = [oci_identity_policy.ag-access-policy]
+ count = var.use_existing_agcs_user ? 0 : 1
+ group_id = oci_identity_group.agcs_group[count.index].id
+ user_id = oci_identity_user.agcs_user[count.index].id
+}
\ No newline at end of file
diff --git a/modules/access-governance/locals.tf b/modules/access-governance/locals.tf
new file mode 100644
index 00000000..f2f83d13
--- /dev/null
+++ b/modules/access-governance/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ is_windows = substr(pathexpand("~"), 0, 1) == "/" ? false : true
+ agcs_tenancy = length(var.agcs_user_tenancy_ocid_oci_system) > 0 ? var.agcs_user_tenancy_ocid_oci_system : var.tenancy_ocid
+}
\ No newline at end of file
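Review bot: `oci_identity_user.agcs_user` is created in `var.tenancy_ocid`, while `oci_identity_group.agcs_group` and `oci_identity_policy.ag-access-policy` use `local.agcs_tenancy`, which resolves to `var.agcs_user_tenancy_ocid_oci_system` when that is set; with a different AGCS tenancy the user and group then live in different tenancies and `oci_identity_user_group_membership.agcs_user_to_agcs_group` cannot succeed. Use one compartment for all three (`compartment_id = local.agcs_tenancy` on the user) or document that the new-user path supports only the home tenancy. On least privilege: the policy grants the group `manage domains IN TENANCY` and `manage policies IN TENANCY` (update/delete of every policy except 'Tenant Admin Policy'), which would let the connected-system credential administer every identity domain and rewrite almost any IAM policy in the tenancy; if the connected system is only meant to provide visibility, keep just the `inspect`/`read` statements, and if remediation genuinely requires the `manage` grants, say so in a comment above `statements` so the next reviewer does not have to guess. Finally, the `tls_private_key` resource stores the generated private key in plaintext in Terraform state (it is later read as `private_key_pem_pkcs8` in `main.tf`); that deserves a warning in the module readme.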
diff --git a/modules/access-governance/main.tf b/modules/access-governance/main.tf
new file mode 100644
index 00000000..969aecb0
--- /dev/null
+++ b/modules/access-governance/main.tf
@@ -0,0 +1,98 @@
+resource "null_resource" "si_creation_response" {
+ count = length(var.service_instance_display_name) > 0 ? 1 : 0
+ depends_on = [oci_identity_user_group_membership.agcs_user_to_agcs_group, data.oci_identity_domains.admin_domain_data]
+
+# provisioner "local-exec" {
+# interpreter = local.is_windows ? ["PowerShell", "-Command"] : []
+# command = local.is_windows ? "Clear-Content ag_si_creation_response.txt" : "> ag_si_creation_response.txt"
+# }
+
+# provisioner "local-exec" {
+# command = "> ag_si_creation_response.txt"
+# }
+
+ provisioner "local-exec" {
+ working_dir = path.module
+ command = "pip3 install -r ${path.module}/agcs-resources-scripts/requirements.txt"
+ on_failure = continue
+ }
+
+ provisioner "local-exec" {
+ working_dir = path.module
+ command = "python3 ${path.module}/agcs-resources-scripts/create-ag-service-instance.py > ag_si_creation_response.txt"
+ environment = {
+ IDCS_ENDPOINT = data.oci_identity_domains.admin_domain_data.domains[0].url
+ ADMIN_OCID_SERVICE_INSTANCE = var.current_user_ocid
+ ADMIN_TENANCY_OCID_SERVICE_INSTANCE = var.tenancy_ocid
+ ADMIN_FINGERPRINT_SERVICE_INSTANCE = var.api_fingerprint
+ ADMIN_PRIVATE_KEY_PATH = var.api_private_key_path
+# ADMIN_REGION_SERVICE_INSTANCE = length(var.admin_region_service_instance) > 0 ? var.admin_region_service_instance : var.region
+ ADMIN_REGION_SERVICE_INSTANCE = var.region
+
+ AGCS_USER_OCID_OCI_SYSTEM = var.use_existing_agcs_user ? var.agcs_user_ocid_oci_system : oci_identity_user.agcs_user[count.index].id
+ AGCS_USER_TENANCY_OCID_OCI_SYSTEM = var.use_existing_agcs_user ? local.agcs_tenancy : oci_identity_user.agcs_user[count.index].compartment_id
+ AGCS_USER_FINGERPRINT_OCI_SYSTEM = var.use_existing_agcs_user ? var.agcs_user_fingerprint_oci_system : oci_identity_api_key.upload_api_key[count.index].fingerprint
+ AGCS_USER_PRIVATE_KEY_PATH = var.use_existing_agcs_user ? var.agcs_user_private_key_path: ""
+ AGCS_USER_PRIVATE_KEY = var.use_existing_agcs_user ? var.agcs_user_private_key : tls_private_key.private_keys[count.index].private_key_pem_pkcs8
+ AGCS_USER_REGION_OCI_SYSTEM = length(var.agcs_user_region_oci_system) > 0 ? var.agcs_user_region_oci_system : var.region
+
+ USE_EXISTING_AGCS_USER = var.use_existing_agcs_user
+ AG_LICENSE_TYPE = var.ag_license_type
+ SERVICE_INSTANCE_COMPARTMENT_OCID = var.service_instance_compartment_ocid
+ SERVICE_INSTANCE_DISPLAY_NAME = var.service_instance_display_name
+ SERVICE_INSTANCE_DESCRIPTION = var.service_instance_description
+ OCI_SYSTEM_NAME = var.oci_system_name
+ OCI_SYSTEM_DESCRIPTION = var.oci_system_description
+
+ NAMESPACE_SERVICE_ENDPOINT = var.namespace_service_endpoint
+ SHOULD_CREATE_CONNECTED_SYSTEM = var.should_create_connected_system
+ }
+ }
+}
+
+resource "null_resource" "si_deletion_response" {
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ depends_on = [data.oci_identity_domains.admin_domain_data]
+
+ triggers = {
+ instanceOCIDTrigger = lookup(jsondecode(jsondecode(base64decode(data.local_file.si_creation_response_file.content))), "id")
+ # To Run from Terraform CLI
+ ADMIN_OCID_SERVICE_INSTANCE = var.current_user_ocid
+ ADMIN_OCID_SERVICE_INSTANCE = var.current_user_ocid
+ ADMIN_TENANCY_OCID_SERVICE_INSTANCE = var.tenancy_ocid
+ ADMIN_FINGERPRINT_SERVICE_INSTANCE = var.api_fingerprint
+ ADMIN_PRIVATE_KEY_PATH = var.api_private_key_path
+ IDCS_ENDPOINT = data.oci_identity_domains.admin_domain_data.domains[0].url
+# ADMIN_REGION_SERVICE_INSTANCE = length(var.admin_region_service_instance) > 0 ? var.admin_region_service_instance : var.region
+ ADMIN_REGION_SERVICE_INSTANCE = var.region
+ NAMESPACE_SERVICE_ENDPOINT = var.namespace_service_endpoint
+ }
+
+# provisioner "local-exec" {
+# when = destroy
+# on_failure = continue
+# command = "> ag_si_deletion_response.txt"
+# }
+
+ provisioner "local-exec" {
+ working_dir = path.module
+ when = destroy
+ on_failure = continue
+ command = "python3 ${path.module}/agcs-resources-scripts/delete-ag-service-instance.py > ag_si_deletion_response.txt"
+ environment = {
+ instanceOCID = self.triggers.instanceOCIDTrigger
+ IDCS_ENDPOINT = self.triggers.IDCS_ENDPOINT
+ # To Run from Terraform CLI
+ ADMIN_OCID_SERVICE_INSTANCE = self.triggers.ADMIN_OCID_SERVICE_INSTANCE
+ ADMIN_OCID_SERVICE_INSTANCE = self.triggers.ADMIN_OCID_SERVICE_INSTANCE
+ ADMIN_TENANCY_OCID_SERVICE_INSTANCE = self.triggers.ADMIN_TENANCY_OCID_SERVICE_INSTANCE
+ ADMIN_FINGERPRINT_SERVICE_INSTANCE = self.triggers.ADMIN_FINGERPRINT_SERVICE_INSTANCE
+ ADMIN_PRIVATE_KEY_PATH = self.triggers.ADMIN_PRIVATE_KEY_PATH
+ ADMIN_REGION_SERVICE_INSTANCE = self.triggers.ADMIN_REGION_SERVICE_INSTANCE
+ NAMESPACE_SERVICE_ENDPOINT = self.triggers.NAMESPACE_SERVICE_ENDPOINT
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/access-governance/outputs.tf b/modules/access-governance/outputs.tf
new file mode 100644
index 00000000..ca4e6523
--- /dev/null
+++ b/modules/access-governance/outputs.tf
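Review bot: `ADMIN_OCID_SERVICE_INSTANCE` is listed twice in the `triggers` map of `si_deletion_response` and twice again in its destroy provisioner's `environment`; HCL rejects a repeated key in an object constructor, so one copy of each has to go before this file validates. The `pip3 install -r …/agcs-resources-scripts/requirements.txt` provisioner runs at apply time with `on_failure = continue`, which hides a broken install behind a later, misleading python error and means whatever pip resolves at that moment runs with the administrator's and the AGCS user's API keys; pin exact versions in requirements.txt (ideally with `--require-hashes`) and remove `on_failure = continue` so a failed install aborts the apply. `AGCS_USER_PRIVATE_KEY` hands the full PEM to the script through the process environment, where any process able to inspect the child's environment can read it and verbose provisioner logging may echo it; the already-supported `AGCS_USER_PRIVATE_KEY_PATH` (or stdin) is the safer channel for the generated key as well. `instanceOCIDTrigger` evaluates `lookup(jsondecode(jsondecode(base64decode(...))), "id")` over whatever the creation script happened to write to `ag_si_creation_response.txt`, so an error message in that file breaks every later plan; wrapping it as `try(lookup(jsondecode(jsondecode(base64decode(data.local_file.si_creation_response_file.content))), "id"), "")` keeps the deletion resource evaluable.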
@@ -0,0 +1,23 @@
+output "si_creation" {
+ depends_on = [null_resource.si_creation_response]
+ value = data.local_file.si_creation_response_file.content != "" ? jsondecode(base64decode(data.local_file.si_creation_response_file.content)) : base64decode(data.local_file.si_creation_response_file.content)
+}
+#
+#output "si_deletion" {
+# depends_on = [null_resource.si_deletion_response]
+# value = data.local_file.si_deletion_response_file.content != "" ? jsondecode(base64decode(data.local_file.si_deletion_response_file.content)) : base64decode(data.local_file.si_deletion_response_file.content)
+#}
+
+output "ag_user_domain" {
+ depends_on = [data.oci_identity_domains.ag_user_domain_data]
+ value = data.oci_identity_domains.ag_user_domain_data[*].domains[0]
+}
+
+output "admin_domain" {
+ depends_on = [data.oci_identity_domains.admin_domain_data]
+ value = data.oci_identity_domains.admin_domain_data.domains[0]
+}
+
+output "oci_identity_group" {
+ value = oci_identity_group.agcs_group[*]
+}
\ No newline at end of file
diff --git a/modules/access-governance/provider.tf b/modules/access-governance/provider.tf
new file mode 100644
index 00000000..13d1a7ed
--- /dev/null
+++ b/modules/access-governance/provider.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ }
+ }
+}
+# Enable/uncomment below lines to run access-governance module as root for terraform CLI
+#provider "oci" {
+# private_key_path = var.api_private_key_path
+# user_ocid = var.current_user_ocid
+# fingerprint = var.api_fingerprint
+# region = var.region
+# tenancy_ocid = var.tenancy_ocid
+#}
\ No newline at end of file
diff --git a/modules/access-governance/readme.md b/modules/access-governance/readme.md
new file mode 100644
index 00000000..aea462e8
--- /dev/null
+++ b/modules/access-governance/readme.md
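Review bot: `si_creation` runs `jsondecode(base64decode(...))` as soon as the response file is non-empty, but the creation script's stdout is redirected straight into that file, so an error message or traceback there makes every later `terraform plan` and `terraform output` fail on this expression instead of showing the script's error; `try(jsondecode(base64decode(data.local_file.si_creation_response_file.content)), data.local_file.si_creation_response_file.content)` keeps the current result for the good case and surfaces the raw text otherwise. The output also copies the whole service-instance response into the module outputs and the state; whether that payload holds anything beyond the instance id and URL is not visible here, and if it does, `sensitive = true` would be warranted.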
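Review bot: `required_providers` declares only `oci`, and without a `version`, while main.tf in this patch uses `null_resource`, `data.local_file` and `tls_private_key`; those providers are then resolved implicitly (presumably from the `hashicorp/` namespace) with no constraint, so the lockfile cannot hold the module to a known provider build on the next `terraform init`. Declaring `null`, `local` and `tls` with `source` and `version` entries next to `oci = { source = "oracle/oci" }`, and giving `oci` a version too, keeps the module's provider set explicit and pinnable.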
@@ -0,0 +1,60 @@ +# Access Governance Landing Zone + +## Overview + +The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and add OCI connected system. + + +## Variables +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------|----------|---------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | None | +| **namespace_service_endpoint** | If Access Governance instance needs to be created in a namespace. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | +| **service_instance_description** | Access Governance Instance Description. | Yes | None | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | +| **ag_license_type** | Access Governance Instance License Type. | Yes | None | +| **agcs_user_domain_name** | Domain where Access Governance User will be created. | Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. 
| Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | None | +| **oci_system_name** | OCI Connected System Name. | Yes | None | + +## How to execute +### Via Resource Manager +1. [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/releases/tag/v2.2.0) +*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* +2. Under **Working directory** select the directory *templates/elz-access-governance* +3. Click Next. +4. Enter the values for required variables. +5. Click Next. +6. Click Next. +7. Click Apply. + +### Via Terraform CLI +1. Enter required variables in terraform.tfvars, for examples refer examples/tfvars. +2. terraform init. +3. terraform plan. +4. terraform apply. + +## License +Copyright (c) 2023, Oracle and/or its affiliates. + +Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +See [LICENSE](../../LICENSE) for more details. + +## Known Issues +None. \ No newline at end of file diff --git a/modules/access-governance/schema.yml b/modules/access-governance/schema.yml new file mode 100644 index 00000000..d2fdbb3c --- /dev/null +++ b/modules/access-governance/schema.yml 
@@ -0,0 +1,222 @@ +# Copyright (c) 2022 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +title: "CIS (Center for Internet Security) OCI Landing Zone Quick Start for Access Governance" +stackDescription: "A stack to Deploy Oracle Access Governance." +description: "This stack deploys Oracle Access Governance." +schemaVersion: 1.0.0 +version: "0.0.1" +locale: "en" + +#logoUrl: "https://objectstorage.us-ashburn-1.oraclecloud.com/p/taf6kC9fSJyQDNSYbxvqxS_JsdnSu56oFZ3-1h5vI7-WfJUv77mplChopLxZPePW/n/ociateam/b/cis-landing-zone/o/landing_zone_130.png" + +variableGroups: + + - title: "Service Instance Details" + variables: +# - "use_namespace" + - "namespace_service_endpoint" + - "admin_domain_name" + - "service_instance_display_name" + - "service_instance_description" + - "ag_license_type" + - "service_instance_compartment_ocid" + + - title: "Details to create Access Governance User" + variables: + - "agcs_user_group_display_name" + - "agcs_user_name" + - "agcs_user_email" + + - title: "OCI Connected System Details" + variables: + - "should_create_connected_system" + - "oci_system_name" + - "oci_system_description" + + - title: "Hidden Variables" + visible: false + variables: + - "agcs_user_private_key_path" + - "private_key_path" + - "admin_ocid_service_instance" + - "fingerprint" + - "tenancy_ocid" + - "user_ocid" + - "agcs_user_fingerprint_oci_system" + - "agcs_user_private_key" + - "agcs_user_ocid_oci_system" + - "use_existing_agcs_user" + - "agcs_user_given_name" + - "agcs_user_family_name" + - "agcs_user_region_oci_system" + - "region" + - "agcs_user_tenancy_ocid_oci_system" + - "tenancy_ocid" + - "admin_region_service_instance" + - "use_namespace" + - "agcs_user_username" + - "agcs_user_domain_name" + +variables: + service_instance_compartment_ocid: + type: oci:identity:compartment:id + title: "Access Governance Service Instance Compartment" + description: "Compartment, where 
Access Governance instance will be deployed." + required: true + + namespace_service_endpoint: + type: string + title: "Select A Namespace" + description: "Namespace where AG Instance will be deployed." + required: true + visible: use_namespace + + agcs_user_username: + type: string + title: "Access Governance User's User Name" + description: "User name for the new Access Governance User." + required: true + + agcs_user_email: + type: string + title: "Access Governance User's Email" + description: "Email of the New Access Governance User." + pattern: ^[^\s@]+@[^\s@]+\.[^\s@]+$ + required: true + + agcs_user_name: + type: string + title: "Access Governance User’s Name" + description: "Name for creating Access Governance User." + required: true + + agcs_user_group_display_name: + type: string + title: "Access Governance User's Group Name" + description: "User will become part of this group for policy assignment." + required: true + + agcs_user_domain_name: + type: string + title: "Access Governance User's Domain Name" + description: "User will be created in this domain." + required: true + pattern: ^[A-Za-z0-9_.-]+$ + + admin_domain_name: + type: string + title: "Administrator's Identity Domain Name" + description: "Administrator's Identity Domain Name for authorizing the IDCS APIs." + required: true + pattern: ^[A-Za-z0-9_.-]+$ + + service_instance_display_name: + type: string + title: "Access Governance Instance Display Name" + description: "Instance name will be used in instance URL." + pattern: ^[a-zA-Z0-9-_]+$ + required: true + + service_instance_description: + type: string + title: "Access Governance Instance Description" + description: "Description of the Access Governance Service Instance." 
+ required: true + + ag_license_type: + type: enum + enum: + - "Access Governance Premium" + - "Access Governance for Oracle Workloads" + - "Access Governance for Oracle Cloud Infrastructure" + title: "Access Governance Instance License Type" + description: "License Type for Access Governance Instance." + default: "Access Governance for Oracle Cloud Infrastructure" + required: true + + oci_system_name: + type: string + title: "OCI Connected System Name" + description: "Display Name for the OCI Connected System in Access Governance." + required: true + visible: should_create_connected_system + + should_create_connected_system: + type: boolean + title: "Add OCI connected system to Instance deployed in a Namespace ?" + description: "This option is required when Instance needs to be deployed in a Namespace." + required: true + visible: use_namespace + + oci_system_description: + type: string + title: "OCI Connected System Description" + description: "Description of the Connected System." + required: true + visible: should_create_connected_system + +# Hidden Fields + + + agcs_user_ocid_oci_system: + type: string + title: "Access Governance User's OCID" + description: "OCID of Access Governance User to add Cloud gateway system." + required: false + + agcs_user_fingerprint_oci_system: + type: string + title: "Access Governance User's Fingerprint" + description: "Fingerprint of the Access Governance User to add cloud gateway system." + required: true + + agcs_user_private_key: + type: password + title: "Private Key for Access Governance User" + description: "Private Key of Access Governance User to add Cloud gateway system." + required: true + + use_existing_agcs_user: + type: boolean + title: "Use Existing AG User" + description: "Option to use existing user for OCI System." + required: false + default: false + + agcs_user_given_name: + type: string + title: "Access Governance User's Given Name" + description: "Given Name of the New Access Governance User." 
+ required: false + + agcs_user_family_name: + type: string + title: "Access Governance User's Family Name" + description: "Family Name of the New Access Governance User." + required: false + + agcs_user_region_oci_system: + type: oci:identity:region:name + title: "Access Governance User Region" + description: "Region of the Access Governance to add cloud gateway system." + required: false + + agcs_user_tenancy_ocid_oci_system: + type: string + title: "Access Governance User's Tenancy OCID" + description: "Tenancy of the Access Governance User to add Cloud gateway system." + required: false + + admin_region_service_instance: + type: oci:identity:region:name + title: "Access Governance Service Instance Region" + description: "Region name for the Service URL of the AG instance." + required: false + + use_namespace: + type: boolean + title: "Use namespace to create Access Governance Instance ?" + description: "Use this option if you would like to create AG instance in a namespace instead of Production." + required: true + default: false \ No newline at end of file diff --git a/modules/access-governance/variable.tf b/modules/access-governance/variable.tf new file mode 100644 index 00000000..236d0fba --- /dev/null +++ b/modules/access-governance/variable.tf 
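Review bot: The `Hidden Variables` group names `private_key_path`, `fingerprint`, `user_ocid` and `admin_ocid_service_instance`, none of which exist in the module's variable.tf in this patch (it declares `api_private_key_path`, `api_fingerprint` and `current_user_ocid`), so presumably the three real credential variables are not covered by the schema at all and Resource Manager renders them however it treats unlisted variables; rename the entries to the declared names. `tenancy_ocid` appears twice in that list, and `use_namespace` and `admin_region_service_instance` are referenced (the former also as the `visible:` condition for `namespace_service_endpoint` and `should_create_connected_system`) although neither is declared in variable.tf, where `admin_region_service_instance` is commented out. `agcs_user_fingerprint_oci_system` and `agcs_user_private_key` are `required: true` inside a `visible: false` group while their Terraform defaults are `""`; either drop `required` or make them visible when `use_existing_agcs_user` is true so the existing-user path can actually be completed from the form.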
@@ -0,0 +1,166 @@ +######################################################### +# # +# DO NOT MODIFY ANYTHING HERE # +# # +######################################################### + +variable "api_private_key_path" { + default = "" + description = "Private Key Path of Administrator." +} + + variable "current_user_ocid" { + default = "" + description = "OCID of the Administrator." +} + +variable "api_fingerprint" { + default = "" + description = "Fingerprint of the Administrator." +} + +variable "tenancy_ocid" { + default = "" + description = "OCID of the Administrator's Tenancy." +} + +variable "region" { + description = "Region of the Administrator" + validation { + condition = length(trim(var.region, "")) > 0 + error_message = "Validation failed for region: value is required." + } +} + +#variable "admin_region_service_instance" { +# default = "" +# description = "Region of the Administrator" +#} + +variable "admin_domain_name" { + default = "Default" + description = "Administrator's Identity Domain Name." +} + +variable "use_existing_agcs_user" { + type = bool + default = false + description = "Set this value to either use existing Access Governance user or create new one." +} + +variable "agcs_user_private_key_path" { + sensitive = true + default = "" + description = "Private Key Path for Access Governance User." +} + +variable "agcs_user_private_key" { + sensitive = true + default = "" + description = "Private Key for Access Governance User" +} + +variable "agcs_user_ocid_oci_system" { + default = "" + description = "Access Governance User's OCID." +} + +variable "agcs_user_tenancy_ocid_oci_system" { + default = "" + description = "Access Governance User's Tenancy OCID." +} + +variable "agcs_user_fingerprint_oci_system" { + default = "" + description = "Access Governance User's Fingerprint." +} + +variable "namespace_service_endpoint" { + default = "" + description = "If Access Governance instance needs to be created in a namespace." 
+} + +variable "should_create_connected_system" { + type = bool + default = true + description = "If Namespace endpoint is given, select this option to add or skip OCI connected system." +} + +variable "agcs_user_region_oci_system" { + default = "" + description = "Region of the Access Governance User." +} + +variable "service_instance_display_name" { + description = "Access Governance Instance Display Name." + validation { + condition = can(regex("^[a-zA-Z0-9-_]+$", var.service_instance_display_name)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} + +variable "service_instance_description" { + description = "Access Governance Instance Description." +} + +variable "ag_license_type" { + description = "Access Governance Instance License Type." + validation { + condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.ag_license_type)) + error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." + } +} + +variable "service_instance_compartment_ocid" { + description = "Compartment OCID for Access Governance Instance." +} + +variable "oci_system_name" { + default = "" + description = "OCI Connected System Name." +} + +variable "oci_system_description" { + default = "" + description = "OCI Connected System Description." +} + +####################### New AG User ############################### +variable "agcs_user_domain_name" { + default = "Default" + description = "Domain where Access Governance User will be created." +} + +variable "agcs_user_group_display_name" { + description = "Group to create for Access Governance User." 
+ default = "agcs_group" +} + +variable "agcs_user_username" { + default = "agcs_user" + description = "User name for the new Access Governance User." +} + +variable "agcs_user_family_name" { + default = "Access Governance User" + description = "Family name for the new AG User." +} + +variable "agcs_user_name" { + default = "agcs_user" + description = "New Access Governance User's name." +} + +variable "agcs_user_given_name" { + description = "Given name for the new AG User." + default = "AG" +} + +variable "agcs_user_email" { + default = "something@example.com" + description = "Email address for the user." + validation { + condition = can(regex("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", var.agcs_user_email)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} \ No newline at end of file diff --git a/templates/elz-access-governance/ag_si_creation_response.txt b/templates/elz-access-governance/ag_si_creation_response.txt new file mode 100644 index 00000000..e69de29b diff --git a/templates/elz-access-governance/ag_si_deletion_response.txt b/templates/elz-access-governance/ag_si_deletion_response.txt new file mode 100644 index 00000000..e69de29b diff --git a/templates/elz-access-governance/agcs-module.tf b/templates/elz-access-governance/agcs-module.tf new file mode 100644 index 00000000..85779cd0 --- /dev/null +++ b/templates/elz-access-governance/agcs-module.tf 
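Review bot: The `validation` on `agcs_user_email` carries the error message copied from `service_instance_display_name` (`Must be unique, start with a letter and contain only alphanumeric characters ...`), which does not describe the e-mail regex being checked; something like `error_message = "Must be a valid email address (user@domain)."` would. `length(trim(var.region, "")) > 0` trims nothing because the cutset is empty, so a whitespace-only region passes; `length(trimspace(var.region)) > 0` is the intended check. Most variables lack `type = string` and `variable "current_user_ocid"` is indented one level deeper than its siblings; `terraform fmt` plus explicit types would make the `DO NOT MODIFY ANYTHING HERE` header easier to honour.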
@@ -0,0 +1,33 @@
+module "agcs-module" {
+ source = "../../modules/access-governance"
+ current_user_ocid = var.current_user_ocid
+ api_fingerprint = var.api_fingerprint
+ api_private_key_path = var.api_private_key_path
+ tenancy_ocid = var.ag_tenancy_ocid
+ region = var.ag_region
+ admin_domain_name = var.admin_domain_name
+ service_instance_compartment_ocid = var.service_instance_compartment_ocid
+ service_instance_description = var.service_instance_description
+ service_instance_display_name = var.service_instance_display_name
+ ag_license_type = var.ag_license_type
+ agcs_user_domain_name = var.agcs_user_domain_name
+ agcs_user_email = var.agcs_user_email
+ agcs_user_fingerprint_oci_system = var.agcs_user_fingerprint_oci_system
+ agcs_user_group_display_name = var.agcs_user_group_display_name
+ agcs_user_name = var.agcs_user_name
+ agcs_user_ocid_oci_system = var.agcs_user_ocid_oci_system
+ agcs_user_private_key = var.agcs_user_private_key
+ agcs_user_private_key_path = var.agcs_user_private_key_path
+ agcs_user_region_oci_system = var.agcs_user_region_oci_system
+ agcs_user_tenancy_ocid_oci_system = var.agcs_user_tenancy_ocid_oci_system
+ namespace_service_endpoint = var.namespace_service_endpoint
+ oci_system_description = var.oci_system_description
+ oci_system_name = var.oci_system_name
+ should_create_connected_system = var.should_create_connected_system
+ use_existing_agcs_user = var.use_existing_agcs_user
+
+ providers = {
+ oci = oci
+ # oci.home_region = oci.home_region
+ }
+}
\ No newline at end of file
diff --git a/templates/elz-access-governance/cleanup.sh b/templates/elz-access-governance/cleanup.sh
new file mode 100755
index 00000000..7d071d55
--- /dev/null
+++ b/templates/elz-access-governance/cleanup.sh
@@ -0,0 +1,29 @@
+#! /bin/bash
+# Cleanup Terraform Files
+# WARNING !!! This will remove Terraform State file along with other files and directories.
+read -p "Do you really want to cleanup the terraform run files? " -n 1 -r
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+ tf_folder=".terraform"
+ tf_file1=".terraform.lock.hcl"
+ tf_file2="terraform.tfstate"
+ tf_file3="terraform.tfstate.backup"
+ response1="ag_si_creation_response.txt"
+ response2="ag_si_deletion_response.txt"
+ echo
+ echo "Removing Terraform Folder: $tf_folder..."
+ rm -rf "$tf_folder"
+ files_to_delete=("$tf_file1" "$tf_file2" "$tf_file3")
+ echo "Removing Files: ${files_to_delete[*]}..."
+ for file in "${files_to_delete[@]}"
+ do
+ rm -rf "${file}"
+ done
+ rm -rf "scripts/__pycache__"
+ echo "Emptying files $response1, $response2..."
+ echo -n > $response1
+ echo -n > $response2
+ echo "Done."
+else
+ echo
+ echo "Cleanup cancelled."
+fi
diff --git a/templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample b/templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample
new file mode 100644
index 00000000..4993a6a2
--- /dev/null
+++ b/templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample
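Review bot: Deleting `terraform.tfstate` (and its `.backup`) also discards the `si_deletion_response` trigger that carries the Access Governance instance id, so after this cleanup the instance created by the stack can no longer be destroyed through Terraform; the `WARNING` comment and the prompt should state that, since the state-file loss is the irreversible part. `rm -rf "scripts/__pycache__"` targets a `scripts/` directory, whereas the python scripts added by this patch live under `agcs-resources-scripts/` in the module, so here it is probably a silent no-op thanks to `-f`; confirm the intended path. Adding `cd "$(dirname "$0")" || exit 1` before the prompt keeps the relative `rm` targets bound to the script's own directory, `rm -f` is enough for the regular files in the loop, and the two `echo -n > $response1` lines should quote the variable like the rest of the script does.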
@@ -0,0 +1,30 @@
+#ADMINISTRATOR
+private_key_path = ""
+user_ocid = ""
+fingerprint = ""
+tenancy_ocid = ""
+region = "us-ashburn-1"
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS
+admin_domain_name = ""
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = ""
+service_instance_description = ""
+service_instance_compartment_ocid = ""
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = true
+
+# ACCESS GOVERNANCE EXISTING_USER
+agcs_user_private_key_path = ""
+agcs_user_ocid_oci_system = "ocid1.user.oc1..xyz"
+agcs_user_fingerprint_oci_system = ""
+
+# NEW AG USER
+#agcs_user_group_display_name = "agcs_group"
+#agcs_user_name = "agcs_user"
+#agcs_user_email = "something@example.com"
+
+# OCI Connected System
+oci_system_name = "OCI Connected System"
+oci_system_description = "AG Connected System"
\ No newline at end of file
diff --git a/templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample b/templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample
new file mode 100644
index 00000000..dbe118c1
--- /dev/null
+++ b/templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample
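Review bot: The `#ADMINISTRATOR` block assigns `private_key_path`, `user_ocid`, `fingerprint`, `tenancy_ocid` and `region`, but the stack's provider.tf in this patch declares the credentials as `api_private_key_path`, `current_user_ocid` and `api_fingerprint` and reads `var.ag_tenancy_ocid` / `var.ag_region`; values for undeclared variables in a tfvars file are only warned about and otherwise ignored, so a user who copies this example gets empty credentials and an opaque provider authentication error. The same names appear in `local_existing_agcs_user.tfvarexample` and `local_new_agcs_user.tfvarexample` in this diff, so all three examples need the rename. Whether `tenancy_ocid` and `region` are additionally declared by the stack's variable.tf is not visible from this chunk.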
@@ -0,0 +1,26 @@
+#ADMINISTRATOR
+private_key_path = ""
+user_ocid = ""
+fingerprint = ""
+tenancy_ocid = ""
+region = "us-ashburn-1"
+
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name
+admin_domain_name = ""
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = ""
+service_instance_description = ""
+service_instance_compartment_ocid = ""
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = true
+
+# ACCESS GOVERNANCE EXISTING USER
+agcs_user_private_key_path = ""
+agcs_user_ocid_oci_system = "ocid1.user.oc1..xyz"
+agcs_user_fingerprint_oci_system = ""
+
+# OCI Connected System
+oci_system_name = ""
+oci_system_description = ""
\ No newline at end of file
diff --git a/templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample b/templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample
new file mode 100644
index 00000000..17b5e152
--- /dev/null
+++ b/templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample
@@ -0,0 +1,26 @@
+#ADMINISTRATOR
+private_key_path = ""
+user_ocid = ""
+fingerprint = ""
+tenancy_ocid = ""
+region = "us-ashburn-1"
+
+
+# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name
+admin_domain_name = ""
+ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
+service_instance_display_name = ""
+service_instance_description = ""
+service_instance_compartment_ocid = ""
+
+# ACCESS GOVERNANCE USER COMMON DETAILS
+use_existing_agcs_user = false
+
+# NEW ACCESS GOVERNANCE USER
+agcs_user_group_display_name = "agcs_group"
+agcs_user_name = "agcs_user"
+agcs_user_email = "something@example.com"
+
+# OCI Connected System
+oci_system_name = ""
+oci_system_description = ""
\ No newline at end of file
diff --git a/templates/elz-access-governance/outputs.tf b/templates/elz-access-governance/outputs.tf
new file mode 100644
index 00000000..831ba502
--- /dev/null
+++ b/templates/elz-access-governance/outputs.tf
@@ -0,0 +1,3 @@
+output "service_instance" {
+ value = module.agcs-module.si_creation
+}
\ No newline at end of file
diff --git a/templates/elz-access-governance/provider.tf b/templates/elz-access-governance/provider.tf
new file mode 100644
index 00000000..5c1e8481
--- /dev/null
+++ b/templates/elz-access-governance/provider.tf
@@ -0,0 +1,72 @@
+# -----------------------------------------------------------------------------
+# Provider Requirements if using stack as a module
+# -----------------------------------------------------------------------------
+#terraform {
+# required_version = ">= 1.0.0"
+#
+# required_providers {
+# oci = {
+# source = "oracle/oci"
+# version = "5.9.0"
+# configuration_aliases = [oci, oci.home_region]
+# }
+# }
+#}
+
+# # -----------------------------------------------------------------------------
+# # WARNING!
+# # UNCOMMENT BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS
+# # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL
+# # Provider Requirements if using stack as standalone
+# #
+# # -----------------------------------------------------------------------------
+
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = "5.9.0"
+ }
+ }
+}
+
+provider "oci" {
+ tenancy_ocid = var.ag_tenancy_ocid
+ user_ocid = var.current_user_ocid
+ fingerprint = var.api_fingerprint
+ private_key_path = var.api_private_key_path
+ region = var.ag_region
+}
+
+provider "oci" {
+ alias = "home_region"
+ tenancy_ocid = var.ag_tenancy_ocid
+ user_ocid = var.current_user_ocid
+ fingerprint = var.api_fingerprint
+ private_key_path = var.api_private_key_path
+ region = local.home_region[0]
+}
+
+# # -----------------------------------------------------------------------------
+# # Provider / Python SDK Auth Variables
+# # Do not remove/comment out this line as it is required for python script authentication
+# # -----------------------------------------------------------------------------
+variable "current_user_ocid" {
+ type = string
+ description = "The OCID of the current user"
+ default = ""
+}
+
+variable "api_fingerprint" {
+ type = string
+ description = "The fingerprint of API"
+ default = ""
+}
+
+variable "api_private_key_path" {
+ type = string
+ description = "The local path to the API private key"
+ default = ""
+}
diff --git a/templates/elz-access-governance/readme.md b/templates/elz-access-governance/readme.md
new file mode 100644
index 00000000..aea462e8
--- /dev/null
+++ b/templates/elz-access-governance/readme.md
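Review bot: The `WARNING!` banner tells the reader to uncomment the block below it and comment everything above for standalone use, but in this file the standalone `terraform` and `provider` blocks are already the active ones and the module-style block with `configuration_aliases` is the one commented out, so the instructions are inverted relative to the code; reword it to something like `# Active: standalone configuration. To consume this stack as a module, comment the blocks below and uncomment the block above.`. `local.home_region[0]` in the `home_region` provider is not defined anywhere in this diff; if it comes from the stack's variable.tf (not shown) a one-line comment pointing there would help, otherwise validation fails on an unknown local. The three credential variables default to `""`, so omitting them yields a provider authentication error rather than a clear missing-variable error; dropping the defaults, or adding a `validation` that requires a non-empty value, gives a better failure mode for the Terraform CLI path.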
@@ -0,0 +1,60 @@ +# Access Governance Landing Zone + +## Overview + +The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and add OCI connected system. + + +## Variables +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------|----------|---------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | None | +| **namespace_service_endpoint** | If Access Governance instance needs to be created in a namespace. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | +| **service_instance_description** | Access Governance Instance Description. | Yes | None | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | +| **ag_license_type** | Access Governance Instance License Type. | Yes | None | +| **agcs_user_domain_name** | Domain where Access Governance User will be created. | Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. 
| Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | None | +| **oci_system_name** | OCI Connected System Name. | Yes | None | + +## How to execute +### Via Resource Manager +1. [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/releases/tag/v2.2.0) +*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* +2. Under **Working directory** select the directory *templates/elz-access-governance* +3. Click Next. +4. Enter the values for required variables. +5. Click Next. +6. Click Next. +7. Click Apply. + +### Via Terraform CLI +1. Enter required variables in terraform.tfvars, for examples refer examples/tfvars. +2. terraform init. +3. terraform plan. +4. terraform apply. + +## License +Copyright (c) 2023, Oracle and/or its affiliates. + +Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +See [LICENSE](../../LICENSE) for more details. + +## Known Issues +None. \ No newline at end of file diff --git a/templates/elz-access-governance/schema.yml b/templates/elz-access-governance/schema.yml new file mode 100644 index 00000000..d2fdbb3c --- /dev/null +++ b/templates/elz-access-governance/schema.yml 
@@ -0,0 +1,222 @@ +# Copyright (c) 2022 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +title: "CIS (Center for Internet Security) OCI Landing Zone Quick Start for Access Governance" +stackDescription: "A stack to Deploy Oracle Access Governance." +description: "This stack deploys Oracle Access Governance." +schemaVersion: 1.0.0 +version: "0.0.1" +locale: "en" + +#logoUrl: "https://objectstorage.us-ashburn-1.oraclecloud.com/p/taf6kC9fSJyQDNSYbxvqxS_JsdnSu56oFZ3-1h5vI7-WfJUv77mplChopLxZPePW/n/ociateam/b/cis-landing-zone/o/landing_zone_130.png" + +variableGroups: + + - title: "Service Instance Details" + variables: +# - "use_namespace" + - "namespace_service_endpoint" + - "admin_domain_name" + - "service_instance_display_name" + - "service_instance_description" + - "ag_license_type" + - "service_instance_compartment_ocid" + + - title: "Details to create Access Governance User" + variables: + - "agcs_user_group_display_name" + - "agcs_user_name" + - "agcs_user_email" + + - title: "OCI Connected System Details" + variables: + - "should_create_connected_system" + - "oci_system_name" + - "oci_system_description" + + - title: "Hidden Variables" + visible: false + variables: + - "agcs_user_private_key_path" + - "private_key_path" + - "admin_ocid_service_instance" + - "fingerprint" + - "tenancy_ocid" + - "user_ocid" + - "agcs_user_fingerprint_oci_system" + - "agcs_user_private_key" + - "agcs_user_ocid_oci_system" + - "use_existing_agcs_user" + - "agcs_user_given_name" + - "agcs_user_family_name" + - "agcs_user_region_oci_system" + - "region" + - "agcs_user_tenancy_ocid_oci_system" + - "tenancy_ocid" + - "admin_region_service_instance" + - "use_namespace" + - "agcs_user_username" + - "agcs_user_domain_name" + +variables: + service_instance_compartment_ocid: + type: oci:identity:compartment:id + title: "Access Governance Service Instance Compartment" + description: "Compartment, where 
Access Governance instance will be deployed." + required: true + + namespace_service_endpoint: + type: string + title: "Select A Namespace" + description: "Namespace where AG Instance will be deployed." + required: true + visible: use_namespace + + agcs_user_username: + type: string + title: "Access Governance User's User Name" + description: "User name for the new Access Governance User." + required: true + + agcs_user_email: + type: string + title: "Access Governance User's Email" + description: "Email of the New Access Governance User." + pattern: ^[^\s@]+@[^\s@]+\.[^\s@]+$ + required: true + + agcs_user_name: + type: string + title: "Access Governance User’s Name" + description: "Name for creating Access Governance User." + required: true + + agcs_user_group_display_name: + type: string + title: "Access Governance User's Group Name" + description: "User will become part of this group for policy assignment." + required: true + + agcs_user_domain_name: + type: string + title: "Access Governance User's Domain Name" + description: "User will be created in this domain." + required: true + pattern: ^[A-Za-z0-9_.-]+$ + + admin_domain_name: + type: string + title: "Administrator's Identity Domain Name" + description: "Administrator's Identity Domain Name for authorizing the IDCS APIs." + required: true + pattern: ^[A-Za-z0-9_.-]+$ + + service_instance_display_name: + type: string + title: "Access Governance Instance Display Name" + description: "Instance name will be used in instance URL." + pattern: ^[a-zA-Z0-9-_]+$ + required: true + + service_instance_description: + type: string + title: "Access Governance Instance Description" + description: "Description of the Access Governance Service Instance." 
+ required: true + + ag_license_type: + type: enum + enum: + - "Access Governance Premium" + - "Access Governance for Oracle Workloads" + - "Access Governance for Oracle Cloud Infrastructure" + title: "Access Governance Instance License Type" + description: "License Type for Access Governance Instance." + default: "Access Governance for Oracle Cloud Infrastructure" + required: true + + oci_system_name: + type: string + title: "OCI Connected System Name" + description: "Display Name for the OCI Connected System in Access Governance." + required: true + visible: should_create_connected_system + + should_create_connected_system: + type: boolean + title: "Add OCI connected system to Instance deployed in a Namespace ?" + description: "This option is required when Instance needs to be deployed in a Namespace." + required: true + visible: use_namespace + + oci_system_description: + type: string + title: "OCI Connected System Description" + description: "Description of the Connected System." + required: true + visible: should_create_connected_system + +# Hidden Fields + + + agcs_user_ocid_oci_system: + type: string + title: "Access Governance User's OCID" + description: "OCID of Access Governance User to add Cloud gateway system." + required: false + + agcs_user_fingerprint_oci_system: + type: string + title: "Access Governance User's Fingerprint" + description: "Fingerprint of the Access Governance User to add cloud gateway system." + required: true + + agcs_user_private_key: + type: password + title: "Private Key for Access Governance User" + description: "Private Key of Access Governance User to add Cloud gateway system." + required: true + + use_existing_agcs_user: + type: boolean + title: "Use Existing AG User" + description: "Option to use existing user for OCI System." + required: false + default: false + + agcs_user_given_name: + type: string + title: "Access Governance User's Given Name" + description: "Given Name of the New Access Governance User." 
+ required: false + + agcs_user_family_name: + type: string + title: "Access Governance User's Family Name" + description: "Family Name of the New Access Governance User." + required: false + + agcs_user_region_oci_system: + type: oci:identity:region:name + title: "Access Governance User Region" + description: "Region of the Access Governance to add cloud gateway system." + required: false + + agcs_user_tenancy_ocid_oci_system: + type: string + title: "Access Governance User's Tenancy OCID" + description: "Tenancy of the Access Governance User to add Cloud gateway system." + required: false + + admin_region_service_instance: + type: oci:identity:region:name + title: "Access Governance Service Instance Region" + description: "Region name for the Service URL of the AG instance." + required: false + + use_namespace: + type: boolean + title: "Use namespace to create Access Governance Instance ?" + description: "Use this option if you would like to create AG instance in a namespace instead of Production." + required: true + default: false \ No newline at end of file diff --git a/templates/elz-access-governance/variable.tf b/templates/elz-access-governance/variable.tf new file mode 100644 index 00000000..c5726135 --- /dev/null +++ b/templates/elz-access-governance/variable.tf 
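Review bot: `use_namespace` sits in the hidden group with `default: false`, yet `namespace_service_endpoint` and `should_create_connected_system` are gated on `visible: use_namespace`, so the namespace endpoint listed under "Service Instance Details" can never be shown or filled in from the console; either expose `use_namespace` or drop the `visible:` conditions. The hidden group lists `tenancy_ocid` twice and names variables (`private_key_path`, `fingerprint`, `user_ocid`, `region`, `agcs_user_username`, `agcs_user_given_name`, `agcs_user_family_name`, `admin_ocid_service_instance`, `admin_region_service_instance`) that the `variable.tf` in this commit does not declare, while the declared `ag_tenancy_ocid`, `ag_region`, `current_user_ocid`, `api_fingerprint` and `api_private_key_path` are absent from the schema, so Resource Manager will most likely warn about undeclared variables and leave the real ones unset. `agcs_user_fingerprint_oci_system` and `agcs_user_private_key` are hidden but `required: true`; with `use_existing_agcs_user` defaulting to false they should be `required: false` like the sibling `agcs_user_ocid_oci_system`.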
@@ -0,0 +1,144 @@ +######################################################### +# # +# DO NOT MODIFY ANYTHING IN THIS FILE # +# # +######################################################### + +variable "ag_tenancy_ocid" { + type = string + default = "" + description = "OCID of the Administrator's Tenancy." +} + +variable "ag_region" { + description = "Region of the Administrator" + validation { + condition = length(trim(var.ag_region, "")) > 0 + error_message = "Validation failed for region: value is required." + } +} + + +variable "namespace_service_endpoint" { + type = string + default = "" + description = "If Access Governance instance needs to be created in a namespace." +} + +variable "should_create_connected_system" { + type = bool + default = true + description = "If Namespace endpoint is given, select this option to add or skip OCI connected system." +} + +####################################### Required Variables ############################################################ + +variable "admin_domain_name" { + default = "Default" + description = "Administrator's Identity Domain Name." +} + +variable "ag_license_type" { + description = "Access Governance Instance License Type." + validation { + condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.ag_license_type)) + error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." + } +} + +variable "service_instance_display_name" { + description = "Access Governance Instance Display Name." + validation { + condition = can(regex("^[a-zA-Z0-9-_]+$", var.service_instance_display_name)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." 
+ } +} + +variable "service_instance_description" { + description = "Access Governance Instance Description." +} + +variable "service_instance_compartment_ocid" { + description = "Compartment OCID for Access Governance Instance." +} + +variable "use_existing_agcs_user" { + type = bool + default = false + description = "Set this value to either use existing Access Governance user or create new one." +} + +variable "agcs_user_private_key_path" { + sensitive = true + type = string + default = "" + description = "Private Key Path for Access Governance User." +} + +variable "agcs_user_private_key" { + sensitive = true + type = string + default = "" + description = "Private Key for Access Governance User" +} + +variable "agcs_user_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's OCID." +} + +variable "agcs_user_tenancy_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's Tenancy OCID." +} + +variable "agcs_user_fingerprint_oci_system" { + type = string + default = "" + description = "Access Governance User's Fingerprint." +} + +variable "agcs_user_region_oci_system" { + type = string + default = "" + description = "Region of the Access Governance User." +} + +variable "oci_system_name" { + type = string + default = "" + description = "OCI Connected System Name." +} + +variable "oci_system_description" { + type = string + default = "" + description = "OCI Connected System Description." +} + +####################### New AG User ############################### +variable "agcs_user_domain_name" { + default = "Default" + description = "Domain where Access Governance User will be created." +} + +variable "agcs_user_group_display_name" { + description = "Group to create for Access Governance User." + default = "agcs_group" +} + +variable "agcs_user_name" { + default = "agcs_user" + description = "New Access Governance User's name." 
+} + +variable "agcs_user_email" { + default = "something@example.com" + description = "Email address for the user." + validation { + condition = can(regex("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", var.agcs_user_email)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} \ No newline at end of file diff --git a/templates/elz-environment/access-governance-module-outputs.tf b/templates/elz-environment/access-governance-module-outputs.tf new file mode 100644 index 00000000..8cd57564 --- /dev/null +++ b/templates/elz-environment/access-governance-module-outputs.tf @@ -0,0 +1,3 @@ +output "access_governance_service_instance" { + value = module.elz-access-governance[*].service_instance +} \ No newline at end of file diff --git a/templates/elz-environment/access-governance-module-variables.tf b/templates/elz-environment/access-governance-module-variables.tf new file mode 100644 index 00000000..19209c8a --- /dev/null +++ b/templates/elz-environment/access-governance-module-variables.tf 
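Review bot: The `validation` on `agcs_user_email` reuses the display-name error text ("Must be unique, start with a letter ... Hyphen (-) and underscore ( _ ) are allowed only"), which says nothing about the email format actually enforced; `error_message = "Must be a valid email address (local-part@domain)."`. The display-name message itself promises "start with a letter", but `^[a-zA-Z0-9-_]+$` accepts a leading digit, hyphen or underscore — either tighten it to `^[a-zA-Z][a-zA-Z0-9-_]*$` or fix the message. The same copy-pasted messages recur in `access-governance-module-variables.tf` and in both the prod and nonprod copies in `access-governance-variables.tf` in this commit. `ag_region` is also the only variable here without `type = string`, and `ag_tenancy_ocid` defaults to `""` although the provider blocks consume it unconditionally.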
@@ -0,0 +1,164 @@ +######################################################### +# # +# DO NOT MODIFY ANYTHING IN THIS FILE # +# # +######################################################### + +variable "enable_access_governance" { + type = bool + default = true +} + +variable "ag_api_private_key_path" { + type = string + default = "" + description = "Private Key Path of Administrator." +} + +variable "ag_current_user_ocid" { + type = string + default = "" + description = "OCID of the Administrator." +} + +variable "ag_api_fingerprint" { + type = string + default = "" + description = "Fingerprint of the Administrator." +} + +variable "ag_region" { + type = string + default = "" + description = "Fingerprint of the Administrator." +} + +variable "ag_tenancy_ocid" { + type = string + default = "" + description = "Fingerprint of the Administrator." +} + +variable "namespace_service_endpoint" { + type = string + default = "" + description = "If Access Governance instance needs to be created in a namespace." +} + +variable "should_create_connected_system" { + type = bool + default = true + description = "If Namespace endpoint is given, select this option to add or skip OCI connected system." +} + +####################################### Required Variables ############################################################ + +variable "admin_domain_name" { + default = "Default" + description = "Administrator's Identity Domain Name." +} + +variable "ag_license_type" { + description = "Access Governance Instance License Type." + validation { + condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.ag_license_type)) + error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." + } +} + +variable "service_instance_display_name" { + description = "Access Governance Instance Display Name." 
+ validation { + condition = can(regex("^[a-zA-Z0-9-_]+$", var.service_instance_display_name)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} + +variable "service_instance_description" { + description = "Access Governance Instance Description." +} + +#variable "service_instance_compartment_ocid" { +# description = "Compartment OCID for Access Governance Instance." +#} + +variable "use_existing_agcs_user" { + type = bool + default = false + description = "Set this value to either use existing Access Governance user or create new one." +} + +variable "agcs_user_private_key_path" { + sensitive = true + type = string + default = "" + description = "Private Key Path for Access Governance User." +} + +variable "agcs_user_private_key" { + sensitive = true + type = string + default = "" + description = "Private Key for Access Governance User" +} + +variable "agcs_user_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's OCID." +} + +variable "agcs_user_tenancy_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's Tenancy OCID." +} + +variable "agcs_user_fingerprint_oci_system" { + type = string + default = "" + description = "Access Governance User's Fingerprint." +} + +variable "agcs_user_region_oci_system" { + type = string + default = "" + description = "Region of the Access Governance User." +} + +variable "oci_system_name" { + type = string + default = "" + description = "OCI Connected System Name." +} + +variable "oci_system_description" { + type = string + default = "" + description = "OCI Connected System Description." +} + +####################### New AG User ############################### +variable "agcs_user_domain_name" { + default = "Default" + description = "Domain where Access Governance User will be created." 
+} + +variable "agcs_user_group_display_name" { + description = "Group to create for Access Governance User." + default = "agcs_group" +} + +variable "agcs_user_name" { + default = "agcs_user" + description = "New Access Governance User's name." +} + +variable "agcs_user_email" { + default = "something@example.com" + description = "Email address for the user." + validation { + condition = can(regex("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", var.agcs_user_email)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} \ No newline at end of file diff --git a/templates/elz-environment/access-governance-module.tf b/templates/elz-environment/access-governance-module.tf new file mode 100644 index 00000000..ddb12c31 --- /dev/null +++ b/templates/elz-environment/access-governance-module.tf 
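Review bot: `ag_region` and `ag_tenancy_ocid` both carry the description "Fingerprint of the Administrator.", copied from `ag_api_fingerprint`; `description = "Region of the Administrator."` and `description = "OCID of the Administrator's Tenancy."` respectively. `ag_tenancy_ocid` is declared here but `access-governance-module.tf` in this commit passes `var.tenancy_ocid` to the child instead, so this variable appears to be dead; either wire it through or remove it. `enable_access_governance` has no `description` at all, unlike every other variable in the file.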
@@ -0,0 +1,34 @@
+module "elz-access-governance" {
+ source = "../elz-access-governance"
+ count = var.enable_access_governance ? 1 : 0
+ current_user_ocid = var.ag_current_user_ocid
+ api_fingerprint = var.ag_api_fingerprint
+ api_private_key_path = var.ag_api_private_key_path
+ ag_tenancy_ocid = var.tenancy_ocid
+ ag_region = var.ag_region
+ admin_domain_name = var.admin_domain_name
+ service_instance_compartment_ocid = module.compartment.compartments.security.id
+ service_instance_description = var.service_instance_description
+ service_instance_display_name = var.service_instance_display_name
+ ag_license_type = var.ag_license_type
+ agcs_user_domain_name = var.agcs_user_domain_name
+ agcs_user_email = var.agcs_user_email
+ agcs_user_fingerprint_oci_system = var.agcs_user_fingerprint_oci_system
+ agcs_user_group_display_name = var.agcs_user_group_display_name
+ agcs_user_name = var.agcs_user_name
+ agcs_user_ocid_oci_system = var.agcs_user_ocid_oci_system
+ agcs_user_private_key = var.agcs_user_private_key
+ agcs_user_private_key_path = var.agcs_user_private_key_path
+ agcs_user_region_oci_system = var.agcs_user_region_oci_system
+ agcs_user_tenancy_ocid_oci_system = var.agcs_user_tenancy_ocid_oci_system
+ namespace_service_endpoint = var.namespace_service_endpoint
+ oci_system_description = var.oci_system_description
+ oci_system_name = var.oci_system_name
+ should_create_connected_system = var.should_create_connected_system
+ use_existing_agcs_user = var.use_existing_agcs_user
+
+ providers = {
+ oci = oci
+ oci.home_region = oci.home_region
+ }
+}
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/access-governance-variables.tf b/templates/enterprise-landing-zone/access-governance-variables.tf
new file mode 100644
index 00000000..f60e3323
--- /dev/null
+++ b/templates/enterprise-landing-zone/access-governance-variables.tf
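Review bot: `ag_tenancy_ocid = var.tenancy_ocid` bypasses the `ag_tenancy_ocid` variable that `access-governance-module-variables.tf` declares for exactly this input, so one of the two is wrong; if the environment's own `tenancy_ocid` is the intended source, drop the unused declaration, otherwise change this line to `ag_tenancy_ocid = var.ag_tenancy_ocid`. The instance is pinned to `module.compartment.compartments.security.id` while the standalone template takes `service_instance_compartment_ocid` as input; that difference is sensible but worth a one-line comment here, e.g. `# AG instance always lives in the environment's security compartment`. The `count`/`providers` incompatibility with the child's committed `provider.tf` is raised on that file.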
@@ -0,0 +1,262 @@ +######################################################### +# # +# DO NOT MODIFY ANYTHING IN THIS FILE # +# # +######################################################### + +variable "prod_enable_access_governance" { + type = bool + default = true +} + +variable "nonprod_enable_access_governance" { + type = bool + default = true +} + +#variable "private_key_path" { +# type = string +# default = "" +# description = "Private Key Path of Administrator." +#} +# +#variable "user_ocid" { +# type = string +# default = "" +# description = "OCID of the Administrator." +#} +# +#variable "fingerprint" { +# type = string +# default = "" +# description = "Fingerprint of the Administrator." +#} + +variable "namespace_service_endpoint" { + type = string + default = "" + description = "If Access Governance instance needs to be created in a namespace." +} + +variable "should_create_connected_system" { + type = bool + default = true + description = "If Namespace endpoint is given, select this option to add or skip OCI connected system." +} + +####################################### Required Variables ###################################### + +variable "admin_domain_name" { + default = "Default" + description = "Administrator's Identity Domain Name." +} +################################## Prod Details ########################################### +variable "prod_ag_license_type" { + description = "Access Governance Instance License Type." + validation { + condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.prod_ag_license_type)) + error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." + } +} + +variable "prod_service_instance_display_name" { + description = "Access Governance Instance Display Name." 
+ validation { + condition = can(regex("^[a-zA-Z0-9-_]+$", var.prod_service_instance_display_name)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} + +variable "prod_service_instance_description" { + description = "Access Governance Instance Description." +} + +#variable "prod_service_instance_compartment_ocid" { +# description = "Compartment OCID for Access Governance Instance." +#} + +variable "prod_use_existing_agcs_user" { + type = bool + default = false + description = "Set this value to either use existing Access Governance user or create new one." +} + +variable "prod_agcs_user_private_key_path" { + sensitive = true + type = string + default = "" + description = "Private Key Path for Access Governance User." +} + +variable "prod_agcs_user_private_key" { + sensitive = true + type = string + default = "" + description = "Private Key for Access Governance User" +} + +variable "prod_agcs_user_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's OCID." +} + +variable "prod_agcs_user_tenancy_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's Tenancy OCID." +} + +variable "prod_agcs_user_fingerprint_oci_system" { + type = string + default = "" + description = "Access Governance User's Fingerprint." +} + +variable "prod_agcs_user_region_oci_system" { + type = string + default = "" + description = "Region of the Access Governance User." +} + +variable "prod_oci_system_name" { + type = string + default = "" + description = "OCI Connected System Name." +} + +variable "prod_oci_system_description" { + type = string + default = "" + description = "OCI Connected System Description." 
+} + +####################### New Prod AG User ############################### +variable "prod_agcs_user_domain_name" { + default = "Default" + description = "Domain where Access Governance User will be created." +} + +variable "prod_agcs_user_group_display_name" { + description = "Group to create for Access Governance User." + default = "agcs_group" +} + +variable "prod_agcs_user_name" { + default = "agcs_user" + description = "New Access Governance User's name." +} + +variable "prod_agcs_user_email" { + default = "something_prod@example.com" + description = "Email address for the user." + validation { + condition = can(regex("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", var.prod_agcs_user_email)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} +################################## Non Prod Details########################################### +variable "nonprod_ag_license_type" { + description = "Access Governance Instance License Type." + validation { + condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.nonprod_ag_license_type)) + error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." + } +} + +variable "nonprod_service_instance_display_name" { + description = "Access Governance Instance Display Name." + validation { + condition = can(regex("^[a-zA-Z0-9-_]+$", var.nonprod_service_instance_display_name)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} + +variable "nonprod_service_instance_description" { + description = "Access Governance Instance Description." 
+} + +#variable "nonprod_service_instance_compartment_ocid" { +# description = "Compartment OCID for Access Governance Instance." +#} + +variable "nonprod_use_existing_agcs_user" { + type = bool + default = false + description = "Set this value to either use existing Access Governance user or create new one." +} + +variable "nonprod_agcs_user_private_key_path" { + sensitive = true + type = string + default = "" + description = "Private Key Path for Access Governance User." +} + +variable "nonprod_agcs_user_private_key" { + sensitive = true + type = string + default = "" + description = "Private Key for Access Governance User" +} + +variable "nonprod_agcs_user_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's OCID." +} + +variable "nonprod_agcs_user_tenancy_ocid_oci_system" { + type = string + default = "" + description = "Access Governance User's Tenancy OCID." +} + +variable "nonprod_agcs_user_fingerprint_oci_system" { + type = string + default = "" + description = "Access Governance User's Fingerprint." +} + +variable "nonprod_agcs_user_region_oci_system" { + type = string + default = "" + description = "Region of the Access Governance User." +} + +variable "nonprod_oci_system_name" { + type = string + default = "" + description = "OCI Connected System Name." +} + +variable "nonprod_oci_system_description" { + type = string + default = "" + description = "OCI Connected System Description." +} + +####################### New Nonprod AG User ############################### +variable "nonprod_agcs_user_domain_name" { + default = "Default" + description = "Domain where Access Governance User will be created." +} + +variable "nonprod_agcs_user_group_display_name" { + description = "Group to create for Access Governance User." + default = "agcs_group" +} + +variable "nonprod_agcs_user_name" { + default = "agcs_user" + description = "New Access Governance User's name." 
+} + +variable "nonprod_agcs_user_email" { + default = "something_nonprod@example.com" + description = "Email address for the user." + validation { + condition = can(regex("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", var.nonprod_agcs_user_email)) + error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." + } +} \ No newline at end of file diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index 9420796f..c67db207 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf 
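Review bot: `prod_ag_license_type`, `prod_service_instance_display_name`, `prod_service_instance_description` and their `nonprod_` counterparts have no `default`, so every existing enterprise-landing-zone deployment must supply six new values on its next plan even when `prod_enable_access_governance = false`; give them defaults (for the license type, one of the enum values it already validates) or call the break out in the readme. `prod_enable_access_governance` and `nonprod_enable_access_governance` default to `true`, which makes two new Access Governance instances the default outcome for every ELZ user who does not read this file; `default = false` is the safer opt-in. The copy-pasted validation messages raised on `variable.tf` recur in both the prod and nonprod blocks here.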
@@ -125,6 +125,33 @@ module "prod_environment" { workload_name_prefix = var.workload_name_prefix additional_workload_subnets_cidr_blocks = var.prod_additional_workload_subnets_cidr_blocks + # Access Governance Variables + + ag_current_user_ocid = var.current_user_ocid + ag_api_fingerprint = var.api_fingerprint + ag_region = var.region + ag_tenancy_ocid = var.tenancy_ocid + ag_api_private_key_path = var.api_private_key_path + admin_domain_name = var.admin_domain_name + + enable_access_governance = var.prod_enable_access_governance + service_instance_description = var.prod_service_instance_description + service_instance_display_name = var.prod_service_instance_display_name + ag_license_type = var.prod_ag_license_type + agcs_user_domain_name = var.prod_agcs_user_domain_name + agcs_user_email = var.prod_agcs_user_email + agcs_user_fingerprint_oci_system = var.prod_agcs_user_fingerprint_oci_system + agcs_user_group_display_name = var.prod_agcs_user_group_display_name + agcs_user_name = var.prod_agcs_user_name + agcs_user_ocid_oci_system = var.prod_agcs_user_ocid_oci_system + agcs_user_private_key = var.prod_agcs_user_private_key + agcs_user_private_key_path = var.prod_agcs_user_private_key_path + agcs_user_region_oci_system = var.prod_agcs_user_region_oci_system + agcs_user_tenancy_ocid_oci_system = var.prod_agcs_user_tenancy_ocid_oci_system + oci_system_description = var.prod_oci_system_description + oci_system_name = var.prod_oci_system_name + use_existing_agcs_user = var.prod_use_existing_agcs_user + providers = { oci = oci oci.home_region = oci.home_region 
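Review bot: This hunk and the nonprod one at `@@ -270` pass the same `var.current_user_ocid`/`var.api_fingerprint`/`var.api_private_key_path` set as `ag_*` inputs, so the API-key identity that provisions the whole landing zone is also the one the child module's Python scripts authenticate with, and a file-path key is unavailable when the stack runs from Resource Manager; if that is intended, say so in the comment, e.g. `# AG scripts reuse the stack's API-key identity; requires a local key file (CLI only)`. `ag_region = var.region` while the child also derives `local.home_region` separately — presumably fine, but worth confirming against the child's `data-source.tf`, which is outside this hunk. The 27 assignment lines are duplicated verbatim between the two environment blocks apart from the `prod_`/`nonprod_` prefix; a shared `locals` map would keep them from drifting.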
@@ -270,6 +297,32 @@ module "nonprod_environment" { workload_name_prefix = var.workload_name_prefix additional_workload_subnets_cidr_blocks = var.nonprod_additional_workload_subnets_cidr_blocks + # Access Governance Variables + ag_current_user_ocid = var.current_user_ocid + ag_api_fingerprint = var.api_fingerprint + ag_region = var.region + ag_tenancy_ocid = var.tenancy_ocid + ag_api_private_key_path = var.api_private_key_path + admin_domain_name = var.admin_domain_name + + enable_access_governance = var.nonprod_enable_access_governance + service_instance_description = var.nonprod_service_instance_description + service_instance_display_name = var.nonprod_service_instance_display_name + ag_license_type = var.nonprod_ag_license_type + agcs_user_domain_name = var.nonprod_agcs_user_domain_name + agcs_user_email = var.nonprod_agcs_user_email + agcs_user_fingerprint_oci_system = var.nonprod_agcs_user_fingerprint_oci_system + agcs_user_group_display_name = var.nonprod_agcs_user_group_display_name + agcs_user_name = var.nonprod_agcs_user_name + agcs_user_ocid_oci_system = var.nonprod_agcs_user_ocid_oci_system + agcs_user_private_key = var.nonprod_agcs_user_private_key + agcs_user_private_key_path = var.nonprod_agcs_user_private_key_path + agcs_user_region_oci_system = var.nonprod_agcs_user_region_oci_system + agcs_user_tenancy_ocid_oci_system = var.nonprod_agcs_user_tenancy_ocid_oci_system + oci_system_description = var.nonprod_oci_system_description + oci_system_name = var.nonprod_oci_system_name + use_existing_agcs_user = var.nonprod_use_existing_agcs_user + providers = { oci = oci oci.home_region = oci.home_region diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index a7382700..fe62897b 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars 
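Review bot: This non-prod wiring repeats the prod block line for line with only the `nonprod_` prefix changed, and with 21 parallel inputs per environment added here the two blocks will drift the next time one of them gains or loses a parameter. A single object-typed input (for example `access_governance = var.nonprod_access_governance` with the fields typed once in the module) would keep both `module` calls to one line and make the `sensitive` flag on the key field travel with it. As with prod, `agcs_user_private_key = var.nonprod_agcs_user_private_key` carries key material and needs `sensitive = true` on its declaration, which is not visible in this hunk. The enclosing `module "nonprod_environment"` block starts and ends outside the hunk.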
@@ -96,4 +96,48 @@ nonprod_workload_topic_endpoints = [] prod_additional_workload_subnets_cidr_blocks = [] nonprod_additional_workload_subnets_cidr_blocks = [] prod_workload_compartment_names = [] -nonprod_workload_compartment_names = [] \ No newline at end of file +nonprod_workload_compartment_names = [] + + +####################################### Access Governance ################################################### +prod_enable_access_governance = true +nonprod_enable_access_governance = true +admin_domain_name = "Default" + +# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS +prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" +prod_service_instance_display_name = "" +prod_service_instance_description = "Prod OAG instance" + +nonprod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" +nonprod_service_instance_display_name = "" +nonprod_service_instance_description = "Non Prod OAG instance" + +# ACCESS GOVERNANCE USER COMMON DETAILS +prod_use_existing_agcs_user = false +nonprod_use_existing_agcs_user = false + +# ACCESS GOVERNANCE EXISTING_USER +#prod_agcs_user_private_key_path = "" +#prod_agcs_user_ocid_oci_system = "" +#prod_agcs_user_fingerprint_oci_system = "" +# +#nonprod_agcs_user_private_key_path = "" +#nonprod_agcs_user_ocid_oci_system = "" +#nonprod_agcs_user_fingerprint_oci_system = "" + +# NEW AG USER +prod_agcs_user_group_display_name = "prod_agcs_group" +prod_agcs_user_name = "prod_agcs_user" +prod_agcs_user_email = "prod_something@example.com" + +nonprod_agcs_user_group_display_name = "nonprod_agcs_group" +nonprod_agcs_user_name = "nonprod_agcs_user" +nonprod_agcs_user_email = "nonprod_something@example.com" + +# OCI Connected System +prod_oci_system_name = "Prod Cloud Gateway" +prod_oci_system_description = "Prod OCI System" + +nonprod_oci_system_name = "Non Prod Cloud Gateway" +nonprod_oci_system_description = "Non Prod OCI System" \ No newline at end of file 
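Review bot: `prod_service_instance_display_name = ""` and `nonprod_service_instance_display_name = ""` cannot satisfy the `^[a-zA-Z0-9-_]+$` validation those variables carry (it appears as context in the later access-governance-variables.tf hunk), so anyone who copies this example verbatim gets a validation failure at plan time, whether or not access governance is enabled, because `validation` blocks run on every supplied value. Use real placeholders, e.g. `prod_service_instance_display_name = "prod-ag-instance"` and `nonprod_service_instance_display_name = "nonprod-ag-instance"`. The commented `*_agcs_user_private_key_path` entries would also benefit from a one-line reminder, `# never commit a tfvars file that holds key paths or key material`, since the same file is the template users will fill in.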
diff --git a/templates/enterprise-landing-zone/outputs.tf b/templates/enterprise-landing-zone/outputs.tf index 85f15e62..9e329e71 100644 --- a/templates/enterprise-landing-zone/outputs.tf +++ b/templates/enterprise-landing-zone/outputs.tf @@ -28,6 +28,7 @@ output "prod_environment" { workload_compartment_name = module.prod_environment.workload_compartment_name workload_compartment_id = module.prod_environment.workload_compartment_id workload_subnet_cidr_blocks = module.prod_environment.workload_subnet_cidr_blocks + access_governance_service_instance = module.prod_environment.access_governance_service_instance } } @@ -44,5 +45,6 @@ output "nonprod_environment" { workload_compartment_name = module.nonprod_environment.workload_compartment_name workload_compartment_id = module.nonprod_environment.workload_compartment_id workload_subnet_cidr_blocks = module.nonprod_environment.workload_subnet_cidr_blocks + access_governance_service_instance = module.nonprod_environment.access_governance_service_instance } } \ No newline at end of file From fdd8978e29363d7ce25ab7e79f0a638507639dc4 Mon Sep 17 00:00:00 2001 From: Shamsul Haque Date: Sat, 9 Dec 2023 10:50:19 +0530 Subject: [PATCH 02/21] Updated policy statement --- modules/access-governance/identity-domain-user-resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/access-governance/identity-domain-user-resources.tf b/modules/access-governance/identity-domain-user-resources.tf index 01c67b2b..2b891da3 100644 --- a/modules/access-governance/identity-domain-user-resources.tf +++ b/modules/access-governance/identity-domain-user-resources.tf 
@@ -51,7 +51,7 @@ resource "oci_identity_policy" "ag-access-policy" { name = "${oci_identity_group.agcs_group[count.index].name}_policies" statements = [ "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to inspect all-resources IN TENANCY", - "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to manage policies IN TENANCY where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}", + "ALLOW GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}", "Allow GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to read audit-events IN TENANCY", "Allow GROUP ${data.oci_identity_domains.ag_user_domain_data[count.index].domains[0].display_name}/${oci_identity_group.agcs_group[count.index].name} to manage domains IN TENANCY", ] From edd1016bd7d3fb0c427ccac53b7410a1d5500688 Mon Sep 17 00:00:00 2001 
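Review bot: Changing the guard from `all {}` to `any {}` removes the protection the original line provided: under `any`, the clause `target.policy.name != 'Tenant Admin Policy'` on its own grants the full `manage policies` verb (including `POLICY_CREATE`) on every other policy in the tenancy, and the `request.permission='POLICY_UPDATE'` / `'POLICY_DELETE'` clauses on their own permit updating or deleting the Tenant Admin Policy itself. The group receiving this statement is the Access Governance service user's group, so a compromise of that integration credential now reaches the tenancy's administrator policy. If the goal was only to add `POLICY_READ`, keep the conjunction, e.g. `where all {request.permission in ('POLICY_UPDATE', 'POLICY_READ', 'POLICY_DELETE'), target.policy.name != 'Tenant Admin Policy'}`; if the `in` list was the reason for the rewrite, emit one statement per permission, each of the form `where all {request.permission='POLICY_UPDATE', target.policy.name != 'Tenant Admin Policy'}`. The enclosing `resource "oci_identity_policy" "ag-access-policy"` block starts before this hunk, and the untouched `manage domains IN TENANCY` statement beside it is broad enough to deserve the same least-privilege review.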
From: Shamsul Haque Date: Wed, 10 Jan 2024 12:53:53 +0530 Subject: [PATCH 03/21] Updated documentation, example tfvars, and default values. --- .../IMPLEMENTATION.md | 78 +++++++++++++++++++ .../{tfvars => }/all_variables.tfvarexample | 2 +- .../local_existing_agcs_user.tfvarexample | 2 +- .../local_new_agcs_user.tfvarexample | 2 +- .../enterprise-landing-zone/example.tfvars | 8 +- 5 files changed, 85 insertions(+), 7 deletions(-) create mode 100644 Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md rename templates/elz-access-governance/examples/{tfvars => }/all_variables.tfvarexample (96%) rename templates/elz-access-governance/examples/{tfvars => }/local_existing_agcs_user.tfvarexample (96%) rename templates/elz-access-governance/examples/{tfvars => }/local_new_agcs_user.tfvarexample (95%) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md new file mode 100644 index 00000000..8d6d8669 --- /dev/null +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -0,0 +1,78 @@ +# Oracle Enterprise Landing Zone Access Governance Feature + +## Overview + +The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. + +## Prerequisites + +To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites. +- [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads) +- [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later +- [oci - cli](https://github.com/oracle/oci-cli) + +## Variables +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|---------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | +| **service_instance_description** | Access Governance Instance Description. | Yes | None | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | +| **ag_license_type** | Access Governance Instance License Type. 
Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | None | +| **oci_system_name** | OCI Connected System Name. | Yes | None | + +## How to execute + +## How to execute +### Via Resource Manager +1. [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/releases/tag/v2.2.0) +*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* +2. Under **Working directory** select the directory *templates/elz-access-governance* +3. Click Next. +4. Enter the values for required variables. +5. Click Next. +6. Click Next. +7. Click Apply. + +### Via Terraform CLI +1. 
Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples. +2. terraform init. +3. terraform plan. +4. terraform apply. + +While using CLI mode, user have option to user existing user to add the OCI system, below snippet indicates how to use existing user +`use_existing_agcs_user` = `true`
+`agcs_user_private_key_path` = `""`
+`agcs_user_ocid_oci_system` = `"ocid1.user.oc1..xyz"`
+`agcs_user_fingerprint_oci_system` = `""`
+ +To create new user and use it to add OCI connected system, set `use_existing_agcs_user` value to `false`. + +### Outcome of the Execution +1. An Access Governance Service instance will be deployed in selected compartment +2. Cloud gateway system will be added as connected system to the service instance. + +## License +Copyright (c) 2023, Oracle and/or its affiliates. + +Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +See [LICENSE](../../LICENSE) for more details. + +## Known Issues +None. \ No newline at end of file diff --git a/templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample b/templates/elz-access-governance/examples/all_variables.tfvarexample similarity index 96% rename from templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample rename to templates/elz-access-governance/examples/all_variables.tfvarexample index 4993a6a2..e0143441 100644 --- a/templates/elz-access-governance/examples/tfvars/all_variables.tfvarexample +++ b/templates/elz-access-governance/examples/all_variables.tfvarexample @@ -6,7 +6,7 @@ tenancy_ocid = "" region = "us-ashburn-1" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS -admin_domain_name = "" +admin_domain_name = "Default" ag_license_type = "Access Governance for Oracle Cloud Infrastructure" service_instance_display_name = "" service_instance_description = "" diff --git a/templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample b/templates/elz-access-governance/examples/local_existing_agcs_user.tfvarexample similarity index 96% rename from templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample rename to templates/elz-access-governance/examples/local_existing_agcs_user.tfvarexample index dbe118c1..78be6722 100644 --- a/templates/elz-access-governance/examples/tfvars/local_existing_agcs_user.tfvarexample 
+++ b/templates/elz-access-governance/examples/local_existing_agcs_user.tfvarexample @@ -7,7 +7,7 @@ region = "us-ashburn-1" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name -admin_domain_name = "" +admin_domain_name = "Default" ag_license_type = "Access Governance for Oracle Cloud Infrastructure" service_instance_display_name = "" service_instance_description = "" diff --git a/templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample b/templates/elz-access-governance/examples/local_new_agcs_user.tfvarexample similarity index 95% rename from templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample rename to templates/elz-access-governance/examples/local_new_agcs_user.tfvarexample index 17b5e152..23ffc865 100644 --- a/templates/elz-access-governance/examples/tfvars/local_new_agcs_user.tfvarexample +++ b/templates/elz-access-governance/examples/local_new_agcs_user.tfvarexample @@ -7,7 +7,7 @@ region = "us-ashburn-1" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS, Optional Fields: admin_domain_name -admin_domain_name = "" +admin_domain_name = "Default" ag_license_type = "Access Governance for Oracle Cloud Infrastructure" service_instance_display_name = "" service_instance_description = "" diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index a71bef40..eac8dded 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars 
@@ -120,18 +120,18 @@ nfw_instance_policy_prod = "nfw_policy_name" enable_network_firewall_nonprod = "false" ####################################### Access Governance ################################################### -prod_enable_access_governance = true -nonprod_enable_access_governance = true +prod_enable_access_governance = false +nonprod_enable_access_governance = false admin_domain_name = "Default" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" prod_service_instance_display_name = "" -prod_service_instance_description = "Prod OAG instance" +prod_service_instance_description = "Prod OAG service instance" nonprod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" nonprod_service_instance_display_name = "" -nonprod_service_instance_description = "Non Prod OAG instance" +nonprod_service_instance_description = "Non Prod OAG service instance" # ACCESS GOVERNANCE USER COMMON DETAILS prod_use_existing_agcs_user = false From 793c38de80c497e377ea947869694ddc3d1390d7 Mon Sep 17 00:00:00 2001 From: Shamsul Haque Date: Wed, 10 Jan 2024 16:27:39 +0530 Subject: [PATCH 04/21] Removed unwanted file. --- .../IMPLEMENTATION.md | 12 ++++---- templates/elz-access-governance/cleanup.sh | 29 ------------------- 2 files changed, 6 insertions(+), 35 deletions(-) delete mode 100755 templates/elz-access-governance/cleanup.sh diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 8d6d8669..cbee0893 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -50,16 +50,16 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terrafo 7. Click Apply. ### Via Terraform CLI -1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples. +1. Enter required variables in terraform.tfvars in the directory *templates/elz-access-governance*, for examples refer templates/elz-access-governance/examples. 2. terraform init. 3. terraform plan. 4. terraform apply. -While using CLI mode, user have option to user existing user to add the OCI system, below snippet indicates how to use existing user -`use_existing_agcs_user` = `true`
-`agcs_user_private_key_path` = `""`
-`agcs_user_ocid_oci_system` = `"ocid1.user.oc1..xyz"`
-`agcs_user_fingerprint_oci_system` = `""`
+While using CLI mode, user have option to use an existing user to add the OCI system, below snippet indicates how to use existing user.
+`use_existing_agcs_user` = `true`
+`agcs_user_private_key_path` = `""`
+`agcs_user_ocid_oci_system` = `"ocid1.user.oc1..xyz"`
+`agcs_user_fingerprint_oci_system` = `""`
To create new user and use it to add OCI connected system, set `use_existing_agcs_user` value to `false`. diff --git a/templates/elz-access-governance/cleanup.sh b/templates/elz-access-governance/cleanup.sh deleted file mode 100755 index 7d071d55..00000000 --- a/templates/elz-access-governance/cleanup.sh +++ /dev/null @@ -1,29 +0,0 @@ -#! /bin/bash -# Cleanup Terraform Files -# WARNING !!! This will remove Terraform State file along with other files and directories. -read -p "Do you really want to cleanup the terraform run files? " -n 1 -r -if [[ $REPLY =~ ^[Yy]$ ]]; then - tf_folder=".terraform" - tf_file1=".terraform.lock.hcl" - tf_file2="terraform.tfstate" - tf_file3="terraform.tfstate.backup" - response1="ag_si_creation_response.txt" - response2="ag_si_deletion_response.txt" - echo - echo "Removing Terraform Folder: $tf_folder..." - rm -rf "$tf_folder" - files_to_delete=("$tf_file1" "$tf_file2" "$tf_file3") - echo "Removing Files: ${files_to_delete[*]}..." - for file in "${files_to_delete[@]}" - do - rm -rf "${file}" - done - rm -rf "scripts/__pycache__" - echo "Emptying files $response1, $response2..." - echo -n > $response1 - echo -n > $response2 - echo "Done." -else - echo - echo "Cleanup cancelled." -fi From 1355d9accfcc004e5ce61ea66613248e5c66c801 Mon Sep 17 00:00:00 2001 From: Shamsul Haque Date: Wed, 10 Jan 2024 17:34:15 +0530 Subject: [PATCH 05/21] removed unwanted file --- modules/access-governance/cleanup.sh | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100755 modules/access-governance/cleanup.sh diff --git a/modules/access-governance/cleanup.sh b/modules/access-governance/cleanup.sh deleted file mode 100755 index ab300903..00000000 --- a/modules/access-governance/cleanup.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#! /bin/bash -# Cleanup Terraform Files -# WARNING !!! This will remove Terraform State file along with other files and directories. -read -p "Do you really want to cleanup the terraform run files? " -n 1 -r -if [[ $REPLY =~ ^[Yy]$ ]]; then - tf_folder=".terraform" - tf_file1=".terraform.lock.hcl" - tf_file2="terraform.tfstate" - tf_file3="terraform.tfstate.backup" - response1="ag_si_creation_response.txt" - response2="ag_si_deletion_response.txt" - echo "Removing Terraform Folder: $tf_folder..." - rm -rf "$tf_folder" - files_to_delete=("$tf_file1" "$tf_file2" "$tf_file3") - echo "Removing Files: ${files_to_delete[*]}..." - for file in "${files_to_delete[@]}" - do - rm -rf "${file}" - done - rm -rf "scripts/__pycache__" - echo "Emptying files $response1, $response2..." - echo -n > $response1 - echo -n > $response2 - echo "Done." -else - echo - echo "Cleanup cancelled." -fi From 38a19351c2f0c510be080be2de9ed34acda7b2e9 Mon Sep 17 00:00:00 2001 From: Shamsul Haque Date: Tue, 23 Jan 2024 17:05:38 +0530 Subject: [PATCH 06/21] improved documentation --- .../IMPLEMENTATION.md | 14 ++++ templates/elz-access-governance/provider.tf | 74 +++++++++---------- 2 files changed, 51 insertions(+), 37 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index cbee0893..3be0aef3 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -11,6 +11,20 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terrafo - [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later - [oci - cli](https://github.com/oracle/oci-cli) +## User + +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. + +```text +[DEFAULT] +user=ocid1.xxxxxx.xxxxxx.xxxxxx..... #ocid of the user +fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx #user api key fingerprint +tenancy=ocid1.xxxxxx.xxxxxx.xxxxxx..... #tenancy ocid +region=us-phoenix-1 #or desired region +key_file= # TODO +``` + + ## Variables | Variable Name | Description | Required | Default Value | |----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|---------------| diff --git a/templates/elz-access-governance/provider.tf b/templates/elz-access-governance/provider.tf index 5c1e8481..5282fd80 100644 --- a/templates/elz-access-governance/provider.tf +++ b/templates/elz-access-governance/provider.tf 
@@ -1,53 +1,53 @@ # ----------------------------------------------------------------------------- # Provider Requirements if using stack as a module # ----------------------------------------------------------------------------- -#terraform { -# required_version = ">= 1.0.0" -# -# required_providers { -# oci = { -# source = "oracle/oci" -# version = "5.9.0" -# configuration_aliases = [oci, oci.home_region] -# } -# } -#} - -# # ----------------------------------------------------------------------------- -# # WARNING! -# # UNCOMMENT BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS -# # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL -# # Provider Requirements if using stack as standalone -# # -# # ----------------------------------------------------------------------------- - terraform { required_version = ">= 1.0.0" required_providers { oci = { - source = "oracle/oci" - version = "5.9.0" + source = "oracle/oci" + version = "5.9.0" + configuration_aliases = [oci, oci.home_region] } } } -provider "oci" { - tenancy_ocid = var.ag_tenancy_ocid - user_ocid = var.current_user_ocid - fingerprint = var.api_fingerprint - private_key_path = var.api_private_key_path - region = var.ag_region -} +# # ----------------------------------------------------------------------------- +# # WARNING! 
+# # UNCOMMENT BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS +# # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL +# # Provider Requirements if using stack as standalone +# # +# # ----------------------------------------------------------------------------- -provider "oci" { - alias = "home_region" - tenancy_ocid = var.ag_tenancy_ocid - user_ocid = var.current_user_ocid - fingerprint = var.api_fingerprint - private_key_path = var.api_private_key_path - region = local.home_region[0] -} +#terraform { +# required_version = ">= 1.0.0" +# +# required_providers { +# oci = { +# source = "oracle/oci" +# version = "5.9.0" +# } +# } +#} +# +#provider "oci" { +# tenancy_ocid = var.ag_tenancy_ocid +# user_ocid = var.current_user_ocid +# fingerprint = var.api_fingerprint +# private_key_path = var.api_private_key_path +# region = var.ag_region +#} +# +#provider "oci" { +# alias = "home_region" +# tenancy_ocid = var.ag_tenancy_ocid +# user_ocid = var.current_user_ocid +# fingerprint = var.api_fingerprint +# private_key_path = var.api_private_key_path +# region = local.home_region[0] +#} # # ----------------------------------------------------------------------------- # # Provider / Python SDK Auth Variables From 52cbaae72a634530d877b980b339ea3798c6756b Mon Sep 17 00:00:00 2001 From: Shamsul Haque Date: Thu, 1 Feb 2024 09:49:26 +0530 Subject: [PATCH 07/21] Added default values to fix problem when ag is disabled --- .../enterprise-landing-zone/access-governance-variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/templates/enterprise-landing-zone/access-governance-variables.tf b/templates/enterprise-landing-zone/access-governance-variables.tf index f60e3323..cf875c0d 100644 --- a/templates/enterprise-landing-zone/access-governance-variables.tf +++ b/templates/enterprise-landing-zone/access-governance-variables.tf 
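Review bot: The module-mode `required_providers` block pins `version = "5.9.0"` exactly, while IMPLEMENTATION.md in this same series states the requirement as OCI provider v4.109.0 or later, so one of the two is wrong, and an exact pin inside a child module will also fail `terraform init` whenever the root landing zone pins any other build. Prefer a constraint such as `version = "~> 5.9"` (or `>= 5.9.0` if older 5.x is known to work) and let the root `.terraform.lock.hcl` fix the exact version. The commented-out standalone block below duplicates the same pin and the provider credential wiring; moving it to an `examples/standalone/provider.tf` would avoid a comment-toggle that is easy to commit in the wrong state and, when uncommented, would silently override the root provider's authentication.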
@@ -52,6 +52,7 @@ variable "admin_domain_name" { } ################################## Prod Details ########################################### variable "prod_ag_license_type" { + default = "Access Governance for Oracle Cloud Infrastructure" description = "Access Governance Instance License Type." validation { condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.prod_ag_license_type)) @@ -60,6 +61,7 @@ variable "prod_ag_license_type" { } variable "prod_service_instance_display_name" { + default = "prod-instance" description = "Access Governance Instance Display Name." validation { condition = can(regex("^[a-zA-Z0-9-_]+$", var.prod_service_instance_display_name)) @@ -68,6 +70,7 @@ variable "prod_service_instance_display_name" { } variable "prod_service_instance_description" { + default = "" description = "Access Governance Instance Description." } @@ -158,6 +161,7 @@ variable "prod_agcs_user_email" { ################################## Non Prod Details########################################### variable "nonprod_ag_license_type" { description = "Access Governance Instance License Type." + default = "Access Governance for Oracle Cloud Infrastructure" validation { condition = can(regex("^(Access Governance Premium|Access Governance for Oracle Workloads|Access Governance for Oracle Cloud Infrastructure)$", var.nonprod_ag_license_type)) error_message = "Please select any value among Access Governance Premium, Access Governance for Oracle Workloads, Access Governance for Oracle Cloud Infrastructure." 
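Review bot: The added `default = "prod-instance"` satisfies the validation beneath it, but that validation (a context line here) does not do what its `error_message` says: the regex `^[a-zA-Z0-9-_]+$` accepts a leading digit or hyphen although the message promises "start with a letter", and it rejects the empty string that `example.tfvars` in this series assigns to `prod_service_instance_display_name`, so the disabled-AG case the commit message targets still fails for anyone using that example. A `validation` block may reference only its own variable, so an empty value cannot be excused when `prod_enable_access_governance` is false; align the regex with the message, `condition = can(regex("^[a-zA-Z][a-zA-Z0-9_-]*$", var.prod_service_instance_display_name))`, and fix the example to supply a valid name. The same applies to the `nonprod_service_instance_display_name` default added in the following hunk.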
@@ -166,6 +170,7 @@ variable "nonprod_ag_license_type" { variable "nonprod_service_instance_display_name" { description = "Access Governance Instance Display Name." + default = "nonprod-instance" validation { condition = can(regex("^[a-zA-Z0-9-_]+$", var.nonprod_service_instance_display_name)) error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." @@ -173,6 +178,7 @@ variable "nonprod_service_instance_display_name" { } variable "nonprod_service_instance_description" { + default = "" description = "Access Governance Instance Description." } From 79433ec9e609ac8743e78e27b929babd6e4a3a6e Mon Sep 17 00:00:00 2001 
From: Shamsul Haque Date: Fri, 9 Feb 2024 22:42:00 +0530 Subject: [PATCH 08/21] Feature/agcs 8397 oag integration (#158) * Added another field to ask compartment for Admin's Domain * Implemented AG instance application name change. * Implemented new Control Plane changes and improved documentation. --- .../IMPLEMENTATION.md | 113 ++++++++++++------ .../create-ag-service-instance.py | 4 +- modules/access-governance/data-source.tf | 2 +- modules/access-governance/schema.yml | 20 ++-- modules/access-governance/variable.tf | 6 + .../ag_si_creation_response.txt | 0 .../ag_si_deletion_response.txt | 0 .../elz-access-governance/agcs-module.tf | 1 + .../examples/all_variables.tfvarexample | 30 ----- ...xample => existing_agcs_user.tfvarexample} | 0 ...fvarexample => new_agcs_user.tfvarexample} | 0 templates/elz-access-governance/provider.tf | 11 +- templates/elz-access-governance/schema.yml | 20 ++-- templates/elz-access-governance/variable.tf | 5 + .../access-governance-module-variables.tf | 5 + .../access-governance-module.tf | 1 + .../access-governance-variables.tf | 13 +- .../enterprise-landing-zone/environment.tf | 2 + .../enterprise-landing-zone/example.tfvars | 1 + 19 files changed, 138 insertions(+), 96 deletions(-) delete mode 100644 templates/elz-access-governance/ag_si_creation_response.txt delete mode 100644 templates/elz-access-governance/ag_si_deletion_response.txt delete mode 100644 templates/elz-access-governance/examples/all_variables.tfvarexample rename templates/elz-access-governance/examples/{local_existing_agcs_user.tfvarexample => existing_agcs_user.tfvarexample} (100%) rename templates/elz-access-governance/examples/{local_new_agcs_user.tfvarexample => new_agcs_user.tfvarexample} (100%) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 3be0aef3..d9c0de4d 100644 
--- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -26,60 +26,97 @@ key_file= # TODO ## Variables -| Variable Name | Description | Required | Default Value | -|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|---------------| -| **user_ocid** | OCID of the Administrator. | Yes | None | -| **fingerprint** | Fingerprint of the Administrator. | Yes | None | -| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | -| **region** | Region of the Administrator. | Yes | None | -| **private_key_path** | Private Key Path of Administrator. | Yes | None | -| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | -| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | -| **service_instance_description** | Access Governance Instance Description. | Yes | None | -| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | -| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | -| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | -| **agcs_user_name** | New Access Governance User's name. | Yes | None | -| **agcs_user_email** | Email address for the user. | Yes | None | -| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | -| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | -| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | -| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | -| **agcs_user_region_oci_system** | Region of the Access Governance User. 
| Yes | None | -| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | -| **oci_system_description** | OCI Connected System Description. | Yes | None | -| **oci_system_name** | OCI Connected System Name. | Yes | None | +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | +| **service_instance_description** | Access Governance Instance Description. | Yes | None | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | +| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. 
| Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System | +| **oci_system_name** | OCI Connected System Name. | Yes | OCI System | ## How to execute ## How to execute -### Via Resource Manager -1. [![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/releases/tag/v2.2.0) -*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* -2. Under **Working directory** select the directory *templates/elz-access-governance* -3. Click Next. -4. Enter the values for required variables. +### Via Resource Manager (Standalone Deployment) +Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in +
Only new AGCS User scenario is supported via Resource Manager Deployment
+ +1. Under **Working directory** select the directory *templates/elz-access-governance* +2. Click Next. +3. Enter the values for required variables. +4. Click Next. 5. Click Next. -6. Click Next. -7. Click Apply. +6. Click Apply. -### Via Terraform CLI -1. Enter required variables in terraform.tfvars in the directory *templates/elz-access-governance*, for examples refer templates/elz-access-governance/examples. +### Via Terraform CLI +#### Deployment Scenario 1: use_existing_agcs_user = false +1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/existing_agcs_user.tfvarexample +2. terraform init. +3. terraform plan. +4. terraform apply. + +### Oracle Access Governance Deployment: Access Governance Service Instance +An Access Governance Service instance will be deployed in security compartment + +### Oracle Access Governance Deployment: AGCS Group +A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. + +### Oracle Access Governance Deployment: AGCS User +AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM + +### Oracle Access Governance Deployment: AGCS User Group Policy statements +1. `ALLOW GROUP / to inspect all-resources IN TENANCY` +2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` +3. `Allow GROUP / to read audit-events IN TENANCY` +4. `Allow GROUP / to manage domains IN TENANCY` + +### Oracle Access Governance Deployment: OCI system on Access Governance Instance +Cloud gateway system will be added as connected system to the service instance. + + + + +#### Deployment Scenario 2: use_existing_agcs_user = true +1. 
Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. -While using CLI mode, user have option to use an existing user to add the OCI system, below snippet indicates how to use existing user.
`use_existing_agcs_user` = `true`
`agcs_user_private_key_path` = `""`
`agcs_user_ocid_oci_system` = `"ocid1.user.oc1..xyz"`
`agcs_user_fingerprint_oci_system` = `""`
-To create new user and use it to add OCI connected system, set `use_existing_agcs_user` value to `false`. +
The above user needs to be in Default domain with below policy statements.
+ +1. `ALLOW GROUP / to inspect all-resources IN TENANCY` +2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` +3. `Allow GROUP / to read audit-events IN TENANCY` +4. `Allow GROUP / to manage domains IN TENANCY` + + +### Oracle Access Governance Deployment: Access Governance Service Instance +An Access Governance Service instance will be deployed in security compartment -### Outcome of the Execution -1. An Access Governance Service instance will be deployed in selected compartment -2. Cloud gateway system will be added as connected system to the service instance. +### Oracle Access Governance Deployment: OCI system on Access Governance Instance +Cloud gateway system will be added as connected system to the service instance. ## License Copyright (c) 2023, Oracle and/or its affiliates. diff --git a/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py b/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py index 15b5831e..4f4fec8f 100644 --- a/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py +++ b/modules/access-governance/agcs-resources-scripts/create-ag-service-instance.py @@ -23,6 +23,7 @@ def create_instance(ag_cp_composite_client, signer): compartment_id=os.environ["SERVICE_INSTANCE_COMPARTMENT_OCID"], idcs_access_token=token) si_name = None + si_id = None output = None try: response = (ag_cp_composite_client 
@@ -31,6 +32,7 @@ def create_instance(ag_cp_composite_client, signer): json_res = json.dumps(str(response.__dict__['data']), indent=2) output = json_res.encode() si_name = response.__dict__['data'].display_name + si_id = "-" + response.__dict__['data'].id[len(response.__dict__['data'].id) - 10:] # except exceptions.ServiceError as errorResponse: # si_name = os.environ["SERVICE_INSTANCE_DISPLAY_NAME"] # if errorResponse.code == "NotAuthorizedOrResourceAlreadyExists": @@ -44,7 +46,7 @@ def create_instance(ag_cp_composite_client, signer): should_create_connected_system = os.environ["SHOULD_CREATE_CONNECTED_SYSTEM"] if should_create_connected_system == "true" and (si_name and not si_name.isspace()): - connected_system.execute_add_connected_system(si_name) + connected_system.execute_add_connected_system(si_name+si_id) if output and not output.isspace(): print(base64.b64encode(output).decode()) diff --git a/modules/access-governance/data-source.tf b/modules/access-governance/data-source.tf index 8bb2ac5d..a3c94a98 100644 --- a/modules/access-governance/data-source.tf +++ b/modules/access-governance/data-source.tf @@ -1,5 +1,5 @@ data "oci_identity_domains" "admin_domain_data" { - compartment_id = var.tenancy_ocid + compartment_id = var.admin_domain_compartment_ocid display_name = var.admin_domain_name } diff --git a/modules/access-governance/schema.yml b/modules/access-governance/schema.yml index d2fdbb3c..ab5fb916 100644 --- a/modules/access-governance/schema.yml +++ b/modules/access-governance/schema.yml 
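Review bot: `response.__dict__['data'].id[len(response.__dict__['data'].id) - 10:]` spells a negative slice the long way; since the `__dict__['data']` lookup already works, `data` is a plain instance attribute and the line can read `si_id = "-" + response.data.id[-10:]`. The two forms agree even for an id shorter than ten characters (a negative start clamps to the whole string), so this is style only. The suffix is presumably meant to keep the connected-system name unique per instance, and a comment saying so, e.g. `# tail of the instance id keeps the connected-system name unique per instance`, would spare the next reader the guess. create_instance's body starts and ends outside this hunk.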
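Review bot: `si_name+si_id` is guarded only by `si_name`, while `si_id` is initialised to `None` in the `@@ -23,6 +23,7 @@` hunk and apparently assigned only inside the `try`; any path that sets `si_name` without `si_id` — the commented-out `except` branch just above does exactly that from `SERVICE_INSTANCE_DISPLAY_NAME` — would raise `TypeError` here, after the instance has already been created and before the base64 output is printed. Initialising with `si_id = ""` in that earlier hunk, or writing `connected_system.execute_add_connected_system(si_name + (si_id or ""))`, keeps the call safe; the operator also wants PEP 8 spacing. create_instance's body starts and ends outside this hunk.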
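Review bot: `data "oci_identity_domains" "admin_domain_data"` now reads `var.admin_domain_compartment_ocid`, which modules/access-governance/variable.tf declares in this patch with `default = ""`, so a caller that leaves the new input unset — example.tfvars in this patch sets it to `""` — sends an empty `compartment_id` to the lookup instead of the tenancy root the previous line used. Either keep the old behaviour as the fallback, `compartment_id = var.admin_domain_compartment_ocid != "" ? var.admin_domain_compartment_ocid : var.tenancy_ocid`, or drop the default so Terraform refuses to plan without a value. A wrong compartment here presumably yields an empty domain list rather than an error, which then surfaces only in whatever resources consume this data source.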
@@ -1,12 +1,8 @@ -# Copyright (c) 2022 Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -title: "CIS (Center for Internet Security) OCI Landing Zone Quick Start for Access Governance" -stackDescription: "A stack to Deploy Oracle Access Governance." -description: "This stack deploys Oracle Access Governance." +title: Oracle Enterprise Landing Zone 2.0 +description: Oracle Enterprise Landing Zone 2.0 developed by OCI schemaVersion: 1.0.0 -version: "0.0.1" -locale: "en" +version: "1.0.0" +locale: en #logoUrl: "https://objectstorage.us-ashburn-1.oraclecloud.com/p/taf6kC9fSJyQDNSYbxvqxS_JsdnSu56oFZ3-1h5vI7-WfJUv77mplChopLxZPePW/n/ociateam/b/cis-landing-zone/o/landing_zone_130.png" @@ -17,6 +13,7 @@ variableGroups: # - "use_namespace" - "namespace_service_endpoint" - "admin_domain_name" + - "admin_domain_compartment_ocid" - "service_instance_display_name" - "service_instance_description" - "ag_license_type" @@ -41,6 +38,7 @@ variableGroups: - "private_key_path" - "admin_ocid_service_instance" - "fingerprint" + - "private_key_password" - "tenancy_ocid" - "user_ocid" - "agcs_user_fingerprint_oci_system" @@ -65,6 +63,12 @@ variables: description: "Compartment, where Access Governance instance will be deployed." required: true + admin_domain_compartment_ocid: + type: oci:identity:compartment:id + title: "Compartment of Administrator's Domain" + description: "The Compartment where Administrator's Domain belongs." + required: true + namespace_service_endpoint: type: string title: "Select A Namespace" diff --git a/modules/access-governance/variable.tf b/modules/access-governance/variable.tf index 236d0fba..410dd423 100644 --- a/modules/access-governance/variable.tf +++ b/modules/access-governance/variable.tf 
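Review bot: The copyright and UPL license header is dropped from modules/access-governance/schema.yml together with `stackDescription`, and the title now reads `Oracle Enterprise Landing Zone 2.0` for a schema that deploys only the Access Governance module. If the rename is intended, the two header lines `# Copyright (c) 2022 Oracle and/or its affiliates.` and `# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.` should still be kept, and a description such as `description: Deploys Oracle Access Governance as part of Oracle Enterprise Landing Zone 2.0` would keep the stack identifiable in Resource Manager. The same change is made to templates/elz-access-governance/schema.yml in the `@@ -1,12 +1,8 @@` hunk of that file.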
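Review bot: `private_key_password` is added to a variable group in the `@@ -41,6 +38,7 @@` hunk, but no declaration of it appears anywhere in this patch — neither in the schema's `variables:` section nor in modules/access-governance/variable.tf — so confirm it is declared in both places. The name suggests it is the passphrase of the administrator's API private key; if so, its schema entry should carry `type: password` and `sensitive: true` so Resource Manager masks the value in the console, and the Terraform declaration should set `sensitive = true` so it is redacted from plan output, which the neighbouring `private_key_path` and `fingerprint` entries do not need. The same hunk appears in templates/elz-access-governance/schema.yml.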
@@ -42,6 +42,12 @@ variable "admin_domain_name" { description = "Administrator's Identity Domain Name." } +variable "admin_domain_compartment_ocid" { + default = "" + description = "Administrator's Identity Domain's Compartment." +} + + variable "use_existing_agcs_user" { type = bool default = false diff --git a/templates/elz-access-governance/ag_si_creation_response.txt b/templates/elz-access-governance/ag_si_creation_response.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/templates/elz-access-governance/ag_si_deletion_response.txt b/templates/elz-access-governance/ag_si_deletion_response.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/templates/elz-access-governance/agcs-module.tf b/templates/elz-access-governance/agcs-module.tf index 85779cd0..1d0a7a0f 100644 --- a/templates/elz-access-governance/agcs-module.tf +++ b/templates/elz-access-governance/agcs-module.tf @@ -6,6 +6,7 @@ module "agcs-module" { tenancy_ocid = var.ag_tenancy_ocid region = var.ag_region admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid service_instance_compartment_ocid = var.service_instance_compartment_ocid service_instance_description = var.service_instance_description service_instance_display_name = var.service_instance_display_name diff --git a/templates/elz-access-governance/examples/all_variables.tfvarexample b/templates/elz-access-governance/examples/all_variables.tfvarexample deleted file mode 100644 index e0143441..00000000 --- a/templates/elz-access-governance/examples/all_variables.tfvarexample +++ /dev/null 
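Review bot: The new `admin_domain_compartment_ocid` variable declares no `type` and no `validation`, unlike the sibling `use_existing_agcs_user` which declares `type = bool`, and its `default = ""` contradicts the `required: true` that schema.yml gives the same input. A string type with a format check on the OCID turns a mistyped or forgotten compartment into a plan-time error instead of a failed identity-domain lookup; the empty string stays allowed so callers that omit it are not broken. The same declaration is repeated in templates/elz-access-governance/variable.tf, templates/elz-environment/access-governance-module-variables.tf and templates/enterprise-landing-zone/access-governance-variables.tf and should be changed in step.
```hcl
variable "admin_domain_compartment_ocid" {
  type        = string
  default     = ""
  description = "Administrator's Identity Domain's Compartment."
  validation {
    condition     = var.admin_domain_compartment_ocid == "" || can(regex("^ocid1\\.(tenancy|compartment)\\.", var.admin_domain_compartment_ocid))
    error_message = "admin_domain_compartment_ocid must be empty or a tenancy/compartment OCID."
  }
}
```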
@@ -1,30 +0,0 @@ -#ADMINISTRATOR -private_key_path = "" -user_ocid = "" -fingerprint = "" -tenancy_ocid = "" -region = "us-ashburn-1" - -# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS -admin_domain_name = "Default" -ag_license_type = "Access Governance for Oracle Cloud Infrastructure" -service_instance_display_name = "" -service_instance_description = "" -service_instance_compartment_ocid = "" - -# ACCESS GOVERNANCE USER COMMON DETAILS -use_existing_agcs_user = true - -# ACCESS GOVERNANCE EXISTING_USER -agcs_user_private_key_path = "" -agcs_user_ocid_oci_system = "ocid1.user.oc1..xyz" -agcs_user_fingerprint_oci_system = "" - -# NEW AG USER -#agcs_user_group_display_name = "agcs_group" -#agcs_user_name = "agcs_user" -#agcs_user_email = "something@example.com" - -# OCI Connected System -oci_system_name = "OCI Connected System" -oci_system_description = "AG Connected System" \ No newline at end of file diff --git a/templates/elz-access-governance/examples/local_existing_agcs_user.tfvarexample b/templates/elz-access-governance/examples/existing_agcs_user.tfvarexample similarity index 100% rename from templates/elz-access-governance/examples/local_existing_agcs_user.tfvarexample rename to templates/elz-access-governance/examples/existing_agcs_user.tfvarexample diff --git a/templates/elz-access-governance/examples/local_new_agcs_user.tfvarexample b/templates/elz-access-governance/examples/new_agcs_user.tfvarexample similarity index 100% rename from templates/elz-access-governance/examples/local_new_agcs_user.tfvarexample rename to templates/elz-access-governance/examples/new_agcs_user.tfvarexample diff --git a/templates/elz-access-governance/provider.tf b/templates/elz-access-governance/provider.tf index 5282fd80..d9430a90 100644 --- a/templates/elz-access-governance/provider.tf +++ b/templates/elz-access-governance/provider.tf 
@@ -1,6 +1,7 @@ # ----------------------------------------------------------------------------- # Provider Requirements if using stack as a module # ----------------------------------------------------------------------------- + terraform { required_version = ">= 1.0.0" @@ -15,10 +16,8 @@ terraform { # # ----------------------------------------------------------------------------- # # WARNING! -# # UNCOMMENT BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS +# # UNCOMMENT BELOW SECTION AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS # # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL -# # Provider Requirements if using stack as standalone -# # # # ----------------------------------------------------------------------------- #terraform { @@ -49,10 +48,10 @@ terraform { # region = local.home_region[0] #} -# # ----------------------------------------------------------------------------- +# # -----------------------------DO NOT MODIFY ANY THING BEYOND HERE------------------------ # # Provider / Python SDK Auth Variables -# # Do not remove/comment out this line as it is required for python script authentication -# # ----------------------------------------------------------------------------- +# # Do not remove/comment out these lines as it is required for python script authentication +# # ---------------------------------------------------------------------------------------- variable "current_user_ocid" { type = string description = "The OCID of the current user" diff --git a/templates/elz-access-governance/schema.yml b/templates/elz-access-governance/schema.yml index d2fdbb3c..ab5fb916 100644 --- a/templates/elz-access-governance/schema.yml +++ b/templates/elz-access-governance/schema.yml 
@@ -1,12 +1,8 @@ -# Copyright (c) 2022 Oracle and/or its affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -title: "CIS (Center for Internet Security) OCI Landing Zone Quick Start for Access Governance" -stackDescription: "A stack to Deploy Oracle Access Governance." -description: "This stack deploys Oracle Access Governance." +title: Oracle Enterprise Landing Zone 2.0 +description: Oracle Enterprise Landing Zone 2.0 developed by OCI schemaVersion: 1.0.0 -version: "0.0.1" -locale: "en" +version: "1.0.0" +locale: en #logoUrl: "https://objectstorage.us-ashburn-1.oraclecloud.com/p/taf6kC9fSJyQDNSYbxvqxS_JsdnSu56oFZ3-1h5vI7-WfJUv77mplChopLxZPePW/n/ociateam/b/cis-landing-zone/o/landing_zone_130.png" @@ -17,6 +13,7 @@ variableGroups: # - "use_namespace" - "namespace_service_endpoint" - "admin_domain_name" + - "admin_domain_compartment_ocid" - "service_instance_display_name" - "service_instance_description" - "ag_license_type" @@ -41,6 +38,7 @@ variableGroups: - "private_key_path" - "admin_ocid_service_instance" - "fingerprint" + - "private_key_password" - "tenancy_ocid" - "user_ocid" - "agcs_user_fingerprint_oci_system" @@ -65,6 +63,12 @@ variables: description: "Compartment, where Access Governance instance will be deployed." required: true + admin_domain_compartment_ocid: + type: oci:identity:compartment:id + title: "Compartment of Administrator's Domain" + description: "The Compartment where Administrator's Domain belongs." + required: true + namespace_service_endpoint: type: string title: "Select A Namespace" diff --git a/templates/elz-access-governance/variable.tf b/templates/elz-access-governance/variable.tf index c5726135..32ae89e3 100644 --- a/templates/elz-access-governance/variable.tf +++ b/templates/elz-access-governance/variable.tf 
@@ -38,6 +38,11 @@ variable "admin_domain_name" { description = "Administrator's Identity Domain Name." } +variable "admin_domain_compartment_ocid" { + default = "" + description = "Administrator's Identity Domain's Compartment." +} + variable "ag_license_type" { description = "Access Governance Instance License Type." validation { diff --git a/templates/elz-environment/access-governance-module-variables.tf b/templates/elz-environment/access-governance-module-variables.tf index 19209c8a..6b989c4f 100644 --- a/templates/elz-environment/access-governance-module-variables.tf +++ b/templates/elz-environment/access-governance-module-variables.tf @@ -58,6 +58,11 @@ variable "admin_domain_name" { description = "Administrator's Identity Domain Name." } +variable "admin_domain_compartment_ocid" { + default = "" + description = "Administrator's Identity Domain's Compartment." +} + variable "ag_license_type" { description = "Access Governance Instance License Type." validation { diff --git a/templates/elz-environment/access-governance-module.tf b/templates/elz-environment/access-governance-module.tf index ddb12c31..66e10b71 100644 --- a/templates/elz-environment/access-governance-module.tf +++ b/templates/elz-environment/access-governance-module.tf @@ -7,6 +7,7 @@ module "elz-access-governance" { ag_tenancy_ocid = var.tenancy_ocid ag_region = var.ag_region admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid service_instance_compartment_ocid = module.compartment.compartments.security.id service_instance_description = var.service_instance_description service_instance_display_name = var.service_instance_display_name diff --git a/templates/enterprise-landing-zone/access-governance-variables.tf b/templates/enterprise-landing-zone/access-governance-variables.tf index cf875c0d..2768aed6 100644 --- a/templates/enterprise-landing-zone/access-governance-variables.tf 
+++ b/templates/enterprise-landing-zone/access-governance-variables.tf @@ -50,6 +50,11 @@ variable "admin_domain_name" { default = "Default" description = "Administrator's Identity Domain Name." } + +variable "admin_domain_compartment_ocid" { + default = "" + description = "Administrator's Identity Domain's Compartment." +} ################################## Prod Details ########################################### variable "prod_ag_license_type" { default = "Access Governance for Oracle Cloud Infrastructure" @@ -61,7 +66,7 @@ variable "prod_ag_license_type" { } variable "prod_service_instance_display_name" { - default = "prod-instance" + default = "prod-access-governance-instance" description = "Access Governance Instance Display Name." validation { condition = can(regex("^[a-zA-Z0-9-_]+$", var.prod_service_instance_display_name)) @@ -124,13 +129,13 @@ variable "prod_agcs_user_region_oci_system" { variable "prod_oci_system_name" { type = string - default = "" + default = "OCI Connected System" description = "OCI Connected System Name." } variable "prod_oci_system_description" { type = string - default = "" + default = "OCI Connected System" description = "OCI Connected System Description." } @@ -170,7 +175,7 @@ variable "nonprod_ag_license_type" { variable "nonprod_service_instance_display_name" { description = "Access Governance Instance Display Name." - default = "nonprod-instance" + default = "nonprod-access-governance-instance" validation { condition = can(regex("^[a-zA-Z0-9-_]+$", var.nonprod_service_instance_display_name)) error_message = "Must be unique, start with a letter and contain only alphanumeric characters without any space. Hyphen (-) and underscore ( _ ) are allowed only." diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index 527486f7..4fa17b5b 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf 
@@ -146,6 +146,7 @@ module "prod_environment" { ag_tenancy_ocid = var.tenancy_ocid ag_api_private_key_path = var.api_private_key_path admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid enable_access_governance = var.prod_enable_access_governance service_instance_description = var.prod_service_instance_description @@ -325,6 +326,7 @@ module "nonprod_environment" { ag_tenancy_ocid = var.tenancy_ocid ag_api_private_key_path = var.api_private_key_path admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid enable_access_governance = var.nonprod_enable_access_governance service_instance_description = var.nonprod_service_instance_description diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index 55e0fefd..856b2e70 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars @@ -128,6 +128,7 @@ enable_network_firewall_nonprod = "false" prod_enable_access_governance = false nonprod_enable_access_governance = false admin_domain_name = "Default" +admin_domain_compartment_ocid = "" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" From 73f22ff8db60ae9aaa0c0be6cfbcd2f49941efd7 Mon Sep 17 00:00:00 2001 
From: Shamsul Haque Date: Mon, 12 Feb 2024 22:33:23 +0530 Subject: [PATCH 09/21] Feature/agcs 8397 oag integration (#159) * Added another field to ask compartment for Admin's Domain * Implemented AG instance application name change. * Implemented new Control Plane changes and improved documentation. * Added OAG variables in schema to support resource manager deployment and added few default values. * Updated Documentation --- .../IMPLEMENTATION.md | 75 ++++--- .../access-governance-variables.tf | 20 +- templates/enterprise-landing-zone/schema.yaml | 190 +++++++++++++++++- 3 files changed, 234 insertions(+), 51 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index d9c0de4d..7f9fe572 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -26,74 +26,69 @@ key_file= # TODO ## Variables -| Variable Name | Description | Required | Default Value | -|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------| -| **user_ocid** | OCID of the Administrator. | Yes | None | -| **fingerprint** | Fingerprint of the Administrator. | Yes | None | -| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | -| **region** | Region of the Administrator. | Yes | None | -| **private_key_path** | Private Key Path of Administrator. | Yes | None | -| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | -| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | -| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | -| **service_instance_description** | Access Governance Instance Description. | Yes | None | -| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | None | -| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | -| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | -| **agcs_user_name** | New Access Governance User's name. | Yes | None | -| **agcs_user_email** | Email address for the user. | Yes | None | -| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | -| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | -| **agcs_user_private_key_path** | Private Key for Access Governance User. 
| Yes | None | -| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | -| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | -| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | -| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System | -| **oci_system_name** | OCI Connected System Name. | Yes | OCI System | +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | +| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance | +| **ag_license_type** | Access Governance Instance License Type. 
Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | +| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | ## How to execute ## How to execute -### Via Resource Manager (Standalone Deployment) +### Via Resource Manager Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in
Only new AGCS User scenario is supported via Resource Manager Deployment
-1. Under **Working directory** select the directory *templates/elz-access-governance* +1. Under **Working directory** select the directory *templates/enterprise-landing-zone* 2. Click Next. 3. Enter the values for required variables. 4. Click Next. 5. Click Next. 6. Click Apply. -### Via Terraform CLI -#### Deployment Scenario 1: use_existing_agcs_user = false +### Via Terraform CLI (Two Deployment Scenarios) +#### Deployment Scenario 1: use_existing_agcs_user = false: 1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/existing_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. -### Oracle Access Governance Deployment: Access Governance Service Instance +##### Oracle Access Governance Deployment: Access Governance Service Instance: An Access Governance Service instance will be deployed in security compartment -### Oracle Access Governance Deployment: AGCS Group +##### Oracle Access Governance Deployment: AGCS Group: A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. -### Oracle Access Governance Deployment: AGCS User +##### Oracle Access Governance Deployment: AGCS User: AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM -### Oracle Access Governance Deployment: AGCS User Group Policy statements +##### Oracle Access Governance Deployment: AGCS User Group Policy statements: 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` 3. `Allow GROUP / to read audit-events IN TENANCY` 4. 
`Allow GROUP / to manage domains IN TENANCY` -### Oracle Access Governance Deployment: OCI system on Access Governance Instance -Cloud gateway system will be added as connected system to the service instance. - - - -#### Deployment Scenario 2: use_existing_agcs_user = true +#### Deployment Scenario 2: use_existing_agcs_user = true: 1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. @@ -112,10 +107,10 @@ Cloud gateway system will be added as connected system to the service instance. 4. `Allow GROUP / to manage domains IN TENANCY` -### Oracle Access Governance Deployment: Access Governance Service Instance +##### Oracle Access Governance Deployment: Access Governance Service Instance: An Access Governance Service instance will be deployed in security compartment -### Oracle Access Governance Deployment: OCI system on Access Governance Instance +##### Oracle Access Governance Deployment: OCI system on Access Governance Instance: Cloud gateway system will be added as connected system to the service instance. ## License diff --git a/templates/enterprise-landing-zone/access-governance-variables.tf b/templates/enterprise-landing-zone/access-governance-variables.tf index 2768aed6..28fc3b76 100644 --- a/templates/enterprise-landing-zone/access-governance-variables.tf +++ b/templates/enterprise-landing-zone/access-governance-variables.tf @@ -75,7 +75,7 @@ variable "prod_service_instance_display_name" { } variable "prod_service_instance_description" { - default = "" + default = "Oracle Access Governance Service Instance in Prod." description = "Access Governance Instance Description." } 
@@ -129,13 +129,13 @@ variable "prod_agcs_user_region_oci_system" {
 variable "prod_oci_system_name" {
 type = string
- default = "OCI Connected System"
+ default = "Local-OCI-System-Prod"
 description = "OCI Connected System Name."
 }
 variable "prod_oci_system_description" {
 type = string
- default = "OCI Connected System"
+ default = "OCI Connected System in Prod."
 description = "OCI Connected System Description."
 }
@@ -147,11 +147,11 @@ variable "prod_agcs_user_domain_name" {
 variable "prod_agcs_user_group_display_name" {
 description = "Group to create for Access Governance User."
- default = "agcs_group"
+ default = "prod_agcs_group"
 }
 variable "prod_agcs_user_name" {
- default = "agcs_user"
+ default = "prod_agcs_user"
 description = "New Access Governance User's name."
 }
@@ -183,7 +183,7 @@ variable "nonprod_service_instance_display_name" {
 }
 variable "nonprod_service_instance_description" {
- default = ""
+ default = "Oracle Access Governance Service Instance in Non-Prod."
 description = "Access Governance Instance Description."
 }
@@ -237,13 +237,13 @@ variable "nonprod_agcs_user_region_oci_system" {
 variable "nonprod_oci_system_name" {
 type = string
- default = ""
+ default = "Local-OCI-System-Non-Prod"
 description = "OCI Connected System Name."
 }
 variable "nonprod_oci_system_description" {
 type = string
- default = ""
+ default = "OCI Connected System in Non-Prod."
 description = "OCI Connected System Description."
 }
@@ -255,11 +255,11 @@ variable "nonprod_agcs_user_domain_name" {
 variable "nonprod_agcs_user_group_display_name" {
 description = "Group to create for Access Governance User."
- default = "agcs_group"
+ default = "non_prod_agcs_group"
 }
 variable "nonprod_agcs_user_name" {
- default = "agcs_user"
+ default = "non_prod_agcs_user"
 description = "New Access Governance User's name."
 }
diff --git a/templates/enterprise-landing-zone/schema.yaml b/templates/enterprise-landing-zone/schema.yaml
index dd74bfc6..748d7051 100644
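Review bot: The new defaults in `@@ -147,11 +147,11 @@` and `@@ -255,11 +255,11 @@` use two different prefixes for parallel variables, `prod_agcs_user`/`prod_agcs_group` versus `non_prod_agcs_user`/`non_prod_agcs_group`, while the variable names themselves use `nonprod_`; `default = "nonprod_agcs_user"` and `default = "nonprod_agcs_group"` would keep the naming consistent with the rest of the file. Separately, `prod_oci_system_description` now defaults to `"OCI Connected System in Prod."` (and Non-Prod to `"OCI Connected System in Non-Prod."`), but the schema.yaml hunk `@@ -1315,4 +1356,151 @@` later in this same patch declares `default: "Prod OCI Connected System."` and `default: "Non-Prod OCI Connected System."` for the same inputs, so CLI and Resource Manager deployments will produce differently described connected systems; pick one string and use it in both files. Each `variable` block touched here is complete within its hunk.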
--- a/templates/enterprise-landing-zone/schema.yaml
+++ b/templates/enterprise-landing-zone/schema.yaml
@@ -195,6 +195,29 @@ variableGroups:
 - prod_additional_workload_subnets_cidr_blocks
 - nonprod_workload_compartment_names
 - nonprod_additional_workload_subnets_cidr_blocks
+ - title: Oracle Access Governance Variables
+ visible: true
+ variables:
+ - prod_enable_access_governance
+ - nonprod_enable_access_governance
+ - admin_domain_name
+ - admin_domain_compartment_ocid
+ - prod_ag_license_type
+ - prod_service_instance_display_name
+ - prod_service_instance_description
+ - prod_agcs_user_name
+ - prod_agcs_user_group_display_name
+ - prod_agcs_user_email
+ - prod_oci_system_name
+ - prod_oci_system_description
+ - nonprod_ag_license_type
+ - nonprod_service_instance_display_name
+ - nonprod_service_instance_description
+ - nonprod_agcs_user_name
+ - nonprod_agcs_user_group_display_name
+ - nonprod_agcs_user_email
+ - nonprod_oci_system_name
+ - nonprod_oci_system_description
 - title: Invisible Variables
 visible: false
 variables:
@@ -223,6 +246,24 @@ variableGroups:
 - domain_license_type
 - is_baseline_deploy
 - is_create_alarms
+ - nonprod_use_existing_agcs_user
+ - prod_use_existing_agcs_user
+ - prod_agcs_user_private_key
+ - nonprod_agcs_user_private_key
+ - prod_agcs_user_private_key_path
+ - nonprod_agcs_user_private_key_path
+ - prod_agcs_user_ocid_oci_system
+ - nonprod_agcs_user_ocid_oci_system
+ - prod_agcs_user_tenancy_ocid_oci_system
+ - nonprod_agcs_user_tenancy_ocid_oci_system
+ - prod_agcs_user_fingerprint_oci_system
+ - nonprod_agcs_user_fingerprint_oci_system
+ - prod_agcs_user_region_oci_system
+ - nonprod_agcs_user_region_oci_system
+ - namespace_service_endpoint
+ - should_create_connected_system
+ - nonprod_agcs_user_domain_name
+ - prod_agcs_user_domain_name
 variables:
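Review bot: The `prod_agcs_user_private_key`, `nonprod_agcs_user_private_key` and `*_agcs_user_private_key_path` entries added to the `Invisible Variables` group in `@@ -223,6 +246,24 @@` are credential inputs, and nothing in the schema records how they are expected to be supplied once hidden from the Resource Manager form. A short comment above the group, such as `# AGCS credential inputs (private key, key path, fingerprint) are hidden in ORM and intended to be supplied outside the form; never give them a default here`, would make that intent explicit for the next editor. Presumably these feed the CLI scenarios described in the readme hunk earlier in this patch; if so, saying so here guards against a later change that adds a placeholder default to a key variable.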
@@ -1315,4 +1356,151 @@ variables:
 type: string
 required: false
 title: Additional Workload Subnets CIDR Blocks in Non-Prod
- description: "A list of subnets cidr blocks in additional workload expansion stack in Non-Prod"
\ No newline at end of file
+ description: "A list of subnets cidr blocks in additional workload expansion stack in Non-Prod"
+
+ # Access Governance Variables
+ prod_enable_access_governance:
+ type: boolean
+ description: "Option to enable Oracle Access Governance in Prod."
+ default: true
+ required: true
+ title: Enable Oracle Access Governance in Prod
+ nonprod_enable_access_governance:
+ type: boolean
+ description: "Option to enable Oracle Access Governance in Non-Prod."
+ default: true
+ required: true
+ title: Enable Oracle Access Governance in Non-Prod
+ admin_domain_name:
+ type: string
+ title: "Administrator's Identity Domain Name"
+ description: "Administrator's Identity Domain Name for authorizing the IDCS APIs."
+ required: true
+ pattern: ^[A-Za-z0-9_.-]+$
+ visible:
+ or:
+ - prod_enable_access_governance
+ - nonprod_enable_access_governance
+ admin_domain_compartment_ocid:
+ type: oci:identity:compartment:id
+ title: "Compartment of Administrator's Domain"
+ description: "The Compartment where Administrator's Domain belongs."
+ required: true
+ visible:
+ or:
+ - prod_enable_access_governance
+ - nonprod_enable_access_governance
+ prod_service_instance_display_name:
+ type: string
+ title: "Access Governance Instance Display Name in Prod."
+ description: "Instance name will be used in instance URL."
+ pattern: ^[a-zA-Z0-9-_]+$
+ required: true
+ visible: prod_enable_access_governance
+ prod_service_instance_description:
+ type: string
+ title: "Access Governance Instance Description in Prod."
+ description: "Description of the Access Governance Service Instance."
+ required: true
+ visible: prod_enable_access_governance
+ prod_ag_license_type:
+ type: enum
+ enum:
+ - "Access Governance Premium"
+ - "Access Governance for Oracle Workloads"
+ - "Access Governance for Oracle Cloud Infrastructure"
+ title: "Access Governance Instance License Type in Prod."
+ description: "License Type for Access Governance Instance"
+ default: "Access Governance for Oracle Cloud Infrastructure"
+ required: true
+ visible: prod_enable_access_governance
+ prod_agcs_user_email:
+ type: string
+ title: "Access Governance User's Email in Prod."
+ description: "Email of the New Access Governance User."
+ pattern: ^[^\s@]+@[^\s@]+\.[^\s@]+$
+ required: true
+ visible: prod_enable_access_governance
+ prod_agcs_user_name:
+ type: string
+ title: "Access Governance User’s Name in Prod."
+ description: "Name for creating Access Governance User"
+ required: true
+ visible: prod_enable_access_governance
+ prod_agcs_user_group_display_name:
+ type: string
+ title: "Access Governance User's Group Name in Prod."
+ description: "User will become part of this group for policy assignment."
+ required: true
+ visible: prod_enable_access_governance
+ prod_oci_system_name:
+ type: string
+ title: "OCI Connected System Name in Prod."
+ description: "Display Name for the OCI Connected System in Access Governance."
+ required: true
+ default: "Local-OCI-System-Prod"
+ visible: prod_enable_access_governance
+ prod_oci_system_description:
+ type: string
+ title: "OCI Connected System Description in Prod."
+ description: "Description of the Connected System."
+ required: true
+ default: "Prod OCI Connected System."
+ visible: prod_enable_access_governance
+ nonprod_service_instance_display_name:
+ type: string
+ title: "Access Governance Instance Display Name in Non-Prod."
+ description: "Instance name will be used in instance URL."
+ pattern: ^[a-zA-Z0-9-_]+$
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_service_instance_description:
+ type: string
+ title: "Access Governance Instance Description in Non-Prod."
+ description: "Description of the Access Governance Service Instance."
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_ag_license_type:
+ type: enum
+ enum:
+ - "Access Governance Premium"
+ - "Access Governance for Oracle Workloads"
+ - "Access Governance for Oracle Cloud Infrastructure"
+ title: "Access Governance Instance License Type in Non-Prod."
+ description: "License Type for Access Governance Instance"
+ default: "Access Governance for Oracle Cloud Infrastructure"
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_agcs_user_email:
+ type: string
+ title: "Access Governance User's Email in Non-Prod."
+ description: "Email of the New Access Governance User."
+ pattern: ^[^\s@]+@[^\s@]+\.[^\s@]+$
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_agcs_user_name:
+ type: string
+ title: "Access Governance User’s Name in Non-Prod."
+ description: "Name for creating Access Governance User"
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_agcs_user_group_display_name:
+ type: string
+ title: "Access Governance User's Group Name in Non-Prod."
+ description: "User will become part of this group for policy assignment."
+ required: true
+ visible: nonprod_enable_access_governance
+ nonprod_oci_system_name:
+ type: string
+ title: "OCI Connected System Name in Non-Prod."
+ description: "Display Name for the OCI Connected System in Access Governance."
+ required: true
+ default: "Local-OCI-System-Non-Prod"
+ visible: nonprod_enable_access_governance
+ nonprod_oci_system_description:
+ type: string
+ title: "OCI Connected System Description in Non-Prod."
+ description: "Description of the Connected System."
+ required: true
+ default: "Non-Prod OCI Connected System."
+ visible: nonprod_enable_access_governance
\ No newline at end of file
From 7bce23f15b4a1e0751f743b97c3af7baca8b91f6 Mon Sep 17 00:00:00 2001
From: Rory Nguyen
Date: Tue, 13 Feb 2024 09:33:55 -0800
Subject: [PATCH 10/21] Added backup region provider block (#157)
---
 templates/enterprise-landing-zone/example.tfvars | 15 +++------------
 templates/enterprise-landing-zone/provider.tf | 10 ++++++++++
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars
index 856b2e70..0cde7650 100644
--- a/templates/enterprise-landing-zone/example.tfvars
+++ b/templates/enterprise-landing-zone/example.tfvars
@@ -10,7 +10,6 @@
 #api_fingerprint = "## YOUR OCI API KEY FINGERPRINT ##"
 #api_private_key_path = "## YOUR OCI API PRIVATE KEY FILE ##"
-
 # iam
 resource_label = "DEMO"
 prod_domain_admin_email = "an-example-email-address@oracle.com"
@@ -98,8 +97,7 @@ nonprod_platform_topic_endpoints = []
 nonprod_identity_topic_endpoints = []
 nonprod_workload_topic_endpoints = []
-#Logging
-
+# Logging
 onboard_log_analytics = false
 # Workload Expansion
@@ -108,13 +106,6 @@ nonprod_additional_workload_subnets_cidr_blocks = []
 prod_workload_compartment_names = []
 nonprod_workload_compartment_names = []
-
-
-=======
-prod_workload_compartment_names = []
-nonprod_workload_compartment_names = []
-
-
 #Network Firewall can be only deployed in Prod or Non_prod Enviornment
 enable_network_firewall_prod = true
@@ -122,7 +113,7 @@ enable_traffic_threat_log_prod = true
 nfw_subnet_type_prod = "public"
 nfw_instance_name_prod = "nfw_name"
 nfw_instance_policy_prod = "nfw_policy_name"
-enable_network_firewall_nonprod = "false"
+enable_network_firewall_nonprod = "false"
 ####################################### Access Governance ###################################################
 prod_enable_access_governance = false
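Review bot: `prod_service_instance_description`, `prod_agcs_user_name`, `prod_agcs_user_group_display_name` and their `nonprod_` counterparts are declared `required: true` with no `default:`, even though the access-governance-variables.tf hunks earlier in this patch now give each of them a default, so a Resource Manager user is forced to type a value that a CLI user gets for free; adding `default:` entries matching the `.tf` defaults (for example `default: "Oracle Access Governance Service Instance in Prod."`) would keep the two entry points equivalent. The two `*_agcs_user_name` titles use a curly apostrophe (`User’s`) where every other title in this hunk uses a plain `'`, which will look inconsistent in the form. `prod_agcs_user_name` also has no `pattern`, unlike the display-name and e-mail inputs beside it; if the user name has character constraints downstream, stating them here catches bad input at form time.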
@@ -166,4 +157,4 @@ prod_oci_system_name = "Prod Cloud Gateway"
 prod_oci_system_description = "Prod OCI System"
 nonprod_oci_system_name = "Non Prod Cloud Gateway"
-nonprod_oci_system_description = "Non Prod OCI System"
+nonprod_oci_system_description = "Non Prod OCI System"
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/provider.tf b/templates/enterprise-landing-zone/provider.tf
index cb138648..751e0116 100644
--- a/templates/enterprise-landing-zone/provider.tf
+++ b/templates/enterprise-landing-zone/provider.tf
@@ -58,6 +58,16 @@ provider "oci" {
 region = local.home_region[0]
 }
+provider "oci" {
+ alias = "backup_region"
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.current_user_ocid
+ fingerprint = var.api_fingerprint
+ private_key = var.api_private_key
+ private_key_path = var.api_private_key_path
+ region = var.backup_region
+}
+
 # -----------------------------------------------------------------------------
 # Provider Variables
 # -----------------------------------------------------------------------------
From a73a0eccf11f74a8bfbd9bab61270d0fa3265a04 Mon Sep 17 00:00:00 2001
From: vinaykumar-oci
Date: Tue, 13 Feb 2024 18:09:37 -0800
Subject: [PATCH 11/21] Create schema.yaml Updated DR/MR Schema YAML File.
---
 .../elz-backup-environment/schema.yaml | 449 ++++++++++++++++++
 1 file changed, 449 insertions(+)
 create mode 100644 templates/elz-backup/elz-backup-environment/schema.yaml
diff --git a/templates/elz-backup/elz-backup-environment/schema.yaml b/templates/elz-backup/elz-backup-environment/schema.yaml
new file mode 100644
index 00000000..89148bf5
--- /dev/null
+++ b/templates/elz-backup/elz-backup-environment/schema.yaml
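Review bot: The new `backup_region` provider alias carries no comment saying what it is for or which resources are expected to use it, unlike the commented sections that surround it in provider.tf; a line such as `# Secondary OCI provider for the backup/DR region; resources that live there select it with provider = oci.backup_region` above `provider "oci" {` would document that. The diffstat shows this patch touches only example.tfvars and provider.tf, so `var.backup_region` must already be declared in the template's variables; if it is not, `terraform validate` will fail on this block. The alias also appears to reuse the same `user_ocid`, `fingerprint` and key inputs as the providers above it, meaning one API principal spans both regions — worth stating in that comment so whoever reviews the IAM policies knows no separate backup-region identity is introduced here.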
@@ -0,0 +1,449 @@
+title: Oracle Enterprise Landing Zone v2 - DR/MR Feature
+description: Oracle Enterprise Landing Zone v2 - DR/MR Feature
+schemaVersion: 1.0.0
+version: "1.0.0"
+locale: en
+variableGroups:
+ - title: Provider Variables
+ visible: false
+ variables:
+ - api_fingerprint
+ - api_private_key_path
+ - region
+ - tenancy_ocid
+ - current_user_ocid
+ - title: Backup Region Variables
+ visible: true
+ variables:
+ - backup_region
+ - resource_label
+ - environment_prefix
+ - title: Compartment Variables
+ visible: true
+ variables:
+ - environment_compartment_id
+ - home_compartment_name
+ - home_compartment_id
+ - security_compartment_id
+ - network_compartment_id
+ - workload_compartment_id
+ - logging_compartment_id
+ - title: Monitoring Variables
+ visible: true
+ variables:
+ - network_topic_endpoints
+ - secops_topic_endpoints
+ - platform_topic_endpoints
+ - identity_topic_endpoints
+ - workload_topic_endpoints
+ - is_create_alarms
+ - enable_security_monitoring_alarms
+ - enable_network_monitoring_alarms
+ - enable_workload_monitoring_alarms
+ - title: Network Variables
+ visible: true
+ variables:
+ - enable_internet_gateway_hub
+ - enable_nat_gateway_hub
+ - enable_service_gateway_hub
+ - vcn_cidr_block
+ - public_subnet_cidr_block
+ - private_subnet_cidr_block
+ - private_spoke_subnet_web_cidr_block
+ - private_spoke_subnet_app_cidr_block
+ - private_spoke_subnet_db_cidr_block
+ - spoke_vcn_cidr
+ - enable_nat_gateway_spoke
+ - enable_service_gateway_spoke
+ - enable_network_firewall
+ - enable_traffic_threat_log
+ - nfw_subnet_type
+ - nfw_instance_name
+ - nfw_instance_policy
+ - title: Network Extension Variables
+ visible: true
+ variables:
+ - enable_vpn_or_fastconnect
+ - enable_vpn_on_environment
+ - cpe_ip_address
+ - cpe_display_name
+ - cpe_vendor
+ - ipsec_connection_static_routes
+ - remote_peering_connection_peer_id
+ - region_key
+ - title: Security Variables
+ visible: true
+ variables:
+ - bastion_client_cidr_block_allow_list
+ - title: Invisible Variables
+ visible: false
+ variables:
+ - retention_policy_duration_amount
+ - retention_policy_duration_time_unit
+ - create_master_encryption_key
+ - enable_replication
+ - replica_region
+ - vault_type
+ - igw_hub_check
+ - nat_gw_hub_check
+ - tunnel_a_display_name
+ - customer_bgp_asn
+ - bgp_cust_tunnela_ip
+ - bgp_oci_tunnela_ip
+ - shared_secret
+ - fastconnect_provider
+ - virtual_circuit_bandwidth_shape
+ - virtual_circuit_display_name
+ - provider_service_key_name
+ - fastconnect_routing_policy
+ - virtual_circuit_type
+ - customer_primary_bgp_peering_ip
+ - oracle_primary_bgp_peering_ip
+ - customer_secondary_bgp_peering_ip
+ - oracle_secondary_bgp_peering_ip
+ - virtual_circuit_customer_asn
+ - virtual_circuit_is_bfd_enabled
+ - bgp_md5auth_key
+ - enable_fastconnect_on_environment
+ - remote_peering_connection_peer_region_name
+ - customer_onprem_ip_cidr
+ - additional_workload_subnets_cidr_blocks
+ - is_baseline_deploy
+ - nfw_use_existing_network
+ - service_gw_hub_check
+ - ipsec_display_name
+ - routing
+ - tunnel_b_display_name
+ - add_ssh_to_security_list
+variables:
+ #Provider Variables
+ api_fingerprint:
+ type: string
+ description: The fingerprint of API
+ default: "Value not required in Oracle Resource Manager."
+ title: Api Fingerprint
+ api_private_key_path:
+ type: string
+ description: The local path to the API private key
+ default: "Value not required in Oracle Resource Manager."
+ title: Api Private Key Path
+ region:
+ type: string
+ description: "the OCI region LZ is deployed to."
+ title: Region
+ required: true
+ tenancy_ocid:
+ type: string
+ description: "The OCID of tenancy"
+ title: Tenancy OCID
+ current_user_ocid:
+ type: string
+ description: "OCID of the current user"
+ title: Current User OCID
+ #Backup Region Variables
+ backup_region:
+ type: string
+ description: "The name of Backup Region."
+ title: Backup Region
+ required: true
+ default: ""
+ resource_label:
+ type: string
+ description: "Unique Resource Identifier."
+ title: Resource Identifier
+ required: true
+ default: ""
+ environment_prefix:
+ type: string
+ description: "The unique prefix of environment compartment P or NP."
+ title: Environment Prefix
+ required: true
+ default: ""
+ #Compartment Related Variables
+ environment_compartment_id:
+ type: string
+ description: "Environment Compartment OCID Value"
+ title: Environment Compartment OCID
+ required: true
+ default: ""
+ home_compartment_name:
+ type: string
+ description: "Home Compartment Name"
+ title: Home Compartment Name
+ required: true
+ default: ""
+ home_compartment_id:
+ type: string
+ description: "Home Compartment OCID Value"
+ title: Home Compartment OCID
+ required: true
+ default: ""
+ security_compartment_id:
+ type: string
+ description: "Security Compartment OCID Value"
+ title: Security Compartment OCID
+ required: true
+ default: ""
+ network_compartment_id:
+ type: string
+ description: "Network Compartment OCID Value"
+ title: Network Compartment OCID
+ required: true
+ default: ""
+ workload_compartment_id:
+ type: string
+ description: "Workload Compartment OCID Value"
+ title: Workload Compartment OCID
+ required: true
+ default: ""
+ logging_compartment_id:
+ type: string
+ description: "Logging Compartment OCID Value"
+ title: Logging Compartment OCID
+ required: true
+ default: ""
+ #Monitoring Variables
+ network_topic_endpoints:
+ type: array
+ items:
+ type: string
+ pattern: ^[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}$
+ description: "List of email addresses for Network Warning and Critical notifications."
+ required: false
+ default: []
+ title: Network Warning and Critical Notification Recipient Email List"
+ secops_topic_endpoints:
+ type: array
+ items:
+ type: string
+ pattern: ^[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}$
+ description: "List of email addresses for Security Warning and Critical notifications."
+ required: false
+ default: []
+ title: Security Warning and Critical Notification Recipient Email List"
+ platform_topic_endpoints:
+ type: array
+ items:
+ type: string
+ pattern: ^[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}$
+ description: "List of email addresses for Platform Warning and Critical notifications."
+ required: false
+ default: []
+ title: Platform Warning and Critical Notification Recipient Email List"
+ identity_topic_endpoints:
+ type: array
+ items:
+ type: string
+ pattern: ^[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}$
+ description: "List of email addresses for Identity Warning and Critical notifications."
+ required: false
+ default: []
+ title: Identity Warning and Critical Notification Recipient Email List"
+ workload_topic_endpoints:
+ type: array
+ items:
+ type: string
+ pattern: ^[^\s@]+@([^\s@.,]+\.)+[^\s@.,]{2,}$
+ description: "List of email addresses for Workload Warning and Critical notifications."
+ required: false
+ default: []
+ title: Workload Warning and Critical Notification Recipient Email List"
+ is_create_alarms:
+ type: boolean
+ description: "Option to Enable Alarms."
+ default: true
+ required: true
+ title: Enable Alarms
+ enable_security_monitoring_alarms:
+ type: boolean
+ description: "Option to Enable Monitoring Security Alarms."
+ default: true
+ required: true
+ title: Enable Monitoring Security Alarm
+ enable_network_monitoring_alarms:
+ type: boolean
+ description: "Option to Enable Monitoring Network Alarms."
+ default: true
+ required: true
+ title: Enable Monitoring Network Alarms
+ enable_workload_monitoring_alarms:
+ type: boolean
+ description: "Option to Enable Monitoring Workload Alarms."
+ default: true
+ required: true
+ title: Enable Monitoring Workload Alarms
+ # Network Variables
+ enable_internet_gateway_hub:
+ type: boolean
+ description: "Option to enable internet gateway in Backup Region"
+ default: true
+ required: true
+ title: Enable Internet Gateway in Backup Region
+ enable_nat_gateway_hub:
+ type: boolean
+ description: "Option to enable NAT gateway in Backup Region"
+ default: true
+ required: true
+ title: Enable NAT Gateway in Backup Region
+ enable_service_gateway_hub:
+ type: boolean
+ description: "Option to enable Service gateway in Backup Region"
+ default: true
+ required: true
+ title: Enable Service Gateway in Backup Region
+ vcn_cidr_block:
+ type: string
+ description: "VCN CIDR Block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: VCN CIDR Block
+ default: ""
+ public_subnet_cidr_block:
+ type: string
+ description: "Public subnet CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: Public Subnet CIDR Block
+ default: ""
+ private_subnet_cidr_block:
+ type: string
+ description: "Private subnet CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: Private Subnet CIDR Block
+ default: ""
+ private_spoke_subnet_web_cidr_block:
+ type: string
+ description: "Web subnet CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: Web Subnet CIDR Block
+ default: ""
+ private_spoke_subnet_app_cidr_block:
+ type: string
+ description: "App subnet CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: APP Subnet CIDR Block
+ default: ""
+ private_spoke_subnet_db_cidr_block:
+ type: string
+ description: "DB subnet CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: DB Subnet CIDR Block
+ default: ""
+ spoke_vcn_cidr:
+ type: string
+ description: "Spoke VCN CIDR block"
+ required: true
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ title: Spoke VCN CIDR block
+ default: ""
+ enable_nat_gateway_spoke:
+ type: boolean
+ description: "Option to Enable NAT gateway"
+ default: true
+ required: true
+ title: Enable NAT Gateway
+ enable_service_gateway_spoke:
+ type: boolean
+ description: "Option to Enable Service Gateway"
+ default: true
+ required: true
+ title: Enable Service Gateway
+ enable_network_firewall:
+ type: boolean
+ description: "Enable Network Firewall on Backup Region"
+ required: true
+ default: false
+ title: Enable Network Firewall on Backup Region
+ enable_traffic_threat_log:
+ type: boolean
+ description: "Option to Enable Network Firewall Traffic and Threat log"
+ default: false
+ required: true
+ title: Enable Network Firewall Traffic and Threat log
+ nfw_subnet_type:
+ type: string
+ description: "Option to select network firewall subnet type"
+ default: "private"
+ required: true
+ title: Select network firewall subnet type public or private
+ nfw_instance_name:
+ type: string
+ description: "Network firewall Instance Name"
+ default: ""
+ required: false
+ title: Network firewall Instance Name in Prod
+ nfw_instance_policy:
+ type: string
+ description: "Network firewall Policy Name"
+ default: ""
+ required: false
+ title: Network firewall Policy Name in Prod
+ #Network Extension Variables
+ enable_vpn_or_fastconnect:
+ type: enum
+ description: "Enable VPN or FASTCONNECT. Options: NONE, VPN, FASTCONNECT"
+ enum:
+ - "NONE"
+ - "VPN"
+ - "FASTCONNECT"
+ required: true
+ default: "NONE"
+ title: Enable VPN or Fastconnect
+ enable_vpn_on_environment:
+ type: boolean
+ description: "Enable VPN on Backup Region"
+ required: true
+ default: false
+ title: Enable VPN on Backup Region
+ cpe_ip_address:
+ type: string
+ description: "Customer Premises Equipment IP address"
+ required: false
+ default: ""
+ title: CPE IP Address in Backup Region
+ cpe_display_name:
+ type: string
+ description: "Customer Premises Equipment name in backup region"
+ required: false
+ default: ""
+ title: CPE Display Name in Backup Region
+ cpe_vendor:
+ type: number
+ description: "Type corresponding number as your CPE vendor: Yamaha-RTX1210 0, Other 1, Cisco-9.7.1-or-later 2, Yamaha-RTX830 3, Libreswan 4, Fortinet 5, NEC 6, Cisco-8.5+ 7, Cisco-IOS 8, WatchGuard 9, Juniper-MX 10, Juniper-SRX 11, Furukawa 12, Check_Point 13, Palo_Alto 14"
+ required: false
+ default: 4
+ title: CPE Vendor
+ ipsec_connection_static_routes:
+ type: string
+ description: "BGP dynamic routing, STATIC routing. Type BGP or STATIC"
+ required: false
+ default: STATIC
+ title: IPsec Routing Type in Backup Region
+ remote_peering_connection_peer_id:
+ type: string
+ description: "Remote Peering ID"
+ required: false
+ default: ""
+ title: Remote Peering ID
+ region_key:
+ type: string
+ description: "RPC Region key"
+ required: false
+ default: ""
+ title: RPC Region key
+ #Security Variables
+ bastion_client_cidr_block_allow_list:
+ type: array
+ items:
+ type: string
+ pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
+ description: "A list of address ranges in CIDR notation that bastion is allowed to connect"
+ required: true
+ title: Bastion Client CIDR Block Allow List
+ default: ""
+
+
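Review bot: `bastion_client_cidr_block_allow_list` is declared `type: array` but given `default: ""`, a string, which is the wrong type for an array input and an odd default for a `required: true` allow list; `default: []`, as the `*_topic_endpoints` arrays in this same file use, or no default at all, is what the type calls for. The five `*_topic_endpoints` titles end in a stray `"` (e.g. `title: Network Warning and Critical Notification Recipient Email List"`), which the form will display literally. `nfw_subnet_type` and `ipsec_connection_static_routes` are free-text strings whose descriptions list a closed set of values (`public`/`private`, `BGP`/`STATIC`); declaring them `type: enum` with those values, as `enable_vpn_or_fastconnect` already does, rejects typos at form time instead of at apply time. The `nfw_instance_name` and `nfw_instance_policy` titles still read `... in Prod` although this schema is for the backup region.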
From a14c5954ce72ec68dbef06afc1ae20f4a90b54c8 Mon Sep 17 00:00:00 2001
From: Rory Nguyen
Date: Thu, 15 Feb 2024 13:00:22 -0800
Subject: [PATCH 12/21] Cloud guard target tenancy variable update (#163)
* set default value false for cloud guard variable
* updated variable description and tfvars
* removed target tenancy variable
* updated documentation
---
 .../OELZ_Baseline_Deployment/CONFIGURATION.md | 3 +-
 templates/elz-environment/README.md | 1 -
 templates/elz-environment/main.tf | 1 -
 templates/elz-environment/variables.tf | 5 ----
 templates/elz-security/README.md | 1 -
 templates/elz-security/main.tf | 6 ++--
 templates/elz-security/variables.tf | 5 ----
 templates/enterprise-landing-zone/README.md | 1 -
 .../enterprise-landing-zone/environment.tf | 30 +++++++++----------
 .../enterprise-landing-zone/example.tfvars | 11 ++++---
 templates/enterprise-landing-zone/schema.yaml | 7 -----
 templates/enterprise-landing-zone/security.tf | 11 ++-----
 .../enterprise-landing-zone/variables.tf | 6 ----
 13 files changed, 24 insertions(+), 64 deletions(-)
diff --git a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
index b301ba7b..c82e7bd2 100644
--- a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
+++ b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
@@ -544,7 +544,7 @@ The OELZ deploys configurations for multiple security services. VSS (Vulnerabili CloudGuard can monitor for a multitude of security conditions. The OELZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring. -By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that. An option is for CloudGuard to monitor the entire tenancy is there and it is controlled by the [cloud_guard_target_tenancy](../../templates/enterprise-landing-zone/README.md#inputs) variable. This is a Boolean variable that defaults to `false`. If it is set to `true` CloudGuard will be configured to monitor the entire tenancy, instead of just the OELZ Home compartment. +By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that. Cloud Guard Target will be deployed in base compartment of both L2-Prod and L2-Non-Prod environments along with related IAM policies. All Oracle managed responder recipes will reside in L4 Security compartment of each environment. @@ -563,7 +563,6 @@ For further details on CloudGuard, see the [Cloud Guard documentation](https://d | Name | Description | Type | Default | Required | | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | `true` | no | - | [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to OELZ home compartment | `bool` | `false` | no | ### Bastion Sub Module 
diff --git a/templates/elz-environment/README.md b/templates/elz-environment/README.md
index 10ad228e..b2b13217 100644
--- a/templates/elz-environment/README.md
+++ b/templates/elz-environment/README.md
@@ -50,7 +50,6 @@
 | [budget\_alert\_rule\_recipients](#input\_budget\_alert\_rule\_recipients) | The delimited list of email addresses to receive the alert when it triggers. Delimiter characters can be a comma, space, TAB, or semicolon | `string` | `""` | no |
 | [budget\_alert\_rule\_threshold](#input\_budget\_alert\_rule\_threshold) | The threshold for the budget alert. | `string` | `""` | no |
 | [budget\_amount](#input\_budget\_amount) | The amount of the budget expressed as a whole number in the currency of the customer's rate card. | `string` | `""` | no |
-| [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
 | [cost\_center\_tagging](#input\_cost\_center\_tagging) | Cost Center Varible | `string` | n/a | yes |
 | [cpe\_display\_name](#input\_cpe\_display\_name) | n/a | `string` | n/a | yes |
 | [cpe\_ip\_address](#input\_cpe\_ip\_address) | Customer Premises Equipment (CPE) IP address | `string` | n/a | yes |
diff --git a/templates/elz-environment/main.tf b/templates/elz-environment/main.tf
index 97dfca10..5ab84fc8 100644
--- a/templates/elz-environment/main.tf
+++ b/templates/elz-environment/main.tf
@@ -94,7 +94,6 @@ module "security" {
 enable_cloud_guard = var.enable_cloud_guard
 resource_label = var.resource_label
 home_compartment_id = var.home_compartment_id
- cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
 tenancy_ocid = var.tenancy_ocid
 environment_prefix = var.environment_prefix
 home_compartment_name = var.home_compartment_name
diff --git a/templates/elz-environment/variables.tf b/templates/elz-environment/variables.tf
index 2567ef2f..5f451b85 100644
--- a/templates/elz-environment/variables.tf
+++ b/templates/elz-environment/variables.tf
@@ -172,11 +172,6 @@ variable "enable_cloud_guard" {
 description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
 }
-variable "cloud_guard_target_tenancy" {
- type = bool
- description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
-}
-
 # -----------------------------------------------------------------------------
 # Tagging Variables
 # -----------------------------------------------------------------------------
diff --git a/templates/elz-security/README.md b/templates/elz-security/README.md
index ac7b28c1..86bd3e86 100644
--- a/templates/elz-security/README.md
+++ b/templates/elz-security/README.md
@@ -38,7 +38,6 @@
 |------|-------------|------|---------|:--------:|
 | [bastion\_client\_cidr\_block\_allow\_list](#input\_bastion\_client\_cidr\_block\_allow\_list) | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | `list(string)` | n/a | yes |
 | [bastion\_target\_subnet\_id](#input\_bastion\_target\_subnet\_id) | The OCID of the subnet that the bastion connects to | `string` | n/a | yes |
-| [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
 | [create\_master\_encryption\_key](#input\_create\_master\_encryption\_key) | Option create master encryption key | `bool` | n/a | yes |
 | [enable\_bastion](#input\_enable\_bastion) | Option to enable bastion service | `bool` | n/a | yes |
 | [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | n/a | yes |
diff --git a/templates/elz-security/main.tf b/templates/elz-security/main.tf
index 9f4db930..a9d23bec 100644
--- a/templates/elz-security/main.tf
+++ b/templates/elz-security/main.tf
@@ -13,8 +13,6 @@ locals {
 activity_detector_recipe_display_name = "OCI Activity Detector Recipe"
 threat_detector_recipe_display_name = "OCI Threat Detector Recipe"
 responder_recipe_display_name = "OCI Responder Recipe"
- compartment_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
- target_resource_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
 }
 vss = {
@@ -62,9 +60,9 @@ module "cloud_guard" {
 tenancy_ocid = var.tenancy_ocid
 region = var.region
 status = local.cloud_guard.status
- compartment_id = local.cloud_guard.compartment_id
+ compartment_id = var.environment_compartment_id
 display_name = local.cloud_guard.display_name
- target_resource_id = local.cloud_guard.target_resource_id
+ target_resource_id = var.environment_compartment_id
 target_resource_type = local.cloud_guard.target_resource_type
 description = local.cloud_guard.description
 configuration_detector_recipe_display_name = local.cloud_guard.configuration_detector_recipe_display_name
diff --git a/templates/elz-security/variables.tf b/templates/elz-security/variables.tf
index ccc6d881..653ba04b 100644
--- a/templates/elz-security/variables.tf
+++ b/templates/elz-security/variables.tf
@@ -33,11 +33,6 @@ variable "tenancy_ocid" {
 description = "The OCID of tenancy"
 }
-variable "cloud_guard_target_tenancy" {
- type = bool
- description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
-}
-
 variable "region" {
 type = string
 description = "The OCI region"
diff --git a/templates/enterprise-landing-zone/README.md b/templates/enterprise-landing-zone/README.md
index a3f8275f..e78b217d 100644
--- a/templates/enterprise-landing-zone/README.md
+++ b/templates/enterprise-landing-zone/README.md
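Review bot: In `@@ -62,9 +60,9 @@` `compartment_id` and `target_resource_id` now read `var.environment_compartment_id` directly while every other argument of `module "cloud_guard"` is taken from `local.cloud_guard`, the map that `@@ -13,8 +13,6 @@` just trimmed; keeping the two values in that map (`compartment_id = var.environment_compartment_id` and `target_resource_id = var.environment_compartment_id` inside `cloud_guard = {`) leaves the module call uniform and keeps the target scope defined in one place. With the tenancy option removed, this Cloud Guard target covers only the environment compartment and its children, which is a narrower monitoring boundary than the configuration it replaces; a one-line comment above the module call, `# Cloud Guard target is scoped to this environment's compartment; resources outside it are not monitored by this target`, records that where the next reader will look. The `module "cloud_guard"` block continues outside the hunk.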
@@ -70,7 +70,6 @@ Version 2 of Oracle Enterprise Landing Zone | [archive\_log\_retention\_policy\_duration\_time\_unit](#input\_archive\_log\_retention\_policy\_duration\_time\_unit) | The unit that should be used to interpret timeAmount. | `string` | `"DAYS"` | no | | [bgp\_md5auth\_key](#input\_bgp\_md5auth\_key) | The key for BGP MD5 authentication. Only applicable if your system requires MD5 authentication | `string` | `""` | no | | [break\_glass\_user\_email\_list](#input\_break\_glass\_user\_email\_list) | Unique list of break glass user email addresses that do not exist in the tenancy. These users are added to the Administrator group. | `list(string)` | `[]` | no | -| [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | `false` | no | | [current\_user\_ocid](#input\_current\_user\_ocid) | The OCID of the current user | `string` | `""` | no | | [customer\_onprem\_ip\_cidr](#input\_customer\_onprem\_ip\_cidr) | n/a | `list(string)` | `[]` | no | | [customer\_primary\_bgp\_peering\_ip](#input\_customer\_primary\_bgp\_peering\_ip) | The primary BGP IPv4 address of the customer's router | `string` | `""` | no | diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index 4fa17b5b..de3ef293 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf @@ -45,7 +45,6 @@ module "prod_environment" { budget_alert_rule_message = var.prod_budget_alert_rule_message budget_alert_rule_recipients = var.prod_budget_alert_rule_recipients enable_cloud_guard = var.enable_cloud_guard - cloud_guard_target_tenancy = var.cloud_guard_target_tenancy is_create_alarms = var.is_create_alarms is_service_connector_limit = var.is_service_connector_limit domain_license_type = var.domain_license_type 
@@ -140,13 +139,13 @@ module "prod_environment" { # Access Governance Variables - ag_current_user_ocid = var.current_user_ocid - ag_api_fingerprint = var.api_fingerprint - ag_region = var.region - ag_tenancy_ocid = var.tenancy_ocid - ag_api_private_key_path = var.api_private_key_path - admin_domain_name = var.admin_domain_name - admin_domain_compartment_ocid = var.admin_domain_compartment_ocid + ag_current_user_ocid = var.current_user_ocid + ag_api_fingerprint = var.api_fingerprint + ag_region = var.region + ag_tenancy_ocid = var.tenancy_ocid + ag_api_private_key_path = var.api_private_key_path + admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid enable_access_governance = var.prod_enable_access_governance service_instance_description = var.prod_service_instance_description @@ -224,7 +223,6 @@ module "nonprod_environment" { is_service_connector_limit = var.is_service_connector_limit domain_license_type = var.domain_license_type enable_cloud_guard = var.enable_cloud_guard - cloud_guard_target_tenancy = var.cloud_guard_target_tenancy home_compartment_name = var.home_compartment_name enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect cpe_ip_address = var.nonprod_cpe_ip_address 
@@ -320,13 +318,13 @@ module "nonprod_environment" { additional_workload_subnets_cidr_blocks = var.nonprod_additional_workload_subnets_cidr_blocks # Access Governance Variables - ag_current_user_ocid = var.current_user_ocid - ag_api_fingerprint = var.api_fingerprint - ag_region = var.region - ag_tenancy_ocid = var.tenancy_ocid - ag_api_private_key_path = var.api_private_key_path - admin_domain_name = var.admin_domain_name - admin_domain_compartment_ocid = var.admin_domain_compartment_ocid + ag_current_user_ocid = var.current_user_ocid + ag_api_fingerprint = var.api_fingerprint + ag_region = var.region + ag_tenancy_ocid = var.tenancy_ocid + ag_api_private_key_path = var.api_private_key_path + admin_domain_name = var.admin_domain_name + admin_domain_compartment_ocid = var.admin_domain_compartment_ocid enable_access_governance = var.nonprod_enable_access_governance service_instance_description = var.nonprod_service_instance_description diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index 0cde7650..b2de49a2 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars @@ -18,7 +18,6 @@ enable_compartment_delete = false # security enable_cloud_guard = true -cloud_guard_target_tenancy = false nonprod_enable_bastion = true prod_enable_bastion = true prod_bastion_client_cidr_block_allow_list = ["10.0.0.0/16", "10.0.0.0/24"] @@ -98,13 +97,13 @@ nonprod_identity_topic_endpoints = [] nonprod_workload_topic_endpoints = [] # Logging -onboard_log_analytics = false +onboard_log_analytics = false # Workload Expansion prod_additional_workload_subnets_cidr_blocks = [] nonprod_additional_workload_subnets_cidr_blocks = [] -prod_workload_compartment_names = [] -nonprod_workload_compartment_names = [] +prod_workload_compartment_names = [] +nonprod_workload_compartment_names = [] #Network Firewall can be only deployed in Prod or Non_prod Enviornment 
@@ -123,11 +122,11 @@ admin_domain_compartment_ocid = "" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" -prod_service_instance_display_name = "" +#prod_service_instance_display_name = "" prod_service_instance_description = "Prod OAG service instance" nonprod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" -nonprod_service_instance_display_name = "" +#nonprod_service_instance_display_name = "" nonprod_service_instance_description = "Non Prod OAG service instance" # ACCESS GOVERNANCE USER COMMON DETAILS diff --git a/templates/enterprise-landing-zone/schema.yaml b/templates/enterprise-landing-zone/schema.yaml index 748d7051..d480bed2 100644 --- a/templates/enterprise-landing-zone/schema.yaml +++ b/templates/enterprise-landing-zone/schema.yaml @@ -45,7 +45,6 @@ variableGroups: visible: true variables: - enable_cloud_guard - - cloud_guard_target_tenancy - prod_enable_bastion - prod_bastion_client_cidr_block_allow_list - nonprod_enable_bastion @@ -492,12 +491,6 @@ variables: default: true required: true title: Enable Cloud Guard - cloud_guard_target_tenancy: - type: boolean - description: "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment." - default: false - required: true - title: Cloud Guard Target Tenancy prod_enable_bastion: type: boolean description: "Option to enable bastion service in prod" diff --git a/templates/enterprise-landing-zone/security.tf b/templates/enterprise-landing-zone/security.tf index 40bfdb5e..b2756c7d 100644 --- a/templates/enterprise-landing-zone/security.tf +++ b/templates/enterprise-landing-zone/security.tf 
@@ -37,14 +37,7 @@ locals { name = "${var.resource_label}-OCI-ELZ-CGTarget-Policy" description = "OCI Enterprise Landing Zone Cloud Guard Target Policy" - statements = var.cloud_guard_target_tenancy ? [ - "Allow service cloudguard to manage instance-family in tenancy", - "Allow service cloudguard to manage object-family in tenancy", - "Allow service cloudguard to manage buckets in tenancy", - "Allow service cloudguard to manage users in tenancy", - "Allow service cloudguard to manage policies in tenancy", - "Allow service cloudguard to manage keys in tenancy" - ] : [ + statements = [ "Allow service cloudguard to manage instance-family in compartment ${var.home_compartment_name}", "Allow service cloudguard to manage object-family in compartment ${var.home_compartment_name}", "Allow service cloudguard to manage buckets in compartment ${var.home_compartment_name}", @@ -135,7 +128,7 @@ module "cloud_guard_root_policy" { module "cloud_guard_target_policy" { count = var.enable_cloud_guard ? 1 : 0 source = "../../modules/policies" - compartment_ocid = var.cloud_guard_target_tenancy ? var.tenancy_ocid : module.home_compartment.compartment_id + compartment_ocid = module.home_compartment.compartment_id policy_name = local.cloud_guard_target_policy.name description = local.cloud_guard_target_policy.description statements = local.cloud_guard_target_policy.statements diff --git a/templates/enterprise-landing-zone/variables.tf b/templates/enterprise-landing-zone/variables.tf index f4d7ae23..10adae37 100644 --- a/templates/enterprise-landing-zone/variables.tf +++ b/templates/enterprise-landing-zone/variables.tf 
@@ -251,12 +251,6 @@ variable "enable_cloud_guard" { description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled." } -variable "cloud_guard_target_tenancy" { - type = bool - default = false - description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment" -} - variable "prod_bastion_client_cidr_block_allow_list" { type = list(string) default = ["0.0.0.0/0"] From d19f39d24fa64fa698bafb458c8b97c241fa375a Mon Sep 17 00:00:00 2001 From: Yupei Yang Date: Fri, 16 Feb 2024 11:41:12 -0800 Subject: [PATCH 13/21] refactor bastion module from security to workload --- templates/elz-environment/main.tf | 3 --- templates/elz-environment/workload.tf | 3 +++ templates/elz-security/main.tf | 13 ------------- templates/elz-security/outputs.tf | 4 ---- templates/elz-security/variables.tf | 16 ---------------- templates/elz-workload/security.tf | 15 +++++++++++++++ templates/elz-workload/variables.tf | 18 ++++++++++++++++++ .../elz-workload/workload_extension.tfvars | 7 +++++++ 8 files changed, 43 insertions(+), 36 deletions(-) diff --git a/templates/elz-environment/main.tf b/templates/elz-environment/main.tf index 5ab84fc8..0c74b093 100644 --- a/templates/elz-environment/main.tf +++ b/templates/elz-environment/main.tf @@ -100,9 +100,6 @@ module "security" { region = var.region environment_compartment_id = module.compartment.compartments.environment.id security_compartment_id = module.compartment.compartments.security.id - enable_bastion = var.enable_bastion - bastion_target_subnet_id = module.network.spoke_web_subnet_ocid - bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list vault_type = var.vault_type replica_region = var.vault_replica_region enable_replication = var.enable_vault_replication diff --git a/templates/elz-environment/workload.tf b/templates/elz-environment/workload.tf index ebdbbe93..9fbe4509 100644 --- a/templates/elz-environment/workload.tf 
+++ b/templates/elz-environment/workload.tf @@ -50,6 +50,9 @@ module "workload" { workload_spoke_vcn_cidr = var.spoke_vcn_cidr enable_datasafe = var.enable_datasafe idcs_endpoint = module.identity.idcs_endpoint + enable_bastion = var.enable_bastion + bastion_target_subnet_id = module.network.spoke_web_subnet_ocid + bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list providers = { oci = oci diff --git a/templates/elz-security/main.tf b/templates/elz-security/main.tf index a9d23bec..67dfc6f9 100644 --- a/templates/elz-security/main.tf +++ b/templates/elz-security/main.tf @@ -24,10 +24,6 @@ locals { vss_scan_schedule = "DAILY" } - bastion = { - name = "${var.resource_label}-OCI-ELZ-BAS-${var.environment_prefix}" - } - vault = { name = "${var.resource_label}-OCI-ELZ-VAL-${var.environment_prefix}" } @@ -88,15 +84,6 @@ module "vss" { host_scan_target_display_name = local.vss.host_scan_target_display_name } -module "bastion" { - source = "../../modules/bastion" - count = var.enable_bastion ? 1 : 0 - target_subnet_id = var.bastion_target_subnet_id - bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list - bastion_name = local.bastion.name - compartment_id = var.security_compartment_id -} - module "vault" { source = "../../modules/vault" # vault_type = "NONE" is used for testing. diff --git a/templates/elz-security/outputs.tf b/templates/elz-security/outputs.tf index 2f02a5d9..c23bf524 100644 --- a/templates/elz-security/outputs.tf +++ b/templates/elz-security/outputs.tf @@ -7,10 +7,6 @@ output "key_id" { value = local.create_key ? module.key[0].key_ocid : null } -output "bastion_id" { - value = var.enable_bastion ? module.bastion[0].bastion_ocid : null -} - output "vault_id" { value = var.vault_type != "NONE" ? module.vault[0].management_endpoint : null } \ No newline at end of file diff --git a/templates/elz-security/variables.tf b/templates/elz-security/variables.tf index 653ba04b..780777db 100644 
--- a/templates/elz-security/variables.tf +++ b/templates/elz-security/variables.tf @@ -48,22 +48,6 @@ variable "environment_compartment_id" { description = "The OCID of environment compartment" } -// Bastion Variables -variable "bastion_target_subnet_id" { - type = string - description = "The OCID of the subnet that the bastion connects to" -} - -variable "bastion_client_cidr_block_allow_list" { - type = list(string) - description = "A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion." -} - -variable "enable_bastion" { - type = bool - description = "Option to enable bastion service" -} - // Vault & Key Variables variable "vault_type" { type = string diff --git a/templates/elz-workload/security.tf b/templates/elz-workload/security.tf index ffd2c59d..1f19bcac 100644 --- a/templates/elz-workload/security.tf +++ b/templates/elz-workload/security.tf @@ -24,6 +24,12 @@ locals { "Allow dynamic-group ${module.workload_osms_dynamic_group.name} to use osms-managed-instances in compartment ${module.workload_compartment.compartment_name}" ] } + + bastion = { + name = "${var.resource_label}-OCI-ELZ-BAS-${var.environment_prefix}" + bastion_target_subnet_id = var.workload_expansion_flag ? module.workload_expansion_spoke[0].spoke_web_subnet_ocid : var.bastion_target_subnet_id + } + } module "workload_osms_dynamic_group" { source = "../../modules/dynamic-group" @@ -40,4 +46,13 @@ module "workload_osms_dg_policy" { policy_name = local.osms_dg_policy_workload.name description = local.osms_dg_policy_workload.description statements = local.osms_dg_policy_workload.statements +} + +module "bastion" { + source = "../../modules/bastion" + count = var.enable_bastion ? 1 : 0 + target_subnet_id = local.bastion.bastion_target_subnet_id + bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list + bastion_name = local.bastion.name + compartment_id = var.security_compartment_id } \ No newline at end of file 
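Review bot: The display name in the new `bastion` local is built only from `resource_label` and `environment_prefix`, so every workload expansion deployed into the same environment computes the same bastion name while the resource is still created in the shared `security_compartment_id`; if the Bastion service requires names to be unique per compartment (verify against the provider), the second workload's apply fails, and even if it does not, two identically named bastions are indistinguishable in audit logs. Suggest scoping the name to the workload, e.g. `name = "${var.resource_label}-OCI-ELZ-BAS-${var.environment_prefix}-${module.workload_compartment.compartment_name}"`, reusing the reference this file already makes in the OSMS policy statements. The enclosing `locals` block starts before the hunk.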
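Review bot: The new `module "bastion"` has no corresponding output: the `bastion_id` output removed from templates/elz-security/outputs.tf in this commit is not re-added in elz-workload (the diffstat lists no elz-workload/outputs.tf), so the bastion OCID is no longer exported from any template and operators have to look it up in the console to create sessions; if elz-environment still references `module.security.bastion_id` that reference also breaks. Suggest adding to templates/elz-workload/outputs.tf: `output "bastion_id" { value = var.enable_bastion ? module.bastion[0].bastion_ocid : null }`.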
diff --git a/templates/elz-workload/variables.tf b/templates/elz-workload/variables.tf index 91f6b220..e77e6ca8 100644 --- a/templates/elz-workload/variables.tf +++ b/templates/elz-workload/variables.tf @@ -236,4 +236,22 @@ variable "environment_compartment_name" { type = string description = "the name of the compartment where the environment was created." default = "" +} + +# ----------------------------------------------------------------------------- +# Bastion Variables +# ----------------------------------------------------------------------------- +variable "bastion_target_subnet_id" { + type = string + description = "The OCID of the subnet that the bastion connects to" +} + +variable "bastion_client_cidr_block_allow_list" { + type = list(string) + description = "A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion." +} + +variable "enable_bastion" { + type = bool + description = "Option to enable bastion service" } \ No newline at end of file diff --git a/templates/elz-workload/workload_extension.tfvars b/templates/elz-workload/workload_extension.tfvars index bea4121c..e78ed61b 100644 --- a/templates/elz-workload/workload_extension.tfvars +++ b/templates/elz-workload/workload_extension.tfvars @@ -69,5 +69,12 @@ enable_network_monitoring_alarms = false enable_security_monitoring_alarms = false enable_workload_monitoring_alarms = false +##################################################### +# Workload Expansion Security Variables +##################################################### +enable_bastion = true +bastion_client_cidr_block_allow_list = ["10.0.0.0/16", "10.0.0.0/24"] + + # Workload Expansion #baseline_spoke_subnets_cidr_blocks = [] From a2950108f8b88428509c6987647ff8d52cefe53a Mon Sep 17 00:00:00 2001 
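Review bot: `bastion_target_subnet_id` is declared without a default, so Terraform treats it as required on every workload-expansion run even though security.tf only reads it when `workload_expansion_flag` is false, and the sample `workload_extension.tfvars` added in this same commit does not set it; give it a default and state in the description when it is ignored. The CIDR allow list is also handed to the bastion with no shape check, so a malformed entry only surfaces at apply; a `validation` block using `can(cidrhost(c, 0))` rejects it at plan time (the docs in this series ask for Terraform 1.7.3+, so `alltrue`/`can` are available). Suggested declarations:
```hcl
variable "bastion_target_subnet_id" {
  type        = string
  description = "The OCID of the subnet that the bastion connects to (ignored when workload_expansion_flag is true)"
  default     = ""
}

variable "bastion_client_cidr_block_allow_list" {
  type        = list(string)
  description = "A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion."
  validation {
    condition     = alltrue([for c in var.bastion_client_cidr_block_allow_list : can(cidrhost(c, 0))])
    error_message = "Every entry in bastion_client_cidr_block_allow_list must be a valid CIDR block."
  }
}
# … unchanged: enable_bastion …
```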
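Review bot: In the new sample `bastion_client_cidr_block_allow_list = ["10.0.0.0/16", "10.0.0.0/24"]`, the `/24` is entirely contained in the `/16`, so the second entry adds nothing and looks like two different networks were intended. Since operators copy this file, one narrow example with a warning reads better: `bastion_client_cidr_block_allow_list = ["10.0.0.0/24"] # source CIDRs allowed to create bastion sessions; never 0.0.0.0/0`. The sample also leaves `bastion_target_subnet_id` unset, which variables.tf in this commit declares without a default, so a non-interactive run fails until it is set or given a default.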
From: Shamsul Haque Date: Wed, 21 Feb 2024 00:05:02 +0530 Subject: [PATCH 14/21] Feature/agcs 8397 oag integration (#161) * Added another field to ask compartment for Admin's Domain * Implemented AG instance application name change. * Implemented new Control Plane changes and improved documentation. * Added OAG variables in schema to support resource manager deployment and added few default values. * Updated Documentation * Improved documentation --- .../IMPLEMENTATION.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 7f9fe572..9435ae3b 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -1,6 +1,17 @@ # Oracle Enterprise Landing Zone Access Governance Feature -## Overview +## Feature Overview +Oracle Access Governance is a cloud-native Identity Governance and Administration (IGA) solution that provides insights-based access reviews, identity analytics, and intelligence capabilities for businesses. + +Oracle Access Governance provides features including: + +- Visibility of enterprise compliance by providing details on who has access to what. +- Ability for reviewers to optimize user privileges through intelligent access review campaigns. +- Actionable identity intelligence by building deep insights into potential security violations that enable rapid remediation of identity and access challenges. +- Continuous compliance to meet governance and compliance requirements across many applications, workloads, infrastructures, and identity platforms. +To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/agoye/index.html + +## Deployment Overview The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. From 4ed7c9f6697060850c4575738be8354c74a82bb5 Mon Sep 17 00:00:00 2001 From: Yupei Yang Date: Wed, 21 Feb 2024 07:26:19 -0800 Subject: [PATCH 15/21] add documentation and schema for bastion module --- .../OELZ_Workload_Deployment/CONFIGURATION.md | 12 +++++++++++ templates/elz-workload/schema.yaml | 20 +++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/Official_Documentation/OELZ_Workload_Deployment/CONFIGURATION.md b/Official_Documentation/OELZ_Workload_Deployment/CONFIGURATION.md index 7cf6ef64..550d4887 100644 --- a/Official_Documentation/OELZ_Workload_Deployment/CONFIGURATION.md +++ b/Official_Documentation/OELZ_Workload_Deployment/CONFIGURATION.md 
@@ -117,6 +117,18 @@ These are the configuration options for Workload Monitoring: | [enable_security_monitoring_alarms](#input\_workload\_name) | Enable security alarm in workload expansion | `bool` | `false` | no | | [enable_enable_workload_monitoring_alarms](#input\_workload\_name) | Enable workload alarm in workload expansion | `bool` | `false` | no | +## Security Module + +Bastion service is created in the L4 Security Compartment. + +* **Required Arguments/Parameters Under Bastion Module**: + + | Name | Description | Type | Default | Required | + | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------- | ------- | :------: | + | [enable\_bastion](#input\_enable\_bastion) | Option to enable bastion service | `bool` | n/a | yes | + | [bastion\_client\_cidr\_block\_allow\_list](#input\_bastion\_client\_cidr\_block\_allow\_list) | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | `list(string)` | n/a | yes | + + ## Workload Expansion DataSafe These are the configuration options for Workload Expansion ExaData Datasafe: diff --git a/templates/elz-workload/schema.yaml b/templates/elz-workload/schema.yaml index cc062ec8..cea07754 100644 --- a/templates/elz-workload/schema.yaml +++ b/templates/elz-workload/schema.yaml @@ -70,6 +70,11 @@ variableGroups: visible: true variables: - baseline_spoke_subnets_cidr_blocks + - title: Security Module + visible: true + variables: + - enable_basion + - bastion_client_cidr_block_allow_list - title: Invisible Variables visible: false variables: 
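Review bot: The new `Security Module` variable group lists `enable_basion`, which does not match the variable declared further down in this file as `enable_bastion` (and referenced by `visible: enable_bastion`), so the group points at a name that does not exist and the toggle will not be shown where intended in Resource Manager. Change the entry to `- enable_bastion`. The `variableGroups` list starts before the hunk.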
@@ -336,3 +341,18 @@ variables: required: false title: Baseline Spoke VCN CIDR Block description: "A list of Baseline Spoke VCN CIDR Block" + enable_bastion: + type: boolean + description: "Option to enable bastion service" + default: true + required: true + title: Enable Bastion + bastion_client_cidr_block_allow_list: + type: array + items: + type: string + pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$ + description: "A list of address ranges in CIDR notation that bastion is allowed to connect" + required: true + visible: enable_bastion + title: Bastion Client CIDR Block Allow List From f87db81c279f1dc387cd85fab698a2928c6a6a5d Mon Sep 17 00:00:00 2001 From: Gregg MacKeigan Date: Wed, 21 Feb 2024 14:01:19 -0700 Subject: [PATCH 16/21] Update IMPLEMENTATION.md (#165) Minor edits, general clean up --- .../IMPLEMENTATION.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 9435ae3b..1361531e 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
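Review bot: The `pattern` on `bastion_client_cidr_block_allow_list` items only accepts prefix lengths 0–29 (`[0-9]|[1][0-9]|[2][0-9]`), so a single-host entry such as `203.0.113.10/32` — the most restrictive and most common value for a bastion allow list — is rejected by form validation, while the wide-open `0.0.0.0/0` passes. Replace the suffix with `(\/([0-9]|[12][0-9]|3[0-2]))$`. The description is also inverted: it reads as ranges "that bastion is allowed to connect", whereas the same variable in templates/elz-workload/variables.tf is the client source ranges allowed to connect to the bastion; suggest `description: "Address ranges in CIDR notation allowed to connect to sessions hosted by this bastion; do not use 0.0.0.0/0"`.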
@@ -13,18 +13,18 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag ## Deployment Overview -The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. +The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. ## Prerequisites -To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites. -- [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads) +To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terraform CLI you will need the following prerequisites. +- [Latest Version of Terraform](https://developer.hashicorp.com/terraform/downloads) v1.7.3 or later - [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later - [oci - cli](https://github.com/oracle/oci-cli) ## User -The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). 
Once the user and API Key are defined your oci-cli config should resemble: ```text [DEFAULT] @@ -32,7 +32,7 @@ user=ocid1.xxxxxx.xxxxxx.xxxxxx..... #ocid of the user fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx #user api key fingerprint tenancy=ocid1.xxxxxx.xxxxxx.xxxxxx..... #tenancy ocid region=us-phoenix-1 #or desired region -key_file= # TODO +key_file= #your specific path ``` @@ -62,11 +62,10 @@ key_file= # TODO | **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | | **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | -## How to execute -## How to execute +## How to Execute ### Via Resource Manager -Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in +Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
Only new AGCS User scenario is supported via Resource Manager Deployment
1. Under **Working directory** select the directory *templates/enterprise-landing-zone* @@ -84,13 +83,13 @@ Use the Deploy to Oracle Cloud button which will take you directly to OCI Resour 4. terraform apply. ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment +An Access Governance Service instance will be deployed in security compartment. ##### Oracle Access Governance Deployment: AGCS Group: A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. ##### Oracle Access Governance Deployment: AGCS User: -AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM +AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM. ##### Oracle Access Governance Deployment: AGCS User Group Policy statements: 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 
@@ -114,12 +113,12 @@ AGCS User which will be created in Default domain as the user needs visibility i 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` -3. `Allow GROUP / to read audit-events IN TENANCY` -4. `Allow GROUP / to manage domains IN TENANCY` +3. `ALLOW GROUP / to read audit-events IN TENANCY` +4. `ALLOW GROUP / to manage domains IN TENANCY` ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment +An Access Governance Service instance will be deployed in security compartment. ##### Oracle Access Governance Deployment: OCI system on Access Governance Instance: Cloud gateway system will be added as connected system to the service instance. @@ -132,4 +131,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or See [LICENSE](../../LICENSE) for more details. ## Known Issues -None. \ No newline at end of file +None. From 72c3a7341f734a835103ea4e64fca55921c4128b Mon Sep 17 00:00:00 2001 
From: Shamsul Haque Date: Thu, 22 Feb 2024 22:33:12 +0530 Subject: [PATCH 17/21] Feature/agcs 8397 oag integration (#166) * Added another field to ask compartment for Admin's Domain * Implemented AG instance application name change. * Implemented new Control Plane changes and improved documentation. * Added OAG variables in schema to support resource manager deployment and added few default values. * Updated Documentation * Improved documentation * Disabled non prod deployment. * disabled non prod deployment of OAG and mentioned same in the implementation document. --- .../IMPLEMENTATION.md | 53 ++++++++++--------- .../access-governance-variables.tf | 24 ++------- .../enterprise-landing-zone/example.tfvars | 19 +------ templates/enterprise-landing-zone/schema.yaml | 4 +- 4 files changed, 37 insertions(+), 63 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 1361531e..776bdc36 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -37,33 +37,36 @@ key_file= #your specific path ## Variables -| Variable Name | Description | Required | Default Value | -|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------| -| **user_ocid** | OCID of the Administrator. | Yes | None | -| **fingerprint** | Fingerprint of the Administrator. | Yes | None | -| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | -| **region** | Region of the Administrator. | Yes | None | -| **private_key_path** | Private Key Path of Administrator. | Yes | None | -| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | -| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | -| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | None | -| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. | -| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance | -| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | -| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | -| **agcs_user_name** | New Access Governance User's name. | Yes | None | -| **agcs_user_email** | Email address for the user. | Yes | None | -| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | -| **agcs_user_ocid_oci_system** | Access Governance User's OCID. 
| Yes | None | -| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | -| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | -| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | -| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | -| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | -| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | | +| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. | +| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance | +| **ag_license_type** | Access Governance Instance License Type. 
Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | None | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | +| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | ## How to Execute + +
Currently only production deployment is supported via stack deployment, to deploy in non-production environment, run the Access Governance Module as standalone deployment. Please change the working directory to oci-landing-zones/modules/access-governance and enable the provider lines and disable remaining lines, fill the terraform.tfvars and follow terraform CLI commands
+ ### Via Resource Manager Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
Only new AGCS User scenario is supported via Resource Manager Deployment
@@ -77,7 +80,7 @@ Use the Deploy to Oracle Cloud button which will take you directly to OCI Resour ### Via Terraform CLI (Two Deployment Scenarios) #### Deployment Scenario 1: use_existing_agcs_user = false: -1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/existing_agcs_user.tfvarexample +1. Enter required variables in terraform.tfvars, for examples refer examples.tfvars file 2. terraform init. 3. terraform plan. 4. terraform apply. diff --git a/templates/enterprise-landing-zone/access-governance-variables.tf b/templates/enterprise-landing-zone/access-governance-variables.tf index 28fc3b76..6706a5d7 100644 --- a/templates/enterprise-landing-zone/access-governance-variables.tf +++ b/templates/enterprise-landing-zone/access-governance-variables.tf @@ -11,27 +11,13 @@ variable "prod_enable_access_governance" { variable "nonprod_enable_access_governance" { type = bool - default = true + default = false + validation { + condition = var.nonprod_enable_access_governance == false + error_message = "Access Governance Deployment is not supported in Non production environment." + } } -#variable "private_key_path" { -# type = string -# default = "" -# description = "Private Key Path of Administrator." -#} -# -#variable "user_ocid" { -# type = string -# default = "" -# description = "OCID of the Administrator." -#} -# -#variable "fingerprint" { -# type = string -# default = "" -# description = "Fingerprint of the Administrator." -#} - variable "namespace_service_endpoint" { type = string default = "" diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index b2de49a2..5d118543 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars 
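Review bot: The new `validation` on `nonprod_enable_access_governance` rejects every value except `false`, yet the variable still has no `description`, so a CLI user who sets it to `true` only discovers from the plan failure that the option is reserved. Add `description = "Reserved: Oracle Access Governance is not currently supported in the Non-Prod environment; must remain false."` next to the `type` line so the constraint is visible in `terraform-docs` and the Resource Manager schema alike. The condition itself could be written `!var.nonprod_enable_access_governance` for consistency with how other boolean gates in this file are expressed. Dropping the commented-out `private_key_path`/`user_ocid`/`fingerprint` blocks is pure cleanup and needs nothing further.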
@@ -116,44 +116,27 @@ enable_network_firewall_nonprod = "false" ####################################### Access Governance ################################################### prod_enable_access_governance = false -nonprod_enable_access_governance = false admin_domain_name = "Default" admin_domain_compartment_ocid = "" # ACCESS GOVERNANCE SERVICE INSTANCE DETAILS prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" -#prod_service_instance_display_name = "" +#prod_service_instance_display_name = "prod-access-governance-instance" prod_service_instance_description = "Prod OAG service instance" -nonprod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure" -#nonprod_service_instance_display_name = "" -nonprod_service_instance_description = "Non Prod OAG service instance" - # ACCESS GOVERNANCE USER COMMON DETAILS prod_use_existing_agcs_user = false -nonprod_use_existing_agcs_user = false # ACCESS GOVERNANCE EXISTING_USER #prod_agcs_user_private_key_path = "" #prod_agcs_user_ocid_oci_system = "" #prod_agcs_user_fingerprint_oci_system = "" -# -#nonprod_agcs_user_private_key_path = "" -#nonprod_agcs_user_ocid_oci_system = "" -#nonprod_agcs_user_fingerprint_oci_system = "" # NEW AG USER prod_agcs_user_group_display_name = "prod_agcs_group" prod_agcs_user_name = "prod_agcs_user" prod_agcs_user_email = "prod_something@example.com" -nonprod_agcs_user_group_display_name = "nonprod_agcs_group" -nonprod_agcs_user_name = "nonprod_agcs_user" -nonprod_agcs_user_email = "nonprod_something@example.com" - # OCI Connected System prod_oci_system_name = "Prod Cloud Gateway" prod_oci_system_description = "Prod OCI System" - -nonprod_oci_system_name = "Non Prod Cloud Gateway" -nonprod_oci_system_description = "Non Prod OCI System" \ No newline at end of file diff --git a/templates/enterprise-landing-zone/schema.yaml b/templates/enterprise-landing-zone/schema.yaml index d480bed2..db203047 100644 --- a/templates/enterprise-landing-zone/schema.yaml 
+++ b/templates/enterprise-landing-zone/schema.yaml @@ -263,6 +263,7 @@ variableGroups: - should_create_connected_system - nonprod_agcs_user_domain_name - prod_agcs_user_domain_name + - nonprod_enable_access_governance variables: @@ -1361,8 +1362,9 @@ variables: nonprod_enable_access_governance: type: boolean description: "Option to enable Oracle Access Governance in Non-Prod." - default: true + default: false required: true + visible: false title: Enable Oracle Access Governance in Non-Prod admin_domain_name: type: string From 636cd382805a567cf041e775fbf1c6cb4590d486 Mon Sep 17 00:00:00 2001 From: vinaykumar-oci Date: Fri, 23 Feb 2024 17:01:00 -0800 Subject: [PATCH 18/21] Added Flag to deploy Non_Prod Environment Added Flag to deploy Non_Prod Environment , if flag "is_nonprod_env_deploy" is set to true then Non_Prod Environment will deploy. --- templates/elz-environment/main.tf | 5 ++ templates/elz-environment/variables.tf | 21 +++++++ templates/elz-network/main.tf | 15 ++--- templates/elz-network/variables.tf | 22 +++++++ .../enterprise-landing-zone/backup-main.tf | 14 ++--- .../enterprise-landing-zone/environment.tf | 15 ++++- .../enterprise-landing-zone/example.tfvars | 11 ++++ templates/enterprise-landing-zone/logging.tf | 35 ++++++----- templates/enterprise-landing-zone/outputs.tf | 22 +++---- templates/enterprise-landing-zone/security.tf | 14 +++-- .../enterprise-landing-zone/variables.tf | 60 +++++++++++++++++++ 11 files changed, 185 insertions(+), 49 deletions(-) diff --git a/templates/elz-environment/main.tf b/templates/elz-environment/main.tf index 0c74b093..ead559e3 100644 --- a/templates/elz-environment/main.tf +++ b/templates/elz-environment/main.tf 
@@ -148,7 +148,12 @@ module "network" { private_spoke_subnet_web_cidr_block = var.private_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.private_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.private_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.hub_private_subnet_dns_label spoke_vcn_cidr = var.spoke_vcn_cidr + subnet_app_dns_label = var.subnet_app_dns_label + subnet_db_dns_label = var.subnet_db_dns_label + subnet_web_dns_label = var.subnet_web_dns_label ipsec_connection_static_routes = var.ipsec_connection_static_routes enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect enable_vpn_on_environment = var.enable_vpn_on_environment diff --git a/templates/elz-environment/variables.tf b/templates/elz-environment/variables.tf index 5f451b85..5665e826 100644 --- a/templates/elz-environment/variables.tf +++ b/templates/elz-environment/variables.tf @@ -226,6 +226,27 @@ variable "create_master_encryption_key" { # Network Variables # ----------------------------------------------------------------------------- +variable "hub_public_subnet_dns_label" { + type = string + description = "Hub Public Subnet DNS Label." +} +variable "hub_private_subnet_dns_label" { + type = string + description = "Hub Private Subnet DNS Label." +} +variable "subnet_app_dns_label" { + type = string + description = "Spoke App Subnet DNS Label." +} +variable "subnet_db_dns_label" { + type = string + description = "Spoke DB Subnet DNS Label." +} +variable "subnet_web_dns_label" { + type = string + description = "Spoke Web Subnet DNS Label." +} + variable "enable_internet_gateway_hub" { type = string description = "Option to enable true and Disable false." diff --git a/templates/elz-network/main.tf b/templates/elz-network/main.tf index 398c328b..10e5c804 100644 --- a/templates/elz-network/main.tf +++ b/templates/elz-network/main.tf 
@@ -14,10 +14,8 @@ locals { vcn-hub-info = { hub_public_subnet_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-HUB-${local.region_key[0]}001" hub_public_subnet_description = "Hub Public Subnet" - hub_public_subnet_dns_label = "publabel" hub_private_subnet_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-HUB-${local.region_key[0]}002" hub_private_subnet_description = "Hub Private Subnet" - hub_private_subnet_dns_label = "prilabel" hub_security_list_display_name = "OCI-ELZ-${var.environment_prefix}-Hub-Security-List" igw_gateway_display_name = "OCI-ELZ-IGW-${var.environment_prefix}-HUB" nat_gateway_display_name = "OCI-ELZ-NGW-${var.environment_prefix}-HUB" @@ -56,10 +54,10 @@ module "hub" { hub_vcn_dns_label = local.vcn_hub.dns_label hub_public_subnet_display_name = local.vcn-hub-info.hub_public_subnet_display_name hub_public_subnet_description = local.vcn-hub-info.hub_public_subnet_description - hub_public_subnet_dns_label = local.vcn-hub-info.hub_public_subnet_dns_label + hub_public_subnet_dns_label = var.hub_public_subnet_dns_label hub_private_subnet_display_name = local.vcn-hub-info.hub_private_subnet_display_name hub_private_subnet_description = local.vcn-hub-info.hub_private_subnet_description - hub_private_subnet_dns_label = local.vcn-hub-info.hub_private_subnet_dns_label + hub_private_subnet_dns_label = var.hub_private_subnet_dns_label igw_gateway_display_name = local.vcn-hub-info.igw_gateway_display_name nat_gateway_display_name = local.vcn-hub-info.nat_gateway_display_name srv_gateway_display_name = local.vcn-hub-info.srv_gateway_display_name 
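Review bot: Removing the `"publabel"`/`"prilabel"` literals from `vcn-hub-info` turns two values that every existing deployment silently received into required inputs, and the old values now live only in git history. If, as I believe, `dns_label` on an OCI subnet is not updatable, any caller that supplies a different label (the updated example.tfvars uses `ppublabel`/`prilabel` for prod and `npublabel`/`nprilabel` for non-prod) will see the hub subnets planned for replacement on an already-deployed stack. I would keep the previous behaviour as the default, i.e. in elz-network/variables.tf give `hub_public_subnet_dns_label` `default = "publabel"` and `hub_private_subnet_dns_label` `default = "prilabel"` with a comment `# Previous hard-coded value; changing it replaces the subnet`, and state the replacement risk in the variable description.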
@@ -94,9 +92,6 @@ locals { route_table_display_name = "OCI-ELZ-RTPRV-${var.environment_prefix}-SPK001" nat_gateway_display_name = "OCI-ELZ-NGW-${var.environment_prefix}-SPK" service_gateway_display_name = "OCI-ELZ-SGW-${var.environment_prefix}-SPK" - subnet_app_dns_label = "appdnslabel" - subnet_db_dns_label = "dbdnslabel" - subnet_web_dns_label = "webdnslabel" subnet_web_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}001" subnet_app_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}002" subnet_db_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}003" @@ -124,13 +119,13 @@ module "spoke" { workload_compartment_id = var.workload_compartment_id workload_private_spoke_subnet_app_cidr_block = var.private_spoke_subnet_app_cidr_block workload_private_spoke_subnet_app_display_name = local.vcn-spoke-info.subnet_app_display_name - workload_private_spoke_subnet_app_dns_label = local.vcn-spoke-info.subnet_app_dns_label + workload_private_spoke_subnet_app_dns_label = var.subnet_app_dns_label workload_private_spoke_subnet_db_cidr_block = var.private_spoke_subnet_db_cidr_block workload_private_spoke_subnet_db_display_name = local.vcn-spoke-info.subnet_db_display_name - workload_private_spoke_subnet_db_dns_label = local.vcn-spoke-info.subnet_db_dns_label + workload_private_spoke_subnet_db_dns_label = var.subnet_db_dns_label workload_private_spoke_subnet_web_cidr_block = var.private_spoke_subnet_web_cidr_block workload_private_spoke_subnet_web_display_name = local.vcn-spoke-info.subnet_web_display_name - workload_private_spoke_subnet_web_dns_label = local.vcn-spoke-info.subnet_web_dns_label + workload_private_spoke_subnet_web_dns_label = var.subnet_web_dns_label workload_spoke_vcn_cidr = var.spoke_vcn_cidr enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect enable_vpn_on_environment = var.enable_vpn_on_environment 
diff --git a/templates/elz-network/variables.tf b/templates/elz-network/variables.tf index a410ae57..c3c3531a 100644 --- a/templates/elz-network/variables.tf +++ b/templates/elz-network/variables.tf @@ -135,6 +135,28 @@ variable "add_ssh_to_security_list" { default = false } +variable "hub_public_subnet_dns_label" { + type = string + description = "Hub Public Subnet DNS Label." +} +variable "hub_private_subnet_dns_label" { + type = string + description = "Hub Private Subnet DNS Label." +} +variable "subnet_app_dns_label" { + type = string + description = "Spoke App Subnet DNS Label." +} +variable "subnet_db_dns_label" { + type = string + description = "Spoke DB Subnet DNS Label." +} +variable "subnet_web_dns_label" { + type = string + description = "Spoke Web Subnet DNS Label." +} + + # ----------------------------------------------------------------------------- # VPN Variables # ----------------------------------------------------------------------------- diff --git a/templates/enterprise-landing-zone/backup-main.tf b/templates/enterprise-landing-zone/backup-main.tf index 77e926b9..b50d8767 100644 --- a/templates/enterprise-landing-zone/backup-main.tf +++ b/templates/enterprise-landing-zone/backup-main.tf @@ -112,11 +112,11 @@ module "backup_prod_environment" { module "backup_nonprod_environment" { source = "../elz-backup/elz-backup-environment" - count = var.enable_landing_zone_replication ? 1 : 0 + count = var.enable_landing_zone_replication && var.is_nonprod_env_deploy ? 1 : 0 environment_prefix = local.nonprod_environment.environment_prefix spoke_vcn_cidr = var.backup_nonprod_workload_cidr - workload_compartment_id = module.nonprod_environment.workload_compartment_id + workload_compartment_id = module.nonprod_environment[0].workload_compartment_id backup_region = var.backup_region tenancy_ocid = var.tenancy_ocid region = var.region 
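Review bot: The five new `*_dns_label` variables in elz-network/variables.tf are passed straight into subnet resources with no `validation`, so a value with a hyphen, a leading digit or more than the permitted length only fails at apply time, after compartments and VCNs have already been created. OCI DNS labels, as I recall the service rules, must be letters and digits only, start with a letter, and be at most 15 characters; a `validation` block per variable catches that at plan time. The same block should be repeated for `hub_private_subnet_dns_label`, `subnet_app_dns_label`, `subnet_db_dns_label` and `subnet_web_dns_label`.
```hcl
variable "hub_public_subnet_dns_label" {
  type        = string
  description = "Hub Public Subnet DNS Label (letters/digits, starts with a letter, max 15 chars)."
  validation {
    condition     = can(regex("^[a-zA-Z][a-zA-Z0-9]{0,14}$", var.hub_public_subnet_dns_label))
    error_message = "DNS label must be 1-15 alphanumeric characters and start with a letter."
  }
}
# … repeat the validation block for the other four *_dns_label variables …
```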
@@ -127,7 +127,7 @@ module "backup_nonprod_environment" { igw_hub_check = var.backup_igw_hub_check nat_gw_hub_check = var.backup_nat_gw_hub_check service_gw_hub_check = var.backup_service_gw_hub_check - network_compartment_id = module.nonprod_environment.compartment.network.id + network_compartment_id = module.nonprod_environment[0].compartment.network.id vcn_cidr_block = var.backup_nonprod_hub_vcn_cidr_block public_subnet_cidr_block = var.backup_nonprod_public_subnet_cidr_block private_subnet_cidr_block = var.backup_nonprod_private_subnet_cidr_block @@ -152,17 +152,17 @@ module "backup_nonprod_environment" { enable_replication = var.backup_nonprod_vault_enable_replication replica_region = var.backup_nonprod_vault_replica_region resource_label = var.resource_label - security_compartment_id = module.nonprod_environment.compartment.security.id + security_compartment_id = module.nonprod_environment[0].compartment.security.id vault_type = var.backup_nonprod_vault_type home_compartment_id = module.home_compartment.compartment_id home_compartment_name = var.home_compartment_name - logging_compartment_id = module.nonprod_environment.compartment.logging.id + logging_compartment_id = module.nonprod_environment[0].compartment.logging.id retention_policy_duration_amount = var.backup_nonprod_retention_policy_duration_amount retention_policy_duration_time_unit = var.backup_nonprod_retention_policy_duration_time_unit bastion_client_cidr_block_allow_list = var.backup_nonprod_bastion_client_cidr_block_allow_list - environment_compartment_id = module.nonprod_environment.compartment.environment.id + environment_compartment_id = module.nonprod_environment[0].compartment.environment.id is_create_alarms = var.is_create_alarms_backup network_topic_endpoints = var.nonprod_network_topic_endpoints_backup 
@@ -206,7 +206,7 @@ module "backup_nonprod_environment" { enable_fastconnect_on_environment = var.backup_nonprod_enable_fastconnect customer_onprem_ip_cidr = var.backup_customer_onprem_ip_cidr - depends_on = [module.nonprod_environment] + depends_on = [module.nonprod_environment[0]] providers = { oci = oci diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index de3ef293..6c795277 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf @@ -101,6 +101,11 @@ module "prod_environment" { private_spoke_subnet_web_cidr_block = var.prod_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.prod_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.prod_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.prod_hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.prod_hub_private_subnet_dns_label + subnet_app_dns_label = var.prod_subnet_app_dns_label + subnet_db_dns_label = var.prod_subnet_db_dns_label + subnet_web_dns_label = var.prod_subnet_web_dns_label enable_network_firewall = var.enable_network_firewall_prod enable_traffic_threat_log = var.enable_traffic_threat_log_prod @@ -190,7 +195,8 @@ locals { } module "nonprod_environment" { - source = "../elz-environment" + count = var.is_nonprod_env_deploy ? 1 : 0 + source = "../elz-environment" tenancy_ocid = var.tenancy_ocid region = var.region 
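Review bot: Adding `count = var.is_nonprod_env_deploy ? 1 : 0` to `module "nonprod_environment"` changes its state address from `module.nonprod_environment` to `module.nonprod_environment[0]`, so anyone upgrading an existing stack with the default `true` will be shown a destroy-and-recreate of the whole non-prod environment (compartments, identity domain, VCNs, vaults) rather than a no-op. A `moved` block avoids that: `moved { from = module.nonprod_environment  to = module.nonprod_environment[0] }` (written over the usual three lines), assuming the project's `required_version` permits Terraform 1.1 or later. The same consideration applies to every other module in this patch that gained a `count`. The body of `module "nonprod_environment"` continues beyond this hunk.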
@@ -275,6 +281,11 @@ module "nonprod_environment" { private_spoke_subnet_web_cidr_block = var.nonprod_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.nonprod_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.nonprod_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.nonprod_hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.nonprod_hub_private_subnet_dns_label + subnet_app_dns_label = var.nonprod_subnet_app_dns_label + subnet_db_dns_label = var.nonprod_subnet_db_dns_label + subnet_web_dns_label = var.nonprod_subnet_web_dns_label enable_network_firewall = var.enable_network_firewall_nonprod enable_traffic_threat_log = var.enable_traffic_threat_log_nonprod @@ -309,7 +320,7 @@ module "nonprod_environment" { enable_workload_monitoring_alarms = var.nonprod_enable_workload_monitoring_alarms enable_datasafe = var.enable_datasafe - #workload_compartment_id = module.nonprod_environment.workload_compartment_id + #workload_compartment_id = module.nonprod_environment[0].workload_compartment_id remote_peering_connection_peer_id = var.enable_vpn_or_fastconnect == "FASTCONNECT" ? module.prod_environment.rpc_id : null remote_peering_connection_peer_region_name = var.region diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index 5d118543..b8bce8ab 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars @@ -15,6 +15,7 @@ resource_label = "DEMO" prod_domain_admin_email = "an-example-email-address@oracle.com" nonprod_domain_admin_email = "an-example-email-address@oracle.com" enable_compartment_delete = false +is_nonprod_env_deploy = true # security enable_cloud_guard = true 
@@ -60,20 +61,30 @@ nonprod_enable_service_gateway_spoke = "true" prod_hub_vcn_cidr_block = "10.1.0.0/16" prod_hub_public_subnet_cidr_block = "10.1.1.0/24" prod_hub_private_subnet_cidr_block = "10.1.2.0/24" +prod_hub_public_subnet_dns_label = "ppublabel" +prod_hub_private_subnet_dns_label = "prilabel" prod_spoke_vcn_cidr = "10.2.0.0/16" prod_spoke_subnet_web_cidr_block = "10.2.1.0/24" prod_spoke_subnet_app_cidr_block = "10.2.2.0/24" prod_spoke_subnet_db_cidr_block = "10.2.3.0/24" +prod_subnet_app_dns_label = "papplabel" +prod_subnet_db_dns_label = "pdblabel" +prod_subnet_web_dns_label = "pweblabel" nonprod_hub_vcn_cidr_block = "10.3.0.0/16" nonprod_hub_public_subnet_cidr_block = "10.3.1.0/24" nonprod_hub_private_subnet_cidr_block = "10.3.2.0/24" +nonprod_hub_public_subnet_dns_label = "npublabel" +nonprod_hub_private_subnet_dns_label = "nprilabel" nonprod_spoke_vcn_cidr = "10.4.0.0/16" nonprod_spoke_subnet_web_cidr_block = "10.4.1.0/24" nonprod_spoke_subnet_app_cidr_block = "10.4.2.0/24" nonprod_spoke_subnet_db_cidr_block = "10.4.3.0/24" +nonprod_subnet_app_dns_label = "napplabel" +nonprod_subnet_db_dns_label = "ndblabel" +nonprod_subnet_web_dns_label = "nweblabel" # Tagging prod_enable_tagging = true diff --git a/templates/enterprise-landing-zone/logging.tf b/templates/enterprise-landing-zone/logging.tf index 0a9b3582..f7224efc 100644 --- a/templates/enterprise-landing-zone/logging.tf +++ b/templates/enterprise-landing-zone/logging.tf @@ -4,6 +4,9 @@ ########################################################################################################## locals { + nonprod_sec_id = try(module.nonprod_environment[0].compartment.security.id, "") + nonprod_stream_id = try(module.nonprod_environment[0].stream_id, "") + nonprod_logg_id = try(module.nonprod_environment[0].compartment.logging.id, "") service_connector_policy = { name = "${var.resource_label}-OCI-ELZ-SC-Policy" description = "OCI ELZ Service Connector Policy" 
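Review bot: The three new locals in logging.tf use `try(module.nonprod_environment[0]…, "")`, which swallows every evaluation error, not just the count-is-zero case, and then feeds an empty string into IAM policy text. A renamed or missing module output would therefore surface as a malformed policy statement instead of a plan-time error. Tie the fallback to the flag that actually controls the module, e.g. `nonprod_sec_id = var.is_nonprod_env_deploy ? module.nonprod_environment[0].compartment.security.id : null`, and likewise for `nonprod_stream_id` and `nonprod_logg_id`; with `null` the statement builder can then skip the non-prod statements explicitly. The enclosing `locals` block continues past this hunk.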
@@ -11,11 +14,11 @@ locals { "Allow any-user to read log-content in compartment id ${module.home_compartment.compartment_id} where all {request.principal.type='serviceconnector'}", "Allow any-user to read log-groups in compartment id ${module.home_compartment.compartment_id} where all {request.principal.type='serviceconnector'}", "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${module.prod_environment.compartment.security.id} where all {request.principal.type='serviceconnector', target.stream.id='${module.prod_environment.stream_id}', request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${module.nonprod_environment.compartment.security.id} where all {request.principal.type='serviceconnector', target.stream.id='${module.nonprod_environment.stream_id}', request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}", + "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${local.nonprod_sec_id} where all {request.principal.type='serviceconnector', target.stream.id='${local.nonprod_stream_id}', request.principal.compartment.id='${local.nonprod_sec_id}'}", "Allow any-user to manage objects in compartment id ${module.prod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to manage objects in compartment id ${module.nonprod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}", + "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', 
request.principal.compartment.id='${local.nonprod_sec_id}'}", "Allow any-user to manage objects in compartment id ${module.prod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to manage objects in compartment id ${module.nonprod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}" + "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${local.nonprod_sec_id}'}" ] } 
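Review bot: When `is_nonprod_env_deploy` is false the three non-prod statements in `service_connector_policy.statements` are still emitted, with `local.nonprod_sec_id` and `local.nonprod_logg_id` interpolated as empty strings, producing text such as `Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id  where all {…, target.stream.id='', …}` that the Identity service will almost certainly reject, so a prod-only deployment fails at the policy. Even if it were accepted, an `any-user` statement whose scoping conditions are blank is exactly what a least-privilege review should not allow through. Build the non-prod statements only when the environment exists and `concat` them onto the prod list.
```hcl
  nonprod_service_connector_statements = var.is_nonprod_env_deploy ? [
    "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${local.nonprod_sec_id} where all {request.principal.type='serviceconnector', target.stream.id='${local.nonprod_stream_id}', request.principal.compartment.id='${local.nonprod_sec_id}'}",
    "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${local.nonprod_sec_id}'}",
    # … the nonprod auditLogs/defaultLogs/serviceEvents bucket statement, unchanged …
  ] : []
  service_connector_policy = {
    name        = "${var.resource_label}-OCI-ELZ-SC-Policy"
    description = "OCI ELZ Service Connector Policy"
    statements = concat([
      # … unchanged: home-compartment and prod statements …
    ], local.nonprod_service_connector_statements)
  }
```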
@@ -140,7 +143,7 @@ module "service_connector_policy" { description = local.service_connector_policy.description statements = local.service_connector_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "service_connector_archive_policy" { @@ -150,7 +153,7 @@ module "service_connector_archive_policy" { description = local.service_connector_archive_policy.description statements = local.service_connector_archive_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "archive_key" { @@ -172,7 +175,7 @@ module "key_archive_policy" { description = local.key_archive_policy.description statements = local.key_archive_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "archive_bucket" { @@ -187,7 +190,7 @@ module "archive_bucket" { retention_policy_duration_time_unit = local.archive_log_bucket.retention_policy_duration_time_unit namespace = data.oci_objectstorage_namespace.ns.namespace - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment, module.archive_key, module.key_archive_policy] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment, module.archive_key, module.key_archive_policy] } module "prod_archive_audit_log_service_connector" { 
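Review bot: The four `depends_on` lists were changed from `module.nonprod_environment` to `module.nonprod_environment[0]`, which names a specific instance that does not exist when the count is zero; I am not certain how every Terraform version treats a `depends_on` entry for an absent instance, but the unindexed form already covers all instances and is the one the documentation shows for module dependencies. Keeping `depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment]` is therefore both simpler and safe in the zero-instance case. If a version of Terraform accepts the indexed form only by silently ignoring it, the ordering guarantee these policies rely on would be lost without any warning.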
@@ -205,9 +208,10 @@ module "prod_archive_audit_log_service_connector" { } module "nonprod_archive_audit_log_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id source_compartment_id = module.home_compartment.compartment_id display_name = local.nonprod_archive_audit_log_service_connector.display_name source_kind = local.nonprod_archive_audit_log_service_connector.source_kind @@ -233,14 +237,15 @@ module "prod_archive_default_log_service_connector" { } module "nonprod_archive_default_log_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id - source_compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id + source_compartment_id = module.nonprod_environment[0].compartment.security.id display_name = local.nonprod_archive_default_log_service_connector.display_name source_kind = local.nonprod_archive_default_log_service_connector.source_kind target_kind = local.nonprod_archive_default_log_service_connector.target_kind - log_group_id = module.nonprod_environment.default_group_id + log_group_id = module.nonprod_environment[0].default_group_id target_bucket = local.nonprod_archive_default_log_service_connector.target_bucket depends_on = [module.archive_bucket, module.service_connector_archive_policy] 
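Review bot: `module "nonprod_archive_audit_log_service_connector"` and `module "nonprod_archive_default_log_service_connector"` each gained a `count`, so their state addresses now carry `[0]` and existing deployments will plan a destroy/recreate of the connectors unless a `moved { from = module.nonprod_archive_audit_log_service_connector  to = module.nonprod_archive_audit_log_service_connector[0] }` block (over the usual three lines) is added for each; the service-events connector and `nonprod_platform_admin_policy` further down need the same. Any output or expression elsewhere in the root module that still references these modules without an index will now fail validation; I cannot see outputs.tf for them here, so that is worth a grep. Both module bodies extend past this hunk.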
@@ -262,14 +267,15 @@ module "prod_archive_service_events_service_connector" { } module "nonprod_archive_service_events_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id - source_compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id + source_compartment_id = module.nonprod_environment[0].compartment.security.id display_name = local.nonprod_archive_service_events_service_connector.display_name source_kind = local.nonprod_archive_service_events_service_connector.source_kind target_kind = local.nonprod_archive_service_events_service_connector.target_kind - stream_id = module.nonprod_environment.stream_id + stream_id = module.nonprod_environment[0].stream_id cursor_kind = local.nonprod_archive_service_events_service_connector.cursor_kind target_bucket = local.nonprod_archive_service_events_service_connector.target_bucket @@ -287,6 +293,7 @@ module "prod_platform_admin_policy" { } module "nonprod_platform_admin_policy" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/policies" compartment_ocid = module.home_compartment.compartment_id policy_name = local.nonprod_platform_admin_policy.name diff --git a/templates/enterprise-landing-zone/outputs.tf b/templates/enterprise-landing-zone/outputs.tf index 46e804d6..d8b256d1 100644 --- a/templates/enterprise-landing-zone/outputs.tf +++ b/templates/enterprise-landing-zone/outputs.tf 
@@ -45,17 +45,17 @@ output "prod_environment" {
 output "nonprod_environment" {
 value = {
 environment_prefix = local.nonprod_environment.environment_prefix
- compartments = module.nonprod_environment.compartment
- subnets = module.nonprod_environment.subnets
- hub_vcn = module.nonprod_environment.vcn
- hub_public_subnet_cidr = module.nonprod_environment.hub_public_subnet_cidr
- hub_private_subnet_cidr = module.nonprod_environment.hub_private_subnet_cidr
- drg_id = module.nonprod_environment.drg_id
- identity_domain = module.nonprod_environment.identity_domain
- workload_compartment_name = module.nonprod_environment.workload_compartment_name
- workload_compartment_id = module.nonprod_environment.workload_compartment_id
- workload_subnet_cidr_blocks = module.nonprod_environment.workload_subnet_cidr_blocks
- access_governance_service_instance = module.nonprod_environment.access_governance_service_instance
+ compartments = try(module.nonprod_environment[0].compartment, null)
+ subnets = try(module.nonprod_environment[0].subnets, null)
+ hub_vcn = try(module.nonprod_environment[0].vcn, null)
+ hub_public_subnet_cidr = try(module.nonprod_environment[0].hub_public_subnet_cidr, null)
+ hub_private_subnet_cidr = try(module.nonprod_environment[0].hub_private_subnet_cidr, null)
+ drg_id = try(module.nonprod_environment[0].drg_id, null)
+ identity_domain = try(module.nonprod_environment[0].identity_domain, null)
+ workload_compartment_name = try(module.nonprod_environment[0].workload_compartment_name, null)
+ workload_compartment_id = try(module.nonprod_environment[0].workload_compartment_id, null)
+ workload_subnet_cidr_blocks = try(module.nonprod_environment[0].workload_subnet_cidr_blocks, null)
+ access_governance_service_instance = try(module.nonprod_environment[0].access_governance_service_instance, null)
 }
 description = "Non-Production Environment Information."
 }
\ No newline at end of file
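Review bot: Wrapping every attribute in `try(..., null)` does more than handle the count-0 case: it also turns any genuine error in those references (a renamed output in the environment module, a typo in an attribute name) into a silent `null` in the stack output, which is exactly the kind of failure a landing-zone operator wants surfaced at plan time. Since the only condition being guarded is "zero or one instance", the splat plus `one()` expresses that without swallowing other errors, e.g. `compartments = one(module.nonprod_environment[*].compartment)`, applied to each of the eleven attributes. `one()` needs Terraform 0.15+; the stack's `required_version` is not visible here, so confirm it before switching. If the version floor forbids it, `var.is_nonprod_env_deploy ? module.nonprod_environment[0].compartment : null` still keeps the guard explicit.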
diff --git a/templates/enterprise-landing-zone/security.tf b/templates/enterprise-landing-zone/security.tf index b2756c7d..79ac6aa3 100644 --- a/templates/enterprise-landing-zone/security.tf +++ b/templates/enterprise-landing-zone/security.tf @@ -4,6 +4,10 @@ ########################################################################################################## locals { + nonprod_security_id = try(module.nonprod_environment[0].compartment.security.id, "") + nonprod_network_id = try(module.nonprod_environment[0].compartment.network.id, "") + nonprod_workload_cmp_id = try(module.nonprod_environment[0].workload_compartment_id, "") + nonprod_logging_id = try(module.nonprod_environment[0].compartment.logging.id, "") cloud_guard_policy = { name = "${var.resource_label}-OCI-ELZ-CG-Policy" description = "OCI Enterprise Landing Zone Cloud Guard Policy" @@ -76,11 +80,11 @@ locals { instance.compartment.id = '${module.prod_environment.compartment.security.id}', instance.compartment.id = '${module.prod_environment.compartment.network.id}', instance.compartment.id = '${module.prod_environment.workload_compartment_id}', - instance.compartment.id = '${module.nonprod_environment.compartment.security.id}', - instance.compartment.id = '${module.nonprod_environment.compartment.network.id}', - instance.compartment.id = '${module.nonprod_environment.workload_compartment_id}', + instance.compartment.id = '${local.nonprod_security_id}', + instance.compartment.id = '${local.nonprod_network_id}', + instance.compartment.id = '${local.nonprod_workload_cmp_id}', instance.compartment.id = '${module.prod_environment.compartment.logging.id}', - instance.compartment.id = '${module.nonprod_environment.compartment.logging.id}', + instance.compartment.id = '${local.nonprod_logging_id}', instance.compartment.id = '${module.home_compartment.compartment_id}' } EOT 
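Review bot: When `is_nonprod_env_deploy` is false, the four `nonprod_*_id` locals introduced in the earlier hunk fall back to `""`, so the rule built here contains literal clauses such as `instance.compartment.id = ''`. At best that is a dead predicate, and IAM may reject the matching rule outright, so the non-prod IDs should be omitted rather than emptied: gather the compartment IDs in a list, `compact()` it, and render the clauses with `formatlist()` and `join()`, as sketched below. The `try(..., "")` fallbacks also turn any genuine reference error into a silent empty string; `var.is_nonprod_env_deploy ? module.nonprod_environment[0].compartment.security.id : null` keeps the guard explicit. The `locals` block and the attribute holding this heredoc (presumably `general_matching_rule`, consumed by `osms_dynamic_group` further down) start outside the hunk.
```hcl
# Compartments whose instances the dynamic group should match; compact() drops the
# empty strings produced when the non-production environment is not deployed.
osms_scope_compartment_ids = compact([
  module.prod_environment.compartment.security.id,
  module.prod_environment.compartment.network.id,
  module.prod_environment.workload_compartment_id,
  local.nonprod_security_id,
  local.nonprod_network_id,
  local.nonprod_workload_cmp_id,
  module.prod_environment.compartment.logging.id,
  local.nonprod_logging_id,
  module.home_compartment.compartment_id,
])
# … unchanged: other locals in this block …
general_matching_rule = "Any {${join(", ", formatlist("instance.compartment.id = '%s'", local.osms_scope_compartment_ids))}}"
```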
@@ -163,7 +167,7 @@ module "osms_dynamic_group" {
 name = local.osms_dynamic_group.dynamic_group_name
 matching_rule = local.osms_dynamic_group.general_matching_rule
 
- depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment]
+ depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment]
 }
 
 module "osms_policy" {
diff --git a/templates/enterprise-landing-zone/variables.tf b/templates/enterprise-landing-zone/variables.tf
index 10adae37..6e12fe99 100644
--- a/templates/enterprise-landing-zone/variables.tf
+++ b/templates/enterprise-landing-zone/variables.tf
@@ -25,6 +25,12 @@ variable "is_baseline_deploy" {
 description = "TagNameSpace Optimization: Set to True(if the deployment is baseline) to disable dependent module TagNameSpace Tag Creation."
 }
 
+variable "is_nonprod_env_deploy" {
+ type = bool
+ default = true
+ description = "Deploy Non-Production Enviornment"
+}
+
 # -----------------------------------------------------------------------------
 # Compartment Variables
 # -----------------------------------------------------------------------------
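Review bot: The description of the new `is_nonprod_env_deploy` variable does not say what happens when it is flipped on a stack that already has the non-production environment: with the `count = var.is_nonprod_env_deploy ? 1 : 0` gating introduced in the earlier hunks, setting it to `false` makes the next plan destroy the non-prod environment module and everything that depends on it (compartments, logging, service connectors). An operator toggling a boolean in Resource Manager will not expect that, so spell it out and fix the typo: `description = "Deploy the Non-Production Environment. Setting this to false on an existing deployment destroys the Non-Production environment and all resources inside it."`. The same warning belongs in the CONFIGURATION.md row for this variable that the later documentation commit adds.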
@@ -501,6 +507,60 @@ variable "nonprod_spoke_vcn_cidr" { description = "Non-Production Enivornment Spoke VCN CIDR Block." } +variable "prod_hub_public_subnet_dns_label" { + default = "ppublabel" + type = string + description = "Production Enivornment Hub Public Subnet DNS Label." +} +variable "nonprod_hub_public_subnet_dns_label" { + default = "npublabel" + type = string + description = "Non-Production Enivornment Hub Public Subnet DNS Label." +} +variable "prod_hub_private_subnet_dns_label" { + default = "pprilabel" + type = string + description = "Production Enivornment Hub Public Subnet DNS Label." +} +variable "nonprod_hub_private_subnet_dns_label" { + default = "nprilabel" + type = string + description = "Non-Production Enivornment Hub Public Subnet DNS Label." +} + +variable "prod_subnet_app_dns_label" { + default = "papplabel" + type = string + description = "Production Enivornment Spoke App Subnet DNS Label." +} +variable "nonprod_subnet_app_dns_label" { + default = "napplabel" + type = string + description = "Non-Production Enivornment Spoke App Subnet DNS Label." +} + +variable "prod_subnet_db_dns_label" { + default = "pdblabel" + type = string + description = "Production Enivornment Spoke DB Subnet DNS Label." +} +variable "nonprod_subnet_db_dns_label" { + default = "ndblabel" + type = string + description = "Non-Production Enivornment Spoke DB Subnet DNS Label." +} + +variable "prod_subnet_web_dns_label" { + default = "pweblabel" + type = string + description = "Production Enivornment Spoke Web Subnet DNS Label." +} +variable "nonprod_subnet_web_dns_label" { + default = "nweblabel" + type = string + description = "Non-Production Enivornment Spoke Web Subnet DNS Label." +} + #Tagging #nonprod_enable_tagging From 202f58d04730c0c95e0de91fc722f006afc9043e Mon Sep 17 00:00:00 2001 
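Review bot: The descriptions of `prod_hub_private_subnet_dns_label` and `nonprod_hub_private_subnet_dns_label` say "Hub Public Subnet DNS Label", copied from the public-subnet variables above them, and all ten new descriptions carry the "Enivornment" typo. More importantly none of the ten labels is validated, although OCI subnet DNS labels must start with a letter, contain only letters and digits, be at most 15 characters and are immutable after creation, so a bad value is only caught at apply time inside the environment module. Add a `validation` block to each variable, as shown for one of them below, and correct the two descriptions.
```hcl
variable "prod_hub_private_subnet_dns_label" {
  default     = "pprilabel"
  type        = string
  description = "Production Environment Hub Private Subnet DNS Label."
  validation {
    condition     = can(regex("^[a-zA-Z][a-zA-Z0-9]{0,14}$", var.prod_hub_private_subnet_dns_label))
    error_message = "DNS label must start with a letter, contain only letters and digits, and be at most 15 characters."
  }
}
# … unchanged: the other nine *_dns_label variables, each with the same validation block …
```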
From: Rory Nguyen Date: Mon, 26 Feb 2024 09:08:24 -0800 Subject: [PATCH 19/21] Access Governance documentation (#167) * updated default values * minor changes * minor changes --- .../IMPLEMENTATION.md | 76 +++++++++---------- 1 file changed, 34 insertions(+), 42 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 776bdc36..d4881b62 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md @@ -13,7 +13,7 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag ## Deployment Overview -The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. +The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloud gateway connected system. This workload supports only Identity Domain Tenancy. ## Prerequisites 
@@ -24,7 +24,7 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terrafo ## User -The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble: +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user needs to have an API key entry defined as described [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble below: ```text [DEFAULT] 
@@ -37,30 +37,30 @@ key_file= #your specific path ## Variables -| Variable Name | Description | Required | Default Value | -|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------| -| **user_ocid** | OCID of the Administrator. | Yes | None | -| **fingerprint** | Fingerprint of the Administrator. | Yes | None | -| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | -| **region** | Region of the Administrator. | Yes | None | -| **private_key_path** | Private Key Path of Administrator. | Yes | None | -| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | -| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | -| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | | -| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. | -| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance | -| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | -| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | -| **agcs_user_name** | New Access Governance User's name. | Yes | None | -| **agcs_user_email** | Email address for the user. | Yes | None | -| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | -| **agcs_user_ocid_oci_system** | Access Governance User's OCID. 
| Yes | None | -| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | -| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | -| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | -| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | -| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | -| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | OCID of the Security compartment created by baseline Landing Zone. | +| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Service Instance. | +| **service_instance_display_name** | Unique Access Governance Instance Display Name. | Yes | access-governance-instance | +| **ag_license_type** | Access Governance Instance License Type. 
Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" | Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | prod_agcs_user | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | prod_agcs_group | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | +| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | ## How to Execute @@ -68,25 +68,17 @@ key_file= #your specific path
Currently only production deployment is supported via stack deployment, to deploy in non-production environment, run the Access Governance Module as standalone deployment. Please change the working directory to oci-landing-zones/modules/access-governance and enable the provider lines and disable remaining lines, fill the terraform.tfvars and follow terraform CLI commands
### Via Resource Manager -Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in. -
Only new AGCS User scenario is supported via Resource Manager Deployment
- -1. Under **Working directory** select the directory *templates/enterprise-landing-zone* -2. Click Next. -3. Enter the values for required variables. -4. Click Next. -5. Click Next. -6. Click Apply. +Deployment via Resource Manager is currently not supported. ### Via Terraform CLI (Two Deployment Scenarios) #### Deployment Scenario 1: use_existing_agcs_user = false: -1. Enter required variables in terraform.tfvars, for examples refer examples.tfvars file +1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/new_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment. +An Access Governance Service instance will be deployed in the security compartment. ##### Oracle Access Governance Deployment: AGCS Group: A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. 
@@ -97,12 +89,12 @@ AGCS User which will be created in Default domain as the user needs visibility i ##### Oracle Access Governance Deployment: AGCS User Group Policy statements: 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` -3. `Allow GROUP / to read audit-events IN TENANCY` -4. `Allow GROUP / to manage domains IN TENANCY` +3. `ALLOW GROUP / to read audit-events IN TENANCY` +4. `ALLOW GROUP / to manage domains IN TENANCY` #### Deployment Scenario 2: use_existing_agcs_user = true: -1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample +1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/existing_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. @@ -121,7 +113,7 @@ AGCS User which will be created in Default domain as the user needs visibility i ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment. +An Access Governance Service instance will be deployed in the security compartment. ##### Oracle Access Governance Deployment: OCI system on Access Governance Instance: Cloud gateway system will be added as connected system to the service instance. @@ -134,4 +126,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or See [LICENSE](../../LICENSE) for more details. ## Known Issues -None. +None. \ No newline at end of file From 939baad6451a1a83aea5e3150fd395b4f69a6b15 Mon Sep 17 00:00:00 2001 
From: vinaykumar-oci Date: Thu, 29 Feb 2024 10:40:51 -0800 Subject: [PATCH 20/21] Official Document Changes as per New Refactoring Official Document Changes as per New Refactoring --- .../Architecture_Guide.md | 28 +++++++++++-------- .../OELZ_Baseline_Deployment/CONFIGURATION.md | 7 +++++ .../IMPLEMENTATION.md | 2 +- README.md | 2 +- RELEASE.md | 9 +++++- 5 files changed, 33 insertions(+), 15 deletions(-) diff --git a/Official_Documentation/OELZ_Baseline_Deployment/Architecture_Guide.md b/Official_Documentation/OELZ_Baseline_Deployment/Architecture_Guide.md index 84e32ffa..f8dba978 100644 --- a/Official_Documentation/OELZ_Baseline_Deployment/Architecture_Guide.md +++ b/Official_Documentation/OELZ_Baseline_Deployment/Architecture_Guide.md @@ -421,7 +421,7 @@ The following OCI cloud-native services will be implemented by OELZv2 to help yo - Cloud Guard - Vulnerability Scanning Service (VSS) - Vault (Key Management) -- Bastion + **Cloud Guard** 
@@ -455,19 +455,17 @@ OCI Vault is our cloud-native encryption management service that will be used in Please refer to [Vault (Key Management)](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm) for more details. -**Bastion** - -OCI Bastions provides restricted and time-limited access to target resources that don't have public endpoints, letting authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. This Landing Zone deployment will also include the OCI Bastion service which allows privileged users to connect from specified IP Addresses to target resources over Secure Shell (SSH). When connected via Bastion, users can interact with the target OCI resource by using any software or protocol supported by SSH. For example, you can use the Remote Desktop Protocol (RDP) to connect to a Windows host or use Oracle Net Services to connect to a database. The Bastion Service is associated with a single VCN and there is a limit of 5 Bastions per region. - -For more information, please see [OCI Bastion](https://docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm). ## **_Workload Module_** The workload expansion module is responsible for deploying the resources for an empty workload. It will deploy following resources: -* Compartment -* Network (Spoke) -* Logging -* Monitoring -* Policies and workload group + +- Compartment +- Network (Spoke) +- Logging +- Monitoring +- Policies and workload group +- Bastion + **Compartment** 
@@ -496,7 +494,13 @@ Same as the default workload, the monitoring structure contains following elemen - Monitor OCI service incidents and action required from OCI maintenance by subscribing to Console Announcements - Monitor Cloud Guard status (e.g. problemthresholdreached) by subscribing Cloud Guard events - Monitor VSS and Cloud Guard detected problem by subscribing Cloud Guard events -- Enable metrics-based monitoring of Network, Security, Logging and Workload compartments by creating sample alarm rules for the deployed service metrics namespaces +- Enable metrics-based monitoring of Network, Security, Logging and Workload compartments by creating sample alarm rules for the deployed service metrics namespaces. + +**Bastion** + +OCI Bastions provides restricted and time-limited access to target resources that don't have public endpoints, letting authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. This Landing Zone deployment will also include the OCI Bastion service which allows privileged users to connect from specified IP Addresses to target resources over Secure Shell (SSH). When connected via Bastion, users can interact with the target OCI resource by using any software or protocol supported by SSH. For example, you can use the Remote Desktop Protocol (RDP) to connect to a Windows host or use Oracle Net Services to connect to a database. The Bastion Service is associated with a single VCN and there is a limit of 5 Bastions per region. + +For more information, please see [OCI Bastion](https://docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm). **Policies and workload group** diff --git a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md index c82e7bd2..5c9ccb47 100644 --- a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md 
+++ b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md @@ -24,6 +24,13 @@ The required provider variables for the OELZ: | [region](#input\_region) | The OCI region to deploy the OELZ resources to. | `string` | n/a | yes | | [resource\_label](#input\_resource\_label) | The prefix used to avoid naming conflict | `string` | n/a | no | +## Environment Module + +By default, OELZ will deploy both the Production and Non-Production Environments. From Release v2.3.1 onwards, if end users don't need the Non-Proudction Environment, they can use the flag "is_nonprod_env_deploy" and set it to "false". + +| Name | Description | Type | Default | Required | +| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- | ------- | :------: | +| [is\_nonprod\_env\_deploy](#is\_nonprod\_env\_deploy) | Deployment of Non-Production Environment. | `bool` | `"true"` | yes (In case Non-Prod Env not needed) | ## Compartment Module diff --git a/Official_Documentation/OELZ_Baseline_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Baseline_Deployment/IMPLEMENTATION.md index 17cd3509..4d37d6ec 100644 --- a/Official_Documentation/OELZ_Baseline_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Baseline_Deployment/IMPLEMENTATION.md 
@@ -144,7 +144,7 @@ Environments are each full infrastructure deployments with their own hub-and-spo They are designed to ensure isolation between each environment. They can each contain multiple Workloads. -The Oracle Enterprise Landing Zone will initially set up two Environments: `Prod` and `Nonprod`. Infrastructure resources within each Environment will have a single letter abbreviation (such as `N` or `P`) to indicate which environment they are part of. +The Oracle Enterprise Landing Zone will initially set up two Environments: `Prod` and `Nonprod`. Infrastructure resources within each Environment will have a single letter abbreviation (such as `N` or `P`) to indicate which environment they are part of. From Release v2.3.1 onwards, if end users don't need the Non-Proudction Environment, they can use the flag "is_nonprod_env_deploy" and set it to "false". In the future, the `elz-environment` template will allow you to easily add new Environments to an existing Oracle Enterprise Landing Zone. diff --git a/README.md b/README.md index 83db571f..9c7a0926 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ at [Official_Documentation/OELZ_Workload_Deployment](./Official_Documentation/OE ## Deploy Using Oracle Resource Manager 1. Click to deploy the stack -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/archive/refs/tags/v2.3.0.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/archive/refs/tags/v2.3.1.zip) If you aren't already signed in, when prompted, enter the tenancy and user credentials. Review and accept the terms and conditions. 
diff --git a/RELEASE.md b/RELEASE.md index bdd66cd4..bc252349 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,6 +1,13 @@ # Release Notes -## v2.2.2 - 2023-1-19 +## v2.3.1 - 2024-2-29 +- Move Bastion resources to workload stack module. +- Added Flag to deploy Non-Production Environment as per customer need. +- Removed cloud guard target tenancy variable and changed default to Environment Home Compartment OCID. +- Added Access Governance Module on OELZ. + + +## v2.3.0 - 2024-1-19 - Added Multi-Region and Disaster Recovery Module. - Cloud Guard Key Replication from the Home Region to the Backup Region or vice-verse is currently not supported(Work in Progress). From a0999f7319900b157957b25c13a43af64d97893d Mon Sep 17 00:00:00 2001 From: vinaykumar-oci Date: Thu, 29 Feb 2024 13:19:33 -0800 Subject: [PATCH 21/21] Workload Admin Group Name Changes Workload Admin Group Name Changes --- templates/elz-identity/iam.tf | 2 +- templates/elz-workload/iam.tf | 22 +++++++++------------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/templates/elz-identity/iam.tf b/templates/elz-identity/iam.tf index a9dd8ba0..3e71a183 100644 --- a/templates/elz-identity/iam.tf +++ b/templates/elz-identity/iam.tf @@ -8,7 +8,7 @@ # ----------------------------------------------------------------------------- locals { identity_domain = { - domain_display_name = "${var.resource_label}-OCI-ELZ-${var.environment_prefix}-IDT" + domain_display_name = "${var.resource_label}-OCI-ELZ-${var.environment_prefix}-${local.region_key[0]}" domain_description = "OCI Landing Zone ${var.environment_prefix} Identity Domain" domain_license_type = var.domain_license_type domain_admin_user_name = "domainadmin" diff --git a/templates/elz-workload/iam.tf b/templates/elz-workload/iam.tf index c7400296..0528f722 100644 --- a/templates/elz-workload/iam.tf +++ b/templates/elz-workload/iam.tf 
@@ -8,7 +8,7 @@ # ----------------------------------------------------------------------------- locals { workload_compartment = { - name = var.workload_compartment_name != "" ? var.workload_compartment_name : "OCI-ELZ-${var.environment_prefix}-${var.workload_name}-${local.region_key[0]}" + name = var.workload_compartment_name != "" ? var.workload_compartment_name : "OCI-ELZ-${var.environment_prefix}-${var.workload_prefix}-${local.region_key[0]}" description = "Workload Compartment" } 
@@ -16,23 +16,22 @@ locals { workload_admin_group_name : var.workload_admin_group_name != "" ? var.workload_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-WRK-ADMIN", application_admin_group_name : var.application_admin_group_name != "" ? var.application_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-APP-ADMIN", database_admin_group_name : var.database_admin_group_name != "" ? var.database_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-DB-ADMIN", - database_admin_group_name : var.database_admin_group_name != "" ? var.database_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_name}-DB-ADMIN", - datasafe_admin_group_name : var.datasafe_admin_group_name != "" ? var.datasafe_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_name}-DTSAFE-ADMIN", - datasafe_reports_group_name : var.datasafe_reports_group_name != "" ? var.datasafe_reports_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_name}-DTSAFE-REPORTS", + datasafe_admin_group_name : var.datasafe_admin_group_name != "" ? var.datasafe_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-DTSAFE-ADMIN", + datasafe_reports_group_name : var.datasafe_reports_group_name != "" ? var.datasafe_reports_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-DTSAFE-REPORTS", } : { - workload_admin_group_name : var.workload_admin_group_name != "" ? var.workload_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-WRK-ADMIN", - application_admin_group_name : var.application_admin_group_name != "" ? var.application_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-APP-ADMIN", - database_admin_group_name : var.database_admin_group_name != "" ? var.database_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-DB-ADMIN", + workload_admin_group_name : var.workload_admin_group_name != "" ? 
var.workload_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-WRK-ADMIN", + application_admin_group_name : var.application_admin_group_name != "" ? var.application_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-APP-ADMIN", + database_admin_group_name : var.database_admin_group_name != "" ? var.database_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-DB-ADMIN", } base_group_names = { network_admin_group_name : var.network_admin_group_name != "" ? var.network_admin_group_name : "OOCI-ELZ-UGP-${var.environment_prefix}-${var.workload_prefix}-NET-ADMIN", } - identity_domain_name = var.identity_domain_name != "" ? var.identity_domain_name : "OCI-ELZ-${var.environment_prefix}-IDT" + identity_domain_name = var.identity_domain_name != "" ? var.identity_domain_name : "OCI-ELZ-${var.environment_prefix}-${var.workload_prefix}-${local.region_key[0]}" parent_compartment_names = { - security_compartment_name : var.security_compartment_name != "" ? var.security_compartment_name : "OCI-ELZ-${var.environment_prefix}-SRD-SEC" - environment_compartment_name : var.environment_compartment_name != "" ? var.environment_compartment_name : "OCI-ELZ-${var.environment_prefix}-CMP" + security_compartment_name : var.security_compartment_name != "" ? var.security_compartment_name : "OCI-ELZ-${var.environment_prefix}-${var.workload_prefix}-SRD-SEC" + environment_compartment_name : var.environment_compartment_name != "" ? var.environment_compartment_name : "OCI-ELZ-${var.environment_prefix}-${var.workload_prefix}-CMP" } workload_expansion_policy = { 
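Review bot: The new default for `identity_domain_name`, `OCI-ELZ-${var.environment_prefix}-${var.workload_prefix}-${local.region_key[0]}`, does not match the name the identity template now gives the domain (`${var.resource_label}-OCI-ELZ-${var.environment_prefix}-${local.region_key[0]}` in `templates/elz-identity/iam.tf`, earlier in this patch), so unless the workload stack deploys its own domain, every `Allow group ${local.identity_domain_name}/…` statement further down would, with default inputs, name a domain that does not exist and the workload admin groups would end up with no effective grants. The two defaults should be derived from the same inputs, or the workload template should require `identity_domain_name` to be passed in rather than defaulting it. The unchanged `network_admin_group_name` default still begins with `OOCI-ELZ-UGP-` (context line, pre-existing) and should read `OCI-ELZ-UGP-`. The `security_compartment_name` default now also embeds `workload_prefix`, which looks inconsistent with an environment-level security compartment; worth confirming against the baseline's naming. The `locals` block continues past the hunk.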
@@ -64,9 +63,6 @@ locals { "Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to manage database-family in compartment ${module.workload_compartment.compartment_name}", "Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to manage autonomous-databases in compartment ${module.workload_compartment.compartment_name}", "Allow group ${local.identity_domain_name}/${local.group_names["database_admin_group_name"]} to manage autonomous-container-databases in compartment ${module.workload_compartment.compartment_name}", - "Allow group ${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]} to inspect autonomous-vmclusters in compartment ${module.workload_compartment.compartment_name}", - # "Allow group ${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]} to inspect vmcluster-network in compartment ${module.workload_compartment.compartment_name}", - "Allow group ${local.identity_domain_name}/${local.group_names["exadata_infra_admin_group_name"]} to manage virtual-network-family in compartment ${module.workload_compartment.compartment_name}", "Allow group ${local.identity_domain_name}/${local.group_names["datasafe_reports_group_name"]} to manage data-safe-assessment-family in compartment ${module.workload_compartment.compartment_name}", "Allow group ${local.identity_domain_name}/${local.group_names["datasafe_reports_group_name"]} to read data-safe-report-definitions in compartment ${module.workload_compartment.compartment_name}",