From b94671b555951654775a16fa4223c3b43fe2724e Mon Sep 17 00:00:00 2001
From: Josh Hammer
Date: Mon, 27 Nov 2023 17:41:34 -0500
Subject: [PATCH 01/19] fix: Changed tenancy_id to tenancy_ocid and user_id to user_ocid and added default value for user_ocid for ORM
---
 .../generic_workload_compartments/schema.yml | 12 +++--
 .../variables.tf | 49 ++-----------------
 2 files changed, 11 insertions(+), 50 deletions(-)

diff --git a/workloads/generic_workload_compartments/schema.yml b/workloads/generic_workload_compartments/schema.yml
index 4b0ceb33..441e9c15 100644
--- a/workloads/generic_workload_compartments/schema.yml
+++ b/workloads/generic_workload_compartments/schema.yml
@@ -10,6 +10,7 @@ locale: "en"
 variableGroups:
 - title: "Environment"
 variables:
+ - "region"
 - "service_label"
 - "existing_lz_enclosing_compartment_ocid"
 - "existing_lz_security_compartment_ocid"
@@ -26,8 +27,8 @@ variableGroups:
 - title: "Hidden Variables"
 visible: false
 variables:
- - "tenancy_id"
- - "user_id"
+ - "tenancy_ocid"
+ - "user_ocid"
 - "fingerprint"
 - "private_key_path"
 - "private_key_password"
@@ -85,10 +86,13 @@ variables:
 title: "Create Workload Dynamic Groups"
 # Variables not required to display to user
- tenancy_id:
+ tenancy_ocid:
 type: string
- user_id:
+ region:
+ type: string
+
+ user_ocid:
 type: string
 fingerprint:
diff --git a/workloads/generic_workload_compartments/variables.tf b/workloads/generic_workload_compartments/variables.tf
index 1d94faa6..cb6b5e59 100644
--- a/workloads/generic_workload_compartments/variables.tf
+++ b/workloads/generic_workload_compartments/variables.tf
@@ -4,7 +4,9 @@
 # ----- Environment
 # ------------------------------------------------------
 variable "tenancy_ocid" {}
-variable "user_ocid" {}
+variable "user_ocid" {
+ default = ""
+}
 variable "fingerprint" {
 default = ""
 }
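Review bot: `region` is added to the visible "Environment" group in the first hunk, yet its declaration in the third hunk sits under `# Variables not required to display to user` and the companion `tenancy_ocid`/`user_ocid` go into the "Hidden Variables" group, so the hunks disagree on whether the user is meant to pick a region. If Resource Manager supplies it, move `- "region"` into the "Hidden Variables" list; if it is user-selectable, take it out from under that comment and give it a `title` and `description` like the other visible inputs. A one-line comment next to the declaration stating which it is would keep the next edit from re-introducing the mismatch.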
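Review bot: `variable "user_ocid"` now defaults to `""`, which makes a missing user OCID indistinguishable from an intentionally empty one; outside Resource Manager an API-key run with an empty `user_ocid` will most likely fail inside the provider with an authentication error rather than at variable validation. Since `fingerprint` already carries the same empty default, the intent appears to be that these stay blank when Resource Manager supplies the credentials, so say so: `description = "User OCID for API-key authentication. Leave empty when deploying through OCI Resource Manager."`. A `validation` block rejecting a non-empty value that does not start with `ocid1.user.` would also make a mistyped OCID fail at plan time instead of at the first API call.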
@@ -21,51 +23,6 @@ variable "region" {
 }
 }
-#-------------------------------------------------------------
-#-- Arbitrary compartments topology
-#-------------------------------------------------------------
-# variable "compartments" {
-# description = "The compartments structure, given as a map of objects nested up to 6 levels."
-# type = map(object({
-# name = string
-# description = string
-# parent_id = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# children = map(object({
-# name = string
-# description = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# children = map(object({
-# name = string
-# description = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# children = map(object({
-# name = string
-# description = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# children = map(object({
-# name = string
-# description = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# children = map(object({
-# name = string
-# description = string
-# defined_tags = map(string)
-# freeform_tags = map(string)
-# }))
-# }))
-# }))
-# }))
-# }))
-# }))
-# default = {}
-# }
 variable "service_label" {
 description = "Prefix used in your CIS Landing Zone deployment."
 type = string

From 8656cb8fc3d949b432f27161a67cf50b47e20152 Mon Sep 17 00:00:00 2001
From: "Chris Johnson (A-Team)"
Date: Mon, 4 Dec 2023 18:28:38 +0000
Subject: [PATCH 02/19] Landing Zone logo SVG as black and white
---
 images/landing_zone__bw_.svg | 117 +++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 images/landing_zone__bw_.svg

diff --git a/images/landing_zone__bw_.svg b/images/landing_zone__bw_.svg
new file mode 100644
index 00000000..f6acadba
--- /dev/null
+++ b/images/landing_zone__bw_.svg
@@ -0,0 +1,117 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
From e799a3f7c326a191d28356537a0a1a20d5e94790 Mon Sep 17 00:00:00 2001
From: "Chris Johnson (A-Team)"
Date: Mon, 4 Dec 2023 18:29:25 +0000
Subject: [PATCH 03/19] Landing Zone logo SVG as in black, grey, and white
---
 images/landing_zone__gs_.svg | 117 +++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 images/landing_zone__gs_.svg

diff --git a/images/landing_zone__gs_.svg b/images/landing_zone__gs_.svg
new file mode 100644
index 00000000..33983a2c
--- /dev/null
+++ b/images/landing_zone__gs_.svg
@@ -0,0 +1,117 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
From 12478ea6da968218eb4c051d1370c6d880945b0a Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Mon, 4 Dec 2023 19:17:57 -0300
Subject: [PATCH 04/19] feat: policy for oke clusters added
---
 config/iam_service_policies.tf | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/config/iam_service_policies.tf b/config/iam_service_policies.tf
index 059f9474..61f0112f 100644
--- a/config/iam_service_policies.tf
+++ b/config/iam_service_policies.tf
@@ -18,6 +18,15 @@ module "lz_services_policy" {
 policies_configuration = local.services_policies_configuration
 }
+module "lz_oke_service_policy" {
+ depends_on = [null_resource.wait_on_compartments]
+ count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == false ? 1 : 0
+ source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7"
+ providers = { oci = oci.home }
+ tenancy_ocid = var.tenancy_ocid
+ policies_configuration = local.oke_service_policy_configuration
+}
+
 locals {
 #--------------------------------------------------------------------------
 #-- These variables are NOT meant to be overriden.
@@ -60,4 +69,25 @@ locals {
 enable_cis_benchmark_checks : true
 supplied_policies : local.services_policy
 }
+
+ oke_service_statements = ["Allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "Allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "Allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "Allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"]
+
+ oke_service_policy = {
+ ("${var.service_label}-oke-service-policy") : {
+ compartment_ocid = local.enclosing_compartment_id
+ name = "${var.service_label}-oke-service-policy"
+ description = "CIS Landing Zone policy for OKE service. It allows OKE clusters auto scale and use network resources in the network compartment."
+ statements = local.oke_service_statements
+ defined_tags = local.service_policy_defined_tags
+ freeform_tags = local.service_policy_freeform_tags
+ }
+ }
+
+ oke_service_policy_configuration = {
+ enable_cis_benchmark_checks : true
+ supplied_policies : local.oke_service_policy
+ }
 }

From 6957b01e2f1669488d1ad2fc6e4190e4dbeec516 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Mon, 4 Dec 2023 19:26:16 -0300
Subject: [PATCH 05/19] chore: policy description update and policy statement case
---
 config/iam_service_policies.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/iam_service_policies.tf b/config/iam_service_policies.tf
index 61f0112f..96a52d48 100644
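Review bot: The `manage instances` grant in `oke_service_statements` is compartment-wide: any principal of type `cluster` whose compartment is AppDev may manage every instance in AppDev, not only its own node pools, and the `private-ips`/`network-security-groups`/`subnets` grants likewise span the whole Network compartment. That appears to be the policy shape OKE needs for VCN-native pod networking, but the blast radius should be stated where the statements live, e.g. `# NOTE: 'manage instances' is compartment-wide; every OKE cluster in AppDev gets it, not only the cluster's own node pools.`. The `count` expression on the module also silently omits this policy whenever `enable_template_policies` is true, so operators using template policies must obtain these grants elsewhere; a comment on the module block or a sentence in the policy `description` should say so.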
--- a/config/iam_service_policies.tf
+++ b/config/iam_service_policies.tf
@@ -70,16 +70,16 @@ locals {
 supplied_policies : local.services_policy
 }
- oke_service_statements = ["Allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
- "Allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
- "Allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
- "Allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"]
+ oke_service_statements = ["allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ "allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"]
 oke_service_policy = {
 ("${var.service_label}-oke-service-policy") : {
 compartment_ocid = local.enclosing_compartment_id
 name = "${var.service_label}-oke-service-policy"
- description = "CIS Landing Zone policy 
for OKE service. It allows OKE clusters auto scale and use network resources in the network compartment."
+ description = "Landing Zone policy for OKE service. It allows OKE clusters to auto scale and to use network resources in the network compartment."
 statements = local.oke_service_statements
 defined_tags = local.service_policy_defined_tags
 freeform_tags = local.service_policy_freeform_tags

From 88355ae54c2992a0b48f97f92a697cc81537837f Mon Sep 17 00:00:00 2001
From: Josh Hammer
Date: Tue, 5 Dec 2023 14:00:31 -0500
Subject: [PATCH 06/19] feat: Added click to deploy links for OC2 and OC3
---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 6a057427..8b1f8d8b 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 [![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+* [*Deploy to other realms](#otherrealms)
 *If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
@@ -25,6 +26,7 @@
 1. [Compliance Checking](compliance-script.md)
 1. [Blog Posts](#documentation)
 1. [CIS OCI Foundations Benchmark Modules Collection](#modules)
+1. [Deploy to other Realms](#otherrealms)
 1. [Feedback](#feedback)
 1. [Known Issues](#known-issues)
 1. [Contribute](CONTRIBUTING.md)
@@ -135,6 +137,21 @@ The modules in this collection are designed for flexibility, are straightforward
 Using these modules does not require a user extensive knowledge of Terraform or OCI resource types usage. Users declare a JSON object describing the OCI resources according to each module’s specification and minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.
+
+## Deploy to Other regions
+
+**OC2 Realms**
+- [us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+
+**OC3 Realms**
+- [us-gov-ashburn-1](https://console.us-gov-ashburn-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [us-gov-chicago-1](https://console.us-gov-chicago-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [us-gov-phoenix-1](https://console.us-gov-phoenix-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+
+
 ## Feedback
 We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.

From 6dd09b3ed8eb4a1c357511f3a88d4a45037c62e6 Mon Sep 17 00:00:00 2001
From: Josh Hammer
Date: Tue, 5 Dec 2023 14:59:43 -0500
Subject: [PATCH 07/19] feat: Added drop down to deploy to other realms
---
 README.md | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 8b1f8d8b..6f6f5949 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,26 @@
-[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-* [*Deploy to other realms](#otherrealms)
+[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+*If you are logged into your OCI tenancy in the Commercial Realm (OC1), the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
+
+
+ To deploy to non-commercial realms and regions click here
+
+**OC2 Realm**
+- [ Deploy to us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+
+**OC3 Realm**
+- [Deploy to us-gov-ashburn-1](https://console.us-gov-ashburn-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-gov-chicago-1](https://console.us-gov-chicago-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-gov-phoenix-1](https://console.us-gov-phoenix-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. 
If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
+**OC4 Realm**
+- [Deploy to uk-gov-london-1](https://console.uk-gov-london-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to uk-gov-cardiff-1](https://console.uk-gov-cardiff-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+**OC10 Realm**
+- [Deploy to ap-dcc-canberra-1](https://oc10.cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+


  Check [CIS Landing Zone course](https://mylearn.oracle.com/ou/course/oci-landing-zone/123962/193003) in Oracle University for a comprehensive introduction.
@@ -10,6 +29,7 @@
   Also check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience.

+
 # CIS OCI Landing Zone Quick Start Template
 ![Landing_Zone_Logo](images/landing%20zone_300.png)
 ## Table of Contents
@@ -138,11 +158,12 @@ Using these modules does not require a user extensive knowledge of Terraform or
-## Deploy to Other regions
+## Deploy to Other Realms
+
 **OC2 Realms**
-- [us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-- [us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [ Deploy to us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
 **OC3 Realms**

From 4573c1748193178db3eb9e098e67ec94c729ad41 Mon Sep 17 00:00:00 2001
From: Josh Hammer
Date: Tue, 5 Dec 2023 15:04:39 -0500
Subject: [PATCH 08/19] fix: Removed the deploy to other realms TOC item
---
 README.md | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/README.md b/README.md
index 6f6f5949..6ce112a7 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,6 @@
 1. [Compliance Checking](compliance-script.md)
 1. [Blog Posts](#documentation)
 1. [CIS OCI Foundations Benchmark Modules Collection](#modules)
-1. [Deploy to other Realms](#otherrealms)
 1. [Feedback](#feedback)
 1. [Known Issues](#known-issues)
 1. [Contribute](CONTRIBUTING.md)
@@ -157,22 +156,6 @@ The modules in this collection are designed for flexibility, are straightforward
 Using these modules does not require a user extensive knowledge of Terraform or OCI resource types usage. Users declare a JSON object describing the OCI resources according to each module’s specification and minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.
-
-## Deploy to Other Realms
-
-
-**OC2 Realms**
-- [ Deploy to us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-- [Deploy to us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-
-
-**OC3 Realms**
-- [us-gov-ashburn-1](https://console.us-gov-ashburn-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-- [us-gov-chicago-1](https://console.us-gov-chicago-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-- [us-gov-phoenix-1](https://console.us-gov-phoenix-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
-
-
-
 ## Feedback
 We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.

From f9fdde4e6a60d1733eab3737d1b608b5976b9e89 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Wed, 6 Dec 2023 09:37:52 -0300
Subject: [PATCH 09/19] chore: variables names and policy description changed
---
 config/iam_service_policies.tf | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/config/iam_service_policies.tf b/config/iam_service_policies.tf
index 96a52d48..ed5d5331 100644
--- a/config/iam_service_policies.tf
+++ b/config/iam_service_policies.tf
@@ -18,13 +18,13 @@ module "lz_services_policy" {
 policies_configuration = local.services_policies_configuration
 }
-module "lz_oke_service_policy" {
+module "lz_oke_clusters_policy" {
 depends_on = [null_resource.wait_on_compartments]
 count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == false ? 1 : 0
 source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7"
 providers = { oci = oci.home }
 tenancy_ocid = var.tenancy_ocid
- policies_configuration = local.oke_service_policy_configuration
+ policies_configuration = local.oke_clusters_policy_configuration
 }
 locals {
@@ -70,24 +70,27 @@ locals {
 supplied_policies : local.services_policy
 }
- oke_service_statements = ["allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+ # Grants allowing OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment.
+ # In CIS Landing Zone, OKE clusters are defined in the AppDev compartment, while the network resources are defined in the Network compartment.
+ # Reference: https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm
+ oke_clusters_statements = ["allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
 "allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
 "allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
 "allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"]
- oke_service_policy = {
- ("${var.service_label}-oke-service-policy") : {
+ oke_clusters_policy = {
+ ("${var.service_label}-oke-clusters-policy") : {
 compartment_ocid = local.enclosing_compartment_id
- name = "${var.service_label}-oke-service-policy"
- description = "Landing Zone policy for OKE service. It allows OKE clusters to auto scale and to use network resources in the network compartment." 
- statements = local.oke_service_statements
+ name = "${var.service_label}-oke-clusters-policy"
+ description = "Landing Zone policy for OKE clusters. It allows OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment."
+ statements = local.oke_clusters_statements
 defined_tags = local.service_policy_defined_tags
 freeform_tags = local.service_policy_freeform_tags
 }
 }
- oke_service_policy_configuration = {
+ oke_clusters_policy_configuration = {
 enable_cis_benchmark_checks : true
- supplied_policies : local.oke_service_policy
+ supplied_policies : local.oke_clusters_policy
 }
 }

From fd29d0a0657e53e36bbf492364527676867fb696 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 10:44:41 -0300
Subject: [PATCH 10/19] fix: getting tenancy wide audit logs with "_Audit_Include_Subcompartment"
---
 config/data_sources.tf | 10 +---------
 config/mon_service_connector.tf | 6 +++---
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/config/data_sources.tf b/config/data_sources.tf
index 23590ed0..4c4fa93b 100644
--- a/config/data_sources.tf
+++ b/config/data_sources.tf
@@ -177,12 +177,4 @@ data "oci_identity_compartments" "exainfra" {
 data "oci_identity_tag_namespaces" "this" {
 compartment_id = var.tenancy_ocid
-}
-
-data "oci_identity_compartments" "all" {
- depends_on = [module.lz_compartments]
- compartment_id = var.tenancy_ocid
- compartment_id_in_subtree = true
- access_level = "ACCESSIBLE"
- state = "ACTIVE"
-}
+}
\ No newline at end of file
diff --git a/config/mon_service_connector.tf b/config/mon_service_connector.tf
index 51ddfe68..1c90f41d 100644
--- a/config/mon_service_connector.tf
+++ b/config/mon_service_connector.tf
@@ -21,9 +21,9 @@ locals {
 custom_policy_defined_tags = null
 custom_policy_freeform_tags = null
- audit_logs_sources = !var.extend_landing_zone_to_new_region ? [for cmp in data.oci_identity_compartments.all.compartments : {
- compartment_id = cmp.id
- log_group_id = "_Audit"
+ audit_logs_sources = !var.extend_landing_zone_to_new_region ? [{
+ compartment_id = var.tenancy_ocid
+ log_group_id = "_Audit_Include_Subcompartment"
 log_id = ""
 }] : []
 oss_logs_sources = [for k, v in module.lz_oss_logs.logs : {

From cedd19c2d66615548c222bddcfefc8da17246610 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 13:19:40 -0300
Subject: [PATCH 11/19] chore: typo fix
---
 config/schema.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/schema.yml b/config/schema.yml
index 14fdc5dd..9c771d7e 100644
--- a/config/schema.yml
+++ b/config/schema.yml
@@ -921,7 +921,7 @@ variables:
 enum:
 - STRICT
 - MEDIUM
- - LIGHTWEIGTH
+ - LIGHTWEIGHT
 - NONE
 visible:
 and:

From fb2d0a385f14f95bb30651c98bc99def444b48d0 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 13:19:59 -0300
Subject: [PATCH 12/19] doc: release notes and release bump
---
 release-notes.md | 12 ++++++++++++
 release.txt | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/release-notes.md b/release-notes.md
index e5c646d3..1d264d4a 100644
--- a/release-notes.md
+++ b/release-notes.md
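Review bot: Pointing `audit_logs_sources` at `var.tenancy_ocid` with `log_group_id = "_Audit_Include_Subcompartment"` changes the permission the service connector needs: it now reads audit logs for the entire tenancy through one source, so the connector's policy (outside this hunk) must grant audit-log read at tenancy scope, otherwise the connector may come up but ship nothing for compartments it cannot read. Please confirm that grant and record the reasoning next to the source, e.g. `# Tenancy-wide audit logs, including sub-compartments created after deployment; no per-compartment enumeration needed.`. The removed `data.oci_identity_compartments.all` also carried a `depends_on = [module.lz_compartments]`; that ordering is no longer needed for this literal source, but the locals block continues outside the hunk, so check nothing else relied on it.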
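Review bot: Correcting the enum value `LIGHTWEIGTH` to `LIGHTWEIGHT` in `config/schema.yml` is a behavioural change for Resource Manager, not only a typo fix: whatever Terraform `validation` or `locals` lookup consumes this variable (outside this hunk) must accept `LIGHTWEIGHT`, and any existing stack that stored `LIGHTWEIGTH` will fail schema validation on its next update unless the old spelling is still tolerated. Please confirm the consumer matches and mention the value change in the release notes.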
@@ -1,3 +1,15 @@
+# December 8, 2023 Release Notes - 2.7.1
+1. [Links to Deploy on non-commercial regions](#2-7-1-deploy-links)
+1. [Terraform Updates](#2-7-1-tf-updates)
+
+## Links to Deploy on non-commercial regions
+Links have been added to [README.md](./README.md) allowing the initiation of Terraform deployments in **non-commercial** regions through OCI Resource Manager service. The existing "Deploy to Oracle Cloud" button is unchanged, initiating deployments to commercial regions only. Use the links when deploying to Gov cloud.
+
+## Terraform Updates
+* *tenancy_ocid*, *user_ocid* and *region* variables are now hidden in [generic_workload_compartments](./workloads/generic_workload_compartments/) RMS UI.
+* IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
+* Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.
+
 # November 17, 2023 Release Notes - 2.7.0
 1. [CIS Compliance Script Gets Network Topology](#2-7-0-script-network-topology)
 1. [CIS Compliance Script Gets All Resources](#2-7-0-script-all-resources)
diff --git a/release.txt b/release.txt
index 1cec3486..fa026c72 100644
--- a/release.txt
+++ b/release.txt
@@ -1 +1 @@
-2.7.0
+2.7.1

From 3a9b99350be72ee43447e7e9bea9e3a4c584084f Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 16:37:09 -0300
Subject: [PATCH 13/19] fix: auditor grants in pre-config aligned with config
---
 pre-config/lz_groups_policies.tf | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/pre-config/lz_groups_policies.tf b/pre-config/lz_groups_policies.tf
index bf988696..ac29bccc 100644
--- a/pre-config/lz_groups_policies.tf
+++ b/pre-config/lz_groups_policies.tf
@@ -158,13 +158,19 @@ module "lz_groups_read_only_policy" {
 statements = [
 # Auditor
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to inspect all-resources in tenancy",
- "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read repos in tenancy",
- "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read objectstorage-namespaces in tenancy",
- "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read app-catalog-listing in tenancy",
- "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instance-images in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instances in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read load-balancers in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read buckets in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read nat-gateways in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read public-ips in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read file-family in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instance-configurations in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read network-security-groups in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read resource-availability in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read audit-events in tenancy",
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read users in tenancy",
- "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to inspect buckets in tenancy",
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to use cloud-shell in tenancy",
+ "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read vss-family in tenancy",
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read usage-budgets in tenancy",
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read usage-reports in tenancy",
 "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read data-safe-family in tenancy"
From 8572e404a61fa8998ca9fc90e2213f36580c0da8 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 17:55:44 -0300
Subject: [PATCH 14/19] feat: policy module version bumped
---
config/iam_template_policies.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/iam_template_policies.tf b/config/iam_template_policies.tf
index 4b8bc32a..f62ea05e 100644
--- a/config/iam_template_policies.tf
+++ b/config/iam_template_policies.tf
@@ -18,7 +18,7 @@ locals {
 module "lz_template_policies" {
 depends_on = [module.lz_top_compartment, module.lz_compartments, module.lz_groups, module.lz_dynamic_groups]
 count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == true ? 1 : 0
- source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7"
+ source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.8"
 providers = { oci = oci.home }
 tenancy_ocid = var.tenancy_ocid
 policies_configuration = local.template_policies_configuration
From 0a39126a35d920a03a6de1d579ed111823285f19 Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 8 Dec 2023 17:55:58 -0300
Subject: [PATCH 15/19] doc: release notes updated
---
release-notes.md | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
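Review bot: `read buckets in tenancy` replaces the removed `inspect buckets in tenancy`, which widens the auditor group's visibility from bucket listing to full bucket configuration; since the commit title says this mirrors the config module, a one-line comment above that statement recording the reason (for example `# read (not inspect) on buckets lets auditors verify bucket settings such as public access; object contents need a separate "objects" grant`) would keep the widening from looking accidental. The dropped `read repos`, `read objectstorage-namespaces`, `read app-catalog-listing` and `read instance-images` grants are not covered by `inspect all-resources`, so any auditor tooling that relied on those read calls should be checked before this is applied — I cannot see from the hunk whether anything depends on them. The `statements` list and the `module "lz_groups_read_only_policy"` block continue outside the hunk.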
diff --git a/release-notes.md b/release-notes.md
index 1d264d4a..e867ccb9 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -1,15 +1,19 @@
-# December 8, 2023 Release Notes - 2.7.1
-1. [Links to Deploy on non-commercial regions](#2-7-1-deploy-links)
+# December 10, 2023 Release Notes - 2.7.1
+1. [Links to Deploy in Non-commercial Regions](#2-7-1-deploy-links)
 1. [Terraform Updates](#2-7-1-tf-updates)
 
-## Links to Deploy on non-commercial regions
+## Links to Deploy in Non-commercial Regions
 Links have been added to [README.md](./README.md) allowing the initiation of Terraform deployments in **non-commercial** regions through OCI Resource Manager service. The existing "Deploy to Oracle Cloud" button is unchanged, initiating deployments to commercial regions only. Use the links when deploying to Gov cloud.
 
 ## Terraform Updates
+**config module**
 * *tenancy_ocid*, *user_ocid* and *region* variables are now hidden in [generic_workload_compartments](./workloads/generic_workload_compartments/) RMS UI.
 * IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
 * Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.
 
+**pre-config module**
+* Auditor grants in pre-config module aligned with auditor grants in config module.
+
 # November 17, 2023 Release Notes - 2.7.0
 1. [CIS Compliance Script Gets Network Topology](#2-7-0-script-network-topology)
 1. [CIS Compliance Script Gets All Resources](#2-7-0-script-all-resources)
From f2cf9dc84c568944acbacf120284b91195424e48 Mon Sep 17 00:00:00 2001
From: Josh Hammer Date: Thu, 4 Jan 2024 14:56:52 -0500 Subject: [PATCH 16/19] fix: Fixed edge case in __search_resources_in_root_compartment, added debugging and error output to the case as well --- scripts/cis_reports.py | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/scripts/cis_reports.py b/scripts/cis_reports.py index 1affa4a7..b4ac65cd 100644 --- a/scripts/cis_reports.py +++ b/scripts/cis_reports.py @@ -3375,13 +3375,17 @@ def __search_resources_in_root_compartment(self): for item in structured_search_all_resources: # ignoring global resources like IAM - if item.identifier.split('.')[3]: - record = { - "display_name": item.display_name, - "id": item.identifier, - "region": region_key - } - self.cis_foundations_benchmark_1_2['5.2']['Total'].append(item) + try: + if item.identifier.split('.')[3]: + record = { + "display_name": item.display_name, + "id": item.identifier, + "region": region_key + } + self.cis_foundations_benchmark_1_2['5.2']['Total'].append(item) + except: + self.__errors.append({"id" : "search_resources_in_root_compartment Invalid OCID", "error" : str(item)}) + debug(f'__search_resources_in_root_compartment: Invalid OCID: {str(item)}') except Exception as e: raise RuntimeError( From f759407b3ed16aaf4a3a1b66b6714104fdc281bd Mon Sep 17 00:00:00 2001 From: Josh Hammer Date: Thu, 4 Jan 2024 17:35:04 -0500 Subject: [PATCH 17/19] doc: Updated release version, release date, and SDK tested on --- scripts/cis_reports.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/cis_reports.py b/scripts/cis_reports.py index 1affa4a7..dde8f76a 100644 --- a/scripts/cis_reports.py +++ b/scripts/cis_reports.py @@ -27,7 +27,6 @@ import re import requests import pickle -#test try: from xlsxwriter.workbook import Workbook 
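Review bot: The new `except:` is bare, so it also swallows `KeyboardInterrupt`, `SystemExit` and any failure inside the `append` call, not only the malformed-identifier case the commit targets; narrowing it to `except (IndexError, AttributeError):` keeps the intended behaviour while letting everything else reach the outer `except Exception as e:`. The `record` dict moved into the `try` body is built but never read within the hunk (only `item` is appended), so it appears to be dead code that could go. Both the `self.__errors` entry and the `debug` line stringify the whole `item` object; logging just the identifier, e.g. `"error": str(getattr(item, 'identifier', item))`, would keep the error list and debug output readable. The `for` loop's enclosing `try` and the method `__search_resources_in_root_compartment` itself begin outside the hunk.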
@@ -36,9 +35,9 @@ except Exception: OUTPUT_TO_XLSX = False -RELEASE_VERSION = "2.7.0" -PYTHON_SDK_VERSION = "2.115.1" -UPDATED_DATE = "November 20, 2023" +RELEASE_VERSION = "2.7.1" +PYTHON_SDK_VERSION = "2.118.0" +UPDATED_DATE = "January 05, 2024" ########################################################################## From dc96dfed5a021e1f28366a26445e8e03dba1120e Mon Sep 17 00:00:00 2001 From: Josh Hammer Date: Thu, 4 Jan 2024 17:35:42 -0500 Subject: [PATCH 18/19] doc: Added release notes for resolution of issue 134 --- release-notes.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/release-notes.md b/release-notes.md index e867ccb9..3d9129ad 100644 --- a/release-notes.md +++ b/release-notes.md @@ -1,6 +1,7 @@ -# December 10, 2023 Release Notes - 2.7.1 +# January 10, 2024 Release Notes - 2.7.1 1. [Links to Deploy in Non-commercial Regions](#2-7-1-deploy-links) 1. [Terraform Updates](#2-7-1-tf-updates) +1. [Script Updates](#2-7-1-script-updates) ## Links to Deploy in Non-commercial Regions Links have been added to [README.md](./README.md) allowing the initiation of Terraform deployments in **non-commercial** regions through OCI Resource Manager service. The existing "Deploy to Oracle Cloud" button is unchanged, initiating deployments to commercial regions only. Use the links when deploying to Gov cloud. 
@@ -11,6 +12,10 @@ Links have been added to [README.md](./README.md) allowing the initiation of Ter
 * IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
 * Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.
 
+## Script Updates
+- Fixes:
+ - Added additional error handling in `__search_resources_in_root_compartment` to resolve [issue 134](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/issues/134)
+
 **pre-config module**
 * Auditor grants in pre-config module aligned with auditor grants in config module.
 
From ca5129f10fe2e4b000c601c430cf8deb0945cc0e Mon Sep 17 00:00:00 2001
From: Andre Correa
Date: Fri, 5 Jan 2024 10:52:25 -0300
Subject: [PATCH 19/19] doc: minor updates
---
release-notes.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/release-notes.md b/release-notes.md
index 3d9129ad..052b5f0c 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -1,4 +1,4 @@
-# January 10, 2024 Release Notes - 2.7.1
+# January 5, 2024 Release Notes - 2.7.1
 1. [Links to Deploy in Non-commercial Regions](#2-7-1-deploy-links)
 1. [Terraform Updates](#2-7-1-tf-updates)
 1. [Script Updates](#2-7-1-script-updates)
@@ -12,13 +12,13 @@ Links have been added to [README.md](./README.md) allowing the initiation of Ter
 * IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
 * Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.
 
-## Script Updates
-- Fixes:
- - Added additional error handling in `__search_resources_in_root_compartment` to resolve [issue 134](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/issues/134)
-
 **pre-config module**
 * Auditor grants in pre-config module aligned with auditor grants in config module.
 
+## Script Updates
+- Fixes:
+ - Added additional error handling in `__search_resources_in_root_compartment` to resolve [issue 134](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/issues/134).
+
 # November 17, 2023 Release Notes - 2.7.0
 1. [CIS Compliance Script Gets Network Topology](#2-7-0-script-network-topology)
 1. [CIS Compliance Script Gets All Resources](#2-7-0-script-all-resources)