Release 2.8.5 (#152)
* doc: Cleaned up OAG documentation in deployment guide

* bug: Fixed with debug statements for certificates appearing without debugging enabled

* Updates for "observations" texts.

* Dict cis_monitoring_checks updated.

* Added repos for network & database admins

* no message

* feat: Reduced adb function lines

* feat: Reduced adb function lines

* feat: Added debugging to __ons_read_subscriptions

* fix: Add additional policy to allow auditor group to review CIS and OBP

* fix: Added read for serviceconnectors to support OBP checks

* doc: Updated with the new Auditor Policy to support CIS and OBP checks

* feat: Added error logging for Tag defaults and ADB

* fix: Removed debug statement and reenabled pagination

* doc: Updated Release Version and Tested SDK

* doc: Added date placeholder

* doc: Added Cloud Guard Detector and Security Zone Rule Mapping

* doc: Updated release notes for release 2.8.3

* Revert "doc: Added Cloud Guard Detector and Security Zone Rule Mapping"

This reverts commit ee5e951.

* doc: Added Cloud Guard Detector and Security Zones Rule mapping

* doc: Updated release date

* Release 2.8.4

* Fixed issue and did some minor fixes in HTML code. Applied refactoring for duplicate code snippets, too.

* Small fix for using wrong quotes.

* Regression fixed.

* fix: Fix for hanging DRGs with no virtual circuits

* fix: Fixed a typo issue 148 in GitHub

* feat: Updated OSS Log retention to 90 days to align with CIS Safe Guard 8.10

* feat: Updated flow log retention to 90 days to align to CIS Safeguard 8.10

* fix: Added Try catch for hanging DRGs

* chore: Flake8 fix

* Updates for Issue 587

* feat: added policies for ZPR and OCI FW

* fix: IAM ZPR statements updated

* fix: zpr-security-attribute renamed to security-attribute-namespace in zpr statements

* fix: zpr-configuration added to ZPR policies

* feat: Ignoring PNG files

* doc: Updated CIS Benchmark version number to current number

* doc: Updated version of CIS OCI Benchmark to current

* Doc: Added release notes

* doc: Updated landing zone terraform version

* pipeline: added upgrading oci sdk for testing purposes

* fix: quote error CI/CD

* Update release-notes.md

* removing ci pipeline

---------

Co-authored-by: Andre Correa <[email protected]>
Co-authored-by: Olaf Heimburger <[email protected]>
Co-authored-by: KC Flynn <[email protected]>
Co-authored-by: Samratha S P <[email protected]>
5 people authored Oct 24, 2024
1 parent adcc451 commit 7dbf579
Showing 10 changed files with 1,165 additions and 993 deletions.
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -16,4 +16,5 @@ test/**
**/creds/**
**/tfvars/**
**/scripts/**/*.json
**/scripts/**/*.pkl
**/scripts/**/*.pkl
**/scripts/**/*.png
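Review bot: the `**/scripts/**/*.pkl` line appears as both the removed and the re-added line in a hunk counted as 2 additions and 1 deletion, which is the usual sign that the old file had no trailing newline; make sure the new last line `**/scripts/**/*.png` ends with a newline so the next addition does not churn the same line again. Ignoring the generated PNG dashboards next to the `.pkl` and `.json` outputs is the right call, since those files are produced from tenancy-specific findings and should not be committed by accident.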
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -44,7 +44,7 @@
1. [IAM](#arch-iam)
1. [Network](#arch-network)
1. [Diagram](#arch-diagram)
1. [Mapping to CIS OCI Benchmark v1.2](cis-architecture-mapping.md)
1. [Mapping to CIS OCI Benchmark v2.0.0](cis-architecture-mapping.md)
1. [Deployment Guide](DEPLOYMENT-GUIDE.md)
1. [Executing Instructions](#instructions)
1. [Terraform Configuration](terraform.md)
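Review bot: only the link text changes from v1.2 to v2.0.0 here; confirm that `cis-architecture-mapping.md` itself was updated to the v2.0.0 recommendation numbering, otherwise the table of contents promises a mapping that the linked page does not contain.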
Expand All @@ -57,7 +57,7 @@
1. [Frequently Asked Questions](FAQ.md)

## <a name="overview"></a>Overview
This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the [CIS OCI Foundations Benchmark v1.2](https://www.cisecurity.org/benchmark/oracle_cloud/).
This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the [CIS OCI Foundations Benchmark v2.0.0](https://www.cisecurity.org/benchmark/oracle_cloud/).

The template uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:

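Review bot: the benchmark version is now hard-coded in at least two places in README.md (this overview sentence and the mapping link in the hunk above), so the two can drift; state it once if the structure allows, and add a release-notes line saying the supported benchmark moved from v1.2 to v2.0.0, since the commit message only says the number was updated "to current" and operators of older deployments will want to know which recommendations changed. Minor wording: "helps organizations to comply with" reads better as "helps organizations comply with".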
35 changes: 34 additions & 1 deletion compliance-script.md
Expand Up @@ -61,6 +61,16 @@ pip3 install oci
pip3 install pytz
pip3 install requests
```
1. Libraries for Dashboard Graphics (optional)
```
pip3 install numpy
pip3 install matplotlib
```

1. Libraries for XLSX Output (optional)
```
pip3 install xlsxwriter
```

### Setup the script to run in a Cloud Shell Environment without a Python virtual environment
1. Download cis_reports.py: [https://raw.githubusercontent.com/oracle-quickstart/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py](https://raw.githubusercontent.com/oracle-quickstart/oci-cis-landingzone-quickstart/main/scripts/cis_reports.py)
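Review bot: the new list items are glued directly onto the closing fence with no blank line, and the fences carry no language tag; in GitHub-flavoured Markdown a `1.` line immediately after a fence frequently fails to continue the numbered list, so add a blank line before `1. Libraries for Dashboard Graphics (optional)` and before `1. Libraries for XLSX Output (optional)`, and tag the fences as ```shell. Separately, every `pip3 install` in this section is unpinned; shipping a requirements file with pinned versions (with `numpy`, `matplotlib` and `xlsxwriter` as an optional extra) keeps the reporting environment reproducible and lets users review exactly which third-party packages the compliance script pulls in.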
Expand All @@ -81,8 +91,16 @@ pip3 install oci
pip3 install pytz
pip3 install requests
```
1. Libraries for Dashboard Graphics (optional)
```
pip3 install numpy
pip3 install matplotlib
```


1. Libraries for XLSX Output (optional)
```
pip3 install xlsxwriter
```

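Review bot: this block is a verbatim copy of the optional-library instructions added to the virtual-environment section in the previous hunk, and it leaves a double blank line between the two items; rather than maintaining two copies that will drift, put the optional installs in a single subsection (or a `requirements-optional.txt`) and link to it from both setup paths.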
## <a name="output"></a>Output
The script loops through all regions used by the tenancy and all resource types referenced in the CIS OCI Foundations Benchmark and outputs a summary compliance report. Each report row corresponds to a recommendation in the OCI Foundations Benchmark and identifies if the tenancy is in compliance as well as the number of offending findings. The report summary columns read as:
Expand Down Expand Up @@ -437,3 +455,18 @@ To run on a local machine with the default profile and output raw data as well a
`Allow group SYSADMINS_PROD to manage object-family in compartment PROD where request.permission!='OBJECT_DELETE'`
The SYSADMIN_PROD group has access to [object-family](https://docs.oracle.com/en-us/iaas/Content/Identity/policyreference/objectstoragepolicyreference.htm#Details_for_Object_Storage_Archive_Storage_and_Data_Transfer) which includes buckets and objects. This means they would be able to delete a bucket violating the intent of the rule. Even though you can't delete a bucket with objects in it if you don't have permissions to the underlying objects you could delete an empty you created thus violating the intent.
1. Why are there no dashboard graphics in the HTML page?
* Creating dashboard graphics is optional and requires the presence of the Python library `matplotlib`. To get the dashboard
graphics, install the library.
1. Why is the XLSX file not created?
* Writing an XLSX file is optional and requires the presence of Python library `xslxwriter`. To get an XLSX ooutput file, install
the library.
## Known Issues
1. XLSX write will fail when cell values are too big
* This is a known limitation of Excel and will only happen if the xlsxwriter library has been installed. The XLSX writing
routine will be executed after the tenancy has been checked and all findings are written to CSV files. This issue does
not impact the overall verification result of script.
1. Diagrams are not part of the HTML page.
* This may be because of broken `numpy` installation. The following command should resolve this:
`pip3 install --upgrade --force-reinstall --user numpy`
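Review bot: two typos in the added FAQ text: `xslxwriter` should be `xlsxwriter` (the name used in the install command and in the Known Issues entry), and "ooutput" should be "output". The `## Known Issues` heading also needs a blank line before it to render as a heading rather than running on from the previous list item. On content, the FAQ attributes missing dashboard graphics to `matplotlib` alone while the Known Issues entry attributes missing diagrams to a broken `numpy` install; since the install step lists both, say in one place that both are required. Finally, `pip3 install --upgrade --force-reinstall --user numpy` writes to the user site-packages even for readers who followed the virtual-environment setup earlier in the document, so qualify when that command applies and prefer a plain reinstall inside the active environment.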
4 changes: 2 additions & 2 deletions config/iam_groups.tf
Expand Up @@ -237,8 +237,8 @@ locals {
#------------------------------------------------------------------------
#-- Access Governance Group
#------------------------------------------------------------------------
access_governance_group_key = "${var.service_label}-access-gorvernance-group"
default_access_governance_group_name = "access-gorvernance-group"
access_governance_group_key = "${var.service_label}-access-governance-group"
default_access_governance_group_name = "access-governance-group"
provided_access_governance_group_name = local.custom_access_governance_group_name != null ? local.custom_access_governance_group_name : "${var.service_label}-${local.default_access_governance_group_name}"

access_governance_group = length(var.existing_access_governance_group_name) == 0 && length(trimspace(var.rm_existing_access_governance_group_name)) == 0 && var.enable_access_governance_policies ? {
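Review bot: fixing the "gorvernance" typo changes both `access_governance_group_key` and `default_access_governance_group_name`; if that key indexes the IAM group resource map, tenancies deployed with 2.8.4 or earlier will see Terraform plan a destroy and recreate of the access governance group under the new key and name, and any policy statements that name `<service_label>-access-gorvernance-group` will stop matching a group that exists. Either add a `moved` block from the old key to the new one, or document in the release notes that upgrading deployments should set `existing_access_governance_group_name` (or `rm_existing_access_governance_group_name`) to the already-created group so the upgrade does not drop and recreate it.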