Release 0.2.5 (#33)
* Release 0.2.1

* Release 0.2.2

* feat: TF < 1.3.0 restriction removed

* feat: TF binary equal or greater than 1.3.0 requirement added

* chore: release notes and version bump

* chore: release notes, tag and SPECs updated

* fix typo in dynamic groups that referred to domain groups

* fix: version = "<= 5.16.0" removed

* chore: release notes, version and spec updated

* feat: OCI FW and ZPR IAM policies added

* feat: examples updated

* chore: release notes and version update

* chore: release notes updated.

---------

Signed-off-by: Andre Correa <[email protected]>
Co-authored-by: Rory Nguyen <[email protected]>
Co-authored-by: josh_hammer <[email protected]>
3 people authored Nov 1, 2024
1 parent 6a5a73b commit 64297a2
Showing 9 changed files with 87 additions and 35 deletions.
8 changes: 8 additions & 0 deletions RELEASE-NOTES.md
@@ -1,3 +1,11 @@
# November 01, 2024 Release Notes - 0.2.5
## Updates
1. [Policies module](./policies/)
- Added IAM policies for OCI Network Firewall and ZPR.
- OCI Network Firewall granted manage permissions to Network admins.
- ZPR granted manage permissions to Security admins.


# October 07, 2024 Release Notes - 0.2.4
## Updates
1. [Identity Domains module](./identity-domains/)
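Review bot: the "Policies module" list is incomplete relative to the policy changes in this commit. Besides the Network admin manage grant on network-firewall-family, Security admins receive `use network-firewall-family` on the Network compartment, Network admins receive read on zpr-configuration, zpr-policy and security-attribute-namespace in tenancy, and Auditors receive read on those three plus network-firewall-family. The template-policies example also changes its compartment filter from `cislz = "vision"` to `cislz = "template-policies-example"`, which affects which compartments existing users of that example will match and belongs in the release notes.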
4 changes: 3 additions & 1 deletion compartments/examples/vision/README.md
@@ -1,6 +1,6 @@
# OCI Landing Zones IAM Compartments Module Example - Vision compartments

This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Base Landing Zone](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart).
This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Core Landing Zone](https://github.com/oci-landing-zones/terraform-oci-core-landingzone).

It creates the compartment topology as shown in the picture below:

Expand All @@ -23,6 +23,8 @@ Refer to [compartment's module README.md](../../README.md) for overall attribute

*TOP-CMP* defines two tag defaults. *COST-CENTER-TAG-DEFAULT* will automatically apply value "a1" to any resources created in *TOP-CMP* compartment and sub-compartments. *ENVIRONMENT-TAG-DEFAULT* will automatically require that users provide a value when creating resources in *TOP-CMP* compartment and sub-compartments.

The *cislz* and *cislz-cmp-type* freeform tags assigned to each compartment are used as lookups by [Template Policies Example](https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/policies/examples/template-policies).

**Note**: If the *automation_config* variable is provided, the example writes the compartments output to the specified OCI Object Storage bucket (write permissions are required on the bucket). The example can be easily changed to write the output to a local file instead. The output can be further used by another module that depends on these compartments.

3. In this folder, run the typical Terraform workflow:
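Review bot: the new paragraph at +26 names the *cislz* and *cislz-cmp-type* tags but not the values the Template Policies Example expects. State that *cislz* must be `template-policies-example` (the value hard-coded in input.auto.tfvars.template in this same commit) and that *cislz-cmp-type* must be one of the compartment types the policies example has metadata for; a reader who changes either tag value otherwise gets compartments that the policy example silently filters out.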
32 changes: 28 additions & 4 deletions compartments/examples/vision/input.auto.tfvars.template
Expand Up @@ -37,6 +37,10 @@ compartments_configuration = {
TOP-CMP = {
name = "vision-top-cmp",
description = "Vision Enclosing compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "enclosing"
}
#parent_id = null,
tag_defaults = {
COST-CENTER-TAG-DEFAULT = {
Expand All @@ -54,22 +58,42 @@ compartments_configuration = {
NETWORK-CMP = {
name = "vision-network-cmp",
description = "Vision Network compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "network"
}
},
SECURITY-CMP = {
name = "vision-security-cmp",
description = "Vision Security compartment",
description = "Vision Security compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "security"
}
},
APP-CMP = {
name = "vision-application-cmp",
description = "Vision Application compartment",
description = "Vision Application compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "application"
}
},
DB-CMP = {
name = "vision-database-cmp",
description = "Vision Database compartment",
description = "Vision Database compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "database"
}
},
EXACS-CMP = {
name = "vision-exainfra-cmp",
description = "Vision Exadata Cloud Service compartment",
description = "Vision Exadata Cloud Service compartment",
freeform_tags = {
cislz = "template-policies-example",
cislz-cmp-type = "exainfra"
}
}
}
}
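Review bot: the `description` lines for SECURITY-CMP, APP-CMP, DB-CMP and EXACS-CMP (e.g. `description = "Vision Security compartment",`) appear as both removed and added with identical text, so this hunk mixes whitespace-only churn with the real change; keeping the re-indentation out of the feature commit would make the added `freeform_tags` blocks easier to review. The `cislz-cmp-type` values introduced here (enclosing, network, security, application, database, exainfra) are used as direct map keys in policies/examples/template-policies/main.tf, so a typo in any of them fails that example at plan time; a comment next to the tags pointing at that dependency would help.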
2 changes: 2 additions & 0 deletions identity-domains/README.md
Expand Up @@ -22,9 +22,11 @@ This module requires Terraform binary version 1.3.0 or greater, as it relies on
### IAM Permissions

This module requires the following OCI IAM permission:

```
Allow group <group> to manage domains in tenancy
```

## <a name="invoke">How to Invoke the Module</a>

Terraform modules can be invoked locally or remotely.
4 changes: 2 additions & 2 deletions policies/examples/template-policies/README.md
Expand Up @@ -2,9 +2,9 @@

## Introduction

This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam-modules/compartments/examples/vision.
This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/compartments/examples/vision.

For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "vision". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment.
For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "template-policies-example". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment.

For tenancy level policies (policies attached to Root compartment), a list of group names with their respective roles are passed to the module via the *groups_with_tenancy_level_roles* attribute.

4 changes: 2 additions & 2 deletions policies/examples/template-policies/main.tf
Expand Up @@ -74,8 +74,8 @@ locals {
name : cmp.name,
id : cmp.id,
cislz_metadata : local.cislz_compartments_metadata[cmp.freeform_tags["cislz-cmp-type"]] #-- This example expects compartments to be freeform tagged with "cislz-cmp-type", so it can figure out the compartments intent and associate it with the appropriate metadata.
}
if lookup(cmp.freeform_tags, "cislz","") == "vision" #-- The compartments we are interested are freeform tagged as {"cislz" : "vision"} but you could identify the compartments through some other attributes that makes sense to your deployment.
}
if lookup(cmp.freeform_tags, "cislz","") == "template-policies-example" #-- The compartments we are interested are freeform tagged as {"cislz" : "template-policies-example"} but you could identify the compartments through some other attributes that makes sense to your deployment.
}

policies_configuration = {
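Review bot: `local.cislz_compartments_metadata[cmp.freeform_tags["cislz-cmp-type"]]` at +76 indexes both maps directly, so any compartment that passes the `cislz` filter at +78 but lacks a `cislz-cmp-type` tag, or carries a value with no metadata entry, fails the plan with a bare key error; consider `lookup(cmp.freeform_tags, "cislz-cmp-type", null)` and a `lookup` with a default on the metadata map (or a precondition with a clear message) so the failure names the offending compartment. The literal `"template-policies-example"` is now repeated in this file, the README and the tfvars template; hoisting it into a local or variable keeps the three from drifting again.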
6 changes: 4 additions & 2 deletions policies/network_cmp_policy.tf
Expand Up @@ -39,7 +39,8 @@ locals {
"allow group ${values["net-group"]} to manage metrics in compartment ${values["name"]}",
"allow group ${values["net-group"]} to manage keys in compartment ${values["name"]}",
"allow group ${values["net-group"]} to use key-delegate in compartment ${values["name"]}",
"allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}"
"allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}",
"allow group ${values["net-group"]} to manage network-firewall-family in compartment ${values["name"]}"
#"allow group ${values["net-group"]} to read instance-agent-plugins in compartment ${values["name"]}"
] : []
}
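Review bot: the new `manage network-firewall-family` statement at +43 is placed ahead of the commented-out instance-agent-plugins line at +44 without a trailing comma, so whoever re-enables that comment must also add a comma to the line above; putting the comma on the new line (HCL accepts a trailing comma in a list) avoids that trap. Also confirm the intended ownership split: this hunk gives Network admins `manage` over the whole firewall family while the next hunk gives Security admins only `use`; a one-line comment stating that firewall policy content is a Network admin responsibility here would save the next reader from guessing.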
Expand All @@ -61,7 +62,8 @@ locals {
#-- Security admin grants on Network compartment
security_admin_grants_on_network_cmp_map = {
for k, values in local.cmp_name_to_cislz_tag_map : k => (contains(split(",",values["cmp-type"]),"network") && values["sec-group"] != null) ? [
"allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}"
"allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}",
"allow group ${values["sec-group"]} to use network-firewall-family in compartment ${values["name"]}"
] : []
}

60 changes: 37 additions & 23 deletions policies/root_cmp_policy.tf
Expand Up @@ -94,10 +94,19 @@ locals {
security_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.security_role) ? [
"allow group ${local.security_group_names} to manage cloudevents-rules in tenancy",
"allow group ${local.security_group_names} to manage cloud-guard-family in tenancy",
"allow group ${local.security_group_names} to read tenancies in tenancy"
"allow group ${local.security_group_names} to read tenancies in tenancy",
"allow group ${local.security_group_names} to manage zpr-configuration in tenancy",
"allow group ${local.security_group_names} to manage zpr-policy in tenancy",
"allow group ${local.security_group_names} to manage security-attribute-namespace in tenancy"
#"allow group ${local.security_group_names} to read objectstorage-namespaces in tenancy"
] : []

network_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.network_role) ? [
"allow group ${local.network_group_names} to read zpr-configuration in tenancy",
"allow group ${local.network_group_names} to read zpr-policy in tenancy",
"allow group ${local.network_group_names} to read security-attribute-namespace in tenancy"
] : []

objectstorage_read_grantees = compact(
concat(contains(keys(local.group_name_map_transpose),local.network_role) ? [local.network_group_names] : [],
contains(keys(local.group_name_map_transpose),local.security_role) ? [local.security_group_names] : [],
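Review bot: the new `network_admin_grants_on_root_cmp` local at +104 uses the same `contains(keys(local.group_name_map_transpose), local.network_role)` guard as the other role lists, which is correct. Two points: the security admin list at +100/+101 again ends with an element without a trailing comma followed by a commented-out `objectstorage-namespaces` statement, so re-enabling the comment breaks the list; and the split introduced here has Security admins `manage` zpr-configuration, zpr-policy and security-attribute-namespace in tenancy while Network admins only `read` them, even though ZPR policies control network reachability. If that is deliberate, a short comment on the rationale belongs next to these lists.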
Expand Down Expand Up @@ -126,27 +135,31 @@ locals {
] : []

auditor_grants = contains(keys(local.group_name_map_transpose),local.auditor_role) ? [
"allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
"allow group ${local.auditor_group_names} to read instances in tenancy",
"allow group ${local.auditor_group_names} to read load-balancers in tenancy",
"allow group ${local.auditor_group_names} to read buckets in tenancy",
"allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
"allow group ${local.auditor_group_names} to read public-ips in tenancy",
"allow group ${local.auditor_group_names} to read file-family in tenancy",
"allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
"allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
"allow group ${local.auditor_group_names} to read resource-availability in tenancy",
"allow group ${local.auditor_group_names} to read audit-events in tenancy",
"allow group ${local.auditor_group_names} to read users in tenancy",
"allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
"allow group ${local.auditor_group_names} to read vss-family in tenancy",
"allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
"allow group ${local.auditor_group_names} to read usage-reports in tenancy",
"allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
"allow group ${local.auditor_group_names} to read vaults in tenancy",
"allow group ${local.auditor_group_names} to read keys in tenancy",
"allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
"allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}"
"allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
"allow group ${local.auditor_group_names} to read instances in tenancy",
"allow group ${local.auditor_group_names} to read load-balancers in tenancy",
"allow group ${local.auditor_group_names} to read buckets in tenancy",
"allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
"allow group ${local.auditor_group_names} to read public-ips in tenancy",
"allow group ${local.auditor_group_names} to read file-family in tenancy",
"allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
"allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
"allow group ${local.auditor_group_names} to read resource-availability in tenancy",
"allow group ${local.auditor_group_names} to read audit-events in tenancy",
"allow group ${local.auditor_group_names} to read users in tenancy",
"allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
"allow group ${local.auditor_group_names} to read vss-family in tenancy",
"allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
"allow group ${local.auditor_group_names} to read usage-reports in tenancy",
"allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
"allow group ${local.auditor_group_names} to read vaults in tenancy",
"allow group ${local.auditor_group_names} to read keys in tenancy",
"allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
"allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}",
"allow group ${local.auditor_group_names} to read zpr-configuration in tenancy",
"allow group ${local.auditor_group_names} to read zpr-policy in tenancy",
"allow group ${local.auditor_group_names} to read security-attribute-namespace in tenancy",
"allow group ${local.auditor_group_names} to read network-firewall-family in tenancy"
] : []

announcement_reader_grants = contains(keys(local.group_name_map_transpose),local.announcement_reader_role) ? [
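Review bot: the existing auditor statements from `inspect all-resources` through `use ons-family` are shown as removed and re-added with identical text, so the substantive change in this hunk is the trailing comma on the ons-family statement and the four new `read` grants at +159 to +162; separating the whitespace change from the feature change would reduce this hunk to those five lines. The new grants are read-only and consistent with the auditor role as defined by the rest of the list.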
Expand All @@ -155,7 +168,8 @@ locals {

root_cmp_admin_grants = concat(local.cost_admin_grants_on_root_cmp,local.iam_admin_grants_on_root_cmp,
local.iam_admin_grants_on_enclosing_cmp,local.cred_admin_grants_on_root_cmp,
local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp)
local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp,
local.network_admin_grants_on_root_cmp)

root_cmp_nonadmin_grants = concat(local.basic_grants_on_root_cmp,local.application_admin_grants_on_enclosing_cmp,
local.auditor_grants,local.announcement_reader_grants, local.objectstorage_read_on_root_cmp)
2 changes: 1 addition & 1 deletion release.txt
@@ -1 +1 @@
0.2.4
0.2.5