Release 0.1.5 (#7)
* Replace README.md

* Update README.md

* Update README.md

* Release 0.1.4

* fix: dynamic runtime dependency issue in local.target_host_scan_cmps

* feat: tenancy_ocid attr moved to standalone variable. reporting_region defaults to tenancy home region

* doc: updates

* doc: release notes and version bump

* doc: updates

* Add vault replication

* add example for vault replica

* update example of vault replicas

* update vault replica config to one variable

* doc: updates

---------

Signed-off-by: Andre Correa <[email protected]>
Co-authored-by: CINTHIA JIMENEZ <[email protected]>
Co-authored-by: Yupei Yang <[email protected]>
3 people authored May 22, 2024
1 parent 11975b0 commit a20b002
Showing 24 changed files with 174 additions and 53 deletions.
19 changes: 18 additions & 1 deletion RELEASE-NOTES.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,24 @@
# May 22, 2024 Release Notes - 0.1.5

## Updates
1. [Vaults module](./vaults/)
- Virtual private vaults can now be configured for cross-region replication via the newly added *replica-region* attribute. Only applicable to virtual private vaults (VPVs).
2. [Security Zones module](./security-zones/)
- *tenancy_ocid* attribute, once required in the *security_zones_configuration*, becomes a variable of its own.
- *reporting_region* attribute of *security_zones_configuration* defaults to tenancy home region if not defined.

## Fixes
1. [VSS module](./vss/)
- dynamic runtime dependency issue in *local.target_host_scan_cmps*. [Issue 541](https://orahub.oci.oraclecorp.com/nace-shared-services/cis-oci-landing-zone/-/issues/541).


# April 16, 2024 Release Notes - 0.1.4

## Updates
1. [Cloud Guard module](./cloud-guard/): ability to use "TENANCY-ROOT" key for referring to tenancy OCID in *cloud_guard_configuration*. *tenancy_ocid* becomes a variable of its own.
2. All modules: all dependency variables are now strongly typed, enhancing usage guidance.


# March 20, 2024 Release Notes - 0.1.3

## New
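Review bot: the 0.1.5 "Security Zones module" entry describes a breaking change without saying so. Moving *tenancy_ocid* out of *security_zones_configuration* means any existing tfvars that still sets `tenancy_ocid` inside that object will no longer match the object type constraint shown in security-zones/SPEC.md, so consumers need a migration step (set the new top-level *tenancy_ocid* variable and drop the attribute from the object). Consider marking the entry as breaking and stating that step. Separately, the "Issue 541" link under Fixes points at an internal host (orahub.oci.oraclecorp.com) that readers of the public repository cannot reach; either link a public tracker entry or keep the issue number as plain text.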
Expand All @@ -13,14 +28,15 @@
1. Examples code in all modules updated with remote source references.
2. Examples documentation in all modules updated with remote link references.


# January 08, 2024 Release Notes - 0.1.2

## Updates
### All Modules
1. All modules now accept null value as the input variable assignment. This allows for easier automation of composed solutions.

## Updates
1. [VSS Module](#0-1-1-vss-updates)
1. [VSS module](#0-1-1-vss-updates)

### <a name="0-1-1-vss-updates">VSS Module</a>
1. *image_count* attribute in *container_recipes* defaulted to 1.
Expand All @@ -30,6 +46,7 @@
5. *host_recipe_id* can be assigned either a literal OCID or a referring key from *host_recipes*.
6. *container_recipe_id* can be assigned either a literal OCID or a referring key from *container_recipes*.


# July 03, 2023 Release Notes - 0.1.0

## New
12 changes: 5 additions & 7 deletions cloud-guard/README.md
Expand Up @@ -71,10 +71,9 @@ For referring to a specific module version, append *ref=\<version\>* to the *sou
## <a name="functioning">Module Functioning</a>

In this module, Cloud Guard settings are defined using the *cloud_guard_configuration* object, that supports the following attributes:
- **tenancy_ocid**: the tenancy OCID.
- **default_defined_tags**: the default defined tags that are applied to all resources managed by this module. It can be overriden by *defined_tags* attribute in each resource.
- **default_freeform_tags**: the default freeform tags that are applied to all resources managed by this module. It can be overriden by *freeform_tags* attribute in each resource.
- **reporting_region**: the Cloud Guard reporting region, where all API calls, except reads, are made on. You can choose the reporting region among the available regions when enabling Cloud Guard. After Cloud Guard is enabled, you cannot change the reporting region without disabling and re-enabling Cloud Guard. Setting this attribute is required if Cloud Guard is enabled by this module.
- **default_defined_tags**: the default defined tags that are applied to all resources managed by this module. It can be overridden by *defined_tags* attribute in each resource.
- **default_freeform_tags**: the default freeform tags that are applied to all resources managed by this module. It can be overridden by *freeform_tags* attribute in each resource.
- **reporting_region**: the Cloud Guard reporting region, where all API calls, except reads, are made on. You can choose the reporting region among the available regions when enabling Cloud Guard. After Cloud Guard is enabled, you cannot change the reporting region without disabling and re-enabling Cloud Guard. Setting this attribute is required if Cloud Guard is enabled by this module. It defaults to tenancy home region if undefined.
- **self_manage_resources**: whether Oracle managed resources are created by customers. Default: false.
- **cloned_recipes_prefix**: a prefix to cloned recipe names. Default: "oracle-cloned-".
- **targets**: the Cloud Guard targets.
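Review bot: the updated **reporting_region** bullet contradicts itself. It still says "Setting this attribute is required if Cloud Guard is enabled by this module" and then adds "It defaults to tenancy home region if undefined." Since the attribute now has a default, the "required" sentence should go, for example: "If undefined, it defaults to the tenancy home region; note that once Cloud Guard is enabled, the reporting region cannot be changed without disabling and re-enabling Cloud Guard." The same wording appears in security-zones/README.md and should be fixed there too. Also, now that the **tenancy_ocid** bullet is removed from the *cloud_guard_configuration* list, a sentence pointing readers to the standalone *tenancy_ocid* input variable would save them a trip to SPEC.md.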
Expand All @@ -101,8 +100,7 @@ The *targets* attribute supports the following attributes:
The following snippet enables Cloud Guard service (if not already enabled), setting Ashburn as the reporting region and defining two targets. Both targets monitor compartments under *resource_ocid* compartment and are created in *resource_ocid* compartment. First target (*CLOUD-GUARD-TARGET-1*) uses Oracle provided recipes while the second one (*CLOUD-GUARD-TARGET-2*) uses cloned recipes.
```
cloud_guard_configuration = {
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaa...nuq"
reporting_region = "us-ashburn-1"
reporting_region = "us-ashburn-1" # It defaults to tenancy home region if undefined.
targets = {
CLOUD-GUARD-TARGET-1 = {
Expand All @@ -127,7 +125,7 @@ Rewriting the example above with the external dependency:

```
cloud_guard_configuration = {
reporting_region = "us-ashburn-1"
reporting_region = "us-ashburn-1" # It defaults to tenancy home region if undefined.
targets = {
CLOUD-GUARD-TARGET-1 = {
2 changes: 1 addition & 1 deletion release.txt
@@ -1 +1 @@
0.1.4
0.1.5
10 changes: 3 additions & 7 deletions security-zones/README.md
Expand Up @@ -71,12 +71,11 @@ For referring to a specific module version, append *ref=\<version\>* to the *sou
## <a name="functioning">Module Functioning</a>

In this module, Security Zones settings are defined using the *security_zones_configuration* object, that supports the following attributes:
- **tenancy_ocid**: the tenancy OCID.
- **default_cis_level**: the default CIS level setting for all recipes with an unspecified *cis_level* attribute. Valid values: "1" and "2". Default: "1". See [CIS Level Setting](#cis_level_setting) for details.
- **default_defined_tags**: the default defined tags that are applied to all resources managed by this module. It can be overriden by *defined_tags* attribute in each resource.
- **default_freeform_tags**: the default freeform tags that are applied to all resources managed by this module. It can be overriden by *freeform_tags* attribute in each resource.
- **default_security_policies_ocids**: a list of default security zone policies OCIDs for all recipes with an unspecified *security_policies_ocids* attribute. These are merged with CIS security zone policies driven off *cis_level* attribute.
- **reporting_region**: the Cloud Guard reporting region, where all API calls, except reads, are made on. You can choose the reporting region among the available regions when enabling Cloud Guard. After Cloud Guard is enabled, you cannot change the reporting region without disabling and re-enabling Cloud Guard. Setting this attribute is required if Cloud Guard is enabled by this module.
- **reporting_region**: the Cloud Guard reporting region, where all API calls, except reads, are made on. You can choose the reporting region among the available regions when enabling Cloud Guard. After Cloud Guard is enabled, you cannot change the reporting region without disabling and re-enabling Cloud Guard. Setting this attribute is required if Cloud Guard is enabled by this module. It defaults to tenancy home region if undefined.
- **self_manage_resources**: whether Oracle managed resources are created by customers. Default: false.
- **recipes**: the Security Zone recipes. A recipe is a set of policies.
- **security_zones**: the Security Zones.
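Review bot: the new **reporting_region** text keeps "Setting this attribute is required if Cloud Guard is enabled by this module" while adding "It defaults to tenancy home region if undefined"; both cannot be true. Drop the "required" sentence and keep the default plus the caveat that the reporting region cannot be changed without disabling and re-enabling Cloud Guard. As with cloud-guard/README.md, removing the **tenancy_ocid** bullet leaves no hint in this section that the tenancy OCID is now supplied through the standalone *tenancy_ocid* variable; a one-line pointer here would help.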
Expand Down Expand Up @@ -131,8 +130,7 @@ The following snippet enables Cloud Guard service (if not already enabled), sett

```
security_zones_configuration = {
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaa...nuq"
reporting_region = "us-ashburn-1"
reporting_region = "us-ashburn-1" # It defaults to tenancy home region if undefined.
recipes = {
CIS-L1-RECIPE = {
Expand Down Expand Up @@ -166,9 +164,7 @@ Rewriting the example above with the external dependency:

```
security_zones_configuration = {
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaa...nuq"
reporting_region = "us-ashburn-1"
reporting_region = "us-ashburn-1" # It defaults to tenancy home region if undefined.
recipes = {
CIS-L1-RECIPE = {
name = "vision-security-zone-cis-level-1-recipe"
5 changes: 4 additions & 1 deletion security-zones/SPEC.md
Expand Up @@ -23,6 +23,8 @@ No modules.
| [oci_cloud_guard_security_zone.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/cloud_guard_security_zone) | resource |
| [oci_cloud_guard_cloud_guard_configuration.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/cloud_guard_cloud_guard_configuration) | data source |
| [oci_cloud_guard_security_policies.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/cloud_guard_security_policies) | data source |
| [oci_identity_regions.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_regions) | data source |
| [oci_identity_tenancy.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_tenancy) | data source |

## Inputs

Expand All @@ -31,7 +33,8 @@ No modules.
| <a name="input_compartments_dependency"></a> [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | <pre>map(object({<br> id = string # the compartment OCID<br> }))</pre> | `null` | no |
| <a name="input_enable_output"></a> [enable\_output](#input\_enable\_output) | Whether Terraform should enable module output. | `bool` | `true` | no |
| <a name="input_module_name"></a> [module\_name](#input\_module\_name) | The module name. | `string` | `"security-zones"` | no |
| <a name="input_security_zones_configuration"></a> [security\_zones\_configuration](#input\_security\_zones\_configuration) | Security Zones configuration. | <pre>object({<br> tenancy_ocid = string # The tenancy OCID<br> default_cis_level = optional(string) # The default CIS level for all recipes with an unspecified cis_level. Valid values: "1" and "2". Default: "1"<br> default_security_policies_ocids = optional(list(string)) # The list of default Security Zone policies OCIDs for all recipes with an unspecified security_policies_ocids. These are merged with CIS Security Zone policies driven off cis_level.<br> default_defined_tags = optional(map(string))<br> default_freeform_tags = optional(map(string))<br> reporting_region = optional(string) # the reporting region.<br> self_manage_resources = optional(bool) # whether Oracle managed resources are created by customers. Default: false.<br> <br> recipes = optional(map(object({<br> name = string<br> compartment_id = string # the compartment where the Security Zone Recipe is created. It can be either the compartment OCID or a reference (a key) to the compartment OCID.<br> description = optional(string)<br> cis_level = optional(string) # Valid values: "1" and "2". Default: "1"<br> security_policies_ocids = optional(list(string)) # List of default Security Zone policies OCIDs that are merged with CIS Security Zone policies. These are merged with CIS Security Zone policies driven off cis_level.<br> defined_tags = optional(map(string))<br> freeform_tags = optional(map(string))<br> })))<br><br> security_zones = map(object({<br> name = string # The Security Zone name.<br> compartment_id = string # The Security Zone compartment. It can be either the compartment OCID or a reference (a key) to the compartment OCID. Any existing Cloud Guard target for this compartment is replaced with the security zone. 
The security zone includes the default Oracle-managed configuration and activity detector recipes in Cloud Guard, and also scans resources in the zone for policy violations.<br> recipe_key = string # The recipe key in recipes attribute.<br> description = optional(string) # The security zone description.<br> defined_tags = optional(map(string))<br> freeform_tags = optional(map(string))<br> })) <br> })</pre> | `null` | no |
| <a name="input_security_zones_configuration"></a> [security\_zones\_configuration](#input\_security\_zones\_configuration) | Security Zones configuration. | <pre>object({<br> default_cis_level = optional(string) # The default CIS level for all recipes with an unspecified cis_level. Valid values: "1" and "2". Default: "1"<br> default_security_policies_ocids = optional(list(string)) # The list of default Security Zone policies OCIDs for all recipes with an unspecified security_policies_ocids. These are merged with CIS Security Zone policies driven off cis_level.<br> default_defined_tags = optional(map(string))<br> default_freeform_tags = optional(map(string))<br> reporting_region = optional(string) # the reporting region.<br> self_manage_resources = optional(bool) # whether Oracle managed resources are created by customers. Default: false.<br> <br> recipes = optional(map(object({<br> name = string<br> compartment_id = string # the compartment where the Security Zone Recipe is created. It can be either the compartment OCID or a reference (a key) to the compartment OCID.<br> description = optional(string)<br> cis_level = optional(string) # Valid values: "1" and "2". Default: "1"<br> security_policies_ocids = optional(list(string)) # List of default Security Zone policies OCIDs that are merged with CIS Security Zone policies. These are merged with CIS Security Zone policies driven off cis_level.<br> defined_tags = optional(map(string))<br> freeform_tags = optional(map(string))<br> })))<br><br> security_zones = map(object({<br> name = string # The Security Zone name.<br> compartment_id = string # The Security Zone compartment. It can be either the compartment OCID or a reference (a key) to the compartment OCID. Any existing Cloud Guard target for this compartment is replaced with the security zone. 
The security zone includes the default Oracle-managed configuration and activity detector recipes in Cloud Guard, and also scans resources in the zone for policy violations.<br> recipe_key = string # The recipe key in recipes attribute.<br> description = optional(string) # The security zone description.<br> defined_tags = optional(map(string))<br> freeform_tags = optional(map(string))<br> })) <br> })</pre> | `null` | no |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The tenancy OCID. | `string` | n/a | yes |

## Outputs

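Review bot: in the updated *security_zones_configuration* row, the type block still documents `reporting_region = optional(string) # the reporting region.` with no mention of the new home-region default, while the README bullets and the tfvars template comment now say it defaults to the tenancy home region. The `<a name="input_...">` anchors and `<pre>` type blocks suggest this table is generated by terraform-docs, so the comment should be updated in the variable declaration (variables.tf) and the table regenerated rather than edited here. The new *tenancy_ocid* row correctly shows the input as required (`yes`), which matches its unconditional use by `oci_identity_tenancy.this` in data_sources.tf.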
10 changes: 8 additions & 2 deletions security-zones/data_sources.tf
@@ -1,10 +1,16 @@
# Copyright (c) 2023 Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

data "oci_identity_regions" "these" {}

data "oci_identity_tenancy" "this" {
tenancy_id = var.tenancy_ocid
}

data "oci_cloud_guard_security_policies" "these" {
compartment_id = var.security_zones_configuration != null ? var.security_zones_configuration.tenancy_ocid : "void"
compartment_id = var.security_zones_configuration != null ? var.tenancy_ocid : "__void__"
}

data "oci_cloud_guard_cloud_guard_configuration" "this" {
compartment_id = var.security_zones_configuration != null ? var.security_zones_configuration.tenancy_ocid : "Void"
compartment_id = var.security_zones_configuration != null ? var.tenancy_ocid : "__void__"
}
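Review bot: the `"__void__"` sentinel in `oci_cloud_guard_security_policies.these` and `oci_cloud_guard_cloud_guard_configuration.this` does not stop the lookups from running; when `var.security_zones_configuration` is null, both data sources still call the API with `compartment_id = "__void__"`, and if the service rejects that value the plan fails even though the module is meant to be a no-op. Gating the data sources instead, for example `count = var.security_zones_configuration != null ? 1 : 0` and then referencing `data.oci_cloud_guard_security_policies.these[0]` where they are consumed, avoids the call entirely and needs no sentinel. Unifying the previous `"void"` / `"Void"` spellings into one constant is an improvement regardless. Note also that the two new data sources, `oci_identity_regions.these` and `oci_identity_tenancy.this`, are unconditional, which is consistent with *tenancy_ocid* now being a required input but means the module always reads tenancy and region metadata; a short comment explaining they exist to resolve the home region default would make that intent clear.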
1 change: 0 additions & 1 deletion security-zones/examples/external_dependency/README.md
Expand Up @@ -18,7 +18,6 @@ allow group <group> to read objects in compartment <bucket-compartment-name> whe
1. Rename *input.auto.tfvars.template* to *\<project-name\>.auto.tfvars*, where *\<project-name\>* is any name of your choice.

2. Within *\<project-name\>.auto.tfvars*, provide tenancy connectivity information and adjust the *security_zones_configuration* input variable, by making the appropriate substitutions:
- Replace *\<REPLACE-BY-TENANCY-OCID\>* placeholder by the tenancy OCID.
- Replace *\<REPLACE-BY-REPORTING-REGION-NAME\>* placeholder by the actual reporting region name. Example: "us-ashburn-1".
- Replace *\<REPLACE-BY-SECURITY-ZONE-COMPARTMENT-REFERENCE\>* placeholder by the appropriate security zone compartment reference, expected to be found in the OCI Object Storage object referred by *\<REPLACE-BY-OBJECT-NAME\>*.
- Replace *\<REPLACE-BY-SECURITY-ZONE-RECIPE-COMPARTMENT-REFERENCE\>* placeholders by the appropriate security zone recipe compartment references, expected to be found in the OCI Object Storage object referred by *\<REPLACE-BY-OBJECT-NAME\>*.
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,13 @@
#---------------------------------------------------------------------------------------------------------------------------------------------------
# 1. Rename this file to <project-name>.auto.tfvars, where <project-name> is a name of your choice.
# 2. Provide values for "Tenancy Connectivity Variables".
# 3. Replace <REPLACE-BY-TENANCY-OCID> placeholder by the appropriate compartment OCID.
# 4. Replace <REPLACE-BY-REPORTING-REGION-NAME> placeholder by the reporting region name. Example: "us-ashburn-1".
# 5. Replace <REPLACE-BY-SECURITY-ZONE-COMPARTMENT-REFERENCE> placeholder by the appropriate security zone compartment reference,
# 3. Replace <REPLACE-BY-REPORTING-REGION-NAME> placeholder by the reporting region name. Example: "us-ashburn-1".
# 4. Replace <REPLACE-BY-SECURITY-ZONE-COMPARTMENT-REFERENCE> placeholder by the appropriate security zone compartment reference,
# expected to be found in the OCI Object Storage object referred by <REPLACE-BY-OBJECT-NAME>.
# 6. Replace <REPLACE-BY-SECURITY-ZONE-RECIPE-COMPARTMENT-REFERENCE> placeholders by the appropriate security zone recipe compartment references,
# 5. Replace <REPLACE-BY-SECURITY-ZONE-RECIPE-COMPARTMENT-REFERENCE> placeholders by the appropriate security zone recipe compartment references,
# expected to be found in the OCI Object Storage object referred by <REPLACE-BY-OBJECT-NAME>.
# 7. Replace <REPLACE-BY-BUCKET-NAME> placeholder by the OCI Object Storage bucket that contains the object referred by <REPLACE-BY-OBJECT-NAME>.
# 8. Replace <REPLACE-BY-OBJECT-NAME> placeholder by the OCI Object Storage object that has the compartment references. This object is supposedly
# 6. Replace <REPLACE-BY-BUCKET-NAME> placeholder by the OCI Object Storage bucket that contains the object referred by <REPLACE-BY-OBJECT-NAME>.
# 7. Replace <REPLACE-BY-OBJECT-NAME> placeholder by the OCI Object Storage object that has the compartment references. This object is supposedly
# stored in OCI Object Storage by the module that manages compartments.
#---------------------------------------------------------------------------------------------------------------------------------------------------

Expand All @@ -31,8 +30,7 @@ region = "<your tenancy region>" # This is your region, where
#---------------------------------------

security_zones_configuration = {
tenancy_ocid = "<REPLACE-BY-TENANCY-OCID>"
reporting_region = "<REPLACE-BY-REPORTING-REGION-NAME>"
reporting_region = "<REPLACE-BY-REPORTING-REGION-NAME>" # It defaults to tenancy home region if undefined.

security_zones = {
SECURITY-ZONE = {
1 change: 1 addition & 0 deletions security-zones/examples/external_dependency/main.tf
Expand Up @@ -15,6 +15,7 @@ data "oci_objectstorage_object" "compartments" {

module "vision_security_zones" {
source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-security/security_zones"
tenancy_ocid = var.tenancy_ocid
security_zones_configuration = var.security_zones_configuration
enable_output = true
compartments_dependency = var.oci_compartments_dependency != null ? jsondecode(data.oci_objectstorage_object.compartments[0].content) : null
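Review bot: the module `source` in this example has no version pin, so every `terraform init` pulls the default branch of the remote repository, and a later incompatible change (such as the *tenancy_ocid* move in this very release) would silently alter what the example does. The README hunk in this same commit says to append `ref=<version>` to the source for a specific module version; the example shipped with 0.1.5 should follow that advice and pin the release tag. Also confirm the subdirectory name in the source (`.../security_zones`) matches the directory this commit is editing, which is `security-zones/`.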
