updated default values
rrywhen committed Feb 22, 2024
1 parent 72c3a73 commit 40268a2
Showing 2 changed files with 34 additions and 42 deletions.
Expand Up @@ -13,7 +13,7 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag

## Deployment Overview

The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy.
The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloud gateway connected system. This workload supports only Identity Domain Tenancy.

## Prerequisites

Expand All @@ -24,7 +24,7 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terrafo

## User

The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble:
The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user needs to have an api key entry defined as described [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble below:

```text
[DEFAULT]
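Review bot: in the rewritten sentence at line 29, "api key" is downcased while "API Key" later in the same sentence keeps its capitals; keep the original "API key" so the term is spelled one way. "should resemble below:" is also redundant with the colon and the code block that follows; the original "should resemble:" (or "should resemble the following:") reads better.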
Expand All @@ -37,56 +37,48 @@ key_file=<path to your private keyfile> #your specific path


## Variables
| Variable Name | Description | Required | Default Value |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------|
| **user_ocid** | OCID of the Administrator. | Yes | None |
| **fingerprint** | Fingerprint of the Administrator. | Yes | None |
| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None |
| **region** | Region of the Administrator. | Yes | None |
| **private_key_path** | Private Key Path of Administrator. | Yes | None |
| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default |
| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None |
| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | <Security compartment created by Landing zone baseline.> |
| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. |
| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance |
| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None |
| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false |
| **agcs_user_name** | New Access Governance User's name. | Yes | None |
| **agcs_user_email** | Email address for the user. | Yes | None |
| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None |
| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None |
| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None |
| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None |
| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None |
| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None |
| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. |
| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System |
| Variable Name | Description | Required | Default Value |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------|
| **user_ocid** | OCID of the Administrator. | Yes | None |
| **fingerprint** | Fingerprint of the Administrator. | Yes | None |
| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None |
| **region** | Region of the Administrator. | Yes | None |
| **private_key_path** | Private Key Path of Administrator. | Yes | None |
| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default |
| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None |
| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | OCID of the Security compartment created by baseline Landing Zone. |
| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Service Instance. |
| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance |
| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" | Yes | None |
| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false |
| **agcs_user_name** | New Access Governance User's name. | Yes | prod_agcs_user |
| **agcs_user_email** | Email address for the user. | Yes | None |
| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | prod_agcs_group |
| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None |
| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None |
| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None |
| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None |
| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None |
| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. |
| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System |


## How to Execute

<blockquote> Currently only <b>production</b> deployment is supported via stack deployment, to deploy in <b>non-production</b> environment, run the Access Governance Module as standalone deployment. Please change the working directory to <i>oci-landing-zones/modules/access-governance</i> and enable the provider lines and disable remaining lines, fill the terraform.tfvars and follow terraform CLI commands</blockquote>

### Via Resource Manager
Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
<blockquote> Only new AGCS User scenario is supported via Resource Manager Deployment</blockquote>

1. Under **Working directory** select the directory *templates/enterprise-landing-zone*
2. Click Next.
3. Enter the values for required variables.
4. Click Next.
5. Click Next.
6. Click Apply.
Deployment via Resource Manager is currently not supported.

### Via Terraform CLI (Two Deployment Scenarios)
#### Deployment Scenario 1: use_existing_agcs_user = false:
1. Enter required variables in terraform.tfvars, for examples refer examples.tfvars file
1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/new_agcs_user.tfvarexample
2. terraform init.
3. terraform plan.
4. terraform apply.

##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment.
An Access Governance Service instance will be deployed in the security compartment.

##### Oracle Access Governance Deployment: AGCS Group:
A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities.
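Review bot: the Resource Manager section is now self-contradictory: the unchanged lines "Use the Deploy to Oracle Cloud button ..." and the blockquote "Only new AGCS User scenario is supported via Resource Manager Deployment" stay, but the numbered steps below them are replaced with "Deployment via Resource Manager is currently not supported." Either remove those two retained sentences as well, or keep the steps; the "How to Execute" blockquote that says only production deployment is supported "via stack deployment" needs the same decision applied. In the variables table, **agcs_user_name** and **agcs_user_group_display_name** now carry defaults (prod_agcs_user, prod_agcs_group) yet are still marked Required "Yes", as is **service_instance_compartment_ocid** whose default is the Landing Zone security compartment; a variable with a default is not required, and in the existing-user scenario the agcs_user_name/group fields do not apply at all, so the Required column should say "No" (or "Conditional") for them. The example path at line 106 ends in ".tfvarexample"; confirm the file in templates/elz-access-governance/examples really carries that extension. Finally, the commit message "updated default values" does not cover the removal of the Resource Manager steps; either split that change out or name it in the message.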
Expand All @@ -97,12 +89,12 @@ AGCS User which will be created in Default domain as the user needs visibility i
##### Oracle Access Governance Deployment: AGCS User Group Policy statements:
1. `ALLOW GROUP <domain>/<group> to inspect all-resources IN TENANCY`
2. `ALLOW GROUP <domain>/<group> to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}`
3. `Allow GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `Allow GROUP <domain>/<group> to manage domains IN TENANCY`
3. `ALLOW GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `ALLOW GROUP <domain>/<group> to manage domains IN TENANCY`


#### Deployment Scenario 2: use_existing_agcs_user = true:
1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample
1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/existing_agcs_user.tfvarexample
2. terraform init.
3. terraform plan.
4. terraform apply.
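Review bot: policy statement 4, `ALLOW GROUP <domain>/<group> to manage domains IN TENANCY`, is a broad grant for a service-account group and the README does not say which Access Governance function needs it; a short justification beside each of the four statements (statement 2 already hints at its purpose through the POLICY_UPDATE/POLICY_READ/POLICY_DELETE filter and the Tenant Admin Policy exclusion) would let reviewers check the grants against least privilege. Also remove the stray space before the comma in `'POLICY_UPDATE' ,request.permission='POLICY_READ'` in statement 2. The example-file correction at line 129 (existing_agcs_user.tfvarexample for scenario 2) is right; scenario 1 previously pointed at the same file as scenario 2, which this fixes.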
Expand All @@ -121,7 +113,7 @@ AGCS User which will be created in Default domain as the user needs visibility i


##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment.
An Access Governance Service instance will be deployed in the security compartment.

##### Oracle Access Governance Deployment: OCI system on Access Governance Instance:
Cloud gateway system will be added as connected system to the service instance.
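Review bot: the unchanged line "Cloud gateway system will be added as connected system to the service instance." has the same missing-article problem ("as a connected system") that line 138 fixes for the service instance sentence, and could be corrected in the same pass. Since the Service Instance and OCI system descriptions are repeated verbatim under both deployment scenarios, consider stating them once and referencing them from each scenario so future wording fixes do not have to be made twice.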
Expand All @@ -134,4 +126,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
See [LICENSE](../../LICENSE) for more details.

## Known Issues
None.
None.
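Review bot: the "None." line under Known Issues is shown as changed but reads identically before and after, so this is a whitespace-only change, most likely the trailing newline at end of file; fine to keep, but mentioning it in the commit message saves reviewers from hunting for a content difference.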
File renamed without changes.
