From 410c057bf3cd3e77d803ab3cb2ea6f0b4ec34448 Mon Sep 17 00:00:00 2001 From: Gregg MacKeigan Date: Wed, 21 Feb 2024 13:06:58 -0700 Subject: [PATCH] Update IMPLEMENTATION.md Minor edits, general clean up --- .../IMPLEMENTATION.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 9435ae3..1361531 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md 
@@ -13,18 +13,18 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag ## Deployment Overview -The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. +The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. ## Prerequisites -To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites. -- [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads) +To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terraform CLI you will need the following prerequisites. +- [Latest Version of Terraform](https://developer.hashicorp.com/terraform/downloads) v1.7.3 or later - [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later - [oci - cli](https://github.com/oracle/oci-cli) ## User -The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). 
Once the user and API Key are defined your oci-cli config should resemble: ```text [DEFAULT] @@ -32,7 +32,7 @@ user=ocid1.xxxxxx.xxxxxx.xxxxxx..... #ocid of the user fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx #user api key fingerprint tenancy=ocid1.xxxxxx.xxxxxx.xxxxxx..... #tenancy ocid region=us-phoenix-1 #or desired region -key_file= # TODO +key_file= #your specific path ``` @@ -62,11 +62,10 @@ key_file= # TODO | **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | | **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | -## How to execute -## How to execute +## How to Execute ### Via Resource Manager -Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in +Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
Only new AGCS User scenario is supported via Resource Manager Deployment
1. Under **Working directory** select the directory *templates/enterprise-landing-zone* @@ -84,13 +83,13 @@ Use the Deploy to Oracle Cloud button which will take you directly to OCI Resour 4. terraform apply. ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment +An Access Governance Service instance will be deployed in security compartment. ##### Oracle Access Governance Deployment: AGCS Group: A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. ##### Oracle Access Governance Deployment: AGCS User: -AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM +AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM. ##### Oracle Access Governance Deployment: AGCS User Group Policy statements: 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 
@@ -114,12 +113,12 @@ AGCS User which will be created in Default domain as the user needs visibility i 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` -3. `Allow GROUP / to read audit-events IN TENANCY` -4. `Allow GROUP / to manage domains IN TENANCY` +3. `ALLOW GROUP / to read audit-events IN TENANCY` +4. `ALLOW GROUP / to manage domains IN TENANCY` ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment +An Access Governance Service instance will be deployed in security compartment. ##### Oracle Access Governance Deployment: OCI system on Access Governance Instance: Cloud gateway system will be added as connected system to the service instance. @@ -132,4 +131,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or See [LICENSE](../../LICENSE) for more details. ## Known Issues -None. \ No newline at end of file +None.
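Review bot: in the User paragraph of the `@@ -13,18` hunk the clean-up capitalises `API` but leaves `This user need to have` and `decribed` as they were; suggest `This user needs to have an API key entry defined as described [here](...)`. The same hunk adds a hard floor of Terraform v1.7.3 or later under a commit message that calls this a minor edit; if the modules pin `required_version`, the two values should agree, otherwise say where the floor comes from. `Cloudgateway` in the Deployment Overview is spelled `Cloud gateway` in the OCI-system paragraph of the `@@ -114,12` hunk, so pick one spelling while touching the line.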
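Review bot: the `@@ -32,7` hunk replaces `# TODO` with `#your specific path`, but the comment still does not say which file belongs in `key_file`; the line above it is the user API key fingerprint, so state the relationship explicitly, e.g. `key_file= #path to the private key that matches the fingerprint above`, so readers do not point it at the public key or leave it empty when copying the sample.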
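Review bot: removing the duplicated `## How to execute` heading in the `@@ -62,11` hunk is right, but the context line `Only new AGCS User scenario is supported via Resource Manager Deployment` directly below the edited sentence has the same missing article and missing period this commit fixes elsewhere; suggest `Only the new AGCS User scenario is supported via Resource Manager deployment.`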
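Review bot: the periods added in the `@@ -84,13` hunk leave the sentences themselves ungrammatical: `An Access Governance Service instance will be deployed in security compartment.` needs `the security compartment`, and `AGCS User which will be created in Default domain ...` is a relative clause with no main verb; suggest `The AGCS user will be created in the Default domain because it needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing OCI IAM.` The `##### Oracle Access Governance Deployment: Access Governance Service Instance:` subsection and its one-line body appear identically in this hunk and again in the `@@ -114,12` hunk; unless those are two deliberate per-scenario sections, one copy should go, the same way the duplicated heading was removed.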
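Review bot: changing `Allow` to `ALLOW` in statements 3 and 4 of the `@@ -114,12` hunk is cosmetic; the substantive issue in the unchanged statement 2 is that `where any {request.permission='POLICY_UPDATE', request.permission='POLICY_READ', request.permission='POLICY_DELETE', target.policy.name != 'Tenant Admin Policy'}` ORs all four conditions, so an update or delete of `Tenant Admin Policy` satisfies the first condition on its own and the name exclusion never applies. The exclusion only takes effect when it is ANDed with the permission, e.g. one statement per permission of the form `ALLOW GROUP / to manage policies IN TENANCY where all {request.permission='POLICY_UPDATE', target.policy.name != 'Tenant Admin Policy'}`. Separately, `GROUP /` in all four statements reads as an empty domain and group name; if it is a placeholder, write it as `GROUP <domain-name>/<group-name>` inside the backticks so it is not read as literal syntax.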