
Commit

resolved conflicts
shams-sde committed Feb 22, 2024
2 parents ba9a455 + c9ae3eb commit f7a1820
Showing 22 changed files with 136 additions and 110 deletions.
Expand Up @@ -13,26 +13,26 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag

## Deployment Overview

The terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy.
The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy.

## Prerequisites

To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites.
- [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads)
To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terraform CLI you will need the following prerequisites.
- [Latest Version of Terraform](https://developer.hashicorp.com/terraform/downloads) v1.7.3 or later
- [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later
- [oci - cli](https://github.com/oracle/oci-cli)

## User

The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble.
The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble:

```text
[DEFAULT]
user=ocid1.xxxxxx.xxxxxx.xxxxxx..... #ocid of the user
fingerprint=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx #user api key fingerprint
tenancy=ocid1.xxxxxx.xxxxxx.xxxxxx..... #tenancy ocid
region=us-phoenix-1 #or desired region
key_file=<path to your private keyfile> # TODO
key_file=<path to your private keyfile> #your specific path
```


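Review bot: the rewritten User paragraph still carries the two errors this hunk had a chance to fix: "This user need to have an API key entry defined as decribed" should read "This user needs to have an API key entry defined as described". The rest of the hunk (Terraform/CLI capitalization, the explicit v1.7.3 and v4.109.0 minimums, and replacing the "# TODO" placeholder in the key_file line) is an improvement and needs no further change.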
Expand Down Expand Up @@ -62,11 +62,10 @@ key_file=<path to your private keyfile> # TODO
| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. |
| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System |

## How to execute

## How to execute
## How to Execute
### Via Resource Manager
Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in
Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in.
<blockquote> Only new AGCS User scenario is supported via Resource Manager Deployment</blockquote>

1. Under **Working directory** select the directory *templates/enterprise-landing-zone*
Expand All @@ -84,13 +83,13 @@ Use the Deploy to Oracle Cloud button which will take you directly to OCI Resour
4. terraform apply.

##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment
An Access Governance Service instance will be deployed in security compartment.

##### Oracle Access Governance Deployment: AGCS Group:
A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities.

##### Oracle Access Governance Deployment: AGCS User:
AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM
AGCS User which will be created in Default domain as the user needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing the OCI IAM.

##### Oracle Access Governance Deployment: AGCS User Group Policy statements:
1. `ALLOW GROUP <domain>/<group> to inspect all-resources IN TENANCY`
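Review bot: the AGCS User paragraph remains a sentence fragment after this hunk; it only gains a trailing period. Suggest "The AGCS User is created in the Default domain because it needs visibility into all domains and their resources for policy review and group review. This is the primary user used for governing OCI IAM." The service-instance line would similarly read better as "in the security compartment".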
Expand All @@ -114,12 +113,12 @@ AGCS User which will be created in Default domain as the user needs visibility i

1. `ALLOW GROUP <domain>/<group> to inspect all-resources IN TENANCY`
2. `ALLOW GROUP <domain>/<group> to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}`
3. `Allow GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `Allow GROUP <domain>/<group> to manage domains IN TENANCY`
3. `ALLOW GROUP <domain>/<group> to read audit-events IN TENANCY`
4. `ALLOW GROUP <domain>/<group> to manage domains IN TENANCY`


##### Oracle Access Governance Deployment: Access Governance Service Instance:
An Access Governance Service instance will be deployed in security compartment
An Access Governance Service instance will be deployed in security compartment.

##### Oracle Access Governance Deployment: OCI system on Access Governance Instance:
Cloud gateway system will be added as connected system to the service instance.
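Review bot: uppercasing ALLOW in statements 3 and 4 makes them consistent with 1 and 2, but while this list is being touched the README should spell out the scope it grants: statement 2 permits POLICY_UPDATE and POLICY_DELETE on every policy in the tenancy except the one named 'Tenant Admin Policy', and statement 4 grants manage on all identity domains. A sentence telling operators that these are tenancy-wide write permissions for the AGCS group, and that group membership should therefore be limited to the single AGCS user, belongs right below the list.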
Expand All @@ -132,4 +131,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
See [LICENSE](../../LICENSE) for more details.

## Known Issues
None.
None.
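Review bot: the only change in this hunk is the trailing newline after "None.", which is fine; consider using the Known Issues section to restate the constraint given earlier in this README that only the new AGCS User scenario is supported via Resource Manager, since that is where readers look for limitations.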
Expand Up @@ -544,7 +544,7 @@ The OELZ deploys configurations for multiple security services. VSS (Vulnerabili

CloudGuard can monitor for a multitude of security conditions. The OELZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring.

By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that. An option is for CloudGuard to monitor the entire tenancy is there and it is controlled by the [cloud_guard_target_tenancy](../../templates/enterprise-landing-zone/README.md#inputs) variable. This is a Boolean variable that defaults to `false`. If it is set to `true` CloudGuard will be configured to monitor the entire tenancy, instead of just the OELZ Home compartment.
By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that.

Cloud Guard Target will be deployed in base compartment of both L2-Prod and L2-Non-Prod environments along with related IAM policies. All Oracle managed responder recipes will reside in L4 Security compartment of each environment.

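Review bot: deleting the cloud_guard_target_tenancy sentence removes the only documentation of tenancy-wide Cloud Guard coverage, and the variable itself is removed from the templates in this commit. The paragraph should say explicitly that the OELZ now targets only the Home compartment and its children and that a tenancy-level target must be created outside the landing zone, otherwise operators who had cloud_guard_target_tenancy = true in their tfvars will see the target scope change on the next apply without any documentation of why. The following paragraph ("base compartment of both L2-Prod and L2-Non-Prod") matches the new var.environment_compartment_id wiring in elz-security/main.tf and can stay.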
Expand All @@ -563,7 +563,6 @@ For further details on CloudGuard, see the [Cloud Guard documentation](https://d
| Name | Description | Type | Default | Required |
| ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ | ------- | :------: |
| <a name="input_enable_cloud_guard"></a> [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | `true` | no |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to OELZ home compartment | `bool` | `false` | no |

### Bastion Sub Module

12 changes: 12 additions & 0 deletions Official_Documentation/OELZ_Workload_Deployment/CONFIGURATION.md
Expand Up @@ -117,6 +117,18 @@ These are the configuration options for Workload Monitoring:
| <a name="input_enable_security_monitoring_alarms"></a> [enable_security_monitoring_alarms](#input\_workload\_name) | Enable security alarm in workload expansion | `bool` | `false` | no |
| <a name="input_enable_workload_monitoring_alarms"></a> [enable_enable_workload_monitoring_alarms](#input\_workload\_name) | Enable workload alarm in workload expansion | `bool` | `false` | no |

## Security Module

Bastion service is created in the L4 Security Compartment.

* **Required Arguments/Parameters Under Bastion Module**:

| Name | Description | Type | Default | Required |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------- | ------- | :------: |
| <a name="enable_bastion"></a> [enable\_bastion](#input\_enable\_bastion) | Option to enable bastion service | `bool` | n/a | yes |
| <a name="bastion_client_cidr_block_allow_list"></a> [bastion\_client\_cidr\_block\_allow\_list](#input\_bastion\_client\_cidr\_block\_allow\_list) | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | `list(string)` | n/a | yes |


## Workload Expansion DataSafe

These are the configuration options for Workload Expansion ExaData Datasafe:
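Review bot: the two new table rows use anchor names without the input_ prefix (`<a name="enable_bastion">`) while their links point to `#input_enable_bastion` and `#input_bastion_client_cidr_block_allow_list`, so the in-page links will not resolve; use `<a name="input_enable_bastion">` and `<a name="input_bastion_client_cidr_block_allow_list">` to match the other tables. The two monitoring rows just above the hunk (unchanged context) both link to `#input_workload_name` and one is labelled `enable_enable_workload_monitoring_alarms`, worth fixing in the same pass. For bastion_client_cidr_block_allow_list, the description should tell operators to list only known administrative source ranges rather than 0.0.0.0/0, since this list is what decides who may open sessions through the bastion.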
1 change: 0 additions & 1 deletion templates/elz-environment/README.md
Expand Up @@ -50,7 +50,6 @@
| <a name="input_budget_alert_rule_recipients"></a> [budget\_alert\_rule\_recipients](#input\_budget\_alert\_rule\_recipients) | The delimited list of email addresses to receive the alert when it triggers. Delimiter characters can be a comma, space, TAB, or semicolon | `string` | `""` | no |
| <a name="input_budget_alert_rule_threshold"></a> [budget\_alert\_rule\_threshold](#input\_budget\_alert\_rule\_threshold) | The threshold for the budget alert. | `string` | `""` | no |
| <a name="input_budget_amount"></a> [budget\_amount](#input\_budget\_amount) | The amount of the budget expressed as a whole number in the currency of the customer's rate card. | `string` | `""` | no |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
| <a name="input_cost_center_tagging"></a> [cost\_center\_tagging](#input\_cost\_center\_tagging) | Cost Center Varible | `string` | n/a | yes |
| <a name="input_cpe_display_name"></a> [cpe\_display\_name](#input\_cpe\_display\_name) | n/a | `string` | n/a | yes |
| <a name="input_cpe_ip_address"></a> [cpe\_ip\_address](#input\_cpe\_ip\_address) | Customer Premises Equipment (CPE) IP address | `string` | n/a | yes |
4 changes: 0 additions & 4 deletions templates/elz-environment/main.tf
Expand Up @@ -94,16 +94,12 @@ module "security" {
enable_cloud_guard = var.enable_cloud_guard
resource_label = var.resource_label
home_compartment_id = var.home_compartment_id
cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
tenancy_ocid = var.tenancy_ocid
environment_prefix = var.environment_prefix
home_compartment_name = var.home_compartment_name
region = var.region
environment_compartment_id = module.compartment.compartments.environment.id
security_compartment_id = module.compartment.compartments.security.id
enable_bastion = var.enable_bastion
bastion_target_subnet_id = module.network.spoke_web_subnet_ocid
bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list
vault_type = var.vault_type
replica_region = var.vault_replica_region
enable_replication = var.enable_vault_replication
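Review bot: removing enable_bastion, bastion_target_subnet_id and bastion_client_cidr_block_allow_list from module "security" (they are added to module "workload" in workload.tf in this same commit) means the bastion is no longer provisioned by the environment's security template. CONFIGURATION.md in this commit still states "Bastion service is created in the L4 Security Compartment"; confirm the workload module places it there or update that sentence. Dropping cloud_guard_target_tenancy from this module block also requires that the enterprise-landing-zone template (whose README is linked for this input elsewhere in the diff) no longer passes it, otherwise module validation fails with an unsupported argument error.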
5 changes: 0 additions & 5 deletions templates/elz-environment/variables.tf
Expand Up @@ -172,11 +172,6 @@ variable "enable_cloud_guard" {
description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
}

variable "cloud_guard_target_tenancy" {
type = bool
description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
}

# -----------------------------------------------------------------------------
# Tagging Variables
# -----------------------------------------------------------------------------
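Review bot: with variable "cloud_guard_target_tenancy" removed, an existing terraform.tfvars that still sets it only yields a "Value for undeclared variable" warning, not an error, so the change in Cloud Guard scope is easy to miss on upgrade; an upgrade note in the README would help. The unchanged enable_cloud_guard description just above ("false if you've already have cloud guard enabled") has a grammar slip worth fixing while here.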
3 changes: 3 additions & 0 deletions templates/elz-environment/workload.tf
Expand Up @@ -50,6 +50,9 @@ module "workload" {
workload_spoke_vcn_cidr = var.spoke_vcn_cidr
enable_datasafe = var.enable_datasafe
idcs_endpoint = module.identity.idcs_endpoint
enable_bastion = var.enable_bastion
bastion_target_subnet_id = module.network.spoke_web_subnet_ocid
bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list

providers = {
oci = oci
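Review bot: the three new arguments assume templates/elz-workload declares enable_bastion, bastion_target_subnet_id and bastion_client_cidr_block_allow_list; elz-workload/variables.tf is not among the files shown, so verify it was updated in this commit (its schema.yaml was). Binding the bastion to module.network.spoke_web_subnet_ocid places sessions in the spoke web subnet; check that the subnet's security list or NSG admits only the bastion's private endpoint on the session ports and nothing broader.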
1 change: 0 additions & 1 deletion templates/elz-security/README.md
Expand Up @@ -38,7 +38,6 @@
|------|-------------|------|---------|:--------:|
| <a name="input_bastion_client_cidr_block_allow_list"></a> [bastion\_client\_cidr\_block\_allow\_list](#input\_bastion\_client\_cidr\_block\_allow\_list) | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | `list(string)` | n/a | yes |
| <a name="input_bastion_target_subnet_id"></a> [bastion\_target\_subnet\_id](#input\_bastion\_target\_subnet\_id) | The OCID of the subnet that the bastion connects to | `string` | n/a | yes |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
| <a name="input_create_master_encryption_key"></a> [create\_master\_encryption\_key](#input\_create\_master\_encryption\_key) | Option create master encryption key | `bool` | n/a | yes |
| <a name="input_enable_bastion"></a> [enable\_bastion](#input\_enable\_bastion) | Option to enable bastion service | `bool` | n/a | yes |
| <a name="input_enable_cloud_guard"></a> [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | n/a | yes |
19 changes: 2 additions & 17 deletions templates/elz-security/main.tf
Expand Up @@ -13,8 +13,6 @@ locals {
activity_detector_recipe_display_name = "OCI Activity Detector Recipe"
threat_detector_recipe_display_name = "OCI Threat Detector Recipe"
responder_recipe_display_name = "OCI Responder Recipe"
compartment_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
target_resource_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
}

vss = {
Expand All @@ -26,10 +24,6 @@ locals {
vss_scan_schedule = "DAILY"
}

bastion = {
name = "${var.resource_label}-OCI-ELZ-BAS-${var.environment_prefix}"
}

vault = {
name = "${var.resource_label}-OCI-ELZ-VAL-${var.environment_prefix}"
}
Expand Down Expand Up @@ -62,9 +56,9 @@ module "cloud_guard" {
tenancy_ocid = var.tenancy_ocid
region = var.region
status = local.cloud_guard.status
compartment_id = local.cloud_guard.compartment_id
compartment_id = var.environment_compartment_id
display_name = local.cloud_guard.display_name
target_resource_id = local.cloud_guard.target_resource_id
target_resource_id = var.environment_compartment_id
target_resource_type = local.cloud_guard.target_resource_type
description = local.cloud_guard.description
configuration_detector_recipe_display_name = local.cloud_guard.configuration_detector_recipe_display_name
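Review bot: replacing local.cloud_guard.compartment_id and target_resource_id with var.environment_compartment_id hard-wires the Cloud Guard target to the environment compartment. Confirm that no remaining key in local.cloud_guard (the lines not shown in this hunk) still references var.cloud_guard_target_tenancy, since that variable is removed from this template's variables.tf in the same commit and any leftover reference fails validation. A one-line comment on why tenancy-level targeting was dropped would spare the next reader a trip through the history.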
Expand All @@ -90,15 +84,6 @@ module "vss" {
host_scan_target_display_name = local.vss.host_scan_target_display_name
}

module "bastion" {
source = "../../modules/bastion"
count = var.enable_bastion ? 1 : 0
target_subnet_id = var.bastion_target_subnet_id
bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list
bastion_name = local.bastion.name
compartment_id = var.security_compartment_id
}

module "vault" {
source = "../../modules/vault"
# vault_type = "NONE" is used for testing.
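Review bot: removing module "bastion" here is consistent with dropping its inputs and the bastion_id output, but the commit message "resolved conflicts" does not mention that the bastion moved from the security template to the workload template. That is a behavioural change (a bastion per workload rather than per environment) and operators need to know where the bastion OCID is exposed after upgrade; add that to the message or the README.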
4 changes: 0 additions & 4 deletions templates/elz-security/outputs.tf
Expand Up @@ -7,10 +7,6 @@ output "key_id" {
value = local.create_key ? module.key[0].key_ocid : null
}

output "bastion_id" {
value = var.enable_bastion ? module.bastion[0].bastion_ocid : null
}

output "vault_id" {
value = var.vault_type != "NONE" ? module.vault[0].management_endpoint : null
}
21 changes: 0 additions & 21 deletions templates/elz-security/variables.tf
Expand Up @@ -33,11 +33,6 @@ variable "tenancy_ocid" {
description = "The OCID of tenancy"
}

variable "cloud_guard_target_tenancy" {
type = bool
description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
}

variable "region" {
type = string
description = "The OCI region"
Expand All @@ -53,22 +48,6 @@ variable "environment_compartment_id" {
description = "The OCID of environment compartment"
}

// Bastion Variables
variable "bastion_target_subnet_id" {
type = string
description = "The OCID of the subnet that the bastion connects to"
}

variable "bastion_client_cidr_block_allow_list" {
type = list(string)
description = "A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion."
}

variable "enable_bastion" {
type = bool
description = "Option to enable bastion service"
}

// Vault & Key Variables
variable "vault_type" {
type = string
20 changes: 20 additions & 0 deletions templates/elz-workload/schema.yaml
Expand Up @@ -70,6 +70,11 @@ variableGroups:
visible: true
variables:
- baseline_spoke_subnets_cidr_blocks
- title: Security Module
visible: true
variables:
- enable_basion
- bastion_client_cidr_block_allow_list
- title: Invisible Variables
visible: false
variables:
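Review bot: `enable_basion` in the new Security Module variable group is a typo; the variable declared later in this file is `enable_bastion`. The group entry will not match the declared variable, so the Enable Bastion toggle will not appear where intended, and bastion_client_cidr_block_allow_list (visible: enable_bastion) depends on it. Change the line to `- enable_bastion`.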
Expand Down Expand Up @@ -336,3 +341,18 @@ variables:
required: false
title: Baseline Spoke VCN CIDR Block
description: "A list of Baseline Spoke VCN CIDR Block"
enable_bastion:
type: boolean
description: "Option to enable bastion service"
default: true
required: true
title: Enable Bastion
bastion_client_cidr_block_allow_list:
type: array
items:
type: string
pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1][0-9]|[2][0-9]))$
description: "A list of address ranges in CIDR notation that bastion is allowed to connect"
required: true
visible: enable_bastion
title: Bastion Client CIDR Block Allow List
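Review bot: the pattern for bastion_client_cidr_block_allow_list accepts only prefix lengths /0 through /29 (`\/([0-9]|[1][0-9]|[2][0-9])`), so the most restrictive and most common allow-list entries, single hosts as /32 and small ranges as /30 or /31, are rejected by the form while broad ranges pass. Use `\/([0-9]|[1-2][0-9]|3[0-2])` for the prefix part. The description also inverts the direction relative to the Terraform variable ("address ranges ... that you want to allow to connect to sessions hosted by this bastion"): the list holds client source ranges allowed to reach the bastion, not ranges the bastion connects to. Finally, enable_bastion defaults to true here while CONFIGURATION.md documents it with no default; pick one and keep the two in sync.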

0 comments on commit f7a1820
