diff --git a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md index 776bdc3..d4881b6 100644 --- a/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md +++ b/Official_Documentation/OELZ_Access_Governance_Deployment/IMPLEMENTATION.md @@ -13,7 +13,7 @@ To learn more, visit: https://docs.oracle.com/en/cloud/paas/access-governance/ag ## Deployment Overview -The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloudgateway connected system. This workload supports only Identity Domain Tenancy. +The Terraform code in this folder deploys Oracle Access Governance. It is accomplished by deploying an Oracle Access Governance Instance, creating an Oracle Access Governance User and adding a Cloud gateway connected system. This workload supports only Identity Domain Tenancy. ## Prerequisites @@ -24,7 +24,7 @@ To deploy the Oracle Enterprise Landing Zone Workload Expansion from the Terrafo ## User -The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an API key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble: +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user needs to have an API key entry defined as described [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble below: ```text [DEFAULT] 
@@ -37,30 +37,30 @@ key_file= #your specific path ## Variables -| Variable Name | Description | Required | Default Value | -|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------------------------------------------------------| -| **user_ocid** | OCID of the Administrator. | Yes | None | -| **fingerprint** | Fingerprint of the Administrator. | Yes | None | -| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | -| **region** | Region of the Administrator. | Yes | None | -| **private_key_path** | Private Key Path of Administrator. | Yes | None | -| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | -| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | -| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | | -| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Servce Instance. | -| **service_instance_display_name** | Access Governance Instance Display Name. | Yes | access-governance-instance | -| **ag_license_type** | Access Governance Instance License Type. Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" |Yes | None | -| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | -| **agcs_user_name** | New Access Governance User's name. | Yes | None | -| **agcs_user_email** | Email address for the user. | Yes | None | -| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | None | -| **agcs_user_ocid_oci_system** | Access Governance User's OCID. 
| Yes | None | -| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | -| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | -| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | -| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | -| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | -| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | +| Variable Name | Description | Required | Default Value | +|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------------------------------------------------------------| +| **user_ocid** | OCID of the Administrator. | Yes | None | +| **fingerprint** | Fingerprint of the Administrator. | Yes | None | +| **tenancy_ocid** | OCID of the Administrator's Identity Domain Tenancy. | Yes | None | +| **region** | Region of the Administrator. | Yes | None | +| **private_key_path** | Private Key Path of Administrator. | Yes | None | +| **admin_domain_name** | Administrator's Identity Domain Name. | Yes | Default | +| **admin_domain_compartment_ocid** | Compartment of Identity Domain of the Administrator. | Yes | None | +| **service_instance_compartment_ocid** | Compartment OCID for Access Governance Instance. | Yes | OCID of the Security compartment created by baseline Landing Zone. | +| **service_instance_description** | Access Governance Instance Description. | Yes | Oracle Access Governance Service Instance. | +| **service_instance_display_name** | Unique Access Governance Instance Display Name. | Yes | access-governance-instance | +| **ag_license_type** | Access Governance Instance License Type. 
Supported license types are "Access Governance for Oracle Workloads", "Access Governance for Oracle Cloud Infrastructure" | Yes | None | +| **use_existing_agcs_user** | Set this value to either use existing Access Governance user or create new one. | No | false | +| **agcs_user_name** | New Access Governance User's name. | Yes | prod_agcs_user | +| **agcs_user_email** | Email address for the user. | Yes | None | +| **agcs_user_group_display_name** | Group to create for Access Governance User. | Yes | prod_agcs_group | +| **agcs_user_ocid_oci_system** | Access Governance User's OCID. | Yes | None | +| **agcs_user_private_key_path** | Private Key for Access Governance User. | Yes | None | +| **agcs_user_fingerprint_oci_system** | Access Governance User's Fingerprint. | Yes | None | +| **agcs_user_region_oci_system** | Region of the Access Governance User. | Yes | None | +| **agcs_user_tenancy_ocid_oci_system** | Access Governance User's Tenancy OCID. | Yes | None | +| **oci_system_description** | OCI Connected System Description. | Yes | OCI Connected System. | +| **oci_system_name** | OCI Connected System Name. | Yes | Local-OCI-System | ## How to Execute @@ -68,25 +68,17 @@ key_file= #your specific path
Currently only production deployment is supported via stack deployment, to deploy in non-production environment, run the Access Governance Module as standalone deployment. Please change the working directory to oci-landing-zones/modules/access-governance and enable the provider lines and disable remaining lines, fill the terraform.tfvars and follow terraform CLI commands
### Via Resource Manager -Use the Deploy to Oracle Cloud button which will take you directly to OCI Resource Manager if you are logged in. -
Only new AGCS User scenario is supported via Resource Manager Deployment
- -1. Under **Working directory** select the directory *templates/enterprise-landing-zone* -2. Click Next. -3. Enter the values for required variables. -4. Click Next. -5. Click Next. -6. Click Apply. +Deployment via Resource Manager is currently not supported. ### Via Terraform CLI (Two Deployment Scenarios) #### Deployment Scenario 1: use_existing_agcs_user = false: -1. Enter required variables in terraform.tfvars, for examples refer examples.tfvars file +1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/new_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment. +An Access Governance Service instance will be deployed in the security compartment. ##### Oracle Access Governance Deployment: AGCS Group: A group will be created called AGCS Group, which is meant to have AGCS user and policies related to Access Governance functionalities. 
@@ -97,12 +89,12 @@ AGCS User which will be created in Default domain as the user needs visibility i ##### Oracle Access Governance Deployment: AGCS User Group Policy statements: 1. `ALLOW GROUP / to inspect all-resources IN TENANCY` 2. `ALLOW GROUP / to manage policies IN TENANCY where any {request.permission='POLICY_UPDATE' ,request.permission='POLICY_READ', request.permission='POLICY_DELETE',target.policy.name != 'Tenant Admin Policy'}` -3. `Allow GROUP / to read audit-events IN TENANCY` -4. `Allow GROUP / to manage domains IN TENANCY` +3. `ALLOW GROUP / to read audit-events IN TENANCY` +4. `ALLOW GROUP / to manage domains IN TENANCY` #### Deployment Scenario 2: use_existing_agcs_user = true: -1. Enter required variables in terraform.tfvars, for examples refer templates/elz-access-governance/examples/new_agcs_user.tfvarexample +1. Enter required variables in terraform.tfvars, for examples refer to templates/elz-access-governance/examples/existing_agcs_user.tfvarexample 2. terraform init. 3. terraform plan. 4. terraform apply. @@ -121,7 +113,7 @@ AGCS User which will be created in Default domain as the user needs visibility i ##### Oracle Access Governance Deployment: Access Governance Service Instance: -An Access Governance Service instance will be deployed in security compartment. +An Access Governance Service instance will be deployed in the security compartment. ##### Oracle Access Governance Deployment: OCI system on Access Governance Instance: Cloud gateway system will be added as connected system to the service instance. @@ -134,4 +126,4 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or See [LICENSE](../../LICENSE) for more details. ## Known Issues -None. +None. \ No newline at end of file
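Review bot: the replacement wording "your oci-cli config should resemble below:" in hunk @@ -24,7 reads awkwardly; since a fenced ```text block follows immediately, "should resemble the following:" (or the original "should resemble:") is cleaner. The other corrections in that hunk ("needs to have", "described") are right.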
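Review bot: the Required and Default Value columns now contradict each other for several rows of the table in hunk @@ -37,30: `service_instance_compartment_ocid`, `agcs_user_name` and `agcs_user_group_display_name` stay marked Required = Yes while gaining defaults (prod_agcs_user, prod_agcs_group, and the prose entry "OCID of the Security compartment created by baseline Landing Zone."). Either set Required to No for rows that have a usable default, or, if the compartment OCID is taken from the baseline Landing Zone rather than being a literal default, say so in the Description instead of the Default Value column. It would also help to mark `private_key_path` and `agcs_user_private_key_path` as paths to secret key material, so that readers filling terraform.tfvars know not to commit the referenced key files alongside it.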
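Review bot: the new line "Deployment via Resource Manager is currently not supported." in hunk @@ -68,25 contradicts the unchanged context sentence at the top of the same hunk, "Currently only production deployment is supported via stack deployment, to deploy in non-production environment, run the Access Governance Module as standalone deployment." A stack deployment is a Resource Manager deployment, so that sentence needs updating too, or the page should explain what "stack deployment" now refers to. In the same hunk the example path `templates/elz-access-governance/examples/new_agcs_user.tfvarexample` sits next to a working directory given as `oci-landing-zones/modules/access-governance`; please confirm both paths exist and are relative to the same root, and consider whether the `.tfvarexample` extension is intended.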
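Review bot: the capitalization fix to `ALLOW GROUP / to read audit-events IN TENANCY` and `ALLOW GROUP / to manage domains IN TENANCY` in hunk @@ -97,12 is fine, but the statements as shown are still not usable: the subject `GROUP /` carries no domain or group name. Show the full form (for example `GROUP '<domain-name>'/'<group-name>'`) or state that the module substitutes the names. More importantly, the unchanged statement 2 uses `where any {...}` over four conditions, so it matches when any single condition holds: `target.policy.name != 'Tenant Admin Policy'` on its own grants every policy permission, including create, on every other policy, and `request.permission='POLICY_UPDATE'` on its own permits updating the Tenant Admin Policy itself. If the intent is read/update/delete on all policies except the Tenant Admin Policy, express it so the name exclusion applies to each permission, for instance one statement per permission with `where all {request.permission='POLICY_UPDATE', target.policy.name != 'Tenant Admin Policy'}`. While here, please document why `manage domains IN TENANCY` is required for a governance user, since it is the broadest grant in the list.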
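Review bot: the final hunk @@ -134,4 changes nothing but the file's trailing newline (`\ No newline at end of file` now applies to the new `None.` line). Please restore the terminating newline so this hunk disappears and future diffs of IMPLEMENTATION.md stay limited to intentional edits.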