Release 0.2.5 (#33)

* Release 0.2.1

* Release 0.2.2

* feat: TF < 1.3.0 restriction removed

* feat: TF binary equal or greater than 1.3.0 requirement added

* chore: release notes and version bump

* chore: release notes, tag and SPECs updated

* fix typo in dynamic groups that refered to domain groups

* fix: version = "<= 5.16.0" removed

* chore: release notes, version and spec updated

* feat: OCI FW and ZPR IAM policies added

* feat: examples updated

* chore: release notes and version update

* chore: release notes updated.

---------

Signed-off-by: Andre Correa <andre.correa@oracle.com>
Co-authored-by: Rory Nguyen <rory.nguyen@oracle.com>
Co-authored-by: josh_hammer <josh.hammer@oracle.com>

RELEASE-NOTES.md

@@ -1,3 +1,11 @@
+# November 01, 2024 Release Notes - 0.2.5
+## Updates
+1. [Policies module](./policies/)
+    - Added IAM policies for OCI Network Firewall and ZPR.
+        - OCI Network Firewall granted manage permissions to Network admins.
+        - ZPR granted manage permissions to Security admins.   
+
+
 # October 07, 2024 Release Notes - 0.2.4
 ## Updates
 1. [Identity Domains module](./identity-domains/)

compartments/examples/vision/README.md

@@ -1,6 +1,6 @@
 # OCI Landing Zones IAM Compartments Module Example - Vision compartments
 
-This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Base Landing Zone](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart). 
+This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Core Landing Zone](https://github.com/oci-landing-zones/terraform-oci-core-landingzone). 
 
 It creates the compartment topology as shown in the picture below:
 
@@ -23,6 +23,8 @@ Refer to [compartment's module README.md](../../README.md) for overall attribute
 
 *TOP-CMP* defines two tag defaults. *COST-CENTER-TAG-DEFAULT* will automatically apply value "a1" to any resources created in *TOP-CMP* compartment and  sub-compartments. *ENVIRONMENT-TAG-DEFAULT* will automatically require that users provide a value when creating resources in *TOP-CMP* compartment and sub-compartments.
 
+The *cislz* and *cislz-cmp-type* freeform tags assigned to each compartment are used as lookups by [Template Policies Example](https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/policies/examples/template-policies).
+
 **Note**: If the *automation_config* variable is provided, the example writes the compartments output to the specified OCI Object Storage bucket (write permissions are required on the bucket). The example can be easily changed to write the output to a local file instead. The output can be further used by another module that depends on these compartments.
 
 3. In this folder, run the typical Terraform workflow:

compartments/examples/vision/input.auto.tfvars.template

@@ -37,6 +37,10 @@ compartments_configuration = {
     TOP-CMP = { 
       name = "vision-top-cmp", 
       description = "Vision Enclosing compartment", 
+      freeform_tags = {
+        cislz = "template-policies-example",
+        cislz-cmp-type = "enclosing"
+      }
       #parent_id = null,
       tag_defaults = {
         COST-CENTER-TAG-DEFAULT = {
@@ -54,22 +58,42 @@ compartments_configuration = {
         NETWORK-CMP = { 
           name = "vision-network-cmp", 
           description = "Vision Network compartment", 
+          freeform_tags = {
+            cislz = "template-policies-example",
+            cislz-cmp-type = "network"
+          }
         },
         SECURITY-CMP = { 
           name = "vision-security-cmp", 
-          description = "Vision Security compartment", 
+          description = "Vision Security compartment",
+          freeform_tags = {
+            cislz = "template-policies-example",
+            cislz-cmp-type = "security"
+          } 
         },
         APP-CMP = { 
           name = "vision-application-cmp", 
-          description = "Vision Application compartment", 
+          description = "Vision Application compartment",
+          freeform_tags = {
+            cislz = "template-policies-example",
+            cislz-cmp-type = "application"
+          } 
         },
         DB-CMP = { 
           name = "vision-database-cmp", 
-          description = "Vision Database compartment", 
+          description = "Vision Database compartment",
+          freeform_tags = {
+            cislz = "template-policies-example",
+            cislz-cmp-type = "database"
+          } 
         },
         EXACS-CMP = { 
           name = "vision-exainfra-cmp", 
-          description = "Vision Exadata Cloud Service compartment",  
+          description = "Vision Exadata Cloud Service compartment", 
+          freeform_tags = {
+            cislz = "template-policies-example",
+            cislz-cmp-type = "exainfra"
+          } 
         } 
       }
     }

identity-domains/README.md

@@ -22,9 +22,11 @@ This module requires Terraform binary version 1.3.0 or greater, as it relies on
 ### IAM Permissions
 
 This module requires the following OCI IAM permission:
+
 ```
 Allow group <group> to manage domains in tenancy
 ```
+
 ## <a name="invoke">How to Invoke the Module</a>
 
 Terraform modules can be invoked locally or remotely.

policies/examples/template-policies/README.md

@@ -2,9 +2,9 @@
 
 ## Introduction
 
-This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam-modules/compartments/examples/vision.
+This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/compartments/examples/vision.
 
-For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "vision". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment.
+For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "template-policies-example". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment.
 
 For tenancy level policies (policies attached to Root compartment), a list of group names with their respective roles are passed to the module via the *groups_with_tenancy_level_roles* attribute.
 

policies/examples/template-policies/main.tf

@@ -74,8 +74,8 @@ locals {
         name : cmp.name, 
         id : cmp.id, 
         cislz_metadata : local.cislz_compartments_metadata[cmp.freeform_tags["cislz-cmp-type"]] #-- This example expects compartments to be freeform tagged with "cislz-cmp-type", so it can figure out the compartments intent and associate it with the appropriate metadata.
-      } 
-    if lookup(cmp.freeform_tags, "cislz","") == "vision" #-- The compartments we are interested are freeform tagged as {"cislz" : "vision"} but you could identify the compartments through some other attributes that makes sense to your deployment.
+      }
+    if lookup(cmp.freeform_tags, "cislz","") == "template-policies-example" #-- The compartments we are interested are freeform tagged as {"cislz" : "template-policies-example"} but you could identify the compartments through some other attributes that makes sense to your deployment.
   }
 
   policies_configuration = {

policies/network_cmp_policy.tf

@@ -39,7 +39,8 @@ locals {
       "allow group ${values["net-group"]} to manage metrics in compartment ${values["name"]}",
       "allow group ${values["net-group"]} to manage keys in compartment ${values["name"]}",
       "allow group ${values["net-group"]} to use key-delegate in compartment ${values["name"]}",
-      "allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}"
+      "allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}",
+      "allow group ${values["net-group"]} to manage network-firewall-family in compartment ${values["name"]}"
       #"allow group ${values["net-group"]} to read instance-agent-plugins in compartment ${values["name"]}"
     ] : []
   }  
@@ -61,7 +62,8 @@ locals {
   #-- Security admin grants on Network compartment
   security_admin_grants_on_network_cmp_map = {
     for k, values in local.cmp_name_to_cislz_tag_map : k => (contains(split(",",values["cmp-type"]),"network") && values["sec-group"] != null) ? [
-      "allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}"
+      "allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}",
+      "allow group ${values["sec-group"]} to use network-firewall-family in compartment ${values["name"]}"
     ] : []
   }
 

policies/root_cmp_policy.tf

@@ -94,10 +94,19 @@ locals {
   security_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.security_role) ? [
     "allow group ${local.security_group_names} to manage cloudevents-rules in tenancy",
     "allow group ${local.security_group_names} to manage cloud-guard-family in tenancy",
-    "allow group ${local.security_group_names} to read tenancies in tenancy"
+    "allow group ${local.security_group_names} to read tenancies in tenancy",
+    "allow group ${local.security_group_names} to manage zpr-configuration in tenancy",
+    "allow group ${local.security_group_names} to manage zpr-policy in tenancy",
+    "allow group ${local.security_group_names} to manage security-attribute-namespace in tenancy"
     #"allow group ${local.security_group_names} to read objectstorage-namespaces in tenancy"
   ] : []
 
+  network_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.network_role) ? [
+    "allow group ${local.network_group_names} to read zpr-configuration in tenancy",
+    "allow group ${local.network_group_names} to read zpr-policy in tenancy",
+    "allow group ${local.network_group_names} to read security-attribute-namespace in tenancy"
+  ] : []
+
   objectstorage_read_grantees = compact(
                                   concat(contains(keys(local.group_name_map_transpose),local.network_role) ?     [local.network_group_names]     : [],
                                          contains(keys(local.group_name_map_transpose),local.security_role) ?    [local.security_group_names]    : [],
@@ -126,27 +135,31 @@ locals {
   ] : []  
 
   auditor_grants = contains(keys(local.group_name_map_transpose),local.auditor_role) ? [
- "allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
-        "allow group ${local.auditor_group_names} to read instances in tenancy",
-        "allow group ${local.auditor_group_names} to read load-balancers in tenancy",
-        "allow group ${local.auditor_group_names} to read buckets in tenancy",
-        "allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
-        "allow group ${local.auditor_group_names} to read public-ips in tenancy",
-        "allow group ${local.auditor_group_names} to read file-family in tenancy",
-        "allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
-        "allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
-        "allow group ${local.auditor_group_names} to read resource-availability in tenancy",
-        "allow group ${local.auditor_group_names} to read audit-events in tenancy",
-        "allow group ${local.auditor_group_names} to read users in tenancy",
-        "allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
-        "allow group ${local.auditor_group_names} to read vss-family in tenancy",
-        "allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
-        "allow group ${local.auditor_group_names} to read usage-reports in tenancy",
-        "allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
-        "allow group ${local.auditor_group_names} to read vaults in tenancy",
-        "allow group ${local.auditor_group_names} to read keys in tenancy",
-        "allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
-        "allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}"
+    "allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
+    "allow group ${local.auditor_group_names} to read instances in tenancy",
+    "allow group ${local.auditor_group_names} to read load-balancers in tenancy",
+    "allow group ${local.auditor_group_names} to read buckets in tenancy",
+    "allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
+    "allow group ${local.auditor_group_names} to read public-ips in tenancy",
+    "allow group ${local.auditor_group_names} to read file-family in tenancy",
+    "allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
+    "allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
+    "allow group ${local.auditor_group_names} to read resource-availability in tenancy",
+    "allow group ${local.auditor_group_names} to read audit-events in tenancy",
+    "allow group ${local.auditor_group_names} to read users in tenancy",
+    "allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
+    "allow group ${local.auditor_group_names} to read vss-family in tenancy",
+    "allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
+    "allow group ${local.auditor_group_names} to read usage-reports in tenancy",
+    "allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
+    "allow group ${local.auditor_group_names} to read vaults in tenancy",
+    "allow group ${local.auditor_group_names} to read keys in tenancy",
+    "allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
+    "allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}",
+    "allow group ${local.auditor_group_names} to read zpr-configuration in tenancy",
+    "allow group ${local.auditor_group_names} to read zpr-policy in tenancy",
+    "allow group ${local.auditor_group_names} to read security-attribute-namespace in tenancy",
+    "allow group ${local.auditor_group_names} to read network-firewall-family in tenancy"
   ] : []
 
   announcement_reader_grants = contains(keys(local.group_name_map_transpose),local.announcement_reader_role) ? [
@@ -155,7 +168,8 @@ locals {
 
   root_cmp_admin_grants = concat(local.cost_admin_grants_on_root_cmp,local.iam_admin_grants_on_root_cmp,
                                  local.iam_admin_grants_on_enclosing_cmp,local.cred_admin_grants_on_root_cmp,
-                                 local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp)
+                                 local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp,
+                                 local.network_admin_grants_on_root_cmp)
 
   root_cmp_nonadmin_grants = concat(local.basic_grants_on_root_cmp,local.application_admin_grants_on_enclosing_cmp,
                                     local.auditor_grants,local.announcement_reader_grants, local.objectstorage_read_on_root_cmp)                               

release.txt

@@ -1 +1 @@
-0.2.4
+0.2.5