diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index f1eea6f..287ddb9 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md @@ -1,3 +1,11 @@ +# November 01, 2024 Release Notes - 0.2.5 +## Updates +1. [Policies module](./policies/) + - Added IAM policies for OCI Network Firewall and ZPR. + - OCI Network Firewall granted manage permissions to Network admins. + - ZPR granted manage permissions to Security admins. + + # October 07, 2024 Release Notes - 0.2.4 ## Updates 1. [Identity Domains module](./identity-domains/) diff --git a/compartments/examples/vision/README.md b/compartments/examples/vision/README.md index 5b0f6df..e4cbc3b 100644 --- a/compartments/examples/vision/README.md +++ b/compartments/examples/vision/README.md @@ -1,6 +1,6 @@ # OCI Landing Zones IAM Compartments Module Example - Vision compartments -This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Base Landing Zone](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart). +This example shows how to deploy Identity and Access Management (IAM) compartments in Oracle Cloud Infrastructure (OCI) for a hypothetical Vision entity. The sample topology is the same one deployed by [OCI Core Landing Zone](https://github.com/oci-landing-zones/terraform-oci-core-landingzone). It creates the compartment topology as shown in the picture below: 
@@ -23,6 +23,8 @@ Refer to [compartment's module README.md](../../README.md) for overall attribute *TOP-CMP* defines two tag defaults. *COST-CENTER-TAG-DEFAULT* will automatically apply value "a1" to any resources created in *TOP-CMP* compartment and sub-compartments. *ENVIRONMENT-TAG-DEFAULT* will automatically require that users provide a value when creating resources in *TOP-CMP* compartment and sub-compartments. +The *cislz* and *cislz-cmp-type* freeform tags assigned to each compartment are used as lookups by [Template Policies Example](https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/policies/examples/template-policies). + **Note**: If the *automation_config* variable is provided, the example writes the compartments output to the specified OCI Object Storage bucket (write permissions are required on the bucket). The example can be easily changed to write the output to a local file instead. The output can be further used by another module that depends on these compartments. 3. In this folder, run the typical Terraform workflow: diff --git a/compartments/examples/vision/input.auto.tfvars.template b/compartments/examples/vision/input.auto.tfvars.template index 7977da2..f08f80b 100644 --- a/compartments/examples/vision/input.auto.tfvars.template +++ b/compartments/examples/vision/input.auto.tfvars.template @@ -37,6 +37,10 @@ compartments_configuration = { TOP-CMP = { name = "vision-top-cmp", description = "Vision Enclosing compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "enclosing" + } #parent_id = null, tag_defaults = { COST-CENTER-TAG-DEFAULT = { 
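Review bot: The `freeform_tags` block added to TOP-CMP here (and the matching blocks added to the five sub-compartments in the next hunk of this file) sets the lookup keys that policies/examples/template-policies/main.tf filters on, but nothing in the template itself says so, so a user who edits the `cislz` value would simply drop the compartment from that example's policy filter. A one-line comment above each block, e.g. `# "cislz" and "cislz-cmp-type" are looked up by policies/examples/template-policies/main.tf; keep them in sync with its filter`, would make the coupling visible where the values are set. The enclosing `compartments_configuration` map begins and ends outside the hunk.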
@@ -54,22 +58,42 @@ compartments_configuration = { NETWORK-CMP = { name = "vision-network-cmp", description = "Vision Network compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "network" + } }, SECURITY-CMP = { name = "vision-security-cmp", - description = "Vision Security compartment", + description = "Vision Security compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "security" + } }, APP-CMP = { name = "vision-application-cmp", - description = "Vision Application compartment", + description = "Vision Application compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "application" + } }, DB-CMP = { name = "vision-database-cmp", - description = "Vision Database compartment", + description = "Vision Database compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "database" + } }, EXACS-CMP = { name = "vision-exainfra-cmp", - description = "Vision Exadata Cloud Service compartment", + description = "Vision Exadata Cloud Service compartment", + freeform_tags = { + cislz = "template-policies-example", + cislz-cmp-type = "exainfra" + } } } } diff --git a/identity-domains/README.md b/identity-domains/README.md index eb4246a..0607bdc 100644 --- a/identity-domains/README.md +++ b/identity-domains/README.md @@ -22,9 +22,11 @@ This module requires Terraform binary version 1.3.0 or greater, as it relies on ### IAM Permissions This module requires the following OCI IAM permission: + ``` Allow group to manage domains in tenancy ``` + ## How to Invoke the Module Terraform modules can be invoked locally or remotely. diff --git a/policies/examples/template-policies/README.md b/policies/examples/template-policies/README.md index 225fc69..e7bb7c8 100644 --- a/policies/examples/template-policies/README.md +++ b/policies/examples/template-policies/README.md 
@@ -2,9 +2,9 @@ ## Introduction -This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam-modules/compartments/examples/vision. +This example shows how to use [OCI Landing Zones IAM policy module](../..) to manage policies that are generated based on metadata that is associated to existing compartments. A matching compartments example is available at https://github.com/oci-landing-zones/terraform-oci-modules-iam/tree/main/compartments/examples/vision. -For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "vision". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment. +For compartment level policies (excluding Root compartment), the target compartments are obtained from a data source whose output is filtered based on freeform tag "cislz" with value "template-policies-example". The returned compartments are passed to the policy module via the *supplied_compartments* attribute. Each returned compartment is associated with metadata for appropriate policy generation based on the freeform tag "cislz-cmp-type" applied to each compartment. For tenancy level policies (policies attached to Root compartment), a list of group names with their respective roles are passed to the module via the *groups_with_tenancy_level_roles* attribute. diff --git a/policies/examples/template-policies/main.tf b/policies/examples/template-policies/main.tf index d517bd1..c9ff0a6 100644 
--- a/policies/examples/template-policies/main.tf
+++ b/policies/examples/template-policies/main.tf
@@ -74,8 +74,8 @@ locals {
 name : cmp.name,
 id : cmp.id,
 cislz_metadata : local.cislz_compartments_metadata[cmp.freeform_tags["cislz-cmp-type"]] #-- This example expects compartments to be freeform tagged with "cislz-cmp-type", so it can figure out the compartments intent and associate it with the appropriate metadata.
- }
- if lookup(cmp.freeform_tags, "cislz","") == "vision" #-- The compartments we are interested are freeform tagged as {"cislz" : "vision"} but you could identify the compartments through some other attributes that makes sense to your deployment.
+ }
+ if lookup(cmp.freeform_tags, "cislz","") == "template-policies-example" #-- The compartments we are interested are freeform tagged as {"cislz" : "template-policies-example"} but you could identify the compartments through some other attributes that makes sense to your deployment.
 }
 
 policies_configuration = {
diff --git a/policies/network_cmp_policy.tf b/policies/network_cmp_policy.tf
index 77baf64..6a4506a 100644
--- a/policies/network_cmp_policy.tf
+++ b/policies/network_cmp_policy.tf
@@ -39,7 +39,8 @@ locals {
 "allow group ${values["net-group"]} to manage metrics in compartment ${values["name"]}",
 "allow group ${values["net-group"]} to manage keys in compartment ${values["name"]}",
 "allow group ${values["net-group"]} to use key-delegate in compartment ${values["name"]}",
- "allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}"
+ "allow group ${values["net-group"]} to manage secret-family in compartment ${values["name"]}",
+ "allow group ${values["net-group"]} to manage network-firewall-family in compartment ${values["name"]}"
 #"allow group ${values["net-group"]} to read instance-agent-plugins in compartment ${values["name"]}"
 ] : []
 }
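Review bot: The comment on the rewritten `if` line should state what the tag-based selection trusts: the example now picks compartments by the freeform tag `cislz` == "template-policies-example" and chooses the grant set from `cislz-cmp-type`, and as far as I know freeform tags carry no namespace-level access control (unlike defined tags), so whoever can update a compartment's tags can change which policies this example attaches to it on the next apply. Suggest appending `#-- Note: freeform tags are not access-controlled; for production, select compartments by OCID or by a defined tag in a namespace only IAM admins can apply.` to that comment. The `locals` block and the for-expression that this object belongs to begin before the hunk.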
@@ -61,7 +62,8 @@ locals {
 #-- Security admin grants on Network compartment
 security_admin_grants_on_network_cmp_map = {
 for k, values in local.cmp_name_to_cislz_tag_map : k => (contains(split(",",values["cmp-type"]),"network") && values["sec-group"] != null) ? [
- "allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}"
+ "allow group ${values["sec-group"]} to read keys in compartment ${values["name"]}",
+ "allow group ${values["sec-group"]} to use network-firewall-family in compartment ${values["name"]}"
 ] : []
 }
 
diff --git a/policies/root_cmp_policy.tf b/policies/root_cmp_policy.tf
index 17c1499..24fe72b 100644
--- a/policies/root_cmp_policy.tf
+++ b/policies/root_cmp_policy.tf
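Review bot: The `use network-firewall-family` grant for the security admin group added here is not reflected in the RELEASE-NOTES.md entry in this commit, which lists only the manage grant to Network admins; the same gap applies to the ZPR read grants for Network admins and the auditor reads added in root_cmp_policy.tf. Since in OCI `use` generally includes update and not only read, consumers comparing roles should see this cross-role access called out, e.g. `- OCI Network Firewall: manage granted to Network admins, use granted to Security admins, read granted to Auditors.` in the release note.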
@@ -94,10 +94,19 @@ locals {
 security_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.security_role) ? [
 "allow group ${local.security_group_names} to manage cloudevents-rules in tenancy",
 "allow group ${local.security_group_names} to manage cloud-guard-family in tenancy",
- "allow group ${local.security_group_names} to read tenancies in tenancy"
+ "allow group ${local.security_group_names} to read tenancies in tenancy",
+ "allow group ${local.security_group_names} to manage zpr-configuration in tenancy",
+ "allow group ${local.security_group_names} to manage zpr-policy in tenancy",
+ "allow group ${local.security_group_names} to manage security-attribute-namespace in tenancy"
 #"allow group ${local.security_group_names} to read objectstorage-namespaces in tenancy"
 ] : []
 
+ network_admin_grants_on_root_cmp = contains(keys(local.group_name_map_transpose),local.network_role) ? [
+ "allow group ${local.network_group_names} to read zpr-configuration in tenancy",
+ "allow group ${local.network_group_names} to read zpr-policy in tenancy",
+ "allow group ${local.network_group_names} to read security-attribute-namespace in tenancy"
+ ] : []
+
 objectstorage_read_grantees = compact(
 concat(contains(keys(local.group_name_map_transpose),local.network_role) ? [local.network_group_names] : [],
 contains(keys(local.group_name_map_transpose),local.security_role) ? [local.security_group_names] : [],
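Review bot: The new `network_admin_grants_on_root_cmp` local has no header comment, unlike the `#-- Security admin grants on Network compartment` style used in network_cmp_policy.tf, and it repeats the `contains(keys(local.group_name_map_transpose),local.network_role)` predicate that `objectstorage_read_grantees` evaluates again two lines below. Suggest adding `#-- Network admin grants on Root compartment (read-only view of the ZPR objects Security admins manage above)` above the local, and hoisting the predicate into a boolean local if the file does not already define one (the head of the `locals` block is outside the hunk).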
@@ -126,27 +135,31 @@ locals {
 ] : []
 
 auditor_grants = contains(keys(local.group_name_map_transpose),local.auditor_role) ? [
- "allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
- "allow group ${local.auditor_group_names} to read instances in tenancy",
- "allow group ${local.auditor_group_names} to read load-balancers in tenancy",
- "allow group ${local.auditor_group_names} to read buckets in tenancy",
- "allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
- "allow group ${local.auditor_group_names} to read public-ips in tenancy",
- "allow group ${local.auditor_group_names} to read file-family in tenancy",
- "allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
- "allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
- "allow group ${local.auditor_group_names} to read resource-availability in tenancy",
- "allow group ${local.auditor_group_names} to read audit-events in tenancy",
- "allow group ${local.auditor_group_names} to read users in tenancy",
- "allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
- "allow group ${local.auditor_group_names} to read vss-family in tenancy",
- "allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
- "allow group ${local.auditor_group_names} to read usage-reports in tenancy",
- "allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
- "allow group ${local.auditor_group_names} to read vaults in tenancy",
- "allow group ${local.auditor_group_names} to read keys in tenancy",
- "allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
- "allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}"
+ "allow group ${local.auditor_group_names} to inspect all-resources in tenancy",
+ "allow group ${local.auditor_group_names} to read instances in tenancy",
+ "allow group ${local.auditor_group_names} to read load-balancers in tenancy",
+ "allow group ${local.auditor_group_names} to read buckets in tenancy",
+ "allow group ${local.auditor_group_names} to read nat-gateways in tenancy",
+ "allow group ${local.auditor_group_names} to read public-ips in tenancy",
+ "allow group ${local.auditor_group_names} to read file-family in tenancy",
+ "allow group ${local.auditor_group_names} to read instance-configurations in tenancy",
+ "allow group ${local.auditor_group_names} to read network-security-groups in tenancy",
+ "allow group ${local.auditor_group_names} to read resource-availability in tenancy",
+ "allow group ${local.auditor_group_names} to read audit-events in tenancy",
+ "allow group ${local.auditor_group_names} to read users in tenancy",
+ "allow group ${local.auditor_group_names} to use cloud-shell in tenancy",
+ "allow group ${local.auditor_group_names} to read vss-family in tenancy",
+ "allow group ${local.auditor_group_names} to read usage-budgets in tenancy",
+ "allow group ${local.auditor_group_names} to read usage-reports in tenancy",
+ "allow group ${local.auditor_group_names} to read data-safe-family in tenancy",
+ "allow group ${local.auditor_group_names} to read vaults in tenancy",
+ "allow group ${local.auditor_group_names} to read keys in tenancy",
+ "allow group ${local.auditor_group_names} to read tag-namespaces in tenancy",
+ "allow group ${local.auditor_group_names} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}",
+ "allow group ${local.auditor_group_names} to read zpr-configuration in tenancy",
+ "allow group ${local.auditor_group_names} to read zpr-policy in tenancy",
+ "allow group ${local.auditor_group_names} to read security-attribute-namespace in tenancy",
+ "allow group ${local.auditor_group_names} to read network-firewall-family in tenancy"
 ] : []
 
 announcement_reader_grants = contains(keys(local.group_name_map_transpose),local.announcement_reader_role) ? [
@@ -155,7 +168,8 @@ locals {
 
 root_cmp_admin_grants = concat(local.cost_admin_grants_on_root_cmp,local.iam_admin_grants_on_root_cmp,
 local.iam_admin_grants_on_enclosing_cmp,local.cred_admin_grants_on_root_cmp,
- local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp)
+ local.security_admin_grants_on_root_cmp,local.security_admin_grants_on_enclosing_cmp,
+ local.network_admin_grants_on_root_cmp)
 root_cmp_nonadmin_grants = concat(local.basic_grants_on_root_cmp,local.application_admin_grants_on_enclosing_cmp,
 local.auditor_grants,local.announcement_reader_grants,
 local.objectstorage_read_on_root_cmp)
diff --git a/release.txt b/release.txt
index 72f9fa8..28af839 100644
--- a/release.txt
+++ b/release.txt
@@ -1 +1 @@
-0.2.4
\ No newline at end of file
+0.2.5
\ No newline at end of file
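Review bot: Twenty-one of the twenty-five added lines in `auditor_grants` are the existing statements re-emitted with identical text (apparently a whitespace-only re-indent, which this view cannot show), so the four substantive additions — read on zpr-configuration, zpr-policy, security-attribute-namespace and network-firewall-family — are hard to pick out when reviewing what the auditor role can now see. Keeping the formatting change in a separate commit, or naming the four new grants in the commit message, would let the grant delta be audited from the diff alone. The additions themselves stay at `read`, consistent with the rest of the auditor list.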