Merge pull request #135 from oracle-quickstart/release-2.7.1

Release 2.7.1

README.md

@@ -1,6 +1,26 @@
-[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)<br>
+*If you are logged into your OCI tenancy in the Commercial Realm (OC1), the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
+<br>
+<details><summary>To deploy to non-commercial realms and regions click here</summary>
+
+**OC2 Realm**
+- [ Deploy to us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+
+**OC3 Realm**
+- [Deploy to us-gov-ashburn-1](https://console.us-gov-ashburn-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-gov-chicago-1](https://console.us-gov-chicago-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to us-gov-phoenix-1](https://console.us-gov-phoenix-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
 
-*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
+**OC4 Realm**
+- [Deploy to uk-gov-london-1](https://console.uk-gov-london-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+- [Deploy to uk-gov-cardiff-1](https://console.uk-gov-cardiff-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+**OC10 Realm**
+- [Deploy to ap-dcc-canberra-1](https://oc10.cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+
+</details>
 <br>
 <br>
 <img align="left" src="./images/the_o.png" height="30" width="30">&nbsp;&nbsp;Check [CIS Landing Zone course](https://mylearn.oracle.com/ou/course/oci-landing-zone/123962/193003) in Oracle University for a comprehensive introduction.
@@ -9,6 +29,7 @@
 <img align="left" src="./images/livelab.png" height="30" width="30">&nbsp;&nbsp;Also check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience.
 <br>
 <br>
+
 # CIS OCI Landing Zone Quick Start Template
 ![Landing_Zone_Logo](images/landing%20zone_300.png)
 ## Table of Contents

config/data_sources.tf

@@ -177,12 +177,4 @@ data "oci_identity_compartments" "exainfra" {
 
 data "oci_identity_tag_namespaces" "this" {
   compartment_id = var.tenancy_ocid
-}
-
-data "oci_identity_compartments" "all" {
-  depends_on = [module.lz_compartments]
-  compartment_id = var.tenancy_ocid
-  compartment_id_in_subtree = true
-  access_level = "ACCESSIBLE"
-  state = "ACTIVE"
-}
+}

config/iam_service_policies.tf

@@ -18,6 +18,15 @@ module "lz_services_policy" {
   policies_configuration = local.services_policies_configuration
 }
 
+module "lz_oke_clusters_policy" {
+  depends_on = [null_resource.wait_on_compartments]
+  count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == false ? 1 : 0
+  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7"
+  providers = { oci = oci.home }
+  tenancy_ocid = var.tenancy_ocid
+  policies_configuration = local.oke_clusters_policy_configuration
+}
+
 locals {
 #--------------------------------------------------------------------------
 #-- These variables are NOT meant to be overriden.
@@ -60,4 +69,28 @@ locals {
     enable_cis_benchmark_checks : true
     supplied_policies : local.services_policy
   }
+
+  # Grants allowing OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment.
+  # In CIS Landing Zone, OKE clusters are defined in the AppDev compartment, while the network resources are defined in the Network compartment.
+  # Reference: https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm
+  oke_clusters_statements = ["allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+                            "allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+                            "allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }",
+                            "allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"]
+
+  oke_clusters_policy = { 
+    ("${var.service_label}-oke-clusters-policy") : {
+      compartment_ocid = local.enclosing_compartment_id
+      name             = "${var.service_label}-oke-clusters-policy"
+      description      = "Landing Zone policy for OKE clusters. It allows OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment."
+      statements       = local.oke_clusters_statements
+      defined_tags     = local.service_policy_defined_tags
+      freeform_tags    = local.service_policy_freeform_tags
+    }
+  } 
+
+  oke_clusters_policy_configuration = {
+    enable_cis_benchmark_checks : true
+    supplied_policies : local.oke_clusters_policy
+  }                         
 }  

config/iam_template_policies.tf

@@ -18,7 +18,7 @@ locals {
 module "lz_template_policies" {
   depends_on = [module.lz_top_compartment, module.lz_compartments, module.lz_groups, module.lz_dynamic_groups]
   count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == true ? 1 : 0
-  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7"
+  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.8"
   providers = { oci = oci.home }
   tenancy_ocid = var.tenancy_ocid
   policies_configuration = local.template_policies_configuration

config/mon_service_connector.tf

@@ -21,9 +21,9 @@ locals {
   custom_policy_defined_tags = null
   custom_policy_freeform_tags = null
 
-  audit_logs_sources = !var.extend_landing_zone_to_new_region ? [for cmp in data.oci_identity_compartments.all.compartments : {
-    compartment_id = cmp.id
-    log_group_id = "_Audit"
+  audit_logs_sources = !var.extend_landing_zone_to_new_region ? [{
+    compartment_id = var.tenancy_ocid
+    log_group_id = "_Audit_Include_Subcompartment"
     log_id = ""
   }] : []
   oss_logs_sources = [for k, v in module.lz_oss_logs.logs : {

config/schema.yml

@@ -921,7 +921,7 @@ variables:
     enum:
       - STRICT
       - MEDIUM
-      - LIGHTWEIGTH
+      - LIGHTWEIGHT
       - NONE
     visible:
       and: