diff --git a/README.md b/README.md
index 6a057427..6ce112a7 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,26 @@
-[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+[![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip)
+*If you are logged into your OCI tenancy in the Commercial Realm (OC1), the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* +
+
To deploy to non-commercial realms and regions click here + +**OC2 Realm** +- [ Deploy to us-langley-1](https://console.us-langley-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) +- [Deploy to us-luke-1](https://console.us-luke-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) + + +**OC3 Realm** +- [Deploy to us-gov-ashburn-1](https://console.us-gov-ashburn-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) +- [Deploy to us-gov-chicago-1](https://console.us-gov-chicago-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) +- [Deploy to us-gov-phoenix-1](https://console.us-gov-phoenix-1.oraclegovcloud.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) -*If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. 
If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.* +**OC4 Realm** +- [Deploy to uk-gov-london-1](https://console.uk-gov-london-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) +- [Deploy to uk-gov-cardiff-1](https://console.uk-gov-cardiff-1.oraclegovcloud.uk/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) + +**OC10 Realm** +- [Deploy to ap-dcc-canberra-1](https://oc10.cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/archive/refs/heads/main.zip) + +


  Check [CIS Landing Zone course](https://mylearn.oracle.com/ou/course/oci-landing-zone/123962/193003) in Oracle University for a comprehensive introduction. @@ -9,6 +29,7 @@   Also check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience.

+ # CIS OCI Landing Zone Quick Start Template ![Landing_Zone_Logo](images/landing%20zone_300.png) ## Table of Contents diff --git a/config/data_sources.tf b/config/data_sources.tf index 23590ed0..4c4fa93b 100644 --- a/config/data_sources.tf +++ b/config/data_sources.tf @@ -177,12 +177,4 @@ data "oci_identity_compartments" "exainfra" { data "oci_identity_tag_namespaces" "this" { compartment_id = var.tenancy_ocid -} - -data "oci_identity_compartments" "all" { - depends_on = [module.lz_compartments] - compartment_id = var.tenancy_ocid - compartment_id_in_subtree = true - access_level = "ACCESSIBLE" - state = "ACTIVE" -} +} \ No newline at end of file diff --git a/config/iam_service_policies.tf b/config/iam_service_policies.tf index 059f9474..ed5d5331 100644 --- a/config/iam_service_policies.tf +++ b/config/iam_service_policies.tf @@ -18,6 +18,15 @@ module "lz_services_policy" { policies_configuration = local.services_policies_configuration } +module "lz_oke_clusters_policy" { + depends_on = [null_resource.wait_on_compartments] + count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == false ? 1 : 0 + source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7" + providers = { oci = oci.home } + tenancy_ocid = var.tenancy_ocid + policies_configuration = local.oke_clusters_policy_configuration +} + locals { #-------------------------------------------------------------------------- #-- These variables are NOT meant to be overriden. 
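Review bot: The new `lz_oke_clusters_policy` module is pinned to `?ref=v0.1.7` while this same commit moves `lz_template_policies` in config/iam_template_policies.tf to `?ref=v0.1.8`, so the two policy sets would be rendered by different versions of the same policies module and Terraform fetches both. Unless staying on v0.1.7 is deliberate, change the source line to `source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.8"`. The `count` gate (`enable_template_policies == false`) looks meant to mirror `lz_services_policy`, whose body lies above the hunk, so confirm the two gates agree.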
@@ -60,4 +69,28 @@ locals { enable_cis_benchmark_checks : true supplied_policies : local.services_policy } + + # Grants allowing OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment. + # In CIS Landing Zone, OKE clusters are defined in the AppDev compartment, while the network resources are defined in the Network compartment. + # Reference: https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm + oke_clusters_statements = ["allow any-user to manage instances in compartment ${local.appdev_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }", + "allow any-user to use private-ips in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }", + "allow any-user to use network-security-groups in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }", + "allow any-user to use subnets in compartment ${local.network_compartment_name} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.appdev_compartment_id}' }"] + + oke_clusters_policy = { + ("${var.service_label}-oke-clusters-policy") : { + compartment_ocid = local.enclosing_compartment_id + name = "${var.service_label}-oke-clusters-policy" + description = "Landing Zone policy for OKE clusters. It allows OKE clusters to use Native Pod Networking (NPN) and to use network resources in the Network compartment." 
+ statements = local.oke_clusters_statements + defined_tags = local.service_policy_defined_tags + freeform_tags = local.service_policy_freeform_tags + } + } + + oke_clusters_policy_configuration = { + enable_cis_benchmark_checks : true + supplied_policies : local.oke_clusters_policy + } } diff --git a/config/iam_template_policies.tf b/config/iam_template_policies.tf index 4b8bc32a..f62ea05e 100644 --- a/config/iam_template_policies.tf +++ b/config/iam_template_policies.tf @@ -18,7 +18,7 @@ locals { module "lz_template_policies" { depends_on = [module.lz_top_compartment, module.lz_compartments, module.lz_groups, module.lz_dynamic_groups] count = var.extend_landing_zone_to_new_region == false && var.enable_template_policies == true ? 1 : 0 - source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.7" + source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.1.8" providers = { oci = oci.home } tenancy_ocid = var.tenancy_ocid policies_configuration = local.template_policies_configuration diff --git a/config/mon_service_connector.tf b/config/mon_service_connector.tf index 51ddfe68..1c90f41d 100644 --- a/config/mon_service_connector.tf +++ b/config/mon_service_connector.tf @@ -21,9 +21,9 @@ locals { custom_policy_defined_tags = null custom_policy_freeform_tags = null - audit_logs_sources = !var.extend_landing_zone_to_new_region ? [for cmp in data.oci_identity_compartments.all.compartments : { - compartment_id = cmp.id - log_group_id = "_Audit" + audit_logs_sources = !var.extend_landing_zone_to_new_region ? [{ + compartment_id = var.tenancy_ocid + log_group_id = "_Audit_Include_Subcompartment" log_id = "" }] : [] oss_logs_sources = [for k, v in module.lz_oss_logs.logs : { diff --git a/config/schema.yml b/config/schema.yml index 14fdc5dd..9c771d7e 100644 --- a/config/schema.yml +++ b/config/schema.yml 
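Review bot: The conditions on the four new `oke_clusters_statements` match on `request.principal.type = 'cluster'` plus the AppDev compartment id, so every cluster principal in AppDev receives `manage instances` there and `use` on private-ips, network-security-groups and subnets in Network, which is a compartment-wide rather than per-cluster grant. If that scope is intended, state it in the comment above the list, e.g. `# Applies to every cluster principal in the AppDev compartment, not to one specific cluster.`; if a tighter scope is wanted, I believe the referenced OCI page also shows a `request.principal.id` form keyed to a single cluster OCID, which would need the cluster to exist first. The `locals` block these lines belong to starts before the hunk.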
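Review bot: The switch from one audit source per compartment to a single `_Audit_Include_Subcompartment` source at `var.tenancy_ocid` is not explained where it is made, and it is the reason `data.oci_identity_compartments.all` could be dropped from config/data_sources.tf; a reader of this file alone cannot see that link. Add a comment above the assignment, e.g. `# "_Audit_Include_Subcompartment" at the tenancy root collects audit logs of every compartment, so no per-compartment enumeration is needed.` — that the construct also covers compartments created after this apply is my reading of the release note and should be confirmed against the Service Connector Hub documentation. The `locals` block continues outside the hunk.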
@@ -921,7 +921,7 @@ variables: enum: - STRICT - MEDIUM - - LIGHTWEIGTH + - LIGHTWEIGHT - NONE visible: and: diff --git a/images/landing_zone__bw_.svg b/images/landing_zone__bw_.svg new file mode 100644 index 00000000..f6acadba --- /dev/null +++ b/images/landing_zone__bw_.svg @@ -0,0 +1,117 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/images/landing_zone__gs_.svg b/images/landing_zone__gs_.svg new file mode 100644 index 00000000..33983a2c --- /dev/null +++ b/images/landing_zone__gs_.svg @@ -0,0 +1,117 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/pre-config/lz_groups_policies.tf b/pre-config/lz_groups_policies.tf index bf988696..ac29bccc 100644 --- a/pre-config/lz_groups_policies.tf +++ b/pre-config/lz_groups_policies.tf 
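Review bot: `LIGHTWEIGHT` is now the enum value the RMS schema offers, but if the config module's variable validation or the locals that branch on this value still use the old spelling `LIGHTWEIGTH`, the corrected UI choice would be rejected or fall through; that Terraform code is not in this diff, so confirm the spelling matches wherever the value is declared and compared. If the misspelling was ever accepted in existing tfvars, a `validation` block that lists both spellings, or a release-note line flagging the rename, would keep those deployments from breaking on the next apply.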
@@ -158,13 +158,19 @@ module "lz_groups_read_only_policy" { statements = [ # Auditor "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to inspect all-resources in tenancy", - "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read repos in tenancy", - "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read objectstorage-namespaces in tenancy", - "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read app-catalog-listing in tenancy", - "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instance-images in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instances in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read load-balancers in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read buckets in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read nat-gateways in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read public-ips in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read file-family in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read instance-configurations in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read network-security-groups in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read resource-availability in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read audit-events in tenancy", "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read users in tenancy", - "Allow group 
${each.value.group_name_prefix}${local.auditor_group_name_suffix} to inspect buckets in tenancy", "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to use cloud-shell in tenancy", + "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read vss-family in tenancy", "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read usage-budgets in tenancy", "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read usage-reports in tenancy", "Allow group ${each.value.group_name_prefix}${local.auditor_group_name_suffix} to read data-safe-family in tenancy" diff --git a/release-notes.md b/release-notes.md index e5c646d3..052b5f0c 100644 --- a/release-notes.md +++ b/release-notes.md 
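Review bot: The auditor grant set in `lz_groups_read_only_policy` is widened in ways the release note's "aligned with config module" summary does not surface: `inspect buckets` becomes `read buckets`, and `read audit-events`, `read vss-family`, `read instance-configurations` and `read public-ips` are new, while `read objectstorage-namespaces`, `read repos`, `read app-catalog-listing` and `read instance-images` are dropped. The config-module list it is said to mirror is not in the diff, so confirm each change is intentional; in particular, dropping `read objectstorage-namespaces` may prevent the auditor group from resolving the Object Storage namespace that bucket-listing API calls require, which would affect the compliance script when run by an auditor. A comment above the list such as `# Keep in sync with the auditor statements in the config module` would make the intended coupling explicit. The `statements` list begins inside the hunk, but the module block starts before it.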
@@ -1,3 +1,24 @@
+# January 5, 2024 Release Notes - 2.7.1
+1. [Links to Deploy in Non-commercial Regions](#2-7-1-deploy-links)
+1. [Terraform Updates](#2-7-1-tf-updates)
+1. [Script Updates](#2-7-1-script-updates)
+
+## Links to Deploy in Non-commercial Regions
+Links have been added to [README.md](./README.md) allowing the initiation of Terraform deployments in **non-commercial** regions through OCI Resource Manager service. The existing "Deploy to Oracle Cloud" button is unchanged, initiating deployments to commercial regions only. Use the links when deploying to Gov cloud.
+
+## Terraform Updates
+**config module**
+* *tenancy_ocid*, *user_ocid* and *region* variables are now hidden in [generic_workload_compartments](./workloads/generic_workload_compartments/) RMS UI.
+* IAM policies have been added to allow OKE clusters deployment with NPN (Native Pod Networking) and split compartment topology (i.e., networking in Network compartment and cluster in AppDev compartment).
+* Tenancy wide audit logs for Service Connector Hub are now collected using "_Audit_Include_Subcompartment" construct instead of explicitly looping through all tenancy compartments.
+
+**pre-config module**
+* Auditor grants in pre-config module aligned with auditor grants in config module.
+
+## Script Updates
+- Fixes:
+  - Added additional error handling in `__search_resources_in_root_compartment` to resolve [issue 134](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/issues/134).
+
 # November 17, 2023 Release Notes - 2.7.0
 1. [CIS Compliance Script Gets Network Topology](#2-7-0-script-network-topology)
 1. [CIS Compliance Script Gets All Resources](#2-7-0-script-all-resources)
diff --git a/release.txt b/release.txt
index 1cec3486..fa026c72 100644
--- a/release.txt
+++ b/release.txt
@@ -1 +1 @@
-2.7.0
+2.7.1
diff --git a/scripts/cis_reports.py b/scripts/cis_reports.py
index 1affa4a7..80c70f76 100644
--- a/scripts/cis_reports.py
+++ b/scripts/cis_reports.py
@@ -27,7 +27,6 @@ import re import requests import pickle -#test try: from xlsxwriter.workbook import Workbook @@ -36,9 +35,9 @@ except Exception: OUTPUT_TO_XLSX = False -RELEASE_VERSION = "2.7.0" -PYTHON_SDK_VERSION = "2.115.1" -UPDATED_DATE = "November 20, 2023" +RELEASE_VERSION = "2.7.1" +PYTHON_SDK_VERSION = "2.118.0" +UPDATED_DATE = "January 05, 2024" ########################################################################## @@ -3375,13 +3374,17 @@ def __search_resources_in_root_compartment(self): for item in structured_search_all_resources: # ignoring global resources like IAM - if item.identifier.split('.')[3]: - record = { - "display_name": item.display_name, - "id": item.identifier, - "region": region_key - } - self.cis_foundations_benchmark_1_2['5.2']['Total'].append(item) + try: + if item.identifier.split('.')[3]: + record = { + "display_name": item.display_name, + "id": item.identifier, + "region": region_key + } + self.cis_foundations_benchmark_1_2['5.2']['Total'].append(item) + except: + self.__errors.append({"id" : "search_resources_in_root_compartment Invalid OCID", "error" : str(item)}) + debug(f'__search_resources_in_root_compartment: Invalid OCID: {str(item)}') except Exception as e: raise RuntimeError( diff --git a/workloads/generic_workload_compartments/schema.yml b/workloads/generic_workload_compartments/schema.yml index 4b0ceb33..441e9c15 100644 --- a/workloads/generic_workload_compartments/schema.yml +++ b/workloads/generic_workload_compartments/schema.yml @@ -10,6 +10,7 @@ locale: "en" variableGroups: - title: "Environment" variables: + - "region" - "service_label" - "existing_lz_enclosing_compartment_ocid" - "existing_lz_security_compartment_ocid" @@ -26,8 +27,8 @@ variableGroups: - title: "Hidden Variables" visible: false variables: - - "tenancy_id" - - "user_id" + - "tenancy_ocid" + - "user_ocid" - "fingerprint" - "private_key_path" - "private_key_password" 
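Review bot: The new `except:` in `__search_resources_in_root_compartment` is bare, so it also swallows `KeyboardInterrupt` and `SystemExit` and reports any unexpected failure as an "Invalid OCID" entry; the case being guarded is the `split('.')[3]` index on a malformed identifier, so narrow it to `except (IndexError, AttributeError) as e:` and include `str(e)` alongside `str(item)` in the recorded error. The `record` dict built inside the `if` is never used — only `item` is appended to the `'5.2'` totals — so it should either be dropped or be what gets appended. The function body continues beyond the hunk, where the outer `except Exception as e` re-raises as `RuntimeError`.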
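Review bot: `region` is added to the visible "Environment" variable group in the first hunk of workloads/generic_workload_compartments/schema.yml, while only `tenancy_ocid` and `user_ocid` are moved into "Hidden Variables" in the second hunk, yet the release note in this commit says `region` is now hidden too and the later `@@ -85` hunk declares `region` under the "# Variables not required to display to user" comment; one of these is wrong. If `region` is meant to be hidden, move the new `- "region"` entry into the "Hidden Variables" list; if it is meant to be shown, correct the release note and the comment it sits under. Either way the rename from `tenancy_id`/`user_id` to `tenancy_ocid`/`user_ocid` looks consistent with the `variable "tenancy_ocid"` and `variable "user_ocid"` declarations visible in the variables.tf hunk.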
@@ -85,10 +86,13 @@ variables: title: "Create Workload Dynamic Groups" # Variables not required to display to user - tenancy_id: + tenancy_ocid: type: string - user_id: + region: + type: string + + user_ocid: type: string fingerprint: diff --git a/workloads/generic_workload_compartments/variables.tf b/workloads/generic_workload_compartments/variables.tf index 1d94faa6..cb6b5e59 100644 --- a/workloads/generic_workload_compartments/variables.tf +++ b/workloads/generic_workload_compartments/variables.tf @@ -4,7 +4,9 @@ # ----- Environment # ------------------------------------------------------ variable "tenancy_ocid" {} -variable "user_ocid" {} +variable "user_ocid" { + default = "" +} variable "fingerprint" { default = "" } 
@@ -21,51 +23,6 @@ variable "region" { } } -#------------------------------------------------------------- -#-- Arbitrary compartments topology -#------------------------------------------------------------- -# variable "compartments" { -# description = "The compartments structure, given as a map of objects nested up to 6 levels." -# type = map(object({ -# name = string -# description = string -# parent_id = string -# defined_tags = map(string) -# freeform_tags = map(string) -# children = map(object({ -# name = string -# description = string -# defined_tags = map(string) -# freeform_tags = map(string) -# children = map(object({ -# name = string -# description = string -# defined_tags = map(string) -# freeform_tags = map(string) -# children = map(object({ -# name = string -# description = string -# defined_tags = map(string) -# freeform_tags = map(string) -# children = map(object({ -# name = string -# description = string -# defined_tags = map(string) -# freeform_tags = map(string) -# children = map(object({ -# name = string -# description = string -# defined_tags = map(string) -# freeform_tags = map(string) -# })) -# })) -# })) -# })) -# })) -# })) -# default = {} -# } - variable "service_label" { description = "Prefix used in your CIS Landing Zone deployment." type = string