Merge pull request #132 from oracle-quickstart/release-2.7.0.1

Release 2.7.0

.gitignore

@@ -1,15 +1,19 @@
-**/*.tfstate*
-**/*.out
-**/.terraform/*
-**/.terraform.*
-**/.DS_Store
-**/crash.log
-**/.csv
-*.pem
-**/terraform.tfvars
-**/terraform_*.tfvars
-**/vars_*.tfvars
-test/**
-*.csv
-*.xlsx
-*.html
+**/*.tfstate*
+**/*.out
+**/.terraform/*
+**/.terraform.*
+**/.DS_Store
+**/crash.log
+**/.csv
+*.pem
+**/terraform.tfvars
+**/terraform_*.tfvars
+**/vars_*.tfvars
+test/**
+*.csv
+*.xlsx
+*.html
+**/creds/**
+**/tfvars/**
+**/scripts/**/*.json
+**/scripts/**/*.pkl

README.md

@@ -3,7 +3,10 @@
 *If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.*
 <br>
 <br>
-<img align="left" src="./images/livelab.png">&nbsp;&nbsp;Check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience!
+<img align="left" src="./images/the_o.png" height="30" width="30">&nbsp;&nbsp;Check [CIS Landing Zone course](https://mylearn.oracle.com/ou/course/oci-landing-zone/123962/193003) in Oracle University for a comprehensive introduction.
+<br>
+<br>
+<img align="left" src="./images/livelab.png" height="30" width="30">&nbsp;&nbsp;Also check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience.
 <br>
 <br>
 # CIS OCI Landing Zone Quick Start Template
@@ -15,6 +18,7 @@
     1. [IAM](#arch-iam)
     1. [Network](#arch-network)
     1. [Diagram](#arch-diagram)
+    1. [Mapping to CIS OCI Benchmark v1.2](cis-architecture-mapping.md)
 1. [Deployment Guide](DEPLOYMENT-GUIDE.md)
 1. [Executing Instructions](#instructions)
     1. [Terraform Configuration](terraform.md)
@@ -116,7 +120,7 @@ The greyed out icons in the AppDev and Database compartments indicate services n
 - [Creating a Secure Multi-Region Landing Zone](https://www.ateam-oracle.com/post/creating-a-secure-multi-region-landing-zone)
 - [The Center for Internet Security Oracle Cloud Infrastructure Foundations Benchmark 1.2 Release update](https://www.ateam-oracle.com/post/the-center-for-internet-security-oracle-cloud-infrastructure-foundations-benchmark-12-release-update)
 
-## <a name="modules"></a>CIS OCI Foundations Benchmark Modules
+## <a name="modules"></a>CIS OCI Foundations Benchmark Modules Collection
 
 This repository uses a broader collection of repositories containing modules that help customers align their OCI implementations with the CIS OCI Foundations Benchmark recommendations:
 - [Identity & Access Management](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam)
@@ -162,21 +166,21 @@ We welcome your feedback. To post feedback, submit feature ideas or report bugs,
 
 
 * **OCI Compartment Deletion**
-    * By design, OCI compartments are not deleted upon Terraform destroy by default. Deletion can be enabled in Landing Zone by setting *enable_cmp_delete* variable to true in locals.tf file. However, compartments may take a long time to delete. Not deleting compartments is ok if you plan on reusing them. For more information about deleting compartments in OCI via Terraform, check [OCI Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_compartment).
+    * By design, OCI compartments are not deleted upon *terraform destroy* by default. Deletion can be enabled in Landing Zone by setting *enable_cmp_delete* variable to true in locals.tf file. However, compartments may take a long time to delete. Not deleting compartments is ok if you plan on reusing them. For more information about deleting compartments in OCI via Terraform, check [OCI Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_compartment).
 
 
 * **OCI Vault Deletion**
-    * By design, OCI vaults and keys are not deleted immediately upon Terraform destroy, but scheduled for deletion. Both have a default 30 day grace period. For shortening that period, use OCI Console to first cancel the scheduled deletion and then set the earliest possible deletion date (7 days from current date) when deleting.
+    * By design, OCI vaults and keys are not deleted immediately upon *terraform destroy*, but scheduled for deletion. Both have a default 30 day grace period. For shortening that period, use OCI Console to first cancel the scheduled deletion and then set the earliest possible deletion date (7 days from current date) when deleting.
 
 
 * **Enabling no internet access on an existing deployment**
-    * Enabling *no_internet_access* on currently deployed stack fails to apply due to timeout.  This is due to OCI Terraform provider not being able remove Internet Gateway(s) and and NAT Gateway(s) when there are route table rules referencing them. For enabling *no_internet_access* on a deployed stack, you have to first manually remove the rules from the route tables that reference the gateways. 
+    * Enabling *no_internet_access* on a currently deployed stack fails to apply due to timeout. This is due to OCI Terraform provider not being able remove Internet Gateway(s) and NAT Gateway(s) when there are route table rules referencing them. For enabling *no_internet_access* on a deployed stack, you have to first manually remove the rules from the route tables that reference the gateways. 
 
 
 * **Resource Manager does not allow elements with same value in array type** 
     * This impacts the ability to deploy custom subnets with the same size, as subnets_sizes is an array of strings. If you need custom subnets sizes, do not use Resource Manager UI. Deploy with either Terraform CLI or Resource Manager APIs.
 
     ![ORM Array Issue](images/orm_array_issue.png)
 
-* **Support for free tier tenancies***
-    * Deploying in a free tier tenancy is not supported at this time as there are some services that are not available.  If you want to try the Landing Zone please upgrade your account to a pay-go. 
+* **Support for free tier tenancies**
+    * Deploying in a free tier tenancy is not supported at this time as there are some services that are not available. If you want to try the Landing Zone please upgrade your account to a pay-go. 

VARIABLES.md

@@ -170,7 +170,7 @@ Variable Name | Description | Required | Default Value
 **enclosing_compartment_names** | A list of compartment names that will hold the Landing Zone compartments. If no compartment name is given, the module creates one compartment with a default name ending in *-top-cmp*. | No | "*unique_prefix*-top-cmp" or "lz-top-cmp"
 **existing_enclosing_compartments_parent_ocid** | the parent compartment ocid of the top compartment, indicating where to insert the enclosing compartment in the hierarchy. Remember that OCI has a max six level compartment hierarchy. If you create the enclosing compartment at level five, the Landing Zone compartments will be at level six and adding sub-compartments to Landing Zone compartments will not be possible. | No | *tenancy_ocid*	
 **use_existing_provisioning_group** | A boolean flag indicating whether or not an existing group will be used for Landing Zone provisioning. If false, one group is created for each compartment defined by *enclosing_compartment_names* variable. | No | false
-**existing_provisioning_group_name(\*)** | The name of an existing group to be used for provisioning all resources in the compartments defined by *enclosing_compartment_names* variable. Ignored if *use_existing_provisioning_group* is false. | No | None
+**existing_provisioning_group_name(\*)** | The name or OCID of an existing group to be used for provisioning all resources in the compartments defined by *enclosing_compartment_names* variable. Ignored if *use_existing_provisioning_group* is false. | No | None
 **grant_services_policies** | Whether services policies should be granted. If these policies already exist in the root compartment, set it to false for avoiding policies duplication. Useful if the module is reused across distinct stacks or configurations. | No | true
 **use_existing_groups** | A boolean flag indicating whether or not existing groups are to be reused for Landing Zone. If false, one set of groups is created for each compartment defined by *enclosing_compartment_names* variable. If true, existing group names must be provided and this single set will be able to manage resources in all enclosing compartments. It does not apply to dynamic groups.| No | false 
 **existing_iam_admin_group_name** | The name or OCID of an existing group for IAM administrators. | Yes, if *use_existing_groups* is true. | None
@@ -183,9 +183,13 @@ Variable Name | Description | Required | Default Value
 **existing_auditor_group_name** | The name or OCID of an existing group for auditors. | Yes, if *use_existing_groups* is true. | None
 **existing_announcement_reader_group_name** | The name or OCID of an existing group for announcement readers. | Yes, if *use_existing_groups* is true. | None
 **existing_cost_admin_group_name** | The name or OCID of an existing group for cost management administrators. | Yes, if *use_existing_groups* is true. | None
-**existing_security_fun_dyn_group_name** | The name of an existing dynamic group to be used by OCI Functions in the Security compartment. | No | None
-**existing_appdev_fun_dyn_group_name** | The name of an existing dynamic group to be used by OCI Functions in the AppDev compartment. | No | None
-**existing_compute_agent_dyn_group_name** | The name of an existing dynamic group to be used by Compute's management agent in the AppDev compartment. | No | None
-**existing_database_kms_dyn_group_name** | The name of an existing dynamic group to be used by databases in the Database compartment to access OCI KMS Keys. | No | None
+**deploy_dynamic_groups** | Whether dynamic groups should be created. When true, one set with four dynamic groups is created for each compartment specified in *enclosing_compartment_names* (**). When false, no dynamic groups are created. | No | true
 
 (*) A user with an API key must be assigned to the provisioning group. The module does not create or assign the user.
+
+<a name="dynamic_group_names"></a>
+(**) The dynamic group names are the following:
+- ***<compartment_name>*-sec-fun-dynamic-group** : dynamic group to be used by OCI Functions in CIS Landing Zone Security compartment.
+- ***<compartment_name>*-appdev-fun-dynamic-group** :  dynamic group to be used by OCI Functions in CIS Landing Zone AppDev compartment.
+- ***<compartment_name>*-appdev-computeagent-dynamic-group** : dynamic group to be used by Compute's management agent in the CIS Landing Zone AppDev compartment.
+- ***<compartment_name>*-database-kms-dynamic-group** : dynamic group to be used by databases in CIS Landing Zone Database compartment to access encryption keys in the Vault service.