Cloud guard target tenancy variable update (#163)
* set default value false for cloud guard variable

* updated variable description and tfvars

* removed target tenancy variable

* updated documentation
rrywhen authored Feb 15, 2024
1 parent 7bce23f commit a14c595
Showing 13 changed files with 24 additions and 64 deletions.
@@ -544,7 +544,7 @@ The OELZ deploys configurations for multiple security services. VSS (Vulnerabili

CloudGuard can monitor for a multitude of security conditions. The OELZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring.

By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that. An option is for CloudGuard to monitor the entire tenancy is there and it is controlled by the [cloud_guard_target_tenancy](../../templates/enterprise-landing-zone/README.md#inputs) variable. This is a Boolean variable that defaults to `false`. If it is set to `true` CloudGuard will be configured to monitor the entire tenancy, instead of just the OELZ Home compartment.
By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that.

Cloud Guard Target will be deployed in base compartment of both L2-Prod and L2-Non-Prod environments along with related IAM policies. All Oracle managed responder recipes will reside in L4 Security compartment of each environment.

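Review bot: the new sentence "By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that." does not match either the next paragraph or the code in this same commit: the target is created per environment with `target_resource_id = var.environment_compartment_id` (templates/elz-security/main.tf), so what is monitored is each L2-Prod / L2-Non-Prod base compartment and its children, not the Home compartment itself. "By default" also implies an alternative that no longer exists now that `cloud_guard_target_tenancy` is gone. Suggest stating that the landing zone creates compartment-scoped targets only, and that anyone who needs tenancy-wide coverage must add a tenancy-level target in Cloud Guard outside this Terraform and grant the tenancy-scoped policy statements that security.tf drops in this commit.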
@@ -563,7 +563,6 @@ For further details on CloudGuard, see the [Cloud Guard documentation](https://d
| Name | Description | Type | Default | Required |
| ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ | ------- | :------: |
| <a name="input_enable_cloud_guard"></a> [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | `true` | no |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to OELZ home compartment | `bool` | `false` | no |

### Bastion Sub Module

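Review bot: the description of `enable_cloud_guard` in the row that remains, "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled.", is ungrammatical, and it is now the only Cloud Guard input left in this table. The table has the terraform-docs layout, so fix the wording in the variable's `description` in variables.tf (for example "Set to true to have the landing zone enable Cloud Guard; set to false if Cloud Guard is already enabled in the tenancy") and regenerate the README instead of editing the table by hand.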
1 change: 0 additions & 1 deletion templates/elz-environment/README.md
@@ -50,7 +50,6 @@
| <a name="input_budget_alert_rule_recipients"></a> [budget\_alert\_rule\_recipients](#input\_budget\_alert\_rule\_recipients) | The delimited list of email addresses to receive the alert when it triggers. Delimiter characters can be a comma, space, TAB, or semicolon | `string` | `""` | no |
| <a name="input_budget_alert_rule_threshold"></a> [budget\_alert\_rule\_threshold](#input\_budget\_alert\_rule\_threshold) | The threshold for the budget alert. | `string` | `""` | no |
| <a name="input_budget_amount"></a> [budget\_amount](#input\_budget\_amount) | The amount of the budget expressed as a whole number in the currency of the customer's rate card. | `string` | `""` | no |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
| <a name="input_cost_center_tagging"></a> [cost\_center\_tagging](#input\_cost\_center\_tagging) | Cost Center Varible | `string` | n/a | yes |
| <a name="input_cpe_display_name"></a> [cpe\_display\_name](#input\_cpe\_display\_name) | n/a | `string` | n/a | yes |
| <a name="input_cpe_ip_address"></a> [cpe\_ip\_address](#input\_cpe\_ip\_address) | Customer Premises Equipment (CPE) IP address | `string` | n/a | yes |
1 change: 0 additions & 1 deletion templates/elz-environment/main.tf
@@ -94,7 +94,6 @@ module "security" {
enable_cloud_guard = var.enable_cloud_guard
resource_label = var.resource_label
home_compartment_id = var.home_compartment_id
cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
tenancy_ocid = var.tenancy_ocid
environment_prefix = var.environment_prefix
home_compartment_name = var.home_compartment_name
5 changes: 0 additions & 5 deletions templates/elz-environment/variables.tf
@@ -172,11 +172,6 @@ variable "enable_cloud_guard" {
description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
}

variable "cloud_guard_target_tenancy" {
type = bool
description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
}

# -----------------------------------------------------------------------------
# Tagging Variables
# -----------------------------------------------------------------------------
1 change: 0 additions & 1 deletion templates/elz-security/README.md
@@ -38,7 +38,6 @@
|------|-------------|------|---------|:--------:|
| <a name="input_bastion_client_cidr_block_allow_list"></a> [bastion\_client\_cidr\_block\_allow\_list](#input\_bastion\_client\_cidr\_block\_allow\_list) | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | `list(string)` | n/a | yes |
| <a name="input_bastion_target_subnet_id"></a> [bastion\_target\_subnet\_id](#input\_bastion\_target\_subnet\_id) | The OCID of the subnet that the bastion connects to | `string` | n/a | yes |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | n/a | yes |
| <a name="input_create_master_encryption_key"></a> [create\_master\_encryption\_key](#input\_create\_master\_encryption\_key) | Option create master encryption key | `bool` | n/a | yes |
| <a name="input_enable_bastion"></a> [enable\_bastion](#input\_enable\_bastion) | Option to enable bastion service | `bool` | n/a | yes |
| <a name="input_enable_cloud_guard"></a> [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | n/a | yes |
6 changes: 2 additions & 4 deletions templates/elz-security/main.tf
@@ -13,8 +13,6 @@ locals {
activity_detector_recipe_display_name = "OCI Activity Detector Recipe"
threat_detector_recipe_display_name = "OCI Threat Detector Recipe"
responder_recipe_display_name = "OCI Responder Recipe"
compartment_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
target_resource_id = var.cloud_guard_target_tenancy ? var.tenancy_ocid : var.environment_compartment_id
}

vss = {
@@ -62,9 +60,9 @@ module "cloud_guard" {
tenancy_ocid = var.tenancy_ocid
region = var.region
status = local.cloud_guard.status
compartment_id = local.cloud_guard.compartment_id
compartment_id = var.environment_compartment_id
display_name = local.cloud_guard.display_name
target_resource_id = local.cloud_guard.target_resource_id
target_resource_id = var.environment_compartment_id
target_resource_type = local.cloud_guard.target_resource_type
description = local.cloud_guard.description
configuration_detector_recipe_display_name = local.cloud_guard.configuration_detector_recipe_display_name
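Review bot: in the `module "cloud_guard"` block, `compartment_id` and `target_resource_id` now read `var.environment_compartment_id` directly while the neighbouring arguments (`status`, `display_name`, `target_resource_type`, `description`, the recipe names) still come from `local.cloud_guard`; keeping `compartment_id = var.environment_compartment_id` and `target_resource_id = var.environment_compartment_id` in the `cloud_guard` local that the previous hunk trimmed would leave the module block uniform. The more important point is that both arguments are now the same OCID, which fixes the target scope to the L2 environment compartment; the documentation hunk above still describes the Home compartment and should be brought in line. `tenancy_ocid` is still passed on the first line of this block, so the module's `tenancy_ocid` variable remains in use even though the conditional that referenced it is gone.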
5 changes: 0 additions & 5 deletions templates/elz-security/variables.tf
@@ -33,11 +33,6 @@ variable "tenancy_ocid" {
description = "The OCID of tenancy"
}

variable "cloud_guard_target_tenancy" {
type = bool
description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
}

variable "region" {
type = string
description = "The OCI region"
1 change: 0 additions & 1 deletion templates/enterprise-landing-zone/README.md
@@ -70,7 +70,6 @@ Version 2 of Oracle Enterprise Landing Zone
| <a name="input_archive_log_retention_policy_duration_time_unit"></a> [archive\_log\_retention\_policy\_duration\_time\_unit](#input\_archive\_log\_retention\_policy\_duration\_time\_unit) | The unit that should be used to interpret timeAmount. | `string` | `"DAYS"` | no |
| <a name="input_bgp_md5auth_key"></a> [bgp\_md5auth\_key](#input\_bgp\_md5auth\_key) | The key for BGP MD5 authentication. Only applicable if your system requires MD5 authentication | `string` | `""` | no |
| <a name="input_break_glass_user_email_list"></a> [break\_glass\_user\_email\_list](#input\_break\_glass\_user\_email\_list) | Unique list of break glass user email addresses that do not exist in the tenancy. These users are added to the Administrator group. | `list(string)` | `[]` | no |
| <a name="input_cloud_guard_target_tenancy"></a> [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment | `bool` | `false` | no |
| <a name="input_current_user_ocid"></a> [current\_user\_ocid](#input\_current\_user\_ocid) | The OCID of the current user | `string` | `""` | no |
| <a name="input_customer_onprem_ip_cidr"></a> [customer\_onprem\_ip\_cidr](#input\_customer\_onprem\_ip\_cidr) | n/a | `list(string)` | `[]` | no |
| <a name="input_customer_primary_bgp_peering_ip"></a> [customer\_primary\_bgp\_peering\_ip](#input\_customer\_primary\_bgp\_peering\_ip) | The primary BGP IPv4 address of the customer's router | `string` | `""` | no |
30 changes: 14 additions & 16 deletions templates/enterprise-landing-zone/environment.tf
@@ -45,7 +45,6 @@ module "prod_environment" {
budget_alert_rule_message = var.prod_budget_alert_rule_message
budget_alert_rule_recipients = var.prod_budget_alert_rule_recipients
enable_cloud_guard = var.enable_cloud_guard
cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
is_create_alarms = var.is_create_alarms
is_service_connector_limit = var.is_service_connector_limit
domain_license_type = var.domain_license_type
@@ -140,13 +139,13 @@ module "prod_environment" {

# Access Governance Variables

ag_current_user_ocid = var.current_user_ocid
ag_api_fingerprint = var.api_fingerprint
ag_region = var.region
ag_tenancy_ocid = var.tenancy_ocid
ag_api_private_key_path = var.api_private_key_path
admin_domain_name = var.admin_domain_name
admin_domain_compartment_ocid = var.admin_domain_compartment_ocid
ag_current_user_ocid = var.current_user_ocid
ag_api_fingerprint = var.api_fingerprint
ag_region = var.region
ag_tenancy_ocid = var.tenancy_ocid
ag_api_private_key_path = var.api_private_key_path
admin_domain_name = var.admin_domain_name
admin_domain_compartment_ocid = var.admin_domain_compartment_ocid

enable_access_governance = var.prod_enable_access_governance
service_instance_description = var.prod_service_instance_description
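Review bot: this hunk, and the matching one in `module "nonprod_environment"` below, only re-aligns the `ag_*` and `admin_domain_*` assignments; it is `terraform fmt` whitespace with no relation to removing `cloud_guard_target_tenancy`. Harmless, but it turns two one-line removals into 30 changed lines for this file and hides the functional change in a blame view. Either land the formatting in its own commit or add a bullet to the commit message saying the file was reformatted.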
@@ -224,7 +223,6 @@ module "nonprod_environment" {
is_service_connector_limit = var.is_service_connector_limit
domain_license_type = var.domain_license_type
enable_cloud_guard = var.enable_cloud_guard
cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
home_compartment_name = var.home_compartment_name
enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect
cpe_ip_address = var.nonprod_cpe_ip_address
@@ -320,13 +318,13 @@ module "nonprod_environment" {
additional_workload_subnets_cidr_blocks = var.nonprod_additional_workload_subnets_cidr_blocks

# Access Governance Variables
ag_current_user_ocid = var.current_user_ocid
ag_api_fingerprint = var.api_fingerprint
ag_region = var.region
ag_tenancy_ocid = var.tenancy_ocid
ag_api_private_key_path = var.api_private_key_path
admin_domain_name = var.admin_domain_name
admin_domain_compartment_ocid = var.admin_domain_compartment_ocid
ag_current_user_ocid = var.current_user_ocid
ag_api_fingerprint = var.api_fingerprint
ag_region = var.region
ag_tenancy_ocid = var.tenancy_ocid
ag_api_private_key_path = var.api_private_key_path
admin_domain_name = var.admin_domain_name
admin_domain_compartment_ocid = var.admin_domain_compartment_ocid

enable_access_governance = var.nonprod_enable_access_governance
service_instance_description = var.nonprod_service_instance_description
11 changes: 5 additions & 6 deletions templates/enterprise-landing-zone/example.tfvars
@@ -18,7 +18,6 @@ enable_compartment_delete = false

# security
enable_cloud_guard = true
cloud_guard_target_tenancy = false
nonprod_enable_bastion = true
prod_enable_bastion = true
prod_bastion_client_cidr_block_allow_list = ["10.0.0.0/16", "10.0.0.0/24"]
@@ -98,13 +97,13 @@ nonprod_identity_topic_endpoints = []
nonprod_workload_topic_endpoints = []

# Logging
onboard_log_analytics = false
onboard_log_analytics = false

# Workload Expansion
prod_additional_workload_subnets_cidr_blocks = []
nonprod_additional_workload_subnets_cidr_blocks = []
prod_workload_compartment_names = []
nonprod_workload_compartment_names = []
prod_workload_compartment_names = []
nonprod_workload_compartment_names = []

#Network Firewall can be only deployed in Prod or Non_prod Enviornment

@@ -123,11 +122,11 @@ admin_domain_compartment_ocid = ""

# ACCESS GOVERNANCE SERVICE INSTANCE DETAILS
prod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
prod_service_instance_display_name = ""
#prod_service_instance_display_name = ""
prod_service_instance_description = "Prod OAG service instance"

nonprod_ag_license_type = "Access Governance for Oracle Cloud Infrastructure"
nonprod_service_instance_display_name = ""
#nonprod_service_instance_display_name = ""
nonprod_service_instance_description = "Non Prod OAG service instance"

# ACCESS GOVERNANCE USER COMMON DETAILS
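Review bot: commenting out `prod_service_instance_display_name = ""` and `nonprod_service_instance_display_name = ""` is not covered by the commit message and has nothing to do with Cloud Guard. If those variables have no default in variables.tf, `terraform plan -var-file=example.tfvars` will now prompt for them interactively and fail in CI; if they do have a default, add a comment beside the commented-out lines saying the display name is generated when the value is omitted. In both cases the commit message should list this change.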
7 changes: 0 additions & 7 deletions templates/enterprise-landing-zone/schema.yaml
@@ -45,7 +45,6 @@ variableGroups:
visible: true
variables:
- enable_cloud_guard
- cloud_guard_target_tenancy
- prod_enable_bastion
- prod_bastion_client_cidr_block_allow_list
- nonprod_enable_bastion
@@ -492,12 +491,6 @@ variables:
default: true
required: true
title: Enable Cloud Guard
cloud_guard_target_tenancy:
type: boolean
description: "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment."
default: false
required: true
title: Cloud Guard Target Tenancy
prod_enable_bastion:
type: boolean
description: "Option to enable bastion service in prod"
11 changes: 2 additions & 9 deletions templates/enterprise-landing-zone/security.tf
@@ -37,14 +37,7 @@ locals {
name = "${var.resource_label}-OCI-ELZ-CGTarget-Policy"
description = "OCI Enterprise Landing Zone Cloud Guard Target Policy"

statements = var.cloud_guard_target_tenancy ? [
"Allow service cloudguard to manage instance-family in tenancy",
"Allow service cloudguard to manage object-family in tenancy",
"Allow service cloudguard to manage buckets in tenancy",
"Allow service cloudguard to manage users in tenancy",
"Allow service cloudguard to manage policies in tenancy",
"Allow service cloudguard to manage keys in tenancy"
] : [
statements = [
"Allow service cloudguard to manage instance-family in compartment ${var.home_compartment_name}",
"Allow service cloudguard to manage object-family in compartment ${var.home_compartment_name}",
"Allow service cloudguard to manage buckets in compartment ${var.home_compartment_name}",
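Review bot: the deleted tenancy-scoped branch granted `manage users in tenancy` and `manage policies in tenancy`; if the surviving compartment-scoped list (cut off here after the `buckets` statement) carries the same verbs as `... in compartment ${var.home_compartment_name}`, check that the grants for users actually do anything. IAM users and groups are tenancy-level resources in OCI, so a compartment-scoped `manage users` statement does not cover them, and any Cloud Guard responder activity that needs to touch IAM resources will fail on permissions rather than on configuration. If those statements are needed, they belong in the tenancy-level `cloud_guard_root_policy` module visible in the next hunk; if they are not, drop them from the compartment list as well so the policy only grants what is used.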
@@ -135,7 +128,7 @@ module "cloud_guard_root_policy" {
module "cloud_guard_target_policy" {
count = var.enable_cloud_guard ? 1 : 0
source = "../../modules/policies"
compartment_ocid = var.cloud_guard_target_tenancy ? var.tenancy_ocid : module.home_compartment.compartment_id
compartment_ocid = module.home_compartment.compartment_id
policy_name = local.cloud_guard_target_policy.name
description = local.cloud_guard_target_policy.description
statements = local.cloud_guard_target_policy.statements
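Review bot: `compartment_ocid = module.home_compartment.compartment_id` attaches the policy to the Home compartment, while the statements in `local.cloud_guard_target_policy` still scope by display name (`in compartment ${var.home_compartment_name}`). Now that the policy always targets the same compartment and its OCID is already available, scoping the statements by OCID (`in compartment id ${module.home_compartment.compartment_id}`) removes the coupling to the name and avoids the statement resolving to a different compartment if the Home compartment is renamed or a same-named compartment exists elsewhere in the hierarchy.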
6 changes: 0 additions & 6 deletions templates/enterprise-landing-zone/variables.tf
@@ -251,12 +251,6 @@ variable "enable_cloud_guard" {
description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
}

variable "cloud_guard_target_tenancy" {
type = bool
default = false
description = "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment"
}

variable "prod_bastion_client_cidr_block_allow_list" {
type = list(string)
default = ["0.0.0.0/0"]
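Review bot: deleting `variable "cloud_guard_target_tenancy"` is a breaking change for anyone who still has `cloud_guard_target_tenancy = ...` in a tfvars file (Terraform emits an undeclared-variable warning for a `.tfvars` entry and an error for a `-var` flag) and for Resource Manager stacks whose saved variables were captured with the old schema.yaml; call the removal out in the release notes and tell users to drop the key. Unrelated but visible in the same hunk: `prod_bastion_client_cidr_block_allow_list` defaults to `["0.0.0.0/0"]`, which lets any source address open bastion sessions. A landing zone should not ship that as a default; make the variable required (no default) or default it to an empty list so operators have to state the allowed CIDRs explicitly.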
