# Copyright (c) 2023 Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
### Creates scanning recipes and targets. All Landing Zone compartments are targets.
locals {
  #------------------------------------------------------------------------------------------------------
  #-- Override hooks for the VSS resources. Each of these can be redefined in a _override.tf file.
  #-- A null value means "fall back to the default computed in the second locals block".
  #------------------------------------------------------------------------------------------------------
  custom_vss_defined_tags  = null # defined tags applied to the scan recipe and all scan targets
  custom_vss_freeform_tags = null # freeform tags applied to the scan recipe and all scan targets
  custom_vss_recipe_name   = null # display name of the default host scan recipe
}
#-- VSS is a regional service. As such, we must not skip provisioning when extending Landing Zone to a new region.
module "lz_scanning" {
  # Upstream VSS module, pinned to a release tag.
  # NOTE(review): a git tag is mutable; pinning ?ref= to the commit SHA behind
  # v0.1.7 (look it up in the upstream repository) is the stronger supply-chain pin.
  source = "github.com/oci-landing-zones/terraform-oci-modules-security//vss?ref=v0.1.7"

  # Explicit ordering on the services policy is currently disabled.
  # depends_on = [null_resource.wait_on_services_policy]

  # The module is instantiated exactly once when var.vss_create is true and not at
  # all otherwise; because of count, callers address it as module.lz_scanning[0].
  count = var.vss_create ? 1 : 0

  # Recipes and targets are assembled in the locals block below.
  scanning_configuration = local.scanning_configuration
}
locals {
  #------------------------------------------------------------------------------------------------------
  #-- These local variables are NOT meant to be overridden
  #------------------------------------------------------------------------------------------------------
  default_vss_defined_tags  = null
  default_vss_freeform_tags = local.landing_zone_tags

  # Effective tags. When a custom map is supplied it is merged with the default map;
  # merge() gives precedence to the later argument, so on a key clash the default
  # (Landing Zone) tags win over the custom ones.
  vss_defined_tags = (
    local.custom_vss_defined_tags != null
    ? merge(local.custom_vss_defined_tags, local.default_vss_defined_tags)
    : local.default_vss_defined_tags
  )
  vss_freeform_tags = (
    local.custom_vss_freeform_tags != null
    ? merge(local.custom_vss_freeform_tags, local.default_vss_freeform_tags)
    : local.default_vss_freeform_tags
  )

  # Recipe display name: the custom name when given, otherwise derived from the service label.
  vss_recipe_name = (
    local.custom_vss_recipe_name != null
    ? local.custom_vss_recipe_name
    : "${var.service_label}-default-scan-recipe"
  )

  #--------------------------------------------------------------------
  #-- Scan Recipes
  #--------------------------------------------------------------------
  # A single host recipe keyed by DEFAULT-HOST-RECIPE; every target below refers to it
  # through that key. Scan levels, schedule and file-scan options all come from input variables.
  default_host_recipe = {
    DEFAULT-HOST-RECIPE = {
      name            = local.vss_recipe_name
      port_scan_level = var.vss_port_scan_level
      defined_tags    = local.vss_defined_tags
      freeform_tags   = local.vss_freeform_tags

      schedule_settings = {
        type        = var.vss_scan_schedule
        day_of_week = var.vss_scan_day
      }

      agent_settings = {
        port_scan_level          = var.vss_agent_scan_level
        cis_benchmark_scan_level = var.vss_agent_cis_benchmark_settings_scan_level
      }

      file_scan_settings = {
        enable          = var.vss_enable_file_scan
        folders_to_scan = var.vss_folders_to_scan
      }
    }
  }

  #--------------------------------------------------------------------
  #-- Scan Targets
  #--------------------------------------------------------------------
  # One target per Landing Zone compartment. The security and network targets are
  # unconditional; the app, database and exainfra targets exist only when the
  # corresponding compartment is enabled. host_recipe_id is the key of
  # local.default_host_recipe; presumably the module resolves it to the recipe OCID
  # — confirm against the module's input contract.
  security_host_target = {
    SECURITY-HOST-TARGET = {
      target_compartment_id = local.security_compartment_id
      host_recipe_id        = "DEFAULT-HOST-RECIPE"
      name                  = "${var.service_label}-security-cmp-scan-target"
      description           = "CIS Landing Zone ${local.security_compartment_name} compartment scanning target."
      defined_tags          = local.vss_defined_tags
      freeform_tags         = local.vss_freeform_tags
    }
  }

  network_host_target = {
    NETWORK-HOST-TARGET = {
      target_compartment_id = local.network_compartment_id
      host_recipe_id        = "DEFAULT-HOST-RECIPE"
      name                  = "${var.service_label}-network-cmp-scan-target"
      description           = "CIS Landing Zone ${local.network_compartment_name} compartment scanning target."
      defined_tags          = local.vss_defined_tags
      freeform_tags         = local.vss_freeform_tags
    }
  }

  app_host_target = !local.enable_app_compartment ? {} : {
    APP-HOST-TARGET = {
      target_compartment_id = local.app_compartment_id
      host_recipe_id        = "DEFAULT-HOST-RECIPE"
      name                  = "${var.service_label}-app-cmp-scan-target"
      description           = "CIS Landing Zone ${local.app_compartment_name} compartment scanning target."
      defined_tags          = local.vss_defined_tags
      freeform_tags         = local.vss_freeform_tags
    }
  }

  database_host_target = !local.enable_database_compartment ? {} : {
    DATABASE-HOST-TARGET = {
      target_compartment_id = local.database_compartment_id
      host_recipe_id        = "DEFAULT-HOST-RECIPE"
      name                  = "${var.service_label}-database-cmp-scan-target"
      description           = "CIS Landing Zone ${local.database_compartment_name} compartment scanning target."
      defined_tags          = local.vss_defined_tags
      freeform_tags         = local.vss_freeform_tags
    }
  }

  exainfra_host_target = !local.enable_exainfra_compartment ? {} : {
    EXAINFRA-HOST-TARGET = {
      target_compartment_id = local.exainfra_compartment_id
      host_recipe_id        = "DEFAULT-HOST-RECIPE"
      name                  = "${var.service_label}-exainfra-cmp-scan-target"
      description           = "CIS Landing Zone ${local.exainfra_compartment_name} compartment scanning target."
      defined_tags          = local.vss_defined_tags
      freeform_tags         = local.vss_freeform_tags
    }
  }

  #------------------------------------------------------------------------
  #----- VSS configuration definition. Input to module.
  #------------------------------------------------------------------------
  # Recipe and target maps are combined here; the target keys are all distinct,
  # so the merge order carries no precedence meaning.
  host_recipes = merge(local.default_host_recipe)
  vss_targets = merge(
    local.app_host_target,
    local.database_host_target,
    local.security_host_target,
    local.network_host_target,
    local.exainfra_host_target,
  )

  # The security compartment is handed to the module as the default compartment;
  # presumably it hosts any VSS resource that carries no explicit compartment — confirm.
  scanning_configuration = {
    default_compartment_id = local.security_compartment_id
    default_defined_tags   = local.default_vss_defined_tags
    default_freeform_tags  = local.default_vss_freeform_tags
    host_recipes           = local.host_recipes
    host_targets           = local.vss_targets
  }
}