oci_open_lz_hub_a_iam.auto.tfvars.json
{
"compartments_configuration": {
"enable_delete": "true",
"compartments": {
"CMP-LANDINGZONE-P-KEY": {
"name": "cmp-landingzone-p",
"description": "Enclosing Production Landing Zone Compartment",
"children": {
"CMP-LZP-NETWORK-KEY": {
"name": "cmp-lzp-network",
"description": "Shared Network Compartment"
},
"CMP-LZP-SECURITY-KEY": {
"name": "cmp-lzp-security",
"description": "Shared Security Compartment"
},
"CMP-LZP-PLATFORM-KEY": {
"name": "cmp-lzp-platform",
"description": "Shared Platform Compartment"
}
}
}
}
},
"groups_configuration": {
"groups": {
"GRP-IAM-ADMINS": {
"name": "grp-iam-admins",
"description": "Tenancy global Identity and access management administrator group."
},
"GRP-CREDENTIAL-ADMINS": {
"name": "grp-credential-admins",
"description": "Tenancy global credential administrator group."
},
"GRP-ANNOUNCEMENT-READERS": {
"name": "grp-announcement-readers",
"description": "Tenancy global group of readers of OCI monitoring information."
},
"GRP-COST-ADMINS": {
"name": "grp-cost-admins",
"description": "Tenancy global cost control group."
},
"GRP-AUDITORS": {
"name": "grp-auditors",
"description": "Tenancy global read access group (for security auditing or health checks)."
},
"GRP-SECURITY-ADMINS": {
"name": "grp-security-admins",
"description": "Tenancy Security Administrators for global resources such as Cloud Guard."
},
"GRP-LZP-IAM-ADMINS": {
"name": "grp-lzp-iam-admins",
"description": "Production Landing Zone Environment Identity and access management administrator group."
},
"GRP-LZP-NETWORK-ADMINS": {
"name": "grp-lzp-network-admins",
"description": "Production Landing Zone Environment shared network administration group, including common OE network elements."
},
"GRP-LZP-SECURITY-ADMINS": {
"name": "grp-lzp-security-admins",
"description": "Production Landing Zone Environment shared security administration group, including common OE network elements."
},
"GRP-LZP-PLATFORM-ADMINS": {
"name": "grp-lzp-platform-admins",
"description": "Production Landing Zone Environment shared platform administration group, including common OE network elements."
}
}
},
"policies_configuration": {
"enable_cis_benchmark_checks": "false",
"supplied_policies": {
"PCY-SERVICES": {
"name": "pcy-services",
"description": "POL.00 Open LZ policy for all supported resources in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'",
"allow service cloudguard to read tenancies in tenancy",
"allow service cloudguard to read all-resources in tenancy",
"allow service cloudguard to use network-security-groups in tenancy",
"allow any-user to { WLP_BOM_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
"allow any-user to { WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
"endorse any-user to { WLP_LOG_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
"endorse any-user to { WLP_METRICS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
"endorse any-user to { WLP_ADHOC_QUERY_READ } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
"endorse any-user to { WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
"allow service vulnerability-scanning-service to manage instances in tenancy",
"allow service vulnerability-scanning-service to read compartments in tenancy",
"allow service vulnerability-scanning-service to read repos in tenancy",
"allow service vulnerability-scanning-service to read vnics in tenancy",
"allow service vulnerability-scanning-service to read vnic-attachments in tenancy",
"allow service osms to read instances in tenancy",
"allow service blockstorage, oke, streaming, Fssoc1Prod, objectstorage-eu-frankfurt-1 to use keys in tenancy"
]
},
"PCY-IAM-ADMINISTRATION": {
"name": "pcy-iam-administration",
"description": "Policy to allow grp-iam-admins group users to manage IAM resources in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-iam-admins to inspect users in tenancy",
"allow group grp-iam-admins to manage users in tenancy where all {request.operation != 'ListApiKeys',request.operation != 'ListAuthTokens',request.operation != 'ListCustomerSecretKeys',request.operation != 'UploadApiKey',request.operation != 'DeleteApiKey',request.operation != 'UpdateAuthToken',request.operation != 'CreateAuthToken',request.operation != 'DeleteAuthToken',request.operation != 'CreateSecretKey',request.operation != 'UpdateCustomerSecretKey',request.operation != 'DeleteCustomerSecretKey'}",
"allow group grp-iam-admins to inspect groups in tenancy",
"allow group grp-iam-admins to manage policies in tenancy",
"allow group grp-iam-admins to manage groups in tenancy where all {target.group.name != 'Administrators',target.group.name != 'grp-credential-admins'}",
"allow group grp-iam-admins to inspect identity-providers in tenancy",
"allow group grp-iam-admins to manage identity-providers in tenancy where any {request.operation = 'AddIdpGroupMapping', request.operation = 'DeleteIdpGroupMapping'}",
"allow group grp-iam-admins to manage dynamic-groups in tenancy",
"allow group grp-iam-admins to manage authentication-policies in tenancy",
"allow group grp-iam-admins to manage network-sources in tenancy",
"allow group grp-iam-admins to manage quota in tenancy",
"allow group grp-iam-admins to use cloud-shell in tenancy",
"allow group grp-iam-admins to manage tag-defaults in tenancy",
"allow group grp-iam-admins to manage tag-namespaces in tenancy",
"allow group grp-iam-admins to manage orm-jobs in tenancy",
"allow group grp-iam-admins to manage orm-config-source-providers in tenancy"
]
},
"PCY-CREDENTIAL-ADMINISTRATION": {
"name": "pcy-credential-administration",
"description": "Policy which allows grp-credential-admins group users to manage user credentials of local users in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-credential-admins to inspect users in tenancy",
"allow group grp-credential-admins to inspect groups in tenancy",
"allow group grp-credential-admins to manage users in tenancy where any {request.operation = 'ListApiKeys',request.operation = 'ListAuthTokens',request.operation = 'ListCustomerSecretKeys',request.operation = 'UploadApiKey',request.operation = 'DeleteApiKey',request.operation = 'UpdateAuthToken',request.operation = 'CreateAuthToken',request.operation = 'DeleteAuthToken',request.operation = 'CreateSecretKey',request.operation = 'UpdateCustomerSecretKey',request.operation = 'DeleteCustomerSecretKey',request.operation = 'UpdateUserCapabilities'}",
"allow group grp-credential-admins to use cloud-shell in tenancy"
]
},
"PCY-ANNOUNCEMENT-READERS": {
"name": "pcy-announcement-readers",
"description": "Policy which allows grp-announcement-readers group users to read OCI announcements in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-announcement-readers to read announcements in tenancy",
"allow group grp-announcement-readers to use cloud-shell in tenancy"
]
},
"PCY-COST-ADMINISTRATION": {
"name": "pcy-cost-administration",
"description": "Policy which allows grp-cost-admins group users to manage all budget resources in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq",
"endorse group grp-cost-admins to read objects in tenancy usage-report",
"allow group grp-cost-admins to manage usage-report in tenancy",
"allow group grp-cost-admins to manage usage-budgets in tenancy"
]
},
"PCY-AUDITING": {
"name": "pcy-auditing",
"description": "Policy which allows grp-auditors group users to read all the resources in the tenancy.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-auditors to inspect all-resources in tenancy",
"allow group grp-auditors to read instances in tenancy",
"allow group grp-auditors to read load-balancers in tenancy",
"allow group grp-auditors to read buckets in tenancy",
"allow group grp-auditors to read nat-gateways in tenancy",
"allow group grp-auditors to read public-ips in tenancy",
"allow group grp-auditors to read file-family in tenancy",
"allow group grp-auditors to read instance-configurations in tenancy",
"allow group grp-auditors to read network-security-groups in tenancy",
"allow group grp-auditors to read resource-availability in tenancy",
"allow group grp-auditors to read audit-events in tenancy",
"allow group grp-auditors to read users in tenancy",
"allow group grp-auditors to use cloud-shell in tenancy",
"allow group grp-auditors to read vss-family in tenancy",
"allow group grp-auditors to read usage-budgets in tenancy",
"allow group grp-auditors to read usage-reports in tenancy",
"allow group grp-auditors to read data-safe-family in tenancy",
"allow group grp-auditors to read vaults in tenancy",
"allow group grp-auditors to read keys in tenancy",
"allow group grp-auditors to read tag-namespaces in tenancy",
"allow group grp-auditors to read serviceconnectors in tenancy",
"allow group grp-auditors to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}"
]
},
"PCY-SECURITY-ADMINISTRATION": {
"name": "pcy-security-administration",
"description": "Policy which allows grp-security-admins group users to manage all security resources in the security compartment.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-security-admins to use cloud-shell in tenancy",
"allow group grp-security-admins to read usage-budgets in tenancy",
"allow group grp-security-admins to read usage-reports in tenancy",
"allow group grp-security-admins to read objectstorage-namespaces in tenancy",
"allow group grp-security-admins to manage cloudevents-rules in tenancy",
"allow group grp-security-admins to manage cloud-guard-family in tenancy",
"allow group grp-security-admins to read tenancies in tenancy",
"allow group grp-security-admins to read objectstorage-namespaces in tenancy"
]
},
"PCY-LZP-IAM-ADMINISTRATION": {
"name": "pcy-lzp-iam-administration",
"description": "Policy to allow grp-lzp-iam-admins group users to manage IAM resources in the Landing Zone Production environment.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-iam-admins to manage policies in compartment cmp-landingzone-p",
"allow group grp-iam-admins to manage compartments in compartment cmp-landingzone-p"
]
},
"PCY-LZP-NETWORK-ADMINISTRATION": {
"name": "pcy-lzp-network-administration",
"description": "Policy which allows grp-lzp-network-admins group users to manage all network resources in the compartment cmp-landingzone-p:cmp-lzp-network.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-lzp-network-admins to use cloud-shell in tenancy",
"allow group grp-lzp-network-admins to read usage-budgets in tenancy",
"allow group grp-lzp-network-admins to read usage-reports in tenancy",
"allow group grp-lzp-network-admins to read objectstorage-namespaces in tenancy",
"allow group grp-lzp-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage load-balancers in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to read ons-topics in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
"allow group grp-lzp-network-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
"allow group grp-lzp-network-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
"allow group grp-lzp-network-admins to manage bastion-session in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to read vss-family in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-network-admins to use bastion in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-network-admins to use bastion-session in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-network-admins to use vaults in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-network-admins to read logging-family in compartment cmp-landingzone-p:cmp-lzp-security"
]
},
"PCY-LZP-SECURITY-ADMINISTRATION": {
"name": "pcy-lzp-security-administration",
"description": "Policy which allows grp-security-admins group users to manage all security resources in the Landing Zone Production Environment, shared Security compartment.",
"compartment_id": "TENANCY-ROOT",
"statements": [
"allow group grp-lzp-security-admins to manage tag-namespaces in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage tag-defaults in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read app-catalog-listing in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read instance-images in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to inspect buckets in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
"allow group grp-lzp-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
"allow group grp-lzp-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
"allow group grp-lzp-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-security",
"allow group grp-lzp-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-network",
"allow group grp-lzp-security-admins to manage operator-control-family in compartment cmp-landingzone-p:cmp-lzp-security"
]
}
}
}
}