Release 0.1.4 (#5)
* Replace README.md

* Update README.md

* Update README.md

* feat: ability to use "TENANCY-ROOT" for referring to tenancy OCID

* fix: var.endpoints_dependency in target_resource_private_ip_address

* feat: dependencies strongly typed

* doc: spec updated

* feat: dependency strongly typed

* doc: release notes and version bump

* fix: cloud agent plugin check

---------

Co-authored-by: CINTHIA JIMENEZ <cinthia.jimenez@oracle.com>
andrecorreaneto and Paola-Jimenez authored Apr 17, 2024
1 parent 2569984 commit 11975b0
Showing 34 changed files with 122 additions and 375 deletions.
6 changes: 6 additions & 0 deletions RELEASE-NOTES.md
@@ -1,3 +1,9 @@
# April 16, 2024 Release Notes - 0.1.4

## Updates
1. [Cloud Guard module](./cloud-guard/): ability to use "TENANCY-ROOT" key for referring to tenancy OCID in *cloud_guard_configuration*. *tenancy_ocid* becomes a variable of its own.
2. All modules: all dependency variables are now strongly typed, enhancing usage guidance.

# March 20, 2024 Release Notes - 0.1.3

## New
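Review bot: the 0.1.4 entry omits two breaking input-shape changes that this same commit makes to the bastion module: *network_dependency* drops its *network_security_groups* map and becomes an object holding only a *subnets* map, and *endpoints_dependency* objects must now carry an *ip_address* attribute in place of *endpoints[0].private_endpoint*. Add a third item under "## Updates" stating both, plus the new Terraform >= 1.3.0 requirement declared in bastion/SPEC.MD, so existing callers know their inputs must change. The heading date (April 16) also differs from the commit date (Apr 17); confirm which is intended.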
20 changes: 6 additions & 14 deletions bastion/README.md
@@ -78,7 +78,7 @@ Sessions are defined using the **sessions** attribute. In Terraform terms, it i
- **bastion_id**: The bastion where the session is created. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in the *bastions* map of objects.
- **ssh_public_key**: (Optional) The SSH public key path to connect to target. *default_ssh_public_key* is used if undefined.
- **session_type**: (Optional) The session type. Supported values are "MANAGED_SSH" and "PORT_FORWARDING". *default_session_type* if undefined.
- **target_resource**: Either the FQDN, OCID or IP of the target resource.
- **target_resource**: Either the FQDN, OCID or private IP address of the target resource that the session connects to.
- **target_user**: (Optional) The SSH user name in the target resource. Required for "MANAGED_SSH" session type.
- **target_port**: The SSH port number.
- **session_ttl_in_seconds**: (Optional) The session time to live.
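Review bot: the new *target_resource* wording correctly narrows "IP" to "private IP address", but the adjacent *target_port* bullet still reads "The SSH port number", which is misleading for "PORT_FORWARDING" sessions, where the forwarded port need not be SSH. Suggest "The port number on the target resource that the session connects to", matching the SPEC.MD comment "Port number that will be used by the session".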
@@ -96,9 +96,8 @@ Example:
}
}
```
- **network_dependency**: A map of objects containing the externally managed network resources (including subnets and network security groups) this module may depend on. All map objects must have the same type and should contain the following attributes:
- **network_dependency**: A map of objects containing the externally managed network resources (subnets) this module may depend on. All map objects must have the same type and should contain the following attributes:
- An *id* attribute with the subnet OCID.
- An *id* attribute with the network security group OCID.

Example:
```
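Review bot: the rewritten *network_dependency* bullet still says "A map of objects ... All map objects must have the same type", but the variable is now typed as an object with a single optional *subnets* map (see the bastion/SPEC.MD and bastion/variables.tf changes in this commit), so the sentence describes the wrong shape. Suggest "An object with a *subnets* attribute, itself a map of objects, each carrying an *id* attribute with the subnet OCID." Since support for network security groups is being dropped here, say so explicitly instead of only deleting the NSG line.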
@@ -107,12 +106,7 @@ Example:
"APP-SUBNET" : {
"id" : "ocid1.subnet.oc1.iad.aaaaaaaax...e7a"
}
},
"network_security_groups" : {
"APP-NSG" : {
"id" : "ocid1.networksecuritygroup.oc1.iad.aaaaaaaa...xlq"
}
}
}
}
```

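Review bot: the example drops the *network_security_groups* block, consistent with the new type, but nothing tells existing callers what happens if they keep passing it. State whether a leftover *network_security_groups* key is rejected at plan time or silently ignored by the new object type; a silently ignored key is the harder case to debug, because the caller believes NSG dependencies are still wired in.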
@@ -129,16 +123,14 @@ Example:
```

- **endpoints_dependency**: A map of objects containing the externally managed endpoint resources this module may depend on. All map objects must have the same type and should contain the following attributes:
- A *private_endpoint* attribute with endpoint IP.
- An *ip_address* attribute with endpoint private IP address that the bastion session connects to.

Example:
```
{
"OKE1" : {
"endpoints" : {
"private_endpoint" : "10.0.1.23"
}
},
"ip_address" : "10.0.1.23"
}
}
```
## <a name="related">Related Documentation</a>
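Review bot: the new *ip_address* bullet should state that the value must be a bare IPv4 address with no port suffix. The previous shape was post-processed with `split(":", ...)[0]` in bastion/sessions.tf, which tolerated a "host:port" string; the replacement in this commit passes *ip_address* straight into *target_resource_private_ip_address*, so a value carried over in the old form would now reach the API unchanged.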
12 changes: 7 additions & 5 deletions bastion/SPEC.MD
@@ -1,6 +1,8 @@
## Requirements

No requirements.
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |

## Providers

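Review bot: declaring terraform >= 1.3.0 is right, since the `optional(type, default)` form used in *bastions_configuration* and *sessions_configuration* (for example `optional(bool,true)` and `optional(number,10800)`) requires 1.3. This table looks like generated documentation, which derives the row from a `required_version` constraint; confirm that constraint is part of this commit, as it is not among the files shown here, because the table by itself enforces nothing.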
@@ -24,12 +26,12 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_bastions_configuration"></a> [bastions\_configuration](#input\_bastions\_configuration) | Bastion configuration attributes. | <pre>object({<br> default_compartment_id = optional(string) # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.<br> default_defined_tags = optional(map(string)) # the default defined tags. It's overriden by the defined_tags attribute within each object.<br> default_freeform_tags = optional(map(string)) # the default freeform tags. It's overriden by the freeform_tags attribute within each object.<br> default_subnet_id = optional(string) # the default subnet_id. It`s overriden by the subnet_id attribute in each object.<br> default_cidr_block_allow_list = optional(list(string)) # the default cidr block allow list. It`s overriden by the cidr_block_allow_list attribute in each object.<br> enable_cidr_check = optional(bool,true) # whether provided CIDR blocks should be checked for "0.0.0.0\0".<br> bastions = map(object({ <br> bastion_type = optional(string,"standard") # type of bastion. Allowed value is "STANDARD".<br> compartment_id = optional(string) # the compartment where the bastion is created. default_compartment_ocid is used if this is not defined.<br> subnet_id = optional(string) # the subnet id where the bastion will be created. default_subnet_id is used if this is not defined.<br> defined_tags = optional(map(string)) # bastions defined_tags. default_defined_tags is used if this is not defined.<br> freeform_tags = optional(map(string)) # bastions freeform_tags. default_freeform_tags is used if this is not defined.<br> cidr_block_allow_list = optional(list(string)) # list of cidr blocks that will be able to connect to bastion. 
default_cidr_block_allow_list is used if this is not defined.<br> enable_dns_proxy = optional(bool,true) # bool to enable dns_proxy on the bastion.<br> max_session_ttl_in_seconds = optional(number) # maximum allowd time to live for a session on the bastion.<br> name = string # bastion name<br> }))<br> })</pre> | `null` | no |
| <a name="input_compartments_dependency"></a> [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | `map(any)` | `null` | no |
| <a name="input_compartments_dependency"></a> [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | <pre>map(object({<br> id = string # the compartment OCID<br> }))</pre> | `null` | no |
| <a name="input_enable_output"></a> [enable\_output](#input\_enable\_output) | Whether Terraform should enable the module output. | `bool` | `true` | no |
| <a name="input_endpoints_dependency"></a> [endpoints\_dependency](#input\_endpoints\_dependency) | A map of objects containing the externally managed endpoints this module may depend on. | `map(any)` | `null` | no |
| <a name="input_instances_dependency"></a> [instances\_dependency](#input\_instances\_dependency) | A map of objects containing the externally managed Compute instances this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the instance OCID) of string type. | `map(any)` | `null` | no |
| <a name="input_endpoints_dependency"></a> [endpoints\_dependency](#input\_endpoints\_dependency) | A map of objects containing the externally managed endpoints this module may depend on. The objects, when defined, must contain at least an 'ip\_address' attribute (representing the endpoint private IP address of the target resource) of string type. | <pre>map(object({<br> ip_address = string # the private IP address<br> }))</pre> | `null` | no |
| <a name="input_instances_dependency"></a> [instances\_dependency](#input\_instances\_dependency) | A map of objects containing the externally managed Compute instances this module may depend on. The objects, when defined, must contain at least an 'id' attribute (representing the instance OCID) of string type. | <pre>map(object({<br> id = string # the instance OCID<br> }))</pre> | `null` | no |
| <a name="input_module_name"></a> [module\_name](#input\_module\_name) | The module name. | `string` | `"bastion"` | no |
| <a name="input_network_dependency"></a> [network\_dependency](#input\_network\_dependency) | A map of objects containing the externally managed network resources this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the network resource OCID) of string type. | `map(any)` | `null` | no |
| <a name="input_network_dependency"></a> [network\_dependency](#input\_network\_dependency) | A map of objects containing the externally managed network resources this module may depend on. Supported resources are 'subnets', represent as a map of objects. Each object must have an 'id' attribute of string type set with the subnet OCID. | <pre>object({<br> subnets = optional(map(object({<br> id = string # the subnet OCID<br> })))<br> })</pre> | `null` | no |
| <a name="input_sessions_configuration"></a> [sessions\_configuration](#input\_sessions\_configuration) | Sessions configuration attributes. | <pre>object({<br> default_ssh_public_key = optional(string) # the default ssh_public_key path. It's overriden by the ssh_public_key attribute within each object.<br> default_session_type = optional(string) # the default session_type. It's overriden by the session_type attribute within each object.<br> sessions = map(object({ <br> bastion_id = string # the ocid or the key of Bastion where the session will be created.<br> ssh_public_key = optional(string) # the ssh_public_key path used by the session to connect to target. The default_ssh_public_key is used if this is not defined.<br> session_type = optional(string) # session type of the session. Supported values are MANAGED_SSH and PORT_FORWARDING. The default_session_type is used if this is not defined.<br> target_resource = string # Either the FQDN, OCID or IP of the target resource to connect the session to.<br> target_user = optional(string) # User of the target that will be used by session. It is required only with MANAGED_SSH. <br> target_port = number # Port number that will be used by the session.<br> session_ttl_in_seconds = optional(number,10800) # Session time to live<br> session_name = string # Session name<br> }))<br> })</pre> | `null` | no |

## Outputs
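Review bot: typo in the new *network_dependency* description: "represent as a map of objects" should read "represented as a map of objects"; the same string is added to bastion/variables.tf in this commit, so fix both. The description also still opens with "A map of objects" although the type is now an object wrapping the *subnets* map. In the *endpoints_dependency* and *instances_dependency* rows, "The objects, when defined, must contain at least an ... attribute" is hedging left over from `map(any)`; with `map(object({...}))` the attribute is enforced by the type, so state it plainly.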
2 changes: 1 addition & 1 deletion bastion/sessions.tf
@@ -35,7 +35,7 @@ resource "oci_bastion_session" "these" {
target_resource_id = length(regexall("^ocid1.*$", each.value.target_resource)) > 0 ? each.value.target_resource : var.instances_dependency != null ? (contains(keys(var.instances_dependency),each.value.target_resource) ? var.instances_dependency[each.value.target_resource].id : null) : null
target_resource_operating_system_user_name = each.value.target_user
target_resource_port = each.value.target_port
target_resource_private_ip_address = length(regexall("^(\\d+\\.){3}\\d+$", each.value.target_resource)) > 0 ? each.value.target_resource : var.endpoints_dependency != null ? (contains(keys(var.endpoints_dependency),each.value.target_resource) ? split(":", var.endpoints_dependency[each.value.target_resource].endpoints[0].private_endpoint)[0] : null) : null
target_resource_private_ip_address = length(regexall("^(\\d+\\.){3}\\d+$", each.value.target_resource)) > 0 ? each.value.target_resource : var.endpoints_dependency != null ? (contains(keys(var.endpoints_dependency),each.value.target_resource) ? var.endpoints_dependency[each.value.target_resource].ip_address : null) : null
}
display_name = each.value.session_name
session_ttl_in_seconds = each.value.session_ttl_in_seconds
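Review bot: the fix correctly reads *ip_address* from the new dependency shape, but nothing validates that value, and the literal branch still keys on `^(\\d+\\.){3}\\d+$`, which accepts out-of-range octets such as 999.1.1.1. A dependency entry holding a non-IP string, or the old "ip:port" form now that the `split(":")` is gone, is assigned to *target_resource_private_ip_address* unchanged and only fails at the API. Consider a `validation` block on *endpoints_dependency* (for instance `can(cidrnetmask("${v.ip_address}/32"))` per entry, guarded for the `null` default) and the same check on the literal branch here. Note also that a *target_resource* key missing from both dependency maps resolves to `null` for both the OCID and the private IP, which deserves a `precondition` rather than a silent pass-through.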
24 changes: 17 additions & 7 deletions bastion/variables.tf
@@ -56,21 +56,31 @@ variable "module_name" {
}
variable "compartments_dependency" {
description = "A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type."
type = map(any)
type = map(object({
id = string # the compartment OCID
}))
default = null
}
variable "network_dependency" {
description = "A map of objects containing the externally managed network resources this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the network resource OCID) of string type."
type = map(any)
description = "A map of objects containing the externally managed network resources this module may depend on. Supported resources are 'subnets', represent as a map of objects. Each object must have an 'id' attribute of string type set with the subnet OCID."
type = object({
subnets = optional(map(object({
id = string # the subnet OCID
})))
})
default = null
}
variable "instances_dependency" {
description = "A map of objects containing the externally managed Compute instances this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the instance OCID) of string type."
type = map(any)
description = "A map of objects containing the externally managed Compute instances this module may depend on. The objects, when defined, must contain at least an 'id' attribute (representing the instance OCID) of string type."
type = map(object({
id = string # the instance OCID
}))
default = null
}
variable "endpoints_dependency" {
description = "A map of objects containing the externally managed endpoints this module may depend on."
type = map(any)
description = "A map of objects containing the externally managed endpoints this module may depend on. The objects, when defined, must contain at least an 'ip_address' attribute (representing the endpoint private IP address of the target resource) of string type."
type = map(object({
ip_address = string # the private IP address
}))
default = null
}
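Review bot: all four dependency variables now declare strict object types, which is a good step, but none has a `validation` block. Since the stated contracts are "the compartment OCID", "the subnet OCID", "the instance OCID" and "the private IP address", a per-entry check such as `alltrue([for k, v in var.instances_dependency : can(regex("^ocid1\\.instance\\.", v.id))])`, guarded with `var.instances_dependency == null ||` because the default is `null`, would turn a mistyped or swapped dependency into a plan-time error instead of an API error. Also fix "represent as" to "represented as" in the *network_dependency* description, and make the `# the private IP address` comment say the value carries no port.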
5 changes: 3 additions & 2 deletions cloud-guard/README.md
@@ -119,13 +119,14 @@ cloud_guard_configuration = {
```
### <a name="ext_dep">External Dependencies</a>

The example above has some dependencies. Specifically, it requires *tenancy_ocid* and *resource_id* values. These values need to be obtained somehow. In some cases, you can simply get them from the team that is managing compartments and operate on a manual copy-and-paste fashion. However, in the automation world, copying and pasting can be slow and error prone. More sophisticated automation approaches would get these dependencies from their producing Terraform configurations. With this scenario in mind, **the module overloads the attributes ending in *_id***. Note *tenancy_ocid* is immutable in the tenancy lifetime, hence the module expects that the literal tenancy OCID is used. The *\*_id* attributes can be assigned a literal OCID (as in the example above, for those whom copying and pasting is an acceptable approach) or a reference (a key) to an OCID. If a key to an OCID is given, the module requires a map of objects where the key and the OCID are expected to be found. This map of objects is passed to the module via the *compartments_dependency* attribute.
The example above has some dependencies. Specifically, it requires *tenancy_ocid* and *resource_id* values. These values need to be obtained somehow. In some cases, you can simply get them from the team that is managing compartments and operate on a manual copy-and-paste fashion. However, in the automation world, copying and pasting can be slow and error prone. More sophisticated automation approaches would get these dependencies from their producing Terraform configurations. With this scenario in mind, **the module overloads the attributes ending in *_id***. The *\*_id* attributes can be assigned a literal OCID (as in the example above, for those whom copying and pasting is an acceptable approach) or a reference (a key) to an OCID. If a key to an OCID is given, the module requires a map of objects where the key and the OCID are expected to be found. This map of objects is passed to the module via the *compartments_dependency* variable.

**Note**: The special key "TENANCY-ROOT" is reserved and should be used for referring to the tenancy OCID in *resource_id* and *compartment_id* attributes.

Rewriting the example above with the external dependency:

```
cloud_guard_configuration = {
tenancy_ocid = "ocid1.tenancy.oc1..aaaaaa...nuq"
reporting_region = "us-ashburn-1"
targets = {
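Review bot: the rewritten paragraph drops the sentence that *tenancy_ocid* is a literal, and RELEASE-NOTES.md in this commit says "*tenancy_ocid* becomes a variable of its own", yet the unchanged example directly below still sets `tenancy_ocid = "ocid1.tenancy.oc1..aaaaaa...nuq"` inside *cloud_guard_configuration*. Either the example or the release note is stale; update the example to show the new top-level variable. The "TENANCY-ROOT" note should also say where the module takes the tenancy OCID from when the reserved key is used, and that the key must not appear in *compartments_dependency*, since a caller-supplied entry with that name would otherwise be ambiguous. Minor: "for those whom copying and pasting is an acceptable approach" should read "for whom copying and pasting is an acceptable approach".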