Release 0.1.6 (#8)

* Update README.md
* Release 0.1.4

* Release 0.1.5

* feat: public key string now supported

* fix: correct attr name is type

* doc: Updated License file

* doc: Updated Readme

* doc: Updated Contributing

* doc: Added Security file

* Update README.md

* feat: release notes and release bump

---------

Signed-off-by: Andre Correa <andre.correa@oracle.com>
Co-authored-by: CINTHIA JIMENEZ <cinthia.jimenez@oracle.com>
Co-authored-by: Josh Hammer <josh.hammer@oracle.com>

CONTRIBUTING.md

@@ -1,23 +1,55 @@
-# Contributing to the CIS OCI Terraform Modules
+# Contributing to this repository
 
-*Copyright (c) 2023, Oracle and/or its affiliates.*
+We welcome your contributions! There are multiple ways to contribute.
 
-*Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.*
+## Opening issues
 
-To post feedback, submit feature ideas or report bugs, please use the Issues section in this repository.
+For bugs or enhancement requests, please file a GitHub issue unless it's
+security related. When filing a bug remember that the better written the bug is,
+the more likely it is to be fixed. If you think you've found a security
+vulnerability, do not raise a GitHub issue and follow the instructions in our
+[security policy](./SECURITY.md).
 
-Pull requests can be made under [The Oracle Contributor Agreement](https://oca.opensource.oracle.com/) (OCA).
+## Contributing code
 
-For pull requests to be accepted, the bottom of your commit message must have the following line using your name and e-mail address as it appears in the OCA Signatories list.
+We welcome your code contributions. Before submitting code via a pull request,
+you will need to have signed the [Oracle Contributor Agreement][OCA] (OCA) and
+your commits need to include the following line using the name and e-mail
+address you used to sign the OCA:
 
-```
-  Signed-off-by: Your Name <you@example.org>
+```text
+Signed-off-by: Your Name <you@example.org>
 ```
 
-This can be automatically added to pull requests by committing with:
+This can be automatically added to pull requests by committing with `--sign-off`
+or `-s`, e.g.
 
-```sh
-  git commit --signoff
+```text
+git commit --signoff
 ```
 
-Only pull requests from committers that can be verified as having signed the OCA can be accepted.
+Only pull requests from committers that can be verified as having signed the OCA
+can be accepted.
+
+## Pull request process
+
+1. Ensure there is an issue created to track and discuss the fix or enhancement
+   you intend to submit.
+1. Fork this repository.
+1. Create a branch in your fork to implement the changes. We recommend using
+   the issue number as part of your branch name, e.g. `1234-fixes`.
+1. Ensure that any documentation is updated with the changes that are required
+   by your change.
+1. Ensure that any samples are updated if the base image has been changed.
+1. Submit the pull request. *Do not leave the pull request blank*. Explain exactly
+   what your changes are meant to do and provide simple steps on how to validate.
+   your changes. Ensure that you reference the issue you created as well.
+1. We will assign the pull request to 2-3 people for review before it is merged.
+
+## Code of conduct
+
+Follow the [Golden Rule](https://en.wikipedia.org/wiki/Golden_Rule). If you'd
+like more specific guidelines, see the [Contributor Covenant Code of Conduct][COC].
+
+[OCA]: https://oca.opensource.oracle.com
+[COC]: https://www.contributor-covenant.org/version/1/4/code-of-conduct/

LICENSE → LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2023 Oracle and/or its affiliates. 
+Copyright (c) 2023 Oracle and/or its affiliates.
 
 The Universal Permissive License (UPL), Version 1.0
 
@@ -32,4 +32,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

README.md

@@ -1,4 +1,4 @@
-# CIS OCI Landing Zone Security Modules
+# OCI Landing Zone Security Modules
 
 ![Landing Zone logo](./landing_zone_300.png)
 
@@ -27,15 +27,26 @@ The modules in this collection are designed for flexibility, are straightforward
 
 Using these modules does not require a user extensive knowledge of Terraform or OCI resource types usage. Users declare a JSON object describing the OCI resources according to each module’s specification and minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.
 
+## Help
+
+Open an issue in this repository.
+
 ## Contributing
-See [CONTRIBUTING.md](./CONTRIBUTING.md).
+
+This project welcomes contributions from the community. Before submitting a pull request, please [review our contribution guide](./CONTRIBUTING.md).
+
+## Security
+
+Please consult the [security guide](./SECURITY.md) for our responsible security vulnerability disclosure process.
 
 ## License
-Copyright (c) 2023, Oracle and/or its affiliates.
 
-Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+Copyright (c) 2023,2024 Oracle and/or its affiliates.
+
+*Replace this statement if your project is not licensed under the UPL*
 
-See [LICENSE](./LICENSE) for more details.
+Released under the Universal Permissive License v1.0 as shown at
+<https://oss.oracle.com/licenses/upl/>.
 
 ## Known Issues
 None.

RELEASE-NOTES.md

@@ -1,3 +1,11 @@
+# July 19, 2024 Release Notes - 0.1.6
+
+## Updates
+1. Aligned [README.md](./README.md) structure to Oracle's GitHub organizations requirements.
+2. [Bastion module](./bastion/)
+    - In addition to an SSH public key path, an SSH public key literal string can now be used for defining Bastion sessions (*default_ssh_public_key* and *ssh_public_key* attributes).
+
+
 # May 22, 2024 Release Notes - 0.1.5
 
 ## Updates

SECURITY.md

@@ -0,0 +1,38 @@
+# Reporting security vulnerabilities
+
+Oracle values the independent security research community and believes that
+responsible disclosure of security vulnerabilities helps us ensure the security
+and privacy of all our users.
+
+Please do NOT raise a GitHub Issue to report a security vulnerability. If you
+believe you have found a security vulnerability, please submit a report to
+[secalert_us@oracle.com][1] preferably with a proof of concept. Please review
+some additional information on [how to report security vulnerabilities to Oracle][2].
+We encourage people who contact Oracle Security to use email encryption using
+[our encryption key][3].
+
+We ask that you do not use other channels or contact the project maintainers
+directly.
+
+Non-vulnerability related security issues including ideas for new or improved
+security features are welcome on GitHub Issues.
+
+## Security updates, alerts and bulletins
+
+Security updates will be released on a regular cadence. Many of our projects
+will typically release security fixes in conjunction with the
+Oracle Critical Patch Update program. Additional
+information, including past advisories, is available on our [security alerts][4]
+page.
+
+## Security-related information
+
+We will provide security related information such as a threat model, considerations
+for secure use, or any known security issues in our documentation. Please note
+that labs and sample code are intended to demonstrate a concept and may not be
+sufficiently hardened for production use.
+
+[1]: mailto:secalert_us@oracle.com
+[2]: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html
+[3]: https://www.oracle.com/security-alerts/encryptionkey.html
+[4]: https://www.oracle.com/security-alerts/

bastion/README.md

@@ -71,12 +71,12 @@ The bastions themselves are defined within the **bastions** attribute. In Terraf
 Sessions are managed using the **sessions_configuration** object. It contains a set of attributes starting with the prefix *default_* and an attribute named *sessions* .The *default_* attribute values are applied to all sessions, unless overridden at the session object level.
 
 The defined **default_** attributes are the following:
-- **default_ssh_public_key**: (Optional) Default SSH public key path for all sessions. It can be overridden by the *ssh_public_key* attribute in each session.
+- **default_ssh_public_key**: (Optional) Default SSH public key path or SSH public key literal string for all sessions. It can be overridden by the *ssh_public_key* attribute in each session.
 - **default_session_type**: (Optional) Default session type for all sessions. Supported values are "MANAGED_SSH" and "PORT_FORWARDING". It can be overridden by *session_type* attribute in each session.
 
 Sessions are defined using the  **sessions** attribute. In Terraform terms, it is a map of objects, where each object is referred by an identifying key. The following attributes are supported:
 - **bastion_id**: The bastion where the session is created. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in the *bastions* map of objects.
-- **ssh_public_key**: (Optional) The SSH public key path to connect to target. *default_ssh_public_key* is used if undefined.
+- **ssh_public_key**: (Optional) The SSH public key path or the SSH public key literal string to connect to target. *default_ssh_public_key* is used if undefined.
 - **session_type**: (Optional) The session type. Supported values are "MANAGED_SSH" and "PORT_FORWARDING". *default_session_type* if undefined.
 - **target_resource**: Either the FQDN, OCID or private IP address of the target resource that the session connects to.
 - **target_user**: (Optional) The SSH user name in the target resource. Required for "MANAGED_SSH" session type. 

bastion/examples/bastion_managed_ssh_session/input.auto.tfvars.template

@@ -36,7 +36,7 @@ sessions_configuration = {
     sessions = {
       SESSION-1 = {
         bastion_id      = "BASTION-1"
-        ssh_public_key  = "<REPLACE-BY-SSH-PUBLIC-KEY-PATH>"
+        ssh_public_key  = "<REPLACE-BY-SSH-PUBLIC-KEY-PATH>" # the SSH public key string is also supported.
         session_type    = "MANAGED_SSH"
         target_resource = "<REPLACE-BY-TARGET-INSTANCE-OCID>"
         target_user     = "opc"

bastion/examples/bastion_port_forwarding_session/input.auto.tfvars.template

@@ -36,7 +36,7 @@ sessions_configuration = {
     sessions = {
       SESSION-1 = {
         bastion_id      = "BASTION-1"
-        ssh_public_key  = "<REPLACE-BY-SSH-PUBLIC-KEY-PATH>"
+        ssh_public_key  = "<REPLACE-BY-SSH-PUBLIC-KEY-PATH>" # the SSH public key string is also supported.
         session_type    = "PORT_FORWARDING"
         target_resource = "<REPLACE-BY-TARGET-RESOURCE-OCID>"
         target_port     = "<REPLACE-BY-TARGET-PORT>"

bastion/sessions.tf

@@ -27,7 +27,7 @@ resource "oci_bastion_session" "these" {
   }
   bastion_id = length(regexall("^ocid1.*$", each.value.bastion_id)) > 0 ? each.value.bastion_id : oci_bastion_bastion.these[each.value.bastion_id].id
   key_details {
-    public_key_content = each.value.ssh_public_key != null ? file(each.value.ssh_public_key) : file(var.sessions_configuration.default_ssh_public_key)
+    public_key_content = each.value.ssh_public_key != null ? (fileexists(each.value.ssh_public_key) ? file(each.value.ssh_public_key) : each.value.ssh_public_key) : var.sessions_configuration.default_ssh_public_key != null ? (fileexists(var.sessions_configuration.default_ssh_public_key) ? file(var.sessions_configuration.default_ssh_public_key) : var.sessions_configuration.default_ssh_public_key): null
   }
   target_resource_details {
     session_type                               = each.value.session_type != null ? each.value.session_type : var.sessions_configuration.default_session_type #MANAGED_SSH / PORT_FORWARDING/

release.txt

@@ -1 +1 @@
-0.1.5
+0.1.6

vaults/examples/external_dependency/README.md

@@ -1,4 +1,4 @@
-# CIS OCI Vaults Module Example - External Dependency
+# OCI Vaults Module Example - External Dependency
 
 ## Introduction
 
@@ -56,4 +56,4 @@ Refer to [Vaults module README.md](../../README.md) for overall attributes usage
 terraform init
 terraform plan -out plan.out
 terraform apply plan.out
-```
+```

vaults/examples/vision/README.md

@@ -1,4 +1,4 @@
-# CIS OCI Vaults Module Example
+# OCI Vaults Module Example
 
 ## Introduction
 
@@ -19,4 +19,4 @@ Refer to [Vaults module README.md](../../README.md) for overall attributes usage
 terraform init
 terraform plan -out plan.out
 terraform apply plan.out
-```
+```

vss/README.md

@@ -37,7 +37,7 @@ allow service vulnerability-scanning-service to read vnic-attachments in tenancy
 
 ### Scanning
 
-Host scanning relies on Vulnerability Scanning cloud agent plugin enabled and running in target instances. After setting your host scanning targets using this module, make sure the plugin is available, enabled and running. In order to enable the plugin, the cloud agent needs an egress path to Oracle Services Network via a Service Gateway. Therefore, also make sure the subnet where the target instances are located have a route rule and security rule allowing such egress path. The [Landing Zone Compute module](https://github.com/oracle-quickstart/terraform-oci-secure-workloads/tree/main/cis-compute-storage) aids in enabling cloud agent plugins.
+Host scanning relies on Vulnerability Scanning cloud agent plugin enabled and running in target instances. After setting your host scanning targets using this module, make sure the plugin is available, enabled and running. In order to enable the plugin, the cloud agent needs an egress path to Oracle Services Network via a Service Gateway. Therefore, also make sure the subnet where the target instances are located have a route rule and security rule allowing such egress path. The [OCI Landing Zone Compute module](https://github.com/oracle-quickstart/terraform-oci-secure-workloads/tree/main/cis-compute-storage) aids in enabling cloud agent plugins.
 
 ### Terraform Version < 1.3.x and Optional Object Type Attributes
 This module relies on [Terraform Optional Object Type Attributes feature](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes), which is experimental from Terraform 0.14.x to 1.2.x. It shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes. The feature has been promoted and it is no longer experimental in Terraform 1.3.x.

vss/examples/external_dependency/README.md

@@ -1,4 +1,4 @@
-# CIS OCI Vulnerability Scanning Module Example - External Dependency
+# OCI Vulnerability Scanning Module Example - External Dependency
 
 ## Introduction
 
@@ -45,4 +45,4 @@ Refer to [VSS module README.md](../../README.md) for overall attributes usage.
 terraform init
 terraform plan -out plan.out
 terraform apply plan.out
-```
+```

vss/examples/vision/README.md

@@ -1,4 +1,4 @@
-# CIS OCI Vulnerability Scanning Module Example
+# OCI Vulnerability Scanning Module Example
 
 ## Introduction
 
@@ -21,4 +21,4 @@ Refer to [VSS module README.md](../../README.md) for overall attributes usage.
 terraform init
 terraform plan -out plan.out
 terraform apply plan.out
-```
+```

vss/main.tf

@@ -26,7 +26,7 @@ resource "oci_vulnerability_scanning_host_scan_recipe" "these" {
       }
     }
     application_settings {
-      application_scan_recurrence = each.value.file_scan_settings != null ? (each.value.file_scan_settings.scan_recurrence != null ? upper(each.value.file_scan_settings.scan_recurrence) : (each.value.schedule_settings != null ? (each.value.schedule_settings.scan_type != null ? (each.value.schedule_settings.scan_type == "WEEKLY" ? "FREQ=WEEKLY;INTERVAL=2;WKST=${substr(upper(each.value.schedule_settings.day_of_week != null ? each.value.schedule_settings.day_of_week : "SUNDAY"),0,2)}" : "FREQ=WEEKLY;INTERVAL=2;WKST=SU") : "FREQ=WEEKLY;INTERVAL=2;WKST=SU") : "FREQ=WEEKLY;INTERVAL=2;WKST=SU")) : "FREQ=WEEKLY;INTERVAL=2;WKST=SU"
+      application_scan_recurrence = each.value.file_scan_settings != null ? (each.value.file_scan_settings.scan_recurrence != null ? upper(each.value.file_scan_settings.scan_recurrence) : (each.value.schedule_settings != null ? (each.value.schedule_settings.type != null ? (each.value.schedule_settings.type == "WEEKLY" ? "FREQ=WEEKLY;INTERVAL=2;WKST=${substr(upper(each.value.schedule_settings.day_of_week != null ? each.value.schedule_settings.day_of_week : "SUNDAY"),0,2)}" : "FREQ=WEEKLY;INTERVAL=2;WKST=SU") : "FREQ=WEEKLY;INTERVAL=2;WKST=SU") : "FREQ=WEEKLY;INTERVAL=2;WKST=SU")) : "FREQ=WEEKLY;INTERVAL=2;WKST=SU"
       folders_to_scan {
         folder = each.value.file_scan_settings != null ? (each.value.file_scan_settings.folders_to_scan != null ? join(";", each.value.file_scan_settings.folders_to_scan) : "/") : "/"
         operatingsystem = each.value.file_scan_settings != null ? upper(coalesce(each.value.file_scan_settings.operating_system,"LINUX")) : "LINUX"