Merge pull request #104 from oracle-quickstart/release-2.5.9

Release 2.5.9

README.md

@@ -39,6 +39,7 @@ The template uses multiple compartments, groups, and IAM policies to segregate a
 - Notifications
 - Object Storage
 - Budgets
+- Security Zone
 
  ## <a name="deliverables"></a>Deliverables
  This repository encloses two deliverables:

VARIABLES.md

@@ -118,8 +118,8 @@ Variable Name | Description | Required | Default Value
 ### <a name="security_zones_variables"></a>Security Zones Variables
 Variable Name | Description | Required | Default Value
 --------------|-------------|----------|--------------
-**enable_security_zones** | Determines if Security Zones are enabled in Landing Zone compartment(s). If *true*, Security Zones recipe(s) are created and a Security Zone with that recipe is attached to either the enclosing compartment if enabled or the individual compartments managed by the Landing Zone. | No | false
-**sz_security_policies** | List of Security Zones policy OCIDs that will be added to the Security Zones recipe.  These policies will in addition to the Security Zones policies associated to your select cis_level. To get a Security Zone policy OCID use the oci cli:  `oci cloud-guard security-policy-collection list-security-policies --compartment-id <tenancy-ocid>`  | No | []
+**enable_security_zones** | Determines if Security Zones are enabled in Landing Zone compartment(s). If *true*, Security Zones recipe(s) are created and a Security Zone with that recipe is enabled for the enclosing compartment. The Security Zone is only enabled if an enclosing compartment is used. | No | false
+**sz_security_policies** | List of Security Zones policy OCIDs that will be added to the Security Zones recipe. These policies are added to the Security Zone policies associated to the selected cis_level. If cis_level is "1", *"deny public_buckets"* and *"deny db_instance_public_access"* policies are added. If cis_level is "2", *"deny block_volume_without_vault_key"*, *"deny boot_volume_without_vault_key"*, *"deny buckets_without_vault_key"*, and *"deny file_system_without_vault_key"* policies are further added. To get a Security Zone policy OCID use the oci cli:  `oci cloud-guard security-policy-collection list-security-policies --compartment-id <tenancy-ocid>`  | No | []
 
 
 ### <a name="logging_variables"></a>Logging Variables

config/mon_notifications.tf

@@ -114,15 +114,14 @@ locals {
           "com.oraclecloud.virtualnetwork.updateinternetgateway",
           "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment",
           "com.oraclecloud.virtualnetwork.createlocalpeeringgateway",
-          "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway",
+          "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end",
           "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway",
           "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment",
           "com.oraclecloud.natgateway.createnatgateway",
           "com.oraclecloud.natgateway.deletenatgateway",
           "com.oraclecloud.natgateway.updatenatgateway",
           "com.oraclecloud.natgateway.changenatgatewaycompartment",
           "com.oraclecloud.servicegateway.createservicegateway",
-          "com.oraclecloud.servicegateway.deleteservicegateway.begin",
           "com.oraclecloud.servicegateway.deleteservicegateway.end",
           "com.oraclecloud.servicegateway.attachserviceid",
           "com.oraclecloud.servicegateway.detachserviceid",

config/schema.yml

@@ -713,7 +713,7 @@ variables:
   enable_security_zones:
     type: boolean
     title: Enable Security Zones
-    description: "Determines if Security Zones are enabled in Landing Zone compartments."
+    description: "Determines if Security Zones are enabled in Landing Zone compartments. When set to true, the Security Zone is enabled for the enclosing compartment. If no enclosing compartment is used, then the Security Zone is not enabled."
     default: false
 
   sz_security_policies:

config/security_zones.tf

@@ -2,17 +2,10 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
-
-  all_security_zones_defined_tags  = {}
-  all_security_zones_freeform_tags = {}
-
-  managed_enclosing_target_sz_compartment  = length(module.lz_top_compartment) > 0 ? { "${local.enclosing_compartment.key}-security-zone" = { "sz_compartment_name" : module.lz_top_compartment[0].compartments[local.enclosing_compartment.key].name, "sz_compartment_id" : module.lz_top_compartment[0].compartments[local.enclosing_compartment.key].id } } : {}
-  existing_enclosing_target_sz_compartment = local.enclosing_compartment_id != var.tenancy_ocid ? { "${local.enclosing_compartment.key}-security-zone" = { "sz_compartment_name" : local.enclosing_compartment.name, "sz_compartment_id" : local.enclosing_compartment_id } } : {}
-  managed_compartments_sz_compartments     = { for k, v in module.lz_compartments.compartments : "${k}-security-zone" => { "sz_compartment_name" : v.name, "sz_compartment_id" : v.id } }
-  auto_security_zone_target_compartments   = length(local.managed_enclosing_target_sz_compartment) > 0 ? local.managed_enclosing_target_sz_compartment : (length(local.existing_enclosing_target_sz_compartment) > 0 ? local.existing_enclosing_target_sz_compartment : local.managed_compartments_sz_compartments)
-  custom_security_zone_target_compartments = {}
-  security_zone_target_compartments = local.custom_security_zone_target_compartments == {} ? local.auto_security_zone_target_compartments : local.custom_security_zone_target_compartments
-
+  ### These variables can be overriden.
+  custom_security_zones_defined_tags  = null
+  custom_security_zones_freeform_tags = null
+  custom_security_zone_target_compartments = null
 }
 
 module "lz_security_zones" {
@@ -21,22 +14,36 @@ module "lz_security_zones" {
   ]
   source                 = "../modules/security/security-zones"
   providers              = { oci = oci.home }
-  count                  = var.enable_security_zones ? 1 : 0
+  count                  = var.enable_security_zones && length(local.security_zone_target_compartments) > 0 ? 1 : 0
   compartment_id         = var.tenancy_ocid
   cis_level              = var.cis_level
   security_policies      = var.sz_security_policies
   sz_target_compartments = local.security_zone_target_compartments
   defined_tags           = local.security_zones_defined_tags
   freeform_tags          = local.security_zones_freeform_tags
-
 }
 
 locals {
+  ### These variables are NOT meant to be overriden.
+  managed_enclosing_target_sz_compartment  = length(module.lz_top_compartment) > 0 ? { 
+    "${local.enclosing_compartment.key}-security-zone" = { 
+      "sz_compartment_name" : module.lz_top_compartment[0].compartments[local.enclosing_compartment.key].name, 
+      "sz_compartment_id" : module.lz_top_compartment[0].compartments[local.enclosing_compartment.key].id 
+      } 
+  } : {}
+  existing_enclosing_target_sz_compartment = length(module.lz_top_compartment) == 0 && local.enclosing_compartment_id != var.tenancy_ocid ? { 
+    "${local.enclosing_compartment.key}-security-zone" = { 
+      "sz_compartment_name" : local.enclosing_compartment.name, 
+      "sz_compartment_id" : local.enclosing_compartment_id 
+      } 
+  } : {}
+
+  auto_security_zone_target_compartments = length(local.managed_enclosing_target_sz_compartment) > 0 ? local.managed_enclosing_target_sz_compartment : (length(local.existing_enclosing_target_sz_compartment) > 0 ? local.existing_enclosing_target_sz_compartment : {})
+  security_zone_target_compartments      = local.custom_security_zone_target_compartments != null ? local.custom_security_zone_target_compartments : local.auto_security_zone_target_compartments
 
-  ### DON'T TOUCH THESE ###
   default_security_zones_defined_tags  = null
   default_security_zones_freeform_tags = local.landing_zone_tags
 
-  security_zones_defined_tags  = length(local.all_security_zones_defined_tags) > 0 ? local.all_security_zones_defined_tags : local.default_security_zones_defined_tags
-  security_zones_freeform_tags = length(local.all_security_zones_freeform_tags) > 0 ? merge(local.all_security_zones_freeform_tags, local.default_security_zones_freeform_tags) : local.default_security_zones_freeform_tags
+  security_zones_defined_tags  = local.custom_security_zones_defined_tags != null ? merge(local.custom_security_zones_defined_tags, local.default_security_zones_defined_tags) : local.default_security_zones_defined_tags
+  security_zones_freeform_tags = local.custom_security_zones_freeform_tags != null ? merge(local.custom_security_zones_freeform_tags, local.default_security_zones_freeform_tags) : local.default_security_zones_freeform_tags
 }

config/variables.tf

@@ -478,7 +478,7 @@ variable "cloud_guard_admin_email_endpoints" {
 variable "enable_security_zones" {
     type        = bool
     default     = false
-    description = "Determines if Security Zones are enabled in Landing Zone compartments."
+    description = "Determines if Security Zones are enabled in Landing Zone. When set to true, the Security Zone is enabled for the enclosing compartment. If no enclosing compartment is used, then the Security Zone is not enabled."
   }
 
   variable "sz_security_policies" {

release-notes.md

@@ -1,3 +1,11 @@
+#   April 26, 2023 Release Notes - 2.5.9
+1. [Terraform Template Updates](#2-5-9-tf-updates)
+
+## <a name="2-5-9-tf-updates">Terraform Template Updates</a>
+Updates:
+- Security Zone is enabled only if an enclosing compartment is used. Changes in [security_zones.tf](./config/security_zones.tf).
+- Network event types updated for local peering gateway and service gateway: only event types ending with ".end" are captured. Changes in [mon_notifications.tf](./config/mon_notifications.tf).
+
 #   April 17, 2023 Release Notes - 2.5.8
 1. [Compliance Checking Script Updates](#2-5-8-script-updates)
 1. [Terraform Template Updates](#2-5-8-tf-updates)

scripts/cis_reports.py

@@ -585,7 +585,7 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, print
                 'com.oraclecloud.virtualnetwork.updateinternetgateway',
                 'com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment',
                 'com.oraclecloud.virtualnetwork.createlocalpeeringgateway',
-                'com.oraclecloud.virtualnetwork.deletelocalpeeringgateway',
+                'com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end',
                 'com.oraclecloud.virtualnetwork.updatelocalpeeringgateway',
                 'com.oraclecloud.natgateway.changenatgatewaycompartment',
                 'com.oraclecloud.natgateway.createnatgateway',
@@ -594,7 +594,6 @@ def __init__(self, config, signer, proxy, output_bucket, report_directory, print
                 'com.oraclecloud.servicegateway.attachserviceid',
                 'com.oraclecloud.servicegateway.changeservicegatewaycompartment',
                 'com.oraclecloud.servicegateway.createservicegateway',
-                'com.oraclecloud.servicegateway.deleteservicegateway.begin',
                 'com.oraclecloud.servicegateway.deleteservicegateway.end',
                 'com.oraclecloud.servicegateway.detachserviceid',
                 'com.oraclecloud.servicegateway.updateservicegateway'