Merge pull request #116 from oracle-quickstart/release-2.6.2

Release 2.6.2

DEPLOYMENT-GUIDE.md

@@ -150,17 +150,17 @@ Two extra compartments can be provisioned based on user choice:
 
 By default, the Landing Zone defines the following personas that account for most organization needs:
 
-- **Security Administrators**: manages security services and resources including Vaults, Keys, Logging, Vulnerability Scanning, Web Application Firewall, Bastion, Service Connector Hub.
-- **Network Administrators**: manages OCI network family, including VCNs, DRGs, VNICs, IP addresses.
-- **Application Administrators**: manages application related resources including Compute images, OCI Functions, Kubernetes clusters, Streams, Object Storage, Block Storage, File Storage.
-- **Database Administrators**: manages database services, including Oracle VMDB (Virtual Machine), BMDB (Bare Metal), ADB (Autonomous databases), Exadata databases, MySQL, NoSQL, etc. 
-- **IAM Administrators**: manages IAM services and resources including compartments, groups, dynamic groups, policies, identity providers, authentication policies, network sources, tag defaults. However, this group is not allowed to manage the out-of-box *Administrators* and *Credential Administrators* groups. It's also not allowed to touch the out-of-box *Tenancy Admin Policy* policy.
-- **Credential Administrators**: manages a users’ capabilities and users credentials in general, including API keys, authentication tokens and secret keys.
-- **Cost Administrators**: manages budgets and usage reports.
+- **IAM Administrators**: manage IAM services and resources including compartments, groups, dynamic groups, policies, identity providers, authentication policies, network sources, tag defaults. However, this group is not allowed to manage the out-of-box *Administrators* and *Credential Administrators* groups. It's also not allowed to touch the out-of-box *Tenancy Admin Policy* policy.
+- **Credential Administrators**: manage users capabilities and users credentials in general, including API keys, authentication tokens and secret keys.
+- **Cost Administrators**: manage budgets and usage reports.
 - **Auditors**: entitled with read-only access across the tenancy and the ability to use cloud-shell to run the *cis_reports.py* script. 
 - **Announcement Readers**: for reading announcements displayed in OCI Console.
-
-- **ExaCS Administrators** (only created when ExaCS compartment is created): manages Exadata infrastructure and VM clusters in the ExaCS compartment.
+- **Security Administrators**: manage security services and resources including Vaults, Keys, Logging, Vulnerability Scanning, Web Application Firewall, Bastion, Service Connector Hub.
+- **Network Administrators**: manage OCI network family, including VCNs, Load Balancers, DRGs, VNICs, IP addresses.
+- **Application Administrators**: manage application related resources including Compute images, OCI Functions, Kubernetes clusters, Streams, Object Storage, Block Storage, File Storage.
+- **Database Administrators**: manage database services, including Oracle VMDB (Virtual Machine), BMDB (Bare Metal), ADB (Autonomous databases), Exadata databases, MySQL, NoSQL, etc. 
+- **ExaCS Administrators** (only created when ExaCS compartment is created): manage Exadata infrastructure and VM clusters in the ExaCS compartment.
+- **Storage Administrators**: the only group allowed to delete storage resources, including buckets, volumes and files. Used as a protection measure against inadvertent deletion of storage resources.
 
 > **_NOTE:_** following least privilege principle, groups are only entitled to manage, use, read or inspect the necessary resources to fulfill their duties.
 
@@ -169,7 +169,7 @@ By default, the Landing Zone defines the following personas that account for mos
 The Landing Zone defines four dynamic groups to satisfy common needs of workloads that are eventually deployed:
 
 - **Security Functions**: to be used by functions defined in the Security compartment. The matching rule includes all functions in the Security compartment. An example is a function for rotating secrets kept in a Vault.
-- **AppDev Functions**: to be used by functions defined in the AppDev compartment. The matching rule includes all functions in the AppDev compartment. An example is a function for processing of application data and the sending to Object Storage.
+- **AppDev Functions**: to be used by functions defined in the AppDev compartment. The matching rule includes all functions in the AppDev compartment. An example is a function for processing of application data and writing it to an Object Storage bucket.
 - **Compute Agent**: to be used by Compute's management agent in the AppDev compartment.
 - **Database KMS**: to be used by databases in the Database compartment to access keys in the Vault service.
 
@@ -273,6 +273,25 @@ In these cases, simply provide the existing OCI group names to the appropriate c
 - **existing_compute_agent_dyn_group_name**: existing dynamic group for Compute management agent access.
 - **existing_database_kms_dyn_group_name**: existing dynamic group for databases to access OCI KMS Keys.
 
+### Custom Group Names
+
+By default, the group names are following the convention `${var.service_label}-group_name` using the `service-label` defined in the `tfvars` file. When a different naming convention should be used, for example, to match an established naming convention, these names can be customized using the Terraform Override technique.
+
+The supported variables are:
+- **custom_iam_admin_group_name**
+- **custom_cred_admin_group_name**
+- **custom_cost_admin_group_name**
+- **custom_auditor_group_name**
+- **custom_announcement_reader_group_name**
+- **custom_network_admin_group_name**
+- **custom_security_admin_group_name**
+- **custom_appdev_admin_group_name**
+- **custom_database_admin_group_name**
+- **custom_exainfra_admin_group_name**
+- **custom_storage_admin_group_name**
+
+For an example see [Example 4: Using Custom Group Names](#example-4-using-custom-group-names)
+
 ### Extending Landing Zone to a New Region
 
 When you run Landing Zone's Terraform, some resources are created in the home region, while others are created in a region of choice. Among home region resources are compartments, groups, dynamic groups, policies, tag defaults and an infrastructure for IAM related notifications (including events, topics and subscriptions). Among resources created in the region of choice are VCNs, Log Groups, and those pertaining to security services like Vault Service, Vulnerability Scanning, Service Connector Hub, Bastion. The home region resources are automatically made available by OCI in all subscribed regions.
@@ -1031,6 +1050,26 @@ Now, we're placing ```vision_stage2_override.tf``` into the ```config``` directo
 
 When you run ```terraform apply``` the defined tags of your components will be updated accordingly.
 
+### Example 4: Using Custom Group Names
+
+To define group names that follow the company naming convention, create a file `iam_groups_override.tf` containing the following lines:
+
+    locals {
+      custom_iam_admin_group_name = "grp-iam-admins"
+      custom_cred_admin_group_name = "grp-credentials-admins"
+      custom_cost_admin_group_name = "grp-cost-admins"
+      custom_auditor_group_name = "grp-auditors"
+      custom_announcement_reader_group_name = "grp-announcement-readers"
+      custom_network_admin_group_name = "grp-network-admins"
+      custom_security_admin_group_name = "grp-security-admins"
+      custom_appdev_admin_group_name = "grp-application-admins"
+      custom_database_admin_group_name = "grp-database-admins"
+      custom_exainfra_admin_group_name = "grp-exainfra-admins"
+      custom_storage_admin_group_name = "grp-storage-admins"
+    }
+
+When done, move it to the `config` directory and verify it with `terraform plan`.
+
 # <a name="samples"></a>7. Deployment Samples
 
 In this section we give deployment examples of Landing Zone variables input file (*config/quickstart-input.tfvars* or *config/terraform.tfvars*) for common scenarios. The list is not exhaustive.

README.md

@@ -15,17 +15,16 @@
     1. [IAM](#arch-iam)
     1. [Network](#arch-network)
     1. [Diagram](#arch-diagram)
+1. [Deployment Guide](DEPLOYMENT-GUIDE.md)
 1. [Executing Instructions](#instructions)
     1. [Terraform Configuration](terraform.md)
     1. [Compliance Checking](compliance-script.md)
 1. [Blog Posts](#documentation)
-1. [Acknowledgements](#acknowledgements)
-1. [The Team](#team)
+1. [CIS OCI Foundations Benchmark Modules Collection](#modules)
 1. [Feedback](#feedback)
 1. [Known Issues](#known-issues)
-1. [Contribute](#CONTRIBUTING.md)
+1. [Contribute](CONTRIBUTING.md)
 1. [Frequently Asked Questions](FAQ.md)
-1. [Deployment Guide](DEPLOYMENT-GUIDE.md)
 
 ## <a name="overview"></a>Overview
 This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the [CIS OCI Foundations Benchmark v1.2](https://www.cisecurity.org/benchmark/oracle_cloud/).    
@@ -117,13 +116,19 @@ The greyed out icons in the AppDev and Database compartments indicate services n
 - [Creating a Secure Multi-Region Landing Zone](https://www.ateam-oracle.com/post/creating-a-secure-multi-region-landing-zone)
 - [The Center for Internet Security Oracle Cloud Infrastructure Foundations Benchmark 1.2 Release update](https://www.ateam-oracle.com/post/the-center-for-internet-security-oracle-cloud-infrastructure-foundations-benchmark-12-release-update)
 
-## <a name="acknowledgements"></a>Acknowledgements
-- Parts of the Terraform code reuses and adapts from [Oracle Terraform Modules](https://github.com/oracle-terraform-modules).
-- The Compliance Checking script builds on [Adi Zohar's showoci OCI Reporting tool](https://github.com/adizohar/showoci).
+## <a name="modules"></a>CIS OCI Foundations Benchmark Modules
+
+This repository uses a broader collection of repositories containing modules that help customers align their OCI implementations with the CIS OCI Foundations Benchmark recommendations:
+- [Identity & Access Management](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam)
+- [Networking](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking)
+- [Governance](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-governance)
+- [Security](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-security)
+- [Observability & Monitoring](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-observability)
+
+The modules in this collection are designed for flexibility, are straightforward to use, and enforce CIS OCI Foundations Benchmark recommendations when possible.
+
+Using these modules does not require a user extensive knowledge of Terraform or OCI resource types usage. Users declare a JSON object describing the OCI resources according to each module’s specification and minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.
 
-## <a name="team"></a>The Team
-- **Owners**: [Andre Correa](https://github.com/andrecorreaneto), [Josh Hammer](https://github.com/Halimer).
-- **Contributors**: [Chad Russell](https://github.com/chad-russell-git), [Johannes Murmman](https://github.com/jomurmann), [KC Flynn](https://github.com/flynnkc), [Logan Kleier](https://github.com/herosjourney), [Olaf Heimburger](https://github.com/oheimburger), Pulkit Sharma.
 
 ## <a name="feedback"></a>Feedback
 We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.	

examples/deployment_override_iam_groups/iam_goups_override.tf

@@ -0,0 +1,13 @@
+locals {
+  custom_iam_admin_group_name = "grp-iam-admins"
+  custom_cred_admin_group_name = "grp-credentials-admins"
+  custom_cost_admin_group_name = "grp-cost-admins"
+  custom_auditor_group_name = "grp-auditors"
+  custom_announcement_reader_group_name = "grp-announcement-readers"
+  custom_network_admin_group_name = "grp-network-admins"
+  custom_security_admin_group_name = "grp-security-admins"
+  custom_appdev_admin_group_name = "grp-application-admins"
+  custom_database_admin_group_name = "grp-database-admins"
+  custom_exainfra_admin_group_name = "grp-exainfra-admins"
+  custom_storage_admin_group_name = "grp-storage-admins"
+}

release-notes.md

@@ -1,3 +1,23 @@
+#   August 8, 2023 Release Notes - 2.6.2
+1. [Fixes to the CIS Compliance Script](#2-6-2-script-updates)
+1. [Updates to the CIS Compliance Script](#2-6-2-script-updates)
+1. [Updates to the Readme](#2-6-2-readme-updates)
+
+## <a name="2-6-2-script-updates">Updates to the CIS Compliance Script</a>
+Updates:
+- Added Service Connector Hub ID and Name to OBP Best practices for VCN Flow Logs and Object Storage Buckets
+- Alert users when the cis_reports.py is not run in home region which can impact budgets collection
+
+## <a name="2-6-2-script-fixes">Fixes to the CIS Compliance Script</a>
+Fixes: 
+- Updated CIS 2.8 check updated to exclude ADB-S that are in a VCN but not attached to Network Security Group.  Closes issue [#105](https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/issues/105)
+- Cleaned up 1900+ Flake8 
+
+## <a name="2-6-2-readme-updates">Updates to the Readme</a>
+Updates:
+- Removed team section
+- Added the CIS Terraform Modules Section
+
 #   July 26, 2023 Release Notes - 2.6.1
 1. [Updates to Terraform Template](#2-6-1-tf-updates)
 1. [Documentation Updates](#2-6-1-doc-updates)

release.txt

@@ -1 +1,2 @@
-2.6.1
+2.6.2
+