Release 0.7.1 (#43)
* fix: compartments dependency fixed for LB

* doc: updates

* feat: release tracking

* fix: default security list in subnets when VCN is injected

* fix: doc enhancements for network_dependency usage

* feat: dependencies strongly typed and examples

* fix: ipv6cidr_block type fixed

* fix: is_force_plain_text type rolled back

* fix: network_dependency with all objects, doc updates

* feat: NLB mvp module

* removed references to cis

* updated url

* updated readme

* updated readme

* removed extra files

* Release 0.6.5

* Release 0.6.5

* Release 0.6.6

* Release 0.6.7

* add vtap module

* remove the root level vtap tf file

* update the dependency description

* Added non-empty network_dependency check

* add SPEC.md for vtap module

* doc: Updated Readme

* doc: Updated license file

* doc: Added Security file

* doc: Updated Contributing

* chore: link references updated to existing repo

* chore: release notes and version bump

* fix: merge conflicts removed

* Upgrade the Terraform Version to at least 1.3

* chore: release notes and release bump

* feat: NFW policy upgrade - initial

* fix: position attr removed

* fix: public ip OCIDs added to output

* network firewall policies refactoring

* typo fix

* provider version update

* fix: added dependency DRGs to SGW route targets

* fix: cross-connect group reference

* feat: module tag updated to ocilz-terraform-module

* chore: release notes and SPECs updated

* doc: updates

* fix networking firewall policies

* still failing, security rules unable to find application and url lists

* feat: standalone NFW example added

* fix: application_lists (application_group resource type) added

* doc: urls updated to new org

* feat: provider version requirement removed

* fix: example updated per new NFW interface

* fix: template file updated per new NFW interface

* add services and service lists

* fix conflicts

* feat: ability to inject an externally managed DNS private view into a managed DNS resolver

* fix: example provider.tf updated

* fix: DNS steering policies must refer to local.one_dimension_processed_vcns (issue 570)

* update firewall example

* fix service list service lookup

* update SPEC.md

* clean up

* update readme and tfvars

* update link

* update README

* doc: README.md file added to example

* chore: release notes and version bump

* chore: typo

* add security zpr attributes to vcn

* add validation check for duplicate zpr attributes

* fixed zpr example in README.md

* updated vision tfvars template file with security attribute example

* updated SPEC.md

* add validation check for security attribute

* added default null value for tenancy_ocid var

* modified validation check for security attributes

* cleaned up code

* edit of error msgs in zpr validation checks

* add check for valid value in pre-defined list of values for zpr attribute key; fix typos

* add data source oci_security_attribute_security_attribute

* fix lookup of list of values by namespace.attr_value

* adjust validation statement for existing values

* fix typo in dns_enpoints output

* chore: release notes and version update

* chore: spec updated

* added condition to sec attr namespace data block; only require tenancy ocid when zpr attributes are required

* count condition change for data block security attr ns

* change to count condition data block secattr ns

* fix: removed ZPR validations that depend on existing namespaces

* chore: release notes updated

---------

Co-authored-by: Rory Nguyen <rory.nguyen@oracle.com>
Co-authored-by: Yupei Yang <yupei.yang@oracle.com>
Co-authored-by: Pablo Alonso <pablo.alonso@oracle.com>
Co-authored-by: Josh Hammer <josh.hammer@oracle.com>
Co-authored-by: vinaykumar-oci <er.vinayk@gmail.com>
Co-authored-by: Erna Guerrero <erna.guerrero@oracle.com>
7 people authored Nov 5, 2024
1 parent 1ab5933 commit 9e2bf72
Showing 2 changed files with 3 additions and 62 deletions.
1 change: 0 additions & 1 deletion RELEASE-NOTES.md
@@ -2,7 +2,6 @@

## Updates
1. ZPR (Zero Trust Packet Routing) security attributes can now be applied to VCNs. See *zpr_attributes* attribute under [Module Functioning](./README.md#functioning) for details.
- Provided ZPR namespaces, keys and values are checked at plan time for valid values.

# September 20, 2024 Release Notes - 0.7.0

64 changes: 3 additions & 61 deletions vcns.tf
@@ -102,70 +102,27 @@ locals {
]
]) : flat_security.security_attr_key => flat_security
} : null

zpr_existing_namespaces = length(data.oci_security_attribute_security_attribute_namespaces.these) > 0 ? [for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : n.name] : []

zpr_existing_attributes = flatten([
for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : [
for a in data.oci_security_attribute_security_attributes.these[n.id].security_attributes : "${a.security_attribute_namespace_name}.${a.name}"
]
])

zpr_existing_attribute_keys = merge([for item in {
for n in data.oci_security_attribute_security_attributes.these : n.security_attribute_namespace_id => {
for a in data.oci_security_attribute_security_attributes.these[n.security_attribute_namespace_id].security_attributes : "${a.security_attribute_namespace_name}.${a.name}" => {
attr_name = a.name
namespace_id = a.security_attribute_namespace_id }
}
} : item]...)

zpr_existing_attribute_key_values = merge([for item in {
for n in data.oci_security_attribute_security_attribute.these : "${n.security_attribute_namespace_name}.${n.security_attribute_name}" => {
for val in data.oci_security_attribute_security_attribute.these["${n.security_attribute_namespace_name}.${n.security_attribute_name}"].validator : "${n.security_attribute_namespace_name}.${n.name}" => {
type = val.validator_type
values = toset(val.values)
}
}
} : item]...)
}

#------------------------------
# ZPR namespaces data source
#------------------------------
data "oci_security_attribute_security_attribute_namespaces" "these" {
compartment_id = var.tenancy_ocid
compartment_id_in_subtree = true
count = length([for v in local.one_dimension_processed_vcns : v if try(v.security.zpr_attributes[0].attr_name, null) != null]) > 0 ? 1 : 0
lifecycle {
precondition {
condition = var.tenancy_ocid != null
error_message = "VALIDATION FAILURE: variable \"tenancy_ocid\" is required when applying security attribute to VCN."
}
}
compartment_id = var.tenancy_ocid
compartment_id_in_subtree = true
filter {
name = "state"
values = ["ACTIVE"]
}
}

#------------------------------
# ZPR attributes data source
#------------------------------
data "oci_security_attribute_security_attributes" "these" {
for_each = length(data.oci_security_attribute_security_attribute_namespaces.these) > 0 ? { for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : n.id => n.name } : {}
security_attribute_namespace_id = each.key
filter {
name = "state"
values = ["ACTIVE"]
}
}

## empty validator list from oci_security_attribute_security_attributes datasource - pull key value list elsewhere by attribute
data "oci_security_attribute_security_attribute" "these" {
for_each = local.zpr_existing_attribute_keys
security_attribute_name = each.value.attr_name
security_attribute_namespace_id = each.value.namespace_id
}

# OCI RESOURCE
resource "oci_core_vcn" "these" {
for_each = local.one_dimension_processed_vcns
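Review bot: once the `zpr_existing_namespaces`, `zpr_existing_attributes`, `zpr_existing_attribute_keys` and `zpr_existing_attribute_key_values` locals and the `oci_security_attribute_security_attributes` / `oci_security_attribute_security_attribute` data sources are gone, nothing remaining in this hunk references `data.oci_security_attribute_security_attribute_namespaces.these`. If that data source survives the change it is a dead tenancy-wide read (`compartment_id = var.tenancy_ocid`, `compartment_id_in_subtree = true`) that still requires `tenancy_ocid` and list permission on security attribute namespaces for every plan; either remove it along with the rest, or keep the `count` guard and the `tenancy_ocid != null` precondition so that configurations without `zpr_attributes` are not affected and those with it get the explicit VALIDATION FAILURE message instead of a null `compartment_id` error.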
@@ -204,20 +161,5 @@ resource "oci_core_vcn" "these" {
condition = try(each.value.security.zpr_attributes, null) != null ? length(toset([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}"])) == length([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}"]) : true
error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\": ZPR security attribute assigned more than once. \"security.zpr_attributes.namespace/security.zpr_attributes.attr_name\" pairs must be unique." : "__void__"
}
## VALIDATION ZPR attributes - check ZPR non-existing namespaces
precondition {
condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : a.namespace if contains(local.zpr_existing_namespaces, a.namespace)]) == length(each.value.security.zpr_attributes) : true
error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ZPR namespace(s) ${join(", ", [for a in each.value.security.zpr_attributes : "\"${a.namespace}\"" if !contains(local.zpr_existing_namespaces, a.namespace)])} is undefined in ZPR." : "__void__"
}
## VALIDATION ZPR attributes - check ZPR non-existing attribute keys
precondition {
condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}" if contains(local.zpr_existing_attributes, "${a.namespace}.${a.attr_name}")]) == length(each.value.security.zpr_attributes) : true
error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ${join(", ", [for a in each.value.security.zpr_attributes : "ZPR attribute \"${a.attr_name}\" is undefined in namespace \"${a.namespace}\"" if !contains(local.zpr_existing_attributes, "${a.namespace}.${a.attr_name}")])}." : "__void__"
}
## VALIDATION ZPR attributes - check ZPR non-existing value from attributes defined list of values
precondition {
condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : "${a.attr_value}" if contains(try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].values, []), "${a.attr_value}")]) == length([for a in each.value.security.zpr_attributes : "${a.attr_value}" if try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].type, []) == "ENUM"]) : true
error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ${join(", ", [for a in each.value.security.zpr_attributes : "ZPR attribute value \"${a.attr_value}\" is undefined. Value must exist in the pre-defined list of values for key \"${a.attr_name}\" in namespace \"${a.namespace}\"" if try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].type, []) == "ENUM" && !contains(try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].values, []), "${a.attr_value}")])}." : "__void__"
}
}
}
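Review bot: with the preconditions for undefined namespaces, undefined attribute keys and values outside an ENUM list removed, the only plan-time check left on `security.zpr_attributes` is the duplicate `namespace.attr_name` test above; a typo in `namespace`, `attr_name` or `attr_value` now surfaces only as an API error on `oci_core_vcn` at apply time, after any VCNs earlier in the `for_each` have already been created. Keep a cheap static check here that needs no data source (for example that `namespace`, `attr_name` and `attr_value` are non-empty strings), and note in the README's `zpr_attributes` section that existence of the namespace, key and value is verified by OCI on apply, not by the module.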

0 comments on commit 9e2bf72