From 9e2bf7227225bd371d21f9841b8e672f0ca3aed0 Mon Sep 17 00:00:00 2001 
From: Andre Correa Date: Tue, 5 Nov 2024 17:20:22 -0300 Subject: [PATCH] Release 0.7.1 (#43) * fix: compartments dependency fixed for LB * doc: updates * feat: release tracking * fix: default security list in subnets when VCN is injected * fix: doc enhancements for network_dependency usage * feat: dependencies strongly typed and examples * fix: ipv6cidr_block type fixed * fix: is_force_plain_text type rolled back * fix: network_dependency with all objects, doc updates * feat: NLB mvp module * removed references to cis * updated url * updated readme * updated readme * removed extra files * Release 0.6.5 * Release 0.6.5 * Release 0.6.6 * Release 0.6.7 * add vtap module * remove the root level vtap tf file * update the dependency description * Added non empty network_dependency check * add SPEC.md for vtap module * doc: Updated Readme * doc: Updated license file * doc: Added Security file * doc: Updated Contributing * chore: link references updated to existing repo * chore: release notes and version bump * fix: merge conflicts removed * Upgrade the Terraform Version to Atleast 1.3 * chore: release notes and release bump * feat: NFW policy upgrade - initial * fix: position attr removed * fix: public ip OCIDs added to output * network firewall policies refactoring * typo fix * provider version update * fix: added dependency DRGs to SGW route targets * fix: cross-connect group reference * feat: module tag updated to ocilz-terraform-module * chore: release notes and SPECs updated * doc: updates * fix networking firewall policies * still failing, security rules unable to find application and url lists * feat: standalone NFW example added * fix: application_lists (application_group resource type) added * doc: urls updated to new org * feat: provider version requirement removed * fix: example updated per new NFW interface * fix: template file updated per new NFW interface * add services and service lists * fix conflicts * feat: ability to inject an externally managed DNS 
private view into a managed DNS resolver * fix: example provider.tf updated * fix: DNS steering policies must refer to local.one_dimension_processed_vcns (issue 570) * update firewall example * fix service list service lookup * update SPEC.md * clean up * update readme and tfvars * update link * update README * doc: README.md file added to example * chore: release notes and version bump * chore: typo * add security zpr attributes to vcn * add validation check for duplicate zpr attributes * fixed zpr example in README.md * updated vision tfvars template file with security attribute example * updated SPEC.md * add validation check for security attribute * added default null value for tenancy_ocid var * modified validation check for security attributes * cleaned up code * edit of error msgs in zpr validation checks * add check for valid value in pre-defined list of values for zpr attribute key; fix typos * add data source oci_security_attribute_security_attribute * fix lookup of list of values by namespace.attr_value * adjust validation statement for existing values * fix typo in dns_enpoints output * chore: release notes and version update * chore: spec updated * added condition to sec attr namespace data block; only require tenancy ocid when zpr attributes are required * count condition change for data block security attr ns * change to count condition data block secattr ns * fix: removed ZPR validations that depend on existing namespaces * chore: release notes updated --------- Co-authored-by: Rory Nguyen Co-authored-by: Yupei Yang Co-authored-by: Pablo Alonso Co-authored-by: Josh Hammer Co-authored-by: vinaykumar-oci Co-authored-by: Erna Guerrero --- RELEASE-NOTES.md | 1 - vcns.tf | 64 +++--------------------------------------------- 2 files changed, 3 insertions(+), 62 deletions(-) diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index ac5eb92..335182a 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md 
@@ -2,7 +2,6 @@ ## Updates 1. ZPR (Zero Trust Packet Routing) security attributes can now be applied to VCNs. See *zpr_attributes* attribute under [Module Functioning](./README.md#functioning) for details. - - Provided ZPR namespaces, keys and values are checked at plan time for valid values. # September 20, 2024 Release Notes - 0.7.0 diff --git a/vcns.tf b/vcns.tf index 0f8ab7e..889643e 100644 --- a/vcns.tf +++ b/vcns.tf 
@@ -102,70 +102,27 @@ locals { ] ]) : flat_security.security_attr_key => flat_security } : null - - zpr_existing_namespaces = length(data.oci_security_attribute_security_attribute_namespaces.these) > 0 ? [for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : n.name] : [] - - zpr_existing_attributes = flatten([ - for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : [ - for a in data.oci_security_attribute_security_attributes.these[n.id].security_attributes : "${a.security_attribute_namespace_name}.${a.name}" - ] - ]) - - zpr_existing_attribute_keys = merge([for item in { - for n in data.oci_security_attribute_security_attributes.these : n.security_attribute_namespace_id => { - for a in data.oci_security_attribute_security_attributes.these[n.security_attribute_namespace_id].security_attributes : "${a.security_attribute_namespace_name}.${a.name}" => { - attr_name = a.name - namespace_id = a.security_attribute_namespace_id } - } - } : item]...) - - zpr_existing_attribute_key_values = merge([for item in { - for n in data.oci_security_attribute_security_attribute.these : "${n.security_attribute_namespace_name}.${n.security_attribute_name}" => { - for val in data.oci_security_attribute_security_attribute.these["${n.security_attribute_namespace_name}.${n.security_attribute_name}"].validator : "${n.security_attribute_namespace_name}.${n.name}" => { - type = val.validator_type - values = toset(val.values) - } - } - } : item]...) } #------------------------------ # ZPR namespaces data source #------------------------------ data "oci_security_attribute_security_attribute_namespaces" "these" { - compartment_id = var.tenancy_ocid - compartment_id_in_subtree = true + count = length([for v in local.one_dimension_processed_vcns : v if try(v.security.zpr_attributes[0].attr_name, null) != null]) > 0 ? 
1 : 0 lifecycle { precondition { condition = var.tenancy_ocid != null error_message = "VALIDATION FAILURE: variable \"tenancy_ocid\" is required when applying security attribute to VCN." } } + compartment_id = var.tenancy_ocid + compartment_id_in_subtree = true filter { name = "state" values = ["ACTIVE"] } } -#------------------------------ -# ZPR attributes data source -#------------------------------ -data "oci_security_attribute_security_attributes" "these" { - for_each = length(data.oci_security_attribute_security_attribute_namespaces.these) > 0 ? { for n in data.oci_security_attribute_security_attribute_namespaces.these.security_attribute_namespaces : n.id => n.name } : {} - security_attribute_namespace_id = each.key - filter { - name = "state" - values = ["ACTIVE"] - } -} - -## empty validator list from oci_security_attribute_security_attributes datasource - pull key value list elsewhere by attribute -data "oci_security_attribute_security_attribute" "these" { - for_each = local.zpr_existing_attribute_keys - security_attribute_name = each.value.attr_name - security_attribute_namespace_id = each.value.namespace_id -} - # OCI RESOURCE resource "oci_core_vcn" "these" { for_each = local.one_dimension_processed_vcns 
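Review bot: The `oci_security_attribute_security_attribute_namespaces.these` data source is kept, but nothing on the new side of this hunk reads it any more — the `zpr_existing_*` locals and the two attribute data sources that consumed it are deleted, so its only remaining effect is the `tenancy_ocid` precondition. Every plan that has ZPR attributes still performs a tenancy-wide listing (`compartment_id_in_subtree = true`), which presumably needs a tenancy-level read permission on security attribute namespaces plus a non-null `tenancy_ocid`, for a result that is discarded; unless `tenancy_ocid` is consumed elsewhere in the file, I would drop the data block and its precondition together, or keep it with a comment that makes the intent explicit: `# Retained only for the tenancy_ocid precondition; its result is no longer consumed since the ZPR existence validations were removed.` The new `count` condition also keys off `zpr_attributes[0].attr_name`, while the surviving VCN precondition keys off `zpr_attributes != null`; `if try(length(v.security.zpr_attributes), 0) > 0` would make the two agree and not depend on the first entry's shape. With the lookups gone, an unknown namespace, key or enum value is presumably rejected only by the API at apply time, as the release-notes hunk reflects. The `locals` block this hunk edits starts outside the hunk.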
@@ -204,20 +161,5 @@ resource "oci_core_vcn" "these" { condition = try(each.value.security.zpr_attributes, null) != null ? length(toset([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}"])) == length([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}"]) : true error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\": ZPR security attribute assigned more than once. \"security.zpr_attributes.namespace/security.zpr_attributes.attr_name\" pairs must be unique." : "__void__" } - ## VALIDATION ZPR attributes - check ZPR non-existing namespaces - precondition { - condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : a.namespace if contains(local.zpr_existing_namespaces, a.namespace)]) == length(each.value.security.zpr_attributes) : true - error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ZPR namespace(s) ${join(", ", [for a in each.value.security.zpr_attributes : "\"${a.namespace}\"" if !contains(local.zpr_existing_namespaces, a.namespace)])} is undefined in ZPR." : "__void__" - } - ## VALIDATION ZPR attributes - check ZPR non-existing attribute keys - precondition { - condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : "${a.namespace}.${a.attr_name}" if contains(local.zpr_existing_attributes, "${a.namespace}.${a.attr_name}")]) == length(each.value.security.zpr_attributes) : true - error_message = try(each.value.security.zpr_attributes, null) != null ? 
"VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ${join(", ", [for a in each.value.security.zpr_attributes : "ZPR attribute \"${a.attr_name}\" is undefined in namespace \"${a.namespace}\"" if !contains(local.zpr_existing_attributes, "${a.namespace}.${a.attr_name}")])}." : "__void__" - } - ## VALIDATION ZPR attributes - check ZPR non-existing value from attributes defined list of values - precondition { - condition = try(each.value.security.zpr_attributes, null) != null ? length([for a in each.value.security.zpr_attributes : "${a.attr_value}" if contains(try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].values, []), "${a.attr_value}")]) == length([for a in each.value.security.zpr_attributes : "${a.attr_value}" if try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].type, []) == "ENUM"]) : true - error_message = try(each.value.security.zpr_attributes, null) != null ? "VALIDATION FAILURE in VCN \"${each.key}\" for \"security.zpr-attributes\" attribute: ${join(", ", [for a in each.value.security.zpr_attributes : "ZPR attribute value \"${a.attr_value}\" is undefined. Value must exist in the pre-defined list of values for key \"${a.attr_name}\" in namespace \"${a.namespace}\"" if try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].type, []) == "ENUM" && !contains(try(local.zpr_existing_attribute_key_values["${a.namespace}.${a.attr_name}"].values, []), "${a.attr_value}")])}." : "__void__" - } } } \ No newline at end of file