Release 0.7.0 (#39)

* fix: compartments dependency fixed for LB

* doc: updates

* feat: release tracking

* fix: default security list in subnets when VCN is injected

* fix: doc enhancements for network_dependency usage

* feat: dependencies strongly typed and examples

* fix: ipv6cidr_block type fixed

* fix: is_force_plain_text type rolled back

* fix: network_dependency with all objects, doc updates

* feat: NLB mvp module

* removed references to cis

* updated url

* updated readme

* updated readme

* removed extra files

* Release 0.6.5

* Release 0.6.5

* Release 0.6.6

* Release 0.6.7

* add vtap module

* remove the root level vtap tf file

* update the dependency description

* Added non empty network_dependency check

* add SPEC.md for vtap module

* doc: Updated Readme

* doc: Updated license file

* doc: Added Security file

* doc: Updated Contributing

* chore: link references updated to existing repo

* chore: release notes and version bump

* fix: merge conflicts removed

* Upgrade the Terraform Version to Atleast 1.3

* chore: release notes and release bump

* feat: NFW policy upgrade - initial

* fix: position attr removed

* fix: public ip OCIDs added to output

* network firewall policies refactoring

* typo fix

* provider version update

* fix: added dependency DRGs to SGW route targets

* fix: cross-connect group reference

* feat: module tag updated to ocilz-terraform-module

* chore: release notes and SPECs updated

* doc: updates

* fix networking firewall policies

* still failing, security rules unable to find application and url lists

* feat: standalone NFW example added

* fix: application_lists (application_group resource type) added

* doc: urls updated to new org

* feat: provider version requirement removed

* fix: example updated per new NFW interface

* fix: template file updated per new NFW interface

* add services and service lists

* fix conflicts

* feat: ability to inject an externally managed DNS private view into a managed DNS resolver

* fix: example provider.tf updated

* fix: DNS steering policies must refer to local.one_dimension_processed_vcns (issue 570)

* update firewall example

* fix service list service lookup

* update SPEC.md

* clean up

* update readme and tfvars

* update link

* update README

* doc: README.md file added to example

* chore: release notes and version bump

* chore: typo

---------

Co-authored-by: Rory Nguyen <rory.nguyen@oracle.com>
Co-authored-by: Yupei Yang <yupei.yang@oracle.com>
Co-authored-by: Pablo Alonso <pablo.alonso@oracle.com>
Co-authored-by: Josh Hammer <josh.hammer@oracle.com>
Co-authored-by: vinaykumar-oci <er.vinayk@gmail.com>

README.md

@@ -40,12 +40,12 @@ The separation of code and configuration supports DevOps key concepts for operat
 This repository is part of a broader collection of repositories containing modules that help customers align their OCI implementations with the CIS OCI Foundations Benchmark recommendations:
 <br />
 
-- [Identity & Access Management ](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam)
-- [Networking](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking) - current repository
-- [Governance](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-governance)
-- [Security](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-security)
-- [Observability & Monitoring](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-observability)
-- [Secure Workloads](https://github.com/oracle-quickstart/terraform-oci-secure-workloads)
+- [Identity & Access Management ](https://github.com/oci-landing-zones/terraform-oci-modules-iam)
+- [Networking](https://github.com/oci-landing-zones/terraform-oci-modules-networking) - current repository
+- [Governance](https://github.com/oci-landing-zones/terraform-oci-modules-governance)
+- [Security](https://github.com/github.com/oci-landing-zones/terraform-oci-modules-security)
+- [Observability & Monitoring](https://github.com/oci-landing-zones/terraform-oci-modules-observability)
+- [Secure Workloads](https://github.com/oci-landing-zones/terraform-oci-modules-workloads)
 
 The modules in this collection are designed for flexibility, are straightforward to use, and enforce CIS OCI Foundations Benchmark recommendations when possible.
 <br />
@@ -83,32 +83,30 @@ module "terraform-oci-landing-zones-networking" {
 
 For invoking the module remotely, set the module *source* attribute to the networking module repository, as shown:
 ```
-module "terraform-oci-cis-landing-zone-networking" {
-  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking"
+module "terraform-oci-landing-zone-networking" {
+  source = "github.com/oci-landing-zones/terraform-oci-modules-networking"
   network_configuration = var.network_configuration
 }
 ```
 For referring to a specific module version, append *ref=\<version\>* to the *source* attribute value, as in:
 ```
-  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking?ref=v0.1.0"
+  source = "github.com/oci-landing-zones/terraform-oci-modules-networking?ref=v0.1.0"
 ```
 
 ### <a name="with-orm">Using the Module with Resource Manager
 
 For an ad-hoc use where you can select your resources, follow these guidelines:
-1. [![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking/archive/refs/heads/main.zip)
+1. [![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oci-landing-zones/terraform-oci-modules-networking/archive/refs/heads/main.zip)
 2. Accept terms,  wait for the configuration to load. 
 3. Set the working directory to “orm-facade”. 
 4. Set the stack name you prefer.
-5. Set the terraform version to 1.2.x. Click Next. 
-6. Add your json/yaml configuration files. Click Next.
-8. Un-check run apply. Click Create.
+5. Add your JSON/YAML configuration files. Click Next.
+6. Un-check run apply. Click Create.
 
 ## <a name="functioning">Module Functioning
 
 The input parameters for the module can be divided into two categories, for which we recommend to create two different ```*.tfvars.*``` files:
-The input parameters for the module can be divided into two categories, for which we recommend to create two different ```*.tfvars.*``` files:
- 1. OCI REST API authentication information (secrets) - ```terraform.tfvars``` (HCL) or ```terraform.tfvars.json``` (JSON):
+1. OCI REST API authentication information (secrets) - ```terraform.tfvars``` (HCL) or ```terraform.tfvars.json``` (JSON):
     - ```tenancy_ocid```
     - ```user_ocid```
     - ```fingerprint```
@@ -283,7 +281,7 @@ Attributes that support a compartment referring key:
   - *compartment_id*
 
 #### network_dependency (Optional)
-A map of map of objects containing the externally managed network resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *network_dependency* map. Contents of *network_dependency* is typically the output of a client of this module. Within *network_dependency*, VCNs must be indexed with the **vcns** key, DRGs indexed with the **dynamic_routing_gateways** key, DRG attachments indexed with **drg_attachments** key, Local Peering Gateways (LPG) indexed with **local_peering_gateways**, Remote Peering Connections (RPC) indexed with **remote_peering_connections** key. Each VCN, DRG, DRG attachment, LPG and RPC must contain the *id* attribute (to which the actual OCID is assigned). RPCs must also pass the peer region name in the *region_name* attribute.
+A map of map of objects containing the externally managed network resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *network_dependency* map. Contents of *network_dependency* is typically the output of a client of this module. Within *network_dependency*, VCNs must be indexed with the **vcns** key, DRGs indexed with the **dynamic_routing_gateways** key, DRG attachments indexed with **drg_attachments** key, Local Peering Gateways (LPG) indexed with **local_peering_gateways**, Remote Peering Connections (RPC) indexed with **remote_peering_connections** key, DNS Private Views indexed by **dns_private_views**. Each VCN, DRG, DRG attachment, LPG, RPC and DNS Private View must contain the *id* attribute (to which the actual OCID is assigned). RPCs must also pass the peer region name in the *region_name* attribute.
 
 *network_dependency* example:
 ```
@@ -314,9 +312,14 @@ A map of map of objects containing the externally managed network resources this
       "region_name" : "us-ashburn-1"
     }
   }  
+  "dns_private_views" : {  
+    "XYZ-DNS-VIEW" : {
+      "id" : "ocid1.dnsview.oc1.phx.aaaaaaaa...nhq",
+    }
+  }
 } 
 ```
-**Note**: **vcns**, **dynamic_routing_gateways**, **drg_attachments**, **local_peering_gateways**, and **remote_peering_connections** attributes are all optional. They only become mandatory if the *network_configuration* refers to one of these resources through a referring key. Below are the attributes where a referring key is supported:
+**Note**: **vcns**, **dynamic_routing_gateways**, **drg_attachments**, **local_peering_gateways**, **remote_peering_connections** and **dns_private_views** attributes are all optional. They only become mandatory if the *network_configuration* refers to one of these resources through a referring key. Below are the attributes where a referring key is supported:
 
 *network_dependency* attribute | Attribute names in *network_configuration* where the referring key can be utilized
 --------------|-------------
@@ -325,6 +328,7 @@ A map of map of objects containing the externally managed network resources this
 **drg_attachments** | *drg_attachment_key*
 **local_peering_gateways** | *peer_key* in *local_peering_gateways*
 **remote_peering_connections** | *peer_key* in *remote_peering_connections*
+**dns_private_views** | *existing_view_id* in *dns_resolver's* *attached_views*.
 
 #### private_ips_dependency (Optional)
 A map of map of objects containing the externally managed private IP resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *private_ips_dependency* map. Each private IP must contain the **"id"** attribute (to which the actual OCID is assigned), as in the example below:
@@ -379,9 +383,6 @@ See [external-dependency example](./examples/external-dependency/) for a functio
    - [IPSec VPN Examples](examples/edge-connectivity/ipsec-examples/)
       - [Generic OCI IPSec BGP VPN](examples/edge-connectivity/ipsec-examples/generic-OCI-ipsec-bgp-vpn/)    
 - [Local Peering Gateways](examples/local-peering-gateways/)     
-- [Remote Peering Connections](examples/remote-peering-connections/)  
-      - [Generic OCI IPSec BGP VPN](examples/edge-connectivity/ipsec-examples/generic-OCI-ipsec-bgp-vpn/)    
-- [Local Peering Gateways](examples/local-peering-gateways/)     
 - [Remote Peering Connections](examples/remote-peering-connections/)  
 
 ## <a name="related">Related Documentation

RELEASE-NOTES.md

@@ -1,3 +1,9 @@
+# September 20, 2024 Release Notes - 0.7.0
+
+## Updates
+1. OCI Network Firewall refactored according to updates post Terraform OCI Provider 5.16.0 release. See [oci-network-firewall example](./examples/oci-network-firewall/).
+2. Ability to inject externally managed existing private DNS views into managed DNS resolvers. See [dns-view-injection example](./examples/dns-view-injection/).
+
 # August 28, 2024 Release Notes - 0.6.9
 
 ## Updates

dns.tf

@@ -77,8 +77,7 @@ locals {
           display_name   = view_value.display_name
           defined_tags   = view_value.defined_tags
           freeform_tags  = view_value.freeform_tags
-        }
-
+        } if view_value.existing_view_id == null
       ] : [] : []
     ]) : flat_attached_views.view_key => flat_attached_views
   } : {}
@@ -101,6 +100,7 @@ locals {
             external_downstreams = zone_value.external_downstreams != null ? zone_value.external_downstreams : []
             external_masters     = zone_value.external_masters != null ? zone_value.external_masters : []
             zone_type            = zone_value.zone_type
+            view_id              = view_value.existing_view_id
           }
         ] : []
       ] : [] : []
@@ -109,7 +109,7 @@ locals {
 
   one_dimension_dns_steering_policies = local.one_dimension_processed_vcns != null ? {
     for flat_dns_steering_policies in flatten([
-      for vcn_key, vcn_value in local.one_dimension_processed_existing_vcns :
+      for vcn_key, vcn_value in local.one_dimension_processed_vcns :
       vcn_value.dns_resolver != null ? vcn_value.dns_resolver.attached_views != null ? [
         for view_key, view_value in vcn_value.dns_resolver.attached_views :
         view_value.dns_zones != null ? [
@@ -169,13 +169,11 @@ data "oci_core_vcn_dns_resolver_association" "dns_resolvers" {
 
 resource "oci_dns_view" "these" {
   for_each = local.one_dimension_dns_views
-
-  compartment_id = each.value.compartment_id
-
-  display_name  = each.value.display_name
-  scope         = "PRIVATE"
-  defined_tags  = each.value.defined_tags
-  freeform_tags = each.value.freeform_tags
+    compartment_id = each.value.compartment_id
+    display_name  = each.value.display_name
+    scope         = "PRIVATE"
+    defined_tags  = each.value.defined_tags
+    freeform_tags = each.value.freeform_tags
 }
 
 
@@ -186,7 +184,7 @@ resource "oci_dns_zone" "these" {
   scope          = each.value.scope
   zone_type      = each.value.zone_type
 
-  view_id = each.value.view_key != null ? oci_dns_view.these[each.value.view_key].id : null
+  view_id = each.value.view_key != null ? (contains(keys(oci_dns_view.these),each.value.view_key) ? oci_dns_view.these[each.value.view_key].id : (length(regexall("^ocid1.*$", each.value.view_id)) > 0 ? each.value.view_id : var.network_dependency["dns_private_views"][each.value.view_id].id)) : null
 
   dynamic "external_downstreams" {
     for_each = each.value.external_downstreams
@@ -274,7 +272,7 @@ resource "oci_dns_resolver" "these" {
     for_each = each.value.attached_views
     iterator = views
     content {
-      view_id = oci_dns_view.these[views.key].id
+      view_id = views.key != null ? (contains(keys(oci_dns_view.these),views.key) ? oci_dns_view.these[views.key].id : (length(regexall("^ocid1.*$", views.value.existing_view_id)) > 0 ? views.value.existing_view_id : var.network_dependency["dns_private_views"][views.value.existing_view_id].id)) : null
     }
   }
   defined_tags  = each.value.defined_tags

examples/TransitRouting-DRGHub-NFW/main.tf

@@ -9,7 +9,6 @@
 
 module "terraform_oci_networking" {
   source = "../../"
-
   network_configuration = var.network_configuration
 }
 

examples/TransitRouting-DRGHub-NFW/network_configuration.auto.tfvars

@@ -8,7 +8,7 @@
 # ####################################################################################################### #
 
 network_configuration = {
-  default_compartment_id = "ocid1.compartment.oc1....."
+  default_compartment_id    = "ocid1.compartment.oc1....."
   default_freeform_tags = {
     "vision-environment" = "vision"
   }
@@ -300,81 +300,61 @@ network_configuration = {
               display_name                = "hub_nfw"
               subnet_key                  = "SUBNET-H-KEY"
               ipv4address                 = "10.0.0.10"
-              network_firewall_policy_key = "HUB-NFW-POLICY-KEY"
+              network_firewall_policy_key = "HUB-NFW-POLICY"
             }
           }
           network_firewall_policies = {
-            HUB-NFW-POLICY-KEY = {
-              display_name = "hub_nfw_policy"
+            HUB-NFW-POLICY = {
+              display_name = "hubnfw-policy"
+              applications = {
+                HUBNFW-APP-1 = {
+                  name      = "hubnfw-app-1"
+                  type      = "ICMP"
+                  icmp_type = "128"
+                }
+              }
               application_lists = {
-                hubnfw_app_list_1 = {
-                  application_list_name = "hubnfw_app_list_1"
-                  application_values = {
-                    hubnfw_app_list_1_1 = {
-                      type         = "TCP"
-                      minimum_port = 80
-                      maximum_port = 8080
-                    }
-                  }
+                HUBNFW-APP-LIST = {
+                  name = "hubnfw-app-list"
+                  applications = ["HUBNFW-APP-1"]
                 }
               }
-
-              ip_address_lists = {
-                hubnfw_ip_list = {
-                  ip_address_list_name  = "hubnfw_ip_list"
-                  ip_address_list_value = ["10.0.0.1"]
+              address_lists = {
+                HUBNFW-IP-LIST = {
+                  name      = "hubnfw-ip-list"
+                  addresses = ["10.0.0.1"]
+                  type      = "IP"
                 }
               }
-              security_rules = {
-                SecurityRuleA = {
-                  action = "ALLOW"
-                  name   = "SecurityRuleA"
-                  conditions = {
-                    prd_cond1_A = {
-                      applications = []
-                      destinations = ["hubnfw_ip_list"]
-                      sources      = []
-                      urls         = ["hubnfw_policy_url_1"]
-                    }
-                  }
+              url_lists = {
+                HUBNFW-URL-1 = {
+                  name    = "hubnfw-url-1",
+                  type    = "SIMPLE"
+                  pattern = "www.oracle.com"
                 }
-
-                SecurityRuleB = {
-                  action     = "INSPECT"
-                  inspection = "INTRUSION_DETECTION"
-                  name       = "SecurityRuleB"
-                  conditions = {
-                    prd_cond1_B = {
-                      applications = ["hubnfw_app_list_1"]
-                      destinations = []
-                      sources      = ["hubnfw_ip_list"]
-                      urls         = ["hubnfw_policy_url_1"]
-                    }
-                  }
+                HUBNFW-URL-2 = {
+                  name    = "hubnfw-url-2",
+                  type    = "SIMPLE"
+                  pattern = "www.google.com"
                 }
               }
-              url_lists = {
-                hubnfw_policy_url_1 = {
-                  url_list_name = "hubnfw_policy_url_1",
-                  url_list_values = {
-                    hubnfw_policy_url_1_1 = {
-                      type    = "SIMPLE"
-                      pattern = "www.oracle.com"
-                    }
-                    hubnfw_policy_url_1_2 = {
-                      type    = "SIMPLE"
-                      pattern = "www.google.com"
-                    }
-                  }
+              security_rules = {
+                SECURITY-RULE-A = {
+                  action              = "ALLOW"
+                  name                = "security-rule-a"
+                  application_lists         = []
+                  destination_address_lists = ["HUBNFW-IP-LIST"]
+                  source_address_lists      = []
+                  url_lists                 = ["HUBNFW-URL-1"]
                 }
-                hubnfw_policy_url_2 = {
-                  url_list_name = "hubnfw_policy_url_2",
-                  url_list_values = {
-                    hubnfw_policy_url_2_1 = {
-                      type    = "SIMPLE"
-                      pattern = "www.facebook.com"
-                    }
-                  }
+                SECURITY-RULE-B = {
+                  action              = "INSPECT"
+                  inspection          = "INTRUSION_DETECTION"
+                  name                = "security-rule-b"
+                  application         = ["HUBNFW-APP-LIST"]
+                  destination_address = []
+                  source_address      = ["HUBNFW-IP-LIST"]
+                  url_lists           = ["HUBNFW-URL-2"]
                 }
               }
             }

examples/TransitRouting-DRGHub-NFW/provider.tf

@@ -21,9 +21,7 @@ terraform {
 
   required_providers {
     oci = {
-      source                = "oracle/oci"
-      version               = "<= 5.16.0"
-      configuration_aliases = [oci]
+      source = "oracle/oci"
     }
   }
 }