Release 0.1.8 (#12)

* feat: oss module basics * Release 0.1.4 * doc: Updated Contributing * doc: Updated License file * doc: Updated Security File * doc: Updated Readme with help and security * doc: Cleaned up readme * chore: modules names updated * chore: release notes and version bump * feat: tf >= 1.3.0 required * chore: specs updated * chore: release notes and version bump * feat: secondary vnic info added to outputs * fix: is_pv_encryption_in_transit_enabled check fixed * fix: is_pv_encryption_in_transit_enabled check fixed (top level) * feat: module tag updated to ocilz-terraform-module * chore: release notes and SPECs updates * fix: markeplace images and custom images split * chore: object-storage folder removed * doc: doc updates and release notes * feat: input validations and default values added * fix: platform images and custom images support * feat: examples adjusted to new interface for images * chore: release notes updated * fix: custom images updated * doc: clarification on how to inform version attribute * feat: Fortigate example added * doc: updated * fix: support for the same custom image name in different instances * fix: marketplace_image.name and marketplace_image.version checks * chore: release notes date updated * feat: ZPR support added to Compute module. Existing example updated. * fix: Compute check 11 disabled * feat: release notes and version update --------- Signed-off-by: Andre Correa <andre.correa@oracle.com> Co-authored-by: Josh Hammer <josh.hammer@oracle.com>
oci-landing-zones · Dec 4, 2024 · 2a64e7f · 2a64e7f
1 parent b1027fa
commit 2a64e7f
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 12 deletions.
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,15 +1,23 @@
+# December 04, 2024 Release Notes - 0.1.8
+## Updates in [Compute module](./cis-compute-storage/)
+1. Support for ZPR (Zero Trust Packet Routing) attributes on Compute instances and secondary VNICs. See *zpr_attributes* attribute in [Compute module documentation](./cis-compute-storage/README.md#compute-1) for details.
+2. Disabled precondition check on platform images supported shapes when the platform image OCID is provided as the Compute image source.
+
+
 # October 14, 2024 Release Notes - 0.1.7
 ## Updates in [Compute module](./cis-compute-storage/)
 1. Marketplace images, platform images and custom images split for clarity in module interface. 
 2. Marketplace image's *publisher_name* attribute has been removed and *version* attribute has been introduced. See [Compute section](./README.md#compute) for usage guidance.
 3. Marketplace images configured with automatic Marketplace agreements.
 4. Module now validates whether provided shape is compatible with provided marketplace or platform image. 
 
+
 # August 28, 2024 Release Notes - 0.1.6
 ## Updates
 1. All modules now require Terraform binary equal or greater than 1.3.0.
 2. *cislz-terraform-module* tag renamed to *ocilz-terraform-module*.
 
+
 # July 25, 2024 Release Notes - 0.1.5
 ## Updates    
 1. Aligned README.md structure to Oracle's GitHub organizations requirements.

diff --git a/cis-compute-storage/README.md b/cis-compute-storage/README.md
@@ -161,7 +161,7 @@ The CIS Benchmark profile levels drive some aspects of Compute and Storage. In t
 ##### CIS profile level "2": 
   - encryption at rest with customer managed keys is enforced.
 
-### <a name="compute">Compute</a>
+### <a name="compute-1">Compute</a>
 
 Compute instances are managed using the **instances_configuration** variable. It contains a set of attributes starting with the prefix **default_** and one attribute named **instances**. The **default_** attribute values are applied to all instances within **instances**, unless overridden at the instance level.
 
@@ -232,12 +232,25 @@ The instances themselves are defined within the **instances** attribute, In Terr
     - **network_security_groups** &ndash; (Optional) List of network security groups the VNIC should be placed into.
     - **skip_source_dest_check** &ndash; (Optional) Whether the source/destination check is disabled on the VNIC. If true, the VNIC is able to forward the packet. Default is false.
     - **nic_index** &ndash; (Optional) The physical network interface card (NIC) the VNIC will use. Defaults to 0. Certain bare metal instance shapes have two active physical NICs (0 and 1).
+    - **security** &ndash; (Optional) Security settings for the VNIC, currently only for ZPR (Zero Trust Packet Routing) attributes.
+      - **zpr_attributes** &ndash; (Optional) List of objects representing ZPR attributes.
+        - **namespace** &ndash; (Optional) ZPR namespace. Default is *oracle-zpr*, a default namespace created by Oracle and available in all tenancies.
+        - **attr_name** &ndash; ZPR attribute name. It must exist in the specified namespace.
+        - **attr_value** &ndash; ZPR attribute value.
+        - **mode** &ndash; (Optional) ZPR mode. Default value is *enforce*.
     - **secondary_ips** &ndash; (Optional) Map of secondary private IP addresses for the VNIC.
       - **display_name** &ndash; (Optional) Secondary IP display name.
       - **hostname** &ndash; (Optional) Secondary IP host name.
       - **private_ip** &ndash; (Optional) Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
       - **defined_tags** &ndash; (Optional) Secondary IP defined_tags. default_defined_tags is used if undefined.
       - **freeform_tags** &ndash; (Optional) Secondary IP freeform_tags. default_freeform_tags is used if undefined.  
+- **security** &ndash; (Optional) Security settings for the instance, currently only for ZPR (Zero Trust Packet Routing) attributes.
+  - **apply_to_primary_vnic_only** &ndash; (Optional) Whether ZPR attributes are applied to the instance primary VNIC only. The default value is false, meaning ZPR attributes are applied to the instance itself (a.k.a. parent resource),thus inherited by all VNICs that are attached to the instance. Set this value to true to stop the inheritance, thus making ZPR attributes applied to the instance primary VNIC only.
+  - **zpr_attributes** &ndash; (Optional) List of objects representing ZPR attributes.
+    - **namespace** &ndash; (Optional) ZPR namespace. Default is *oracle-zpr*, a default namespace created by Oracle and available in all tenancies.
+    - **attr_name** &ndash; ZPR attribute name. It must exist in the specified namespace.
+    - **attr_value** &ndash; ZPR attribute value.
+    - **mode** &ndash; (Optional) ZPR mode. Default value is *enforce*.  
 - **encryption** &ndash; (Optional) Encryption settings. See section [In Transit Encryption](#in-transit-encryption) for important information.
   - **kms_key_id** &ndash; (Optional) The encryption key for boot volume encryption. *default_kms_key_id* is used if undefined. Required if *cis_level* or *default_cis_level* is "2".
   - **encrypt_in_transit_on_instance_create** &ndash; (Optional) Whether to enable in-transit encryption for the data volume's paravirtualized attachment. Default is false. Applicable during instance **creation** time only. Note that some platform images do not allow instances overriding the image configuration for in-transit encryption at instance creation time. In such cases, for enabling in-transit encryption, use *encrypt_in_transit_on_instance_update* attribute. First run ```terraform apply``` with it set to false, then run ```terraform apply``` again with it set to true.
@@ -342,7 +355,7 @@ The defined **default_** attributes are the following:
 - **default_defined_tags** &ndash; (Optional) The default defined tags for all storage units. It can be overridden by *defined_tags* attribute in each unit.
 - **default_freeform_tags** &ndash; (Optional) the default freeform tags for all storage units. It can be overridden by *freeform_tags* attribute in each unit.
 
-#### <a name="block-volumes">Block Volumes</a>
+#### <a name="block-volumes-1">Block Volumes</a>
 Block volumes are defined using the optional **block_volumes** attribute. In Terraform terms, it is a map of objects, where each object is referred by an identifying key. The following attributes are supported:
 - **compartment_id** &ndash; (Optional) The volume compartment. The *default_compartment_id* is used if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *compartments_dependency* variable. See [External Dependencies](#ext-dep) for details.
 - **cis_level** &ndash; (Optional) The CIS OCI Benchmark profile level to apply. The *default_cis_level* is used if undefined.
@@ -562,7 +575,7 @@ sdb                  8:16   0   60G  0 disk
 For more information on mounting block volumes without consistent device path see [Traditional fstab Options](https://docs.oracle.com/en-us/iaas/Content/Block/References/fstaboptions.htm#Traditional_fstab_Options).
 
 
-#### <a name="file-storage">File Storage</a>
+#### <a name="file-storage-1">File Storage</a>
 The **file_storage** attribute defines the file systems, mount targets and snapshot policies for OCI File Storage service. The optional attribute **default_subnet_id** applies to all mount targets, unless overridden by **subnet_id** attribute in each mount target. Attribute **subnet_id** is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
 
 ##### <a name="file-systems">File Systems</a>