Release 0.1.9 (#13)
* feat: oss module basics

* Release 0.1.4

* doc: Updated Contributing

* doc: Updated License file

* doc: Updated Security File

* doc: Updated Readme with help and security

* doc: Cleaned up readme

* chore: modules names updated

* chore: release notes and version bump

* feat: tf >= 1.3.0 required

* chore: specs updated

* chore: release notes and version bump

* feat: secondary vnic info added to outputs

* fix: is_pv_encryption_in_transit_enabled check fixed

* fix: is_pv_encryption_in_transit_enabled check fixed (top level)

* feat: module tag updated to ocilz-terraform-module

* chore: release notes and SPECs updates

* fix: marketplace images and custom images split

* chore: object-storage folder removed

* doc: doc updates and release notes

* feat: input validations and default values added

* fix: platform images and custom images support

* feat: examples adjusted to new interface for images

* chore: release notes updated

* fix: custom images updated

* doc: clarification on how to inform version attribute

* feat: Fortigate example added

* doc: updated

* fix: support for the same custom image name in different instances

* fix: marketplace_image.name and marketplace_image.version checks

* chore: release notes date updated

* Release 0.1.8

* fix: platform image lookup by name

* fix: cross-region replication and custom key encryption check removed

* feat: NSGs, hostname_label, defined_tags and freeform_tags added to file system mount targets

* chore: release notes and version increment

---------

Signed-off-by: Andre Correa <andre.correa@oracle.com>
Co-authored-by: Josh Hammer <josh.hammer@oracle.com>
andrecorreaneto and Halimer authored Jan 8, 2025
1 parent 2a64e7f commit 4827a74
Showing 10 changed files with 39 additions and 23 deletions.
7 changes: 7 additions & 0 deletions RELEASE-NOTES.md
@@ -1,3 +1,10 @@
# December 18, 2024 Release Notes - 0.1.9
## Updates in [Compute module](./cis-compute-storage/)
1. Compute: logic updated for platform images lookup by name.
2. Block Volumes: precondition check for cross region replication and encryption with customer managed key removed.
3. File Storage: following attributes were added to *mount_targets* attribute: *network_security_groups*, *hostname_label*, *defined_tags*, *freeform_tags*.


# December 04, 2024 Release Notes - 0.1.8
## Updates in [Compute module](./cis-compute-storage/)
1. Support for ZPR (Zero Trust Packet Routing) attributes on Compute instances and secondary VNICs. See *zpr_attributes* attribute in [Compute module documentation](./cis-compute-storage/README.md#compute-1) for details.
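Review bot: item 2 in the 0.1.9 notes records that the precondition covering cross-region replication together with a customer-managed key was removed, but not why or what a user should now expect. The 0.1.8 example README told readers that such volumes cannot be replicated, so anyone upgrading needs to know whether the combination is now supported or is simply no longer rejected at plan time by the module (and left to the service at apply time), whichever is accurate. Minor wording: "following attributes were added to *mount_targets* attribute" reads better as "the following attributes were added to the *mount_targets* attribute", and "cross region" should be hyphenated as it is elsewhere in the README.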
10 changes: 7 additions & 3 deletions cis-compute-storage/README.md
Expand Up @@ -215,7 +215,7 @@ The instances themselves are defined within the **instances** attribute, In Terr
- **hostname** &ndash; (Optional) The primary VNIC hostname.
- **assign_public_ip** &ndash; (Optional) Whether to assign the primary VNIC a public IP. Default is false.
- **subnet_id** &ndash; (Optional) The subnet where the primary VNIC is created. *default_subnet_id* is used if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **network_security_groups** &ndash; (Optional) List of network security groups the primary VNIC should be placed into. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **network_security_groups** &ndash; (Optional) List of network security groups the primary VNIC should be placed into. This attribute is overloaded. The list can contain literal Network Security Group OCIDs or references (keys) to Network Security Group OCIDs in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **skip_source_dest_check** &ndash; (Optional) Whether the source/destination check is disabled on the primary VNIC. If true, the VNIC is able to forward the packet. Default is false.
- **secondary_ips** &ndash; (Optional) Map of secondary private IP addresses for the primary VNIC.
- **display_name** &ndash; (Optional) Secondary IP display name.
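Review bot: the reworded **network_security_groups** entry now says the list may mix literal OCIDs and keys, but it does not say what happens when a key is not present in *network_dependency*; the **subnet_id** entry above it has the same gap. Since the resolution code indexes the dependency map directly, an unresolvable key produces a Terraform error rather than being passed through as-is, and one sentence saying so would save readers a confusing plan failure.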
Expand All @@ -228,8 +228,8 @@ The instances themselves are defined within the **instances** attribute, In Terr
- **private_ip** &ndash; (Optional) a private IP address of your choice to assign to the VNIC. If not provided, an IP address from the subnet is randomly chosen.
- **hostname** &ndash; (Optional) The VNIC hostname.
- **assign_public_ip**&ndash; (Optional) Whether to assign the VNIC a public IP. Defaults to whether the subnet is public or private.
- **subnet_id** &ndash; (Optional) The subnet where the VNIC is created. default_subnet_id is used if undefined.
- **network_security_groups** &ndash; (Optional) List of network security groups the VNIC should be placed into.
- **subnet_id** &ndash; (Optional) The subnet where the VNIC is created. default_subnet_id is used if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **network_security_groups** &ndash; (Optional) List of network security groups the VNIC should be placed into. This attribute is overloaded. The list can contain literal Network Security Group OCIDs or references (keys) to Network Security Group OCIDs in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **skip_source_dest_check** &ndash; (Optional) Whether the source/destination check is disabled on the VNIC. If true, the VNIC is able to forward the packet. Default is false.
- **nic_index** &ndash; (Optional) The physical network interface card (NIC) the VNIC will use. Defaults to 0. Certain bare metal instance shapes have two active physical NICs (0 and 1).
- **security** &ndash; (Optional) Security settings for the VNIC, currently only for ZPR (Zero Trust Packet Routing) attributes.
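Review bot: this hunk extends the overloaded OCID-or-key description to the secondary VNIC **subnet_id** and **network_security_groups**, but no corresponding change to secondary VNIC resolution logic is part of this commit (the compute.tf changes here touch only the platform-image locals). Confirm that compute.tf already resolves *network_dependency* keys for secondary VNICs; otherwise the documentation is ahead of the code.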
Expand Down Expand Up @@ -599,6 +599,8 @@ Mount targets are defined using the optional attribute **mount_targets**. A Terr
- **mount_target_name** &ndash; The mount target and export set name.
- **availability_domain** &ndash; (Optional) The mount target availability domain.
- **subnet_id** &ndash; (Optional) The mount target subnet. It defaults to *default_subnet_id* from *file_storage* if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **network_security_groups** &ndash; (Optional) List of network security groups the mount target should be placed into. This attribute is overloaded. The list can contain literal Network Security Group OCIDs or references (keys) to Network Security Group OCIDs in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
- **hostname_label** &ndash; (Optional) The hostname for the mount target's IP address, used for DNS resolution. The value is the hostname portion of the private IP address's fully qualified domain name (FQDN).
- **exports** &ndash; (Optional) List of exports, where each element refers to a file system, defined by *file_system_id* attribute. The following attributes are supported:
- **path** &ndash; Export path.
- **file_system_id** &ndash; The file system identifying key this mount target applies.
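Review bot: the new **hostname_label** entry should state that the value must be a valid DNS label (it is used for DNS resolution, so a value like the example's `mt-1` is what readers should copy, not a fully qualified name). Style: the README lists **network_security_groups** before **hostname_label** while variables.tf declares them in the opposite order; keep the two in the same order so the attribute lists are easy to compare.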
Expand All @@ -607,6 +609,8 @@ Mount targets are defined using the optional attribute **mount_targets**. A Terr
- **access** &ndash; (Optional) Type of access grants. Valid values (case sensitive): "READ_WRITE", "READ_ONLY". Default is "READ_ONLY".
- **identity** &ndash; (Optional) UID and GID remapped to. Valid values(case sensitive): ALL, ROOT, NONE. Default is "NONE".
- **use_port** &ndash; (Optional) Whether file system access is only allowed from a privileged source port. Default is true.
- **defined_tags** &ndash; (Optional) Mount target defined_tags. *storage_configuration*'s *default_defined_tags* is used if undefined.
- **freeform_tags** &ndash; (Optional) Mount target freeform_tags. *storage_configuration*'s *default_freeform_tags* is used if undefined.

##### <a name="snapshot-policies">Snapshot Policies</a>
Snapshot policies are defined using the optional attribute **snapshot_policies**. A Terraform map of objects, where each object is referred by an identifying key. The following attributes are supported:
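Review bot: the new **freeform_tags** line says *default_freeform_tags* is used if undefined, but file-storage.tf merges `local.cislz_module_tag` into whichever value wins, so the mount target always carries the module tag in addition to the user's tags; say so here (the **defined_tags** line is accurate as written, since no merge is applied there). Also, the unchanged context line documents the export option as **use_port**, whereas variables.tf and the example tfvars use `use_privileged_source_port`; that mismatch is worth fixing in the same README pass.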
2 changes: 1 addition & 1 deletion cis-compute-storage/SPEC.md

Large diffs are not rendered by default.

4 changes: 0 additions & 4 deletions cis-compute-storage/block-storage.tf
Expand Up @@ -27,10 +27,6 @@ resource "oci_core_volume" "these" {
condition = coalesce(each.value.cis_level,var.storage_configuration.default_cis_level,"1") == "2" ? (each.value.encryption != null ? (each.value.encryption.kms_key_id != null || var.storage_configuration.default_kms_key_id != null) : var.storage_configuration.default_kms_key_id != null) : true
error_message = "VALIDATION FAILURE (CIS Storage 4.1.2) in block volume \"${each.key}\": A customer managed key is required when CIS level is set to 2. Either \"encryption.kms_key_id\" or \"default_kms_key_id\" must be provided."
}
precondition {
condition = each.value.encryption != null ? (each.value.encryption.kms_key_id != null || var.storage_configuration.default_kms_key_id != null ? (each.value.replication != null ? split("-AD",split(":",data.oci_identity_availability_domains.bv_ads[each.key].availability_domains[each.value.availability_domain - 1].name)[1])[0] == split("-AD",split(":",data.oci_identity_availability_domains.bv_ads_replicas[each.key].availability_domains[each.value.replication.availability_domain - 1].name)[1])[0] : true) : true) : true
error_message = "VALIDATION FAILURE in block volume \"${each.key}\": cross-region replication not possible for volumes encrypted with a customer managed key. Either unset \"encryption.kms_key_id\"/\"default_kms_key_id\" or disable cross-region replication."
}
}
availability_domain = data.oci_identity_availability_domains.bv_ads[each.key].availability_domains[each.value.availability_domain - 1].name
compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : (length(regexall("^ocid1.*$", var.storage_configuration.default_compartment_id)) > 0 ? var.storage_configuration.default_compartment_id : var.compartments_dependency[var.storage_configuration.default_compartment_id].id)
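Review bot: removing this precondition is defensible because it did not enforce what its message claimed: the check was only evaluated when `each.value.encryption != null`, so a replicated volume that relied solely on `default_kms_key_id` passed it, while the error message told users to unset `default_kms_key_id`. The CIS 4.1.2 customer-managed-key check above it is unaffected. If the service now accepts replication of customer-managed-key volumes, nothing further is needed; if it still rejects the combination, users will now see the API error at apply time instead of a plan-time message, and the release notes should say which it is.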
6 changes: 3 additions & 3 deletions cis-compute-storage/compute.tf
Expand Up @@ -5,11 +5,11 @@
# Platform images data sources
#------------------------------
data "oci_core_images" "these_platform" {
count = local.deploy_platform_image ? 1 : 0
count = local.deploy_platform_image_by_name ? 1 : 0
lifecycle {
precondition {
condition = var.tenancy_ocid != null
error_message = "VALIDATION FAILURE: variable \"tenancy_ocid\" is required when deploying a Compute instance based on a platform image."
error_message = "VALIDATION FAILURE: variable \"tenancy_ocid\" is required when deploying a Compute instance based on a platform image name."
}
}
compartment_id = var.tenancy_ocid
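Review bot: narrowing the data source to `local.deploy_platform_image_by_name` is correct, since an image given by OCID needs no tenancy-wide listing and therefore no `tenancy_ocid`. Make sure every remaining reference to the old `local.deploy_platform_image` was updated (only the locals change is visible in this commit), and that nothing on the OCID path still requires `tenancy_ocid`, since the updated error message now mentions only lookup by name.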
Expand Down Expand Up @@ -64,7 +64,7 @@ locals {
# Platform images
#------------------------------

deploy_platform_image = var.instances_configuration != null ? length([for v in var.instances_configuration["instances"] : v if v.platform_image != null]) > 0 : false
deploy_platform_image_by_name = var.instances_configuration != null ? length([for v in var.instances_configuration["instances"] : v if try(v.platform_image.name,null) != null]) > 0 : false

platform_images = length(data.oci_core_images.these_platform) > 0 ? [
for i in data.oci_core_images.these_platform[0].images : {
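Review bot: `try(v.platform_image.name, null)` correctly guards against `platform_image` being null, which the old expression did not have to handle. Style: `length([for ... : v if ...]) > 0` could be written as `anytrue([for v in var.instances_configuration["instances"] : try(v.platform_image.name, null) != null])`, which reads as the boolean it is. Worth a comment here or in the README: a name-based lookup is resolved against the tenancy's current image list every time the data source is read, so the image an instance gets can change between runs unless the configuration pins an OCID.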
4 changes: 1 addition & 3 deletions cis-compute-storage/examples/storage-only/README.md
Expand Up @@ -18,11 +18,9 @@ For block volume BV-2:

**Note 1:** replicated block volumes are not destroyed upon *terraform destroy*. In order to destroy replicated block volumes, it is first necessary to manually terminate the replication.

**Note 2:** block volumes encrypted with a customer managed key cannot be replicated to another region.

For file system FS-1:
- The file system is encrypted with an Oracle-managed key (OCI default) as it does not define *encryption.kms_key_id* attribute and there's no applicable *default_kms_key_id* attribute.
- The file system is replicated to target file system specified by *replication.file_system_target_id* attribute. See [replica-file-system example](../replica-file-system/) for a replica file system configuration example.
- The file system is replicated to target file system specified by *replication.file_system_target_id* attribute. See [replica-file-system example](../replica-file-system/) for creating the required replica file system.
- The file system is backed up per policy defined by *snapshot_policy_id* attribute. The value is a pointer to the "SNAPSHOT-POLICY-1" policy defined within *snapshot_policies* attribute.
- The file system is exported per the settings defined by "EXP-1" export within "MT-1" mount target in *mount_targets* attribute. Note *file_system_id* attribute value is a pointer to "FS-1" file system.

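Review bot: deleting Note 2 removes the example's only statement about replicating a volume encrypted with a customer-managed key, and nothing replaces it. Because the module-level precondition is dropped in the same commit, the example should say what a reader should expect for a replicated, customer-managed-key-encrypted volume (accepted by the service, or rejected at apply time), otherwise the silence reads as an oversight rather than a deliberate change.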
Expand Up @@ -25,7 +25,7 @@ region = "<your tenancy region>" # The region name.
block_volumes_replication_region = "<REPLACE-BY-REPLICATION-REGION-NAME>"

storage_configuration = {
default_compartment_id = "<REPLACE-BY-COMPARTMENT-OCID>"
default_compartment_id = "<REPLACE-BY-COMPARTMENT-ID>"
block_volumes = {
BV-1 = {
display_name = "<REPLACE-BY-BLOCK-VOLUME-NAME>"
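Review bot: renaming the placeholders from `*-OCID` to `*-ID` matches the overloaded attributes, which accept either an OCID or a dependency-map key (block-storage.tf resolves `default_compartment_id` through `var.compartments_dependency` when it is not an OCID). A short comment next to `default_compartment_id` saying "OCID or key in compartments_dependency" would make the reason for the rename obvious to readers of the example.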
Expand All @@ -39,28 +39,28 @@ storage_configuration = {
display_name = "<REPLACE-BY-BLOCK-VOLUME-NAME>"
availability_domain = 1
encryption = {
kms_key_id = "<REPLACE-BY-KEY-OCID>"
kms_key_id = "<REPLACE-BY-KEY-ID>"
}
backup_policy = "silver"
}
}

file_storage = {
default_subnet_id = "<REPLACE-BY-SUBNET-OCID>"
default_subnet_id = "<REPLACE-BY-SUBNET-ID>"
file_systems = {
FS-1 = {
file_system_name = "<REPLACE-BY-FILE-SYSTEM-NAME>"
availability_domain = 1
replication = {
file_system_target_id = "<REPLACE-BY-TARGET-FILE-SYSTEM-OCID>"
file_system_target_id = "<REPLACE-BY-TARGET-FILE-SYSTEM-ID>"
}
snapshot_policy_id = "SNAPSHOT-POLICY-1"
}
FS-2 = {
cis_level = "2"
file_system_name = <REPLACE-BY-FILE-SYSTEM-NAME>"
availability_domain = 2
kms_key_id = "<REPLACE-BY-KEY-OCID>"
availability_domain = 1
kms_key_id = "<REPLACE-BY-KEY-ID>"
snapshot_policy_id = "SNAPSHOT-POLICY-1"
}
}
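Review bot: the unchanged context line `file_system_name = <REPLACE-BY-FILE-SYSTEM-NAME>"` in FS-2 is missing its opening quote, which makes the example file unparsable; since this hunk already touches FS-2 (`availability_domain` 2 to 1 and the `kms_key_id` placeholder), fix it here. The availability domain change for FS-2 is not mentioned in the example README; if it was made so that both file systems and the mount target share one availability domain, a one-line comment would explain it.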
Expand All @@ -73,18 +73,21 @@ storage_configuration = {
file_system_id = "FS-1"
options = [
{source = "0.0.0.0/0", access = "READ_ONLY", identity = "NONE", use_privileged_source_port = true},
{source = "<REPLACE-BY-IP_ADDRESS>", access = "READ_WRITE", identity = "ROOT", use_privileged_source_port = true}
{source = "<REPLACE-BY-IP-ADDRESS>", access = "READ_WRITE", identity = "ROOT", use_privileged_source_port = true}
]
},
{
path = "/another_export_path"
file_system_id = "FS-2"
options = [
{source = "0.0.0.0/0", access = "READ_ONLY", identity = "NONE", use_privileged_source_port = true},
{source = "<REPLACE-BY-IP_ADDRESS>", access = "READ_WRITE", identity = "ROOT", use_privileged_source_port = true}
{source = "<REPLACE-BY-IP-ADDRESS>", access = "READ_WRITE", identity = "ROOT", use_privileged_source_port = true}
]
}
]
network_security_groups = ["<REPLACE-BY-NETWORK-SECURITY-GROUP-ID"]
hostname_label = "mt-1"
freeform_tags = {"sample-tag":"sample-value"}
}
}
snapshot_policies = {
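Review bot: the new `network_security_groups = ["<REPLACE-BY-NETWORK-SECURITY-GROUP-ID"]` placeholder is missing its closing `>`; it should read `"<REPLACE-BY-NETWORK-SECURITY-GROUP-ID>"` to match the other placeholders. Separately, both exports in this example still grant READ_ONLY access from `0.0.0.0/0`. Now that the example attaches an NSG to the mount target, a comment should say that the NSG rules, not the export source, are what actually bound reachability, and that the any-source entry is illustrative; an example file is what people copy into production.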
4 changes: 4 additions & 0 deletions cis-compute-storage/file-storage.tf
Expand Up @@ -41,6 +41,10 @@ resource "oci_file_storage_mount_target" "these" {
availability_domain = data.oci_identity_availability_domains.mt_ads[each.key].availability_domains[each.value.availability_domain - 1].name
display_name = each.value.mount_target_name
subnet_id = each.value.subnet_id != null ? (length(regexall("^ocid1.*$", each.value.subnet_id)) > 0 ? each.value.subnet_id : var.network_dependency["subnets"][each.value.subnet_id].id) : (length(regexall("^ocid1.*$", var.storage_configuration.file_storage.default_subnet_id)) > 0 ? var.storage_configuration.file_storage.default_subnet_id : var.network_dependency["subnets"][var.storage_configuration.file_storage.default_subnet_id].id)
hostname_label = each.value.hostname_label
nsg_ids = [for nsg in coalesce(each.value.network_security_groups,[]) : (length(regexall("^ocid1.*$", nsg)) > 0 ? nsg : var.network_dependency["network_security_groups"][nsg].id)]
defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.storage_configuration.default_defined_tags
freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.storage_configuration.default_freeform_tags)
}


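Review bot: `nsg_ids` indexes `var.network_dependency["network_security_groups"][nsg]` directly, so a misspelled key surfaces as a generic invalid-index error rather than a `VALIDATION FAILURE ...` message like the other checks in this module; consider a lifecycle precondition that every non-OCID entry exists in the dependency map. Style: `coalesce(each.value.network_security_groups, [])` works, but `coalesce` is documented in terms of null and empty strings; `each.value.network_security_groups != null ? each.value.network_security_groups : []` states the intent directly. Note also the asymmetry with `defined_tags`: `freeform_tags` always merges `local.cislz_module_tag`, which appears intended but means a user cannot fully override freeform tags, and the README should say so.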
4 changes: 4 additions & 0 deletions cis-compute-storage/variables.tf
Expand Up @@ -192,6 +192,8 @@ variable "storage_configuration" {
mount_target_name = string # the mount target and export set name.
availability_domain = optional(number,1) # the mount target availability domain.
subnet_id = optional(string) # the mount target subnet. default_subnet_id is used if this is not defined.
hostname_label = optional(string) # the hostname for the mount target's IP address, used for DNS resolution. The value is the hostname portion of the private IP address's fully qualified domain name (FQDN).
network_security_groups = optional(list(string)) # the Network Security Groups for the mount target
exports = optional(list(object({
path = string # export path. For example: /foo
file_system_id = string # the file system identifying key the export applies to. It must be one of the keys in file_systems map of objects.
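Review bot: the `network_security_groups` comment should say, as the README now does, that entries may be either NSG OCIDs or keys in `network_dependency`; the `subnet_id` comment above has the same omission, and this type declaration is what most users read while writing tfvars. The comment also lacks a terminating period, unlike its neighbours.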
Expand All @@ -202,6 +204,8 @@ variable "storage_configuration" {
use_privileged_source_port = optional(bool, true) # If true, accessing the file system through this export must connect from a privileged source port.
})))
})))
defined_tags = optional(map(string)) # mount target defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # mount target freeform_tags. default_freeform_tags is used if this is not defined.
})))
snapshot_policies = optional(map(object({
name = string
2 changes: 1 addition & 1 deletion release.txt
@@ -1 +1 @@
0.1.8
0.1.9
