Release 0.1.6 (#9)

* Release 0.1.4 * doc: Updated Contributing * doc: Updated License file * doc: Updated Security File * doc: Updated Readme with help and security * doc: Cleaned up readme * chore: modules names updated * chore: release notes and version bump * feat: tf >= 1.3.0 required * chore: specs updated * chore: release notes and version bump * feat: secondary vnic info added to outputs * fix: is_pv_encryption_in_transit_enabled check fixed * fix: is_pv_encryption_in_transit_enabled check fixed (top level) * feat: module tag updated to ocilz-terraform-module * chore: release notes and SPECs updates --------- Signed-off-by: Andre Correa <andre.correa@oracle.com> Co-authored-by: Josh Hammer <josh.hammer@oracle.com>
oci-landing-zones · Aug 28, 2024 · ed821fe · ed821fe
1 parent 13c883a
commit ed821fe
Show file tree

Hide file tree

Showing 14 changed files with 98 additions and 29 deletions.
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,3 +1,8 @@
+# August 28, 2024 Release Notes - 0.1.6
+## Updates
+1. All modules now require Terraform binary equal or greater than 1.3.0.
+2. *cislz-terraform-module* tag renamed to *ocilz-terraform-module*.
+
 # July 25, 2024 Release Notes - 0.1.5
 ## Updates    
 1. Aligned README.md structure to Oracle's GitHub organizations requirements.

diff --git a/cis-compute-storage/README.md b/cis-compute-storage/README.md
@@ -55,6 +55,10 @@ The following security features are currently supported by the module:
 - Deployment of cluster networks and compute clusters.
 
 ## <a name="requirements">Requirements</a>
+### Terraform Version >= 1.3.0
+
+This module requires Terraform binary version 1.3.0 or greater, as it relies on Optional Object Type Attributes feature. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+
 ### IAM Permissions
 
 This module requires the following OCI IAM permissions in the compartments where instances, block volumes, and file systems are defined. 
@@ -99,9 +103,38 @@ Allow group <GROUP-NAME> to read keys in compartment <ENCRYPTION-KEYS-COMPARTMEN
 Allow group <GROUP-NAME> to use key-delegate in compartment <ENCRYPTION-KEYS-COMPARTMENT-NAME>
 ```
 
-### Terraform Version > 1.3.x
+## <a name="invoke">How to Invoke the Module</a>
+
+Terraform modules can be invoked locally or remotely. 
 
-This module relies on [Terraform Optional Object Type Attributes feature](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes), which has been promoted and no longer experimental in versions greater than 1.3.x. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+For invoking the module locally, just set the module *source* attribute to the module file path (relative path works). The following example assumes the module is two folders up in the file system.
+```
+module "compute" {
+  source = "../.."
+  providers = {
+    oci = oci
+    oci.block_volumes_replication_region = oci.block_volumes_replication_region
+  }
+  instances_configuration = var.instances_configuration
+  storage_configuration   = var.storage_configuration
+}
+```
+For invoking the module remotely, set the module *source* attribute to the *cis-compute-storage* module folder in this repository, as shown:
+```
+module "compute" {
+  source = "github.com/oracle-quickstart/terraform-oci-secure-workloads/cis-compute-storage"
+  providers = {
+    oci = oci
+    oci.block_volumes_replication_region = oci.block_volumes_replication_region
+  }
+  instances_configuration = var.instances_configuration
+  storage_configuration   = var.storage_configuration
+}
+```
+For referring to a specific module version, add an extra slash before the folder name and append *ref=\<version\>* to the *source* attribute value, as in:
+```
+  source = "github.com/oracle-quickstart/terraform-oci-secure-workloads//cis-compute-storage?ref=v0.1.0"
+```
 
 ## <a name="invoke">How to Invoke the Module</a>
 

diff --git a/cis-compute-storage/SPEC.md b/cis-compute-storage/SPEC.md
diff --git a/cis-compute-storage/compute.tf b/cis-compute-storage/compute.tf
@@ -108,7 +108,7 @@ resource "oci_core_instance" "these" {
     defined_tags         = each.value.defined_tags != null ? each.value.defined_tags : var.instances_configuration.default_defined_tags
     freeform_tags        = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.instances_configuration.default_freeform_tags)
     # some images don't allow encrypt in transit
-    is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") >= "1" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_create : null)
+    is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_create : null)
     create_vnic_details {
       private_ip       = each.value.networking != null ? each.value.networking.private_ip : null
       assign_public_ip = each.value.networking != null ? coalesce(each.value.networking.assign_public_ip,false) : false
@@ -128,7 +128,7 @@ resource "oci_core_instance" "these" {
       firmware = each.value.boot_volume != null ? (each.value.boot_volume.firmware != null ? upper(each.value.boot_volume.firmware) : null) : null
       network_type = each.value.networking != null ? upper(each.value.networking.type) : "PARAVIRTUALIZED"
       remote_data_volume_type = upper(each.value.volumes_emulation_type)
-      is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") >= "1" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_update : null)
+      is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_update : null)
     }
     dynamic "platform_config" {
       for_each = each.value.platform_type != null || coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? [1] : []
@@ -284,6 +284,11 @@ resource "oci_core_vnic_attachment" "these" {
     }
 }
 
+data "oci_core_vnic" "these" {
+  for_each = oci_core_vnic_attachment.these
+    vnic_id = each.value.vnic_id
+}
+
 resource "oci_core_private_ip" "these" {
   for_each = { for v in concat(local.primary_vnic_secondary_ips, local.secondary_vnics_secondary_ips) : v.key => {
                                                                                                                   vnic_id       = v.vnic_id

diff --git a/cis-compute-storage/metadata.tf b/cis-compute-storage/metadata.tf
@@ -3,5 +3,5 @@
 
 #-- Used to inform module and release number.
 locals {
-    cislz_module_tag = {"cislz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
+    cislz_module_tag = {"ocilz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
 }    
diff --git a/cis-compute-storage/outputs.tf b/cis-compute-storage/outputs.tf
@@ -11,11 +11,21 @@ output "private_ips" {
   value = var.enable_output ? oci_core_private_ip.these : null
 }
 
-output "vnic_attachments" {
-  description = "The VNIC attachments"
+output "secondary_vnics" {
+  description = "The secondary VNICs"
+  value = var.enable_output ? data.oci_core_vnic.these : null
+}
+
+output "secondary_vnic_attachments" {
+  description = "The secondary VNIC attachments"
   value = var.enable_output ? oci_core_vnic_attachment.these : null
 }
 
+output "secondary_private_ips" {
+  description = "The secondary private IPs in all instances VNICs"
+  value = var.enable_output ? oci_core_private_ip.these : null
+}
+
 output "block_volumes" {
   description = "The block volumes"
   value       = var.enable_output ? oci_core_volume.these : null

diff --git a/cis-compute-storage/providers.tf b/cis-compute-storage/providers.tf
@@ -2,6 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 terraform {
+  required_version = ">= 1.3.0"
   required_providers {
     oci = {
       source  = "oracle/oci"

diff --git a/cis-oke/README.md b/cis-oke/README.md
@@ -32,6 +32,10 @@ The following features are currently supported by the module:
 - Boot volumes in-transit encryption enforced, drive by CIS profile level "2".
 
 ## <a name="requirements">Requirements</a>
+### Terraform Version >= 1.3.0
+
+This module requires Terraform binary version 1.3.0 or greater, as it relies on Optional Object Type Attributes feature. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+
 ### IAM Permissions
 
 This module requires the following IAM permissions: 
@@ -64,10 +68,6 @@ Allow any-user to manage instances in compartment <OKE-CLUSTER-COMPARTMENT-NAME>
 
 For more information about OKE Policies [click here](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#Policy_Configuration_for_Cluster_Creation_and_Deployment).
 
-### Terraform Version > 1.3.x
-
-This module relies on [Terraform Optional Object Type Attributes feature](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes), which has been promoted and no longer experimental in versions greater than 1.3.x. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
-
 ## <a name="invoke">How to Invoke the Module</a>
 
 Terraform modules can be invoked locally or remotely. 

diff --git a/cis-oke/SPEC.MD b/cis-oke/SPEC.MD
diff --git a/cis-oke/examples/flannel/oke-operator-host-iam/main.tf b/cis-oke/examples/flannel/oke-operator-host-iam/main.tf
@@ -1,11 +1,11 @@
 module "operator_dynamic_group" {
-  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//dynamic-groups?ref=v0.2.0"
+  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//dynamic-groups?ref=v0.2.3"
   tenancy_ocid = var.tenancy_ocid
   dynamic_groups_configuration = var.dynamic_groups_configuration
 }
 
 module "operator_policy" {
-  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.2.0"
+  source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.2.3"
   tenancy_ocid = var.tenancy_ocid
   policies_configuration = var.policies_configuration
 }  
diff --git a/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf b/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf
@@ -12,11 +12,9 @@ provider "oci" {
 }
 
 terraform {
-  required_version = "< 1.3.0"
   required_providers {
     oci = {
       source = "oracle/oci"
     }
   }
-  experiments = [module_variable_optional_attrs]
 }
diff --git a/cis-oke/metadata.tf b/cis-oke/metadata.tf
@@ -3,5 +3,5 @@
 
 #-- Used to inform module and release number.
 locals {
-    cislz_module_tag = {"cislz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
+    cislz_module_tag = {"ocilz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
 }    
diff --git a/cis-oke/providers.tf b/cis-oke/providers.tf
@@ -2,6 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 terraform {
+  required_version = ">= 1.3.0"
   required_providers {
     oci = {
       source  = "oracle/oci"

diff --git a/release.txt b/release.txt
@@ -1 +1 @@
-0.1.5
+0.1.6