Release 0.2.1 (#27)

* fix: FSS principal names * fix: dependencies strongly typed * feat: automation config added * fix: dependencies strongly typed * feat: data types changed to any in examples * fix: substr length arg added * doc: release notes and version bump
oci-landing-zones · Apr 17, 2024 · f729216 · f729216
1 parent 07cc201
commit f729216
Show file tree

Hide file tree

Showing 22 changed files with 103 additions and 378 deletions.
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,11 +1,19 @@
-# February 27, 2024 Release Notes
+# April 17, 2024 Release Notes - 0.2.1
+## Updates
+### All Modules
+1. Dependency variables are now strongly typed, enhancing usage guidance.
+### Policies Module
+1. FSS (File System Service) principal names fixed in realms with keys greater than 10.
+
+
+# February 27, 2024 Release Notes - 0.2.0
 ## Updates
 ### Identity Domains Module
 1. The Identity Domains module now supports creating SAML Identity Providers through a new configuration variable. The variable *identity_domain_identity_providers_configuration* includes parameters to manage identity providers using either a SAML metadata file or individual metadata parameter values.
 ### Compartments Module
 1. The reserved key "TENANCY-ROOT" has been introduced. It is used for referring to the root compartment OCID. It can be assigned to *default_parent_id* and *parent_id* attributes.
 ### Policies Module
-1. The reserved key "TENANCY-ROOT" has been introduced. It is used for referring to the root compartment OCID. It can be assigned to *compartment_id* attribute within *supplied_policies* attribute.
+2. The reserved key "TENANCY-ROOT" has been introduced. It is used for referring to the root compartment OCID. It can be assigned to *compartment_id* attribute within *supplied_policies* attribute.
 
 # January 08, 2024 Release Notes - 0.1.9
 ## Updates

diff --git a/compartments/README.md b/compartments/README.md
@@ -56,10 +56,29 @@ Check the [examples](./examples) folder for module usage with actual input data.
 
 ## External Dependencies
 
-An optional feature, external dependencies are resources managed elsewhere that resources managed by this module may depend on. The following dependencies are supported:
+An optional feature, external dependencies are resources managed elsewhere that resources managed by this module depends on. The following dependencies are supported:
 
-- **tags_dependency** &ndash; (Optional) A map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the tag OCID.
-- **compartments_dependency** &ndash; (Optional) A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the tag OCID. This is typically used when using separate configurations for managing compartments.
+- **compartments_dependency** &ndash; (Optional) A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the compartment OCID. This mechanism allows for the usage of referring keys (instead of OCIDs) in *default_parent_id* and *parent_id* attributes. The module replaces the keys by the OCIDs provided within *compartments_dependency* map. Contents of *compartments_dependency* is typically the output of a client of this module.
+
+Example:
+```
+{
+	"NETWORK-CMP": {
+		"id": "ocid1.compartment.oc1..aaaaaaaa...7xq"
+	}
+}
+```
+
+- **tags_dependency** &ndash; (Optional) A map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the tag OCID. This mechanism allows for the usage of referring keys (instead of OCIDs) in *tag_id* attribute. The module replaces the keys by the OCIDs provided within *tags_dependency* map. Contents of *tags_dependency* is typically the output of a client of the [Tags module](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-governance/tree/main/tags).
+
+Example:
+```
+{
+	"COST-CENTER-TAG": {
+		"id": "ocid1.tag.oc1..aaaaaaaa...8yr"
+	}
+}
+```
 
 ## Requirements
 ### IAM Permissions

diff --git a/compartments/SPEC.md b/compartments/SPEC.md
@@ -31,10 +31,10 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_compartments_configuration"></a> [compartments\_configuration](#input\_compartments\_configuration) | The compartments configuration. Use the compartments attribute to define your topology. OCI supports compartment hierarchies up to six levels. | <pre>object({<br>    default_parent_id = optional(string) # the default parent for all top (first level) compartments. Use parent_id attribute within each compartment to specify different parents.<br>    default_defined_tags = optional(map(string)) # applies to all compartments, unless overriden by defined_tags in a compartment object<br>    default_freeform_tags = optional(map(string)) # applies to all compartments, unless overriden by freeform_tags in a compartment object<br>    enable_delete = optional(bool) # whether or not compartments are physically deleted when destroyed. Default is false.<br>    compartments = map(object({<br>      name          = string<br>      description   = string<br>      parent_id   = optional(string)<br>      defined_tags  = optional(map(string))<br>      freeform_tags = optional(map(string))<br>      tag_defaults     = optional(map(object({<br>        tag_id = string,<br>        default_value = string,<br>        is_user_required = optional(bool)<br>      })))<br>      children      = optional(map(object({<br>        name          = string<br>        description   = string<br>        defined_tags  = optional(map(string))<br>        freeform_tags = optional(map(string))<br>        tag_defaults     = optional(map(object({<br>            tag_id = string,<br>            default_value = string,<br>            is_user_required = optional(bool)<br>          })))<br>        children      = optional(map(object({<br>          name          = string<br>          description   = string<br>          defined_tags  = optional(map(string))<br>          freeform_tags = optional(map(string))<br>          tag_defaults     = optional(map(object({<br>            tag_id = string,<br>            default_value = string,<br>            is_user_required = optional(bool)<br>          })))<br>          children      = optional(map(object({<br>            name          = string<br>            description   = string<br>            defined_tags  = optional(map(string))<br>            freeform_tags = optional(map(string))<br>            tag_defaults     = optional(map(object({<br>              tag_id = string,<br>              default_value = string,<br>              is_user_required = optional(bool)<br>            })))<br>            children      = optional(map(object({<br>              name          = string<br>              description   = string<br>              defined_tags  = optional(map(string))<br>              freeform_tags = optional(map(string))<br>              tag_defaults     = optional(map(object({<br>                tag_id = string,<br>                default_value = string,<br>                is_user_required = optional(bool)<br>              })))<br>              children      = optional(map(object({<br>                name          = string<br>                description   = string<br>                defined_tags  = optional(map(string))<br>                freeform_tags = optional(map(string))<br>                tag_defaults     = optional(map(object({<br>                  tag_id = string,<br>                  default_value = string,<br>                  is_user_required = optional(bool)<br>                })))<br>              })))  <br>            })))<br>          })))<br>        })))<br>      })))  <br>    }))<br>  })</pre> | `null` | no |
-| <a name="input_compartments_dependency"></a> [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | `map(any)` | `null` | no |
+| <a name="input_compartments_dependency"></a> [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain an 'id' attribute of string type set with the compartment OCID. See 'External Dependencies' section in README.md for details. | <pre>map(object({<br>    id = string<br>  }))</pre> | `null` | no |
 | <a name="input_derive_keys_from_hierarchy"></a> [derive\_keys\_from\_hierarchy](#input\_derive\_keys\_from\_hierarchy) | Whether identifying keys should be derived from the provided compartments hierarchy | `bool` | `false` | no |
 | <a name="input_module_name"></a> [module\_name](#input\_module\_name) | The module name. | `string` | `"iam-compartments"` | no |
-| <a name="input_tags_dependency"></a> [tags\_dependency](#input\_tags\_dependency) | A map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the tag OCID) of string type. | `map(any)` | `null` | no |
+| <a name="input_tags_dependency"></a> [tags\_dependency](#input\_tags\_dependency) | A map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the tag OCID) of string type. See 'External Dependencies' section in README.md for details. | <pre>map(object({<br>    id = string<br>  }))</pre> | `null` | no |
 | <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The OCID of the tenancy. | `string` | n/a | yes |
 
 ## Outputs

diff --git a/compartments/examples/external-dependency/variables.tf b/compartments/examples/external-dependency/variables.tf
@@ -14,80 +14,7 @@ variable "private_key_password" {default = ""}
 #-------------------------------------------------------------
 variable "compartments_configuration" {
   description = "The compartments configuration. Use the compartments attribute to define your topology. OCI supports compartment hierarchies up to six levels."
-  type = object({
-    default_parent_id = optional(string) # the default parent for all top (first level) compartments. Use parent_id attribute within each compartment to specify different parents.
-    default_defined_tags = optional(map(string)) # applies to all compartments, unless overriden by defined_tags in a compartment object
-    default_freeform_tags = optional(map(string)) # applies to all compartments, unless overriden by freeform_tags in a compartment object
-    enable_delete = optional(bool) # whether or not compartments are physically deleted when destroyed. Default is false.
-    compartments = map(object({
-      name          = string
-      description   = string
-      parent_id   = optional(string)
-      defined_tags  = optional(map(string))
-      freeform_tags = optional(map(string))
-      tag_defaults     = optional(map(object({
-        tag_id = string,
-        default_value = string,
-        is_user_required = optional(bool)
-      })))
-      children      = optional(map(object({
-        name          = string
-        description   = string
-        defined_tags  = optional(map(string))
-        freeform_tags = optional(map(string))
-        tag_defaults     = optional(map(object({
-            tag_id = string,
-            default_value = string,
-            is_user_required = optional(bool)
-          })))
-        children      = optional(map(object({
-          name          = string
-          description   = string
-          defined_tags  = optional(map(string))
-          freeform_tags = optional(map(string))
-          tag_defaults     = optional(map(object({
-            tag_id = string,
-            default_value = string,
-            is_user_required = optional(bool)
-          })))
-          children      = optional(map(object({
-            name          = string
-            description   = string
-            defined_tags  = optional(map(string))
-            freeform_tags = optional(map(string))
-            tag_defaults     = optional(map(object({
-              tag_id = string,
-              default_value = string,
-              is_user_required = optional(bool)
-            })))
-            children      = optional(map(object({
-              name          = string
-              description   = string
-              defined_tags  = optional(map(string))
-              freeform_tags = optional(map(string))
-              tag_defaults     = optional(map(object({
-                tag_id = string,
-                default_value = string,
-                is_user_required = optional(bool)
-              })))
-              children      = optional(map(object({
-                name          = string
-                description   = string
-                defined_tags  = optional(map(string))
-                freeform_tags = optional(map(string))
-                tag_defaults     = optional(map(object({
-                  tag_id = string,
-                  default_value = string,
-                  is_user_required = optional(bool)
-                })))
-              })))  
-            })))
-          })))
-        })))
-      })))  
-    }))
-  })
-  default = null
+  type = any
 }
 
 variable "oci_shared_config_bucket_name" {

diff --git a/compartments/examples/vision/README.md b/compartments/examples/vision/README.md
@@ -21,9 +21,9 @@ The same structure as shown by OCI Console:
 
 Refer to [compartment's module README.md](../../README.md) for overall attributes usage.
 
-Note the *freeform_tags* applied to each compartment. **They are not required**, but if defined they are leveraged by [OCI CIS Landing Zone IAM Policies Module](../../../policies/) for deploying template (pre-configured) policies.
+*TOP-CMP* defines two tag defaults. *COST-CENTER-TAG-DEFAULT* will automatically apply value "a1" to any resources created in *TOP-CMP* compartment and  sub-compartments. *ENVIRONMENT-TAG-DEFAULT* will automatically require that users provide a value when creating resources in *TOP-CMP* compartment and sub-compartments.
 
-*TOP-CMP* defines two tag defaults. *COST-CENTER-TAG-DEFAULT* will automatically apply value "a1" to any resources created in *TOP-CMP* compartment and  sub-compartments. *ENVIRONMENT-TAG-DEFAULT* will automatically require that users provide a value when creating resources in *TOP-CMP* compartment and  sub-compartments.
+**Note**: If the *automation_config* variable is provided, the example writes the compartments output to the specified OCI Object Storage bucket (write permissions are required on the bucket). The example can be easily changed to write the output to a local file instead. The output can be further used by another module that depends on these compartments.
 
 3. In this folder, run the typical Terraform workflow:
 ```

diff --git a/compartments/examples/vision/automation_config.tf b/compartments/examples/vision/automation_config.tf
@@ -0,0 +1,16 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+data "oci_objectstorage_namespace" "this" {
+  count = var.automation_config != null ? 1 : 0
+  compartment_id = var.tenancy_ocid
+}
+
+### Writing compartments module output to Object Storage bucket. 
+resource "oci_objectstorage_object" "this" {
+  count = var.automation_config != null ? 1 : 0
+  bucket    = var.automation_config.bucket_name
+  content   = jsonencode(module.vision_compartments.compartments)
+  namespace = data.oci_objectstorage_namespace.this[0].namespace
+  object    = var.automation_config.output_file_name
+}  
diff --git a/compartments/examples/vision/input.auto.tfvars.template b/compartments/examples/vision/input.auto.tfvars.template
@@ -38,10 +38,6 @@ compartments_configuration = {
       name = "vision-top-cmp", 
       description = "Vision Enclosing compartment", 
       #parent_id = null,
-      freeform_tags = {
-        "cislz"="vision",
-        "cislz-cmp-type"="enclosing"
-      },
       tag_defaults = {
         COST-CENTER-TAG-DEFAULT = {
           tag_id = "<REPLACE-BY-THE-COST-CENTER-TAG-OCID>"
@@ -58,44 +54,29 @@ compartments_configuration = {
         NETWORK-CMP = { 
           name = "vision-network-cmp", 
           description = "Vision Network compartment", 
-          freeform_tags = {
-            "cislz"="vision",
-            "cislz-cmp-type"="network"
-          }
         },
         SECURITY-CMP = { 
           name = "vision-security-cmp", 
           description = "Vision Security compartment", 
-          freeform_tags = {
-            "cislz"="vision",
-            "cislz-cmp-type"="security"
-          }
         },
         APP-CMP = { 
           name = "vision-application-cmp", 
           description = "Vision Application compartment", 
-          freeform_tags = {
-            "cislz"="vision",
-            "cislz-cmp-type"="application"
-          }
         },
         DB-CMP = { 
           name = "vision-database-cmp", 
           description = "Vision Database compartment", 
-          freeform_tags = {
-            "cislz"="vision",
-            "cislz-cmp-type"="database"
-          }
         },
         EXACS-CMP = { 
           name = "vision-exainfra-cmp", 
           description = "Vision Exadata Cloud Service compartment",  
-          freeform_tags = {
-            "cislz"="vision",
-            "cislz-cmp-type"="exainfra"
-          }
         } 
       }
     }
   }
-}  
+}  
+
+# automation_config = {
+#  bucket_name      : "<REPLACE-BY-THE-BUCKET-NAME>"
+#  output_file_name : "vision-compartments.json"
+# }