-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
217 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| <!-- | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
| --> | ||
|
|
||
| # **OCI Management Agent Policy Advisor** | ||
|
|
||
| []() | ||
|
|
||
| ## Introduction | ||
|
|
||
| This stack helps setup required policies for working with management agents | ||
|
|
||
| ## Stack Details | ||
|
|
||
| * This stack gets input of the available user group, compartment and sets up the required policies for working with management agents | ||
|
|
||
| ## Using this stack | ||
|
|
||
| 1. Click on above Deploy to Oracle Cloud button which will redirect you to OCI console and prompt a dialogue box with further steps on deploying this application. | ||
| 2. Configure the variables for the infrastructure resources that this stack will create when you run the apply job for this execution plan. | ||
| 3. Review the changes after the configuration fields are updated. | ||
|
|
||
| *Note:* For more details on Management Agents please refer | ||
| https://docs.oracle.com/iaas/management-agents/index.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| data "oci_identity_group" "usergroup_data" { | ||
| group_id = var.user_group_id | ||
| } | ||
|
|
||
| data "oci_identity_compartment" "compartment_data" { | ||
| id = var.resource_compartment_id | ||
| } | ||
|
|
||
|
|
||
| locals{ | ||
| currentDateTime = formatdate("YYYYMMDDhhmmss", timestamp()) | ||
| mgmtagent_policy_name = var.policy_name != "" && var.policy_name != "ManagementAgent_Policy" ? var.policy_name : "ManagementAgent_Policy_${local.currentDateTime}" | ||
| user_group_name = data.oci_identity_group.usergroup_data.name | ||
| policy_location = var.resource_compartment_id == var.tenancy_ocid ? "TENANCY" : data.oci_identity_compartment.compartment_data.compartment_id == var.tenancy_ocid ? "COMPARTMENT ${data.oci_identity_compartment.compartment_data.name}" : "COMPARTMENT ID ${var.resource_compartment_id}" | ||
| policy_statements_root = [ | ||
| "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO READ USERS IN TENANCY" | ||
| ] | ||
| policy_statements_nonroot = [ | ||
| "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}", | ||
| "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}" | ||
| ] | ||
| } | ||
|
|
||
|
|
||
| module "mgmtagent_policy_creation" { | ||
|
|
||
| source = "./modules/policies" | ||
|
|
||
| policy_name = local.mgmtagent_policy_name | ||
| policy_description = "This policy allows to manage management agents" | ||
| policy_compartment_id = var.policy_compartment_id | ||
| policy_statements = var.resource_compartment_id == var.tenancy_ocid ? local.policy_statements_root : local.policy_statements_nonroot | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| terraform { | ||
| required_providers { | ||
| oci = { | ||
| source = "hashicorp/oci" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| resource "oci_identity_policy" "create_policy" { | ||
| name = var.policy_name | ||
| description = var.policy_description | ||
| compartment_id = var.policy_compartment_id | ||
| statements = var.policy_statements | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| variable "policy_name" { | ||
| type = string | ||
| description = "The name you assign to the policy during creation." | ||
| } | ||
|
|
||
| variable "policy_description" { | ||
| type = string | ||
| description = "The description you assign to the policy." | ||
| } | ||
|
|
||
| variable "policy_statements" { | ||
| type = list(string) | ||
| description = "Consists of one or more policy statements. " | ||
| } | ||
|
|
||
| variable "policy_compartment_id" { | ||
| type = string | ||
| description = "The compartment id to assign this policy to." | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| output "policy_name" { | ||
| description = "Name of the policy created" | ||
| value = "${local.mgmtagent_policy_name}" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| terraform { | ||
| required_version = ">= 1.0.0" | ||
| required_providers { | ||
| # Recommendation from ORM / OCI provider teams | ||
| oci = { | ||
| version = ">= 4.21.0" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "oci" { | ||
| tenancy_ocid = var.tenancy_ocid | ||
| region = var.region | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| title: "Management Agent Policy Advisor" | ||
| schemaVersion: 1.1.0 | ||
| description: "Create required policies for management agent for the given user group and compartment." | ||
| version: "20240301" | ||
| locale: "en" | ||
|
|
||
| variableGroups: | ||
| - title: General Configuration | ||
| visible: false | ||
| variables: | ||
| - tenancy_ocid | ||
| - region | ||
| - compartment_ocid | ||
|
|
||
| - title: Required Policy Configuration | ||
| visible: true | ||
| variables: | ||
| - policyInfo | ||
| - policy_compartment_id | ||
| - policy_name | ||
|
|
||
| - title: Management Agent Policies | ||
| visible: true | ||
| variables: | ||
| - user_group_id | ||
| - resource_compartment_id | ||
|
|
||
| variables: | ||
| policy_compartment_id: | ||
| type: oci:identity:compartment:id | ||
| required: true | ||
| default: ${compartment_ocid} | ||
| title: Policy Compartment | ||
| description: Compartment where the policy definition should be created. | ||
|
|
||
| resource_compartment_id: | ||
| type: oci:identity:compartment:id | ||
| required: true | ||
| default: ${compartment_ocid} | ||
| title: Management Agent Resource Compartment | ||
| description: Compartment where the policies should be applied. Usually the management agents' compartment. | ||
|
|
||
| user_group_id: | ||
| type: oci:identity:groups:id | ||
| required: true | ||
| title: User group | ||
| description: User group for which the policies should be mapped. | ||
| dependsOn: | ||
| compartmentId: tenancy_ocid | ||
|
|
||
| policy_name: | ||
| type: string | ||
| required: true | ||
| title: Policy Name | ||
| default: ManagementAgent_Policy | ||
| description: Name of the policy. | ||
|
|
||
| policyInfo: | ||
| type: text | ||
| required: true | ||
| title: Policies to be created | ||
| description: Above is the template of policy statements that will be created. | ||
| multiline: true | ||
| default: "allow group <User group> to manage management-agents in compartment <Management Agent Resource Compartment>\nallow group <User group> to manage management-agent-install-keys in compartment <Management Agent Resource Compartment>\nallow group <User group> to read metrics in compartment <Management Agent Resource Compartment>\nallow group <User group> to read alarms in compartment <Management Agent Resource Compartment>\nallow group <User group> to read users in tenancy" | ||
|
|
||
| region: | ||
| visible: false | ||
|
|
||
| tenancy_ocid: | ||
| visible: false | ||
|
|
||
| compartment_ocid: | ||
| visible: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Copyright (c) 2024, Oracle and/or its affiliates. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. | ||
|
|
||
| variable "compartment_ocid" {} | ||
| variable "tenancy_ocid" {} | ||
| variable "region" {} | ||
| variable "policy_compartment_id" {} | ||
| variable "resource_compartment_id" {} | ||
| variable "user_group_id" {} | ||
| variable "policy_name" {} |