From bad1888a6a01f633fa1dafcd70315b99993b3cf7 Mon Sep 17 00:00:00 2001
From: goutv
Date: Wed, 3 Apr 2024 13:54:08 +0530
Subject: [PATCH] Adding MgmtAgent Policy Advisor
---
mgmtagent-policy-advisor/README.md | 25 ++++++
mgmtagent-policy-advisor/main.tf | 43 +++++++++++
.../modules/policies/main.tf | 17 +++++
.../modules/policies/variables.tf | 22 ++++++
mgmtagent-policy-advisor/outputs.tf | 7 ++
mgmtagent-policy-advisor/provider.tf | 17 +++++
mgmtagent-policy-advisor/schema.yaml | 76 +++++++++++++++++++
mgmtagent-policy-advisor/variables.tf | 10 +++
8 files changed, 217 insertions(+)
create mode 100644 mgmtagent-policy-advisor/README.md
create mode 100644 mgmtagent-policy-advisor/main.tf
create mode 100644 mgmtagent-policy-advisor/modules/policies/main.tf
create mode 100644 mgmtagent-policy-advisor/modules/policies/variables.tf
create mode 100644 mgmtagent-policy-advisor/outputs.tf
create mode 100644 mgmtagent-policy-advisor/provider.tf
create mode 100644 mgmtagent-policy-advisor/schema.yaml
create mode 100644 mgmtagent-policy-advisor/variables.tf
diff --git a/mgmtagent-policy-advisor/README.md b/mgmtagent-policy-advisor/README.md
new file mode 100644
index 0000000..f220560
--- /dev/null
+++ b/mgmtagent-policy-advisor/README.md
@@ -0,0 +1,25 @@
+
+
+# **OCI Management Agent Policy Advisor**
+
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)]()
+
+## Introduction
+
+This stack helps setup required policies for working with management agents
+
+## Stack Details
+
+* This stack gets input of the available user group, compartment and sets up the required policies for working with management agents
+
+## Using this stack
+
+1. Click on above Deploy to Oracle Cloud button which will redirect you to OCI console and prompt a dialogue box with further steps on deploying this application.
+2. Configure the variables for the infrastructure resources that this stack will create when you run the apply job for this execution plan.
+3. Review the changes after the configuration fields are updated.
+
+*Note:* For more details on Management Agents please refer
+https://docs.oracle.com/iaas/management-agents/index.html
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/main.tf b/mgmtagent-policy-advisor/main.tf
new file mode 100644
index 0000000..12cde0e
--- /dev/null
+++ b/mgmtagent-policy-advisor/main.tf
@@ -0,0 +1,43 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+data "oci_identity_group" "usergroup_data" {
+ group_id = var.user_group_id
+}
+
+data "oci_identity_compartment" "compartment_data" {
+ id = var.resource_compartment_id
+}
+
+
+locals{
+ currentDateTime = formatdate("YYYYMMDDhhmmss", timestamp())
+ mgmtagent_policy_name = var.policy_name != "" && var.policy_name != "ManagementAgent_Policy" ? var.policy_name : "ManagementAgent_Policy_${local.currentDateTime}"
+ user_group_name = data.oci_identity_group.usergroup_data.name
+ policy_location = var.resource_compartment_id == var.tenancy_ocid ? "TENANCY" : data.oci_identity_compartment.compartment_data.compartment_id == var.tenancy_ocid ? "COMPARTMENT ${data.oci_identity_compartment.compartment_data.name}" : "COMPARTMENT ID ${var.resource_compartment_id}"
+ policy_statements_root = [
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ USERS IN TENANCY"
+ ]
+ policy_statements_nonroot = [
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}"
+ ]
+}
+
+
+module "mgmtagent_policy_creation" {
+
+ source = "./modules/policies"
+
+ policy_name = local.mgmtagent_policy_name
+ policy_description = "This policy 
allows to manage management agents"
+ policy_compartment_id = var.policy_compartment_id
+ policy_statements = var.resource_compartment_id == var.tenancy_ocid ? local.policy_statements_root : local.policy_statements_nonroot
+
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/modules/policies/main.tf b/mgmtagent-policy-advisor/modules/policies/main.tf
new file mode 100644
index 0000000..0178851
--- /dev/null
+++ b/mgmtagent-policy-advisor/modules/policies/main.tf
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+ required_providers {
+ oci = {
+ source = "hashicorp/oci"
+ }
+ }
+}
+
+resource "oci_identity_policy" "create_policy" {
+ name = var.policy_name
+ description = var.policy_description
+ compartment_id = var.policy_compartment_id
+ statements = var.policy_statements
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/modules/policies/variables.tf b/mgmtagent-policy-advisor/modules/policies/variables.tf
new file mode 100644
index 0000000..824fd7b
--- /dev/null
+++ b/mgmtagent-policy-advisor/modules/policies/variables.tf
@@ -0,0 +1,22 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "policy_name" {
+ type = string
+ description = "The name you assign to the policy during creation."
+}
+
+variable "policy_description" {
+ type = string
+ description = "The description you assign to the policy."
+}
+
+variable "policy_statements" {
+ type = list(string)
+ description = "Consists of one or more policy statements. "
+}
+
+variable "policy_compartment_id" {
+ type = string
+ description = "The compartment id to assign this policy to."
+}
diff --git a/mgmtagent-policy-advisor/outputs.tf b/mgmtagent-policy-advisor/outputs.tf
new file mode 100644
index 0000000..1473a33
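Review bot: `mgmtagent_policy_name` in the `locals` block takes its suffix from `timestamp()`, which Terraform re-evaluates on every plan, so whenever the schema default `ManagementAgent_Policy` (the very value the condition excludes) or an empty name is supplied, the computed name differs on each run and `oci_identity_policy.create_policy` in the module shows a perpetual diff — and, if the provider treats `name` as replace-only as I believe it does, is destroyed and re-created on every apply, leaving the group without its management-agent permissions while the replacement is in flight. The name should be stable, e.g. `mgmtagent_policy_name = var.policy_name != "" ? var.policy_name : "ManagementAgent_Policy"`, or derive its suffix from a value that does not change between plans. If a time-based suffix is intentional, the module resource needs `lifecycle { ignore_changes = [name] }`, and the condition that rewrites the literal default deserves a comment stating why (presumably to avoid name collisions when the stack is deployed more than once in a compartment — worth confirming).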
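Review bot: The `terraform` block here pins `source = "hashicorp/oci"` with no version constraint, while the root `provider.tf` hunk pins `version = ">= 4.21.0"` with no `source`, so the two files disagree on what provider is required; I would state both together, e.g. `oci = { source = "oracle/oci", version = ">= 4.21.0" }` (the registry now publishes this provider under `oracle/oci`, with `hashicorp/oci` kept as an alias, as far as I know — worth confirming). The module also exposes no outputs, so the root cannot surface the created policy's OCID; an `output "policy_id" { value = oci_identity_policy.create_policy.id }` would let the root `outputs.tf` report the resource actually created instead of only echoing a local.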
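Review bot: `policy_statements` accepts an empty list, which the resource in the module's `main.tf` forwards unchanged, so a caller mistake surfaces only as an API error at apply time; a `validation` block gives a plan-time message instead: `validation { condition = length(var.policy_statements) > 0 error_message = "policy_statements must contain at least one statement." }`. The description on that variable also carries a trailing space, `"Consists of one or more policy statements. "`, which is harmless but inconsistent with the other three.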
--- /dev/null
+++ b/mgmtagent-policy-advisor/outputs.tf
@@ -0,0 +1,7 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+output "policy_name" {
+ description = "Name of the policy created"
+ value = "${local.mgmtagent_policy_name}"
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/provider.tf b/mgmtagent-policy-advisor/provider.tf
new file mode 100644
index 0000000..8c208b1
--- /dev/null
+++ b/mgmtagent-policy-advisor/provider.tf
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ # Recommendation from ORM / OCI provider teams
+ oci = {
+ version = ">= 4.21.0"
+ }
+ }
+}
+
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ region = var.region
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/schema.yaml b/mgmtagent-policy-advisor/schema.yaml
new file mode 100644
index 0000000..6990bed
--- /dev/null
+++ b/mgmtagent-policy-advisor/schema.yaml
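Review bot: `value = "${local.mgmtagent_policy_name}"` wraps a single expression in interpolation syntax, a pre-0.12 form that the Terraform 1.x floor set in `provider.tf` flags as redundant; the idiomatic line is `value = local.mgmtagent_policy_name`. The output also reports the name the root computed rather than anything read back from the created resource, so it would not reveal a failed or drifted policy; that can only improve once the module exports the resource's attributes.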
@@ -0,0 +1,76 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+ title: "Management Agent Policy Advisor"
+ schemaVersion: 1.1.0
+ description: "Create required policies for management agent for the given user group and compartment."
+ version: "20240301"
+ locale: "en"
+
+ variableGroups:
+ - title: General Configuration
+ visible: false
+ variables:
+ - tenancy_ocid
+ - region
+ - compartment_ocid
+
+ - title: Required Policy Configuration
+ visible: true
+ variables:
+ - policyInfo
+ - policy_compartment_id
+ - policy_name
+
+ - title: Management Agent Policies
+ visible: true
+ variables:
+ - user_group_id
+ - resource_compartment_id
+
+ variables:
+ policy_compartment_id:
+ type: oci:identity:compartment:id
+ required: true
+ default: ${compartment_ocid}
+ title: Policy Compartment
+ description: Compartment where the policy definition should be created.
+
+ resource_compartment_id:
+ type: oci:identity:compartment:id
+ required: true
+ default: ${compartment_ocid}
+ title: Management Agent Resource Compartment
+ description: Compartment where the policies should be applied. Usually the management agents' compartment.
+
+ user_group_id:
+ type: oci:identity:groups:id
+ required: true
+ title: User group
+ description: User group for which the policies should be mapped.
+ dependsOn:
+ compartmentId: tenancy_ocid
+
+ policy_name:
+ type: string
+ required: true
+ title: Policy Name
+ default: ManagementAgent_Policy
+ description: Name of the policy.
+
+ policyInfo:
+ type: text
+ required: true
+ title: Policies to be created
+ description: Above is the template of policy statements that will be created. 
+ multiline: true
+ default: "allow group to manage management-agents in compartment \nallow group to manage management-agent-install-keys in compartment \nallow group to read metrics in compartment \nallow group to read alarms in compartment \nallow group to read users in tenancy"
+
+ region:
+ visible: false
+
+ tenancy_ocid:
+ visible: false
+
+ compartment_ocid:
+ visible: false
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/variables.tf b/mgmtagent-policy-advisor/variables.tf
new file mode 100644
index 0000000..a994f73
--- /dev/null
+++ b/mgmtagent-policy-advisor/variables.tf
@@ -0,0 +1,10 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "compartment_ocid" {}
+variable "tenancy_ocid" {}
+variable "region" {}
+variable "policy_compartment_id" {}
+variable "resource_compartment_id" {}
+variable "user_group_id" {}
+variable "policy_name" {}
\ No newline at end of file
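Review bot: The `policyInfo` default lists `allow group to read users in tenancy` among the statements that will be created, but `main.tf` only adds `READ USERS IN TENANCY` when `resource_compartment_id` equals the tenancy, so a user deploying into a child compartment is told they are granting a tenancy-wide permission they are not actually getting; the description should say `The last statement is created only when the resource compartment is the root compartment.` `policyInfo` is also not declared in `variables.tf`, so ORM will hand Terraform a value for an undeclared variable (whether that is a warning or an error in this setup is worth confirming); either declare it, `variable "policyInfo" { type = string default = "" }`, or keep it out of the `variables` list so the schema and the configuration stay aligned.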
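Review bot: Every root variable is declared as an empty block, so nothing constrains its type or documents its meaning, and `terraform plan` outside ORM prompts for all seven with no hint of what goes where; `policy_name` in particular has no `default` even though `schema.yaml` defaults it to `ManagementAgent_Policy`. At minimum give each a type and description, e.g. `variable "user_group_id" { type = string description = "OCID of the IAM group that receives the management-agent policy statements (looked up tenancy-wide)." }`. The OCID-valued variables would also benefit from a `validation` block checking the `ocid1.` prefix with `can(regex(...))`, which catches a pasted display name before the data sources fail at plan time.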