oracle-quickstart / terraform-oci-open-lz Goto Github PK

The OCI Open LZ is a set of open and secure landing zone blueprints to simplify the onboarding and running of organizations, business units, and subsidiaries into OCI - by customers, partners, or ISVs. Use it to create your own OCI Landing Zone.

License: Universal Permissive License v1.0

landing-zones newtwork oci oracle security terraform design cloud-operations iac onboard

terraform-oci-open-lz's Introduction

The OCI Operating Entities Landing Zone

Simplifying the Onboarding and Running of OCI

Welcome to the OCI Operating Entities Landing Zone, also known as OCI Open LZ, a set of open assets and best practices to simplify the onboarding and running of OCI for organizations and their functional divisions – identified as Operating Entities (OEs).

The OCI Open LZ provides complete OCI blueprints, including designs and declarative IaC, reducing design and implementation timelines, associated costs, and efforts - while enabling a future-proof OCI with complete security and scalability.

Repository Structure

This repository is the source of truth for the OCI Open LZ and includes three types of assets (blueprints, add-ons, and workload extensions) and three blueprint sizes (M, L, and XL):

#	Directory	Description
1	`blueprints/`	Select the most suitable OCI landing zone blueprint to onboard and run OCI.
	...`one-oe/`	Onboards One OE with its environments, platforms, and projects in one tenancy.
	...`multi-oe/`	Onboards Multiple OEs with shared services and OE-dedicated resources, sharing one tenancy.
	...`multi-tenancy/`	Uses One-OE and Multi-OE to onboard all your organizations or customers into several tenancies.
2	`addons/`	Complement your landing zone with add-ons to run OCI with best practices. (e.g., Network Hubs)
3	`workload-extensions/`	Extend your landing zone with pluggable workload extensions (e.g., EBS, OCVS, ...).

As general guidance, it's recommended to start with the order of the table above. The first step is choosing the right blueprint shape and size (M, L, or XL). Complementary, review the network add-ons to update the design. After the Landing Zone is set, extend it with workload extensions. You can also use the OCI-tailored Landing Zone approach for further guidance on the creation of your landing zone.

Related Repositories

The OCI Open LZ uses a declarative Infrastructure-as-Code (IaC) approach that is distributed into several repositories.

Name	Description / Scope
OCI Landing Zones Orchestrator	Relates several OCI resource into one consolidated operation (i.e., one plan/apply).
OCI Landing Zones IAM	Covers OCI Compartments, Groups, Policies, Dynamic Groups, etc.
OCI Landing Zones Network	Covers all OCI Core Network Resources for any network topology.
OCI Landing Zones Security	Covers OCI Security Resources (e.g., Cloud Guard, VSS, Security Zones, Vaults, etc.).
OCI Landing Zones Observability	Covers OCI Monitoring resources (e.g., Logging, Events, Alarms, Notifications, etc.).
OCI Landing Zones Governance	Covers OCI Tagging.

Contributing

If your project has specific contribution requirements, update the CONTRIBUTING.md file to ensure those requirements are clearly explained

This project welcomes contributions from the community. Before submitting a pull request, please review our contribution guide

Security

Please consult the security guide for our responsible security vulnerability disclosure process

License

Licensed under the Universal Permissive License (UPL), Version 1.0.

See LICENSE for more details.

terraform-oci-open-lz's People

Contributors

Stargazers

Watchers

Forkers

iyvonnebett pavi550 mohmedhussain wenjian80 cnst-george mariusciotir paolajuarezgomez hrvolapeter

terraform-oci-open-lz's Issues

Cannot create IPSec tunnels phases configuration details

IPSec tunnels can be created but we're missing the key configuration parameter to be able to create the working tunnels as the phases details.

Needs to be reviewed and fixed.

examples/shared should have a reference to LBaaS certificates creation

The provided example creates a LB with a certificate that has a reference to pre-existing local certificates folder:

                        "certificates": {
                            "LB-SHARED-CERT-1-KEY": {
                                "ca_certificate": "~/certs/ca.crt",
                                "certificate_name": "lb1-cert1",
                                "private_key": "~/certs/my_cert.key",
                                "public_certificate": "~/certs/my_cert.crt"
                            }
                        },

We should indicate the need to have valid PEM certificates for the Load Balancer. For educational purposes, and if the user has not trusted CA certificates we can point to a public reference with instructions on how to setup self-signed certificates in the shared MD documentation or a link to a secondary MD with some instructions like:

	a. Create a Self-Signed Root CA:
	openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout ca.key -out ca.crt
	
	b. Create a cert key and certificate signing request (CSR):
	openssl req -nekey rsa:2048 -nodes -keyout my_cert.key -out my_cert.csr
	
	c. Sign the certificate CSR with Root CA:
	cat my_cert.txt
	authorityKeyIdentifier=keyid,issuer 
	basicConstraints=CA:FALSE 
	subjectAltName = @alt_names [alt_names] 
	DNS.1 = oe01.com
	
	openssl x509 -req -CA ca.crt -CAkey ca.key -in my_cert.csr -out my_cert.crt -days 365 -CAcreateserial -extfile my_cert.txt
	
	d. Check the cert:
	openssl x509 -text -noout -in my_cert.crt

network_security_groups created through inject_into_existing_vcns have autogenerated names

network_security_groups created through inject_into_existing_vcns have autogenerated names - the attribute display_name seems to be ignored.

region Vs home_region

oci-credentials.tfvars.json.template has two parameters "region" and "home_region" but usecase associated with them is not mentioned and not clear which one to use. Better we add detail in "Setup Terraform Authentication" section.

Defining explicit default_security_list expects to define display_name

When defining explicitly a default_security_list in a VCN (to have the absolute control of the entries on it with the JSON config), it is expecting a display_name, not defined in the variables.tf of the orchestrator:

Error:

Error: Unsupported attribute
│ 
│   on networking.tf line 42, in locals:
│   42:               display_name   = vcn_value.default_security_list.display_name
│     ├────────────────
│     │ vcn_value.default_security_list is object with 6 attributes
│ 
│ This object does not have an attribute named "display_name".
╵

orchestrator variables.tf:
    
default_security_list = optional(object({
          compartment_id  = optional(string),
          compartment_key = optional(string),
          defined_tags    = optional(map(string)),
          freeform_tags   = optional(map(string)),
          ingress_rules = optional(list(object({

fix with:
    
        default_security_list = optional(object({
          compartment_id  = optional(string),
          compartment_key = optional(string),
          defined_tags    = optional(map(string)),
          freeform_tags   = optional(map(string)),
          **_display_name    = optional(string),_**

typo for variables user_ocid & tenancy_ocid

file https://github.com/oracle-quickstart/terraform-oci-open-lz/tree/master/examples/oci-open-lz/shared/oci-credentials.tfvars.json.template

Has this content:

tenancy_id should be tenancy_ocid
and
user_id should be user_ocid

Regards,

Need a way to be able to ignore the changes in Oracle-Tags namespace

While not modifying any defined_tags in any resource (default null), with any plan/apply operation the orchestrator will try (not effectively change) the Oracle-Tags.CreatedBy and Oracle-Tags.CreatedOn to null values. These tags will be reset to the inherited values at creation time, as they get their values from the default tenancy-wide Oracle Tags namespace.

Different parties desire a way to ignore the changes on these tags.

This best solution so far is to configure the provider with the option:

provider "oci" {
region = var.home_region
tenancy_ocid = var.tenancy_ocid
user_ocid = var.user_ocid
fingerprint = var.fingerprint
private_key_path = var.private_key_path
private_key_password = var.private_key_password
ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"] <---------
}

Error: Iteration over null value

Terraform plan for /examples/oci-open-lz/op01_manage_shared_services example giving below error:

Error: Iteration over null value
│
│ on .terraform/modules/cislz_groups/groups/main.tf line 24, in locals:
│ 24: users = { for u in data.oci_identity_users.these.users : u.name => u }
│ ├────────────────
│ │ data.oci_identity_users.these.users is null
│
│ A null value cannot be used as the collection in a 'for' expression.

Optional input file

Run the Configurations step has given command as

terraform plan
-var-file ../examples/oci-open-lz/shared/oci-credentials.tfvars.json
-var-file ../examples/oci-open-lz/shared/open_lz_shared_identity.auto.tfvars.json
-var-file ../examples/oci-open-lz/shared/open_lz_shared_network.auto.tfvars.json
-state ../examples/oci-open-lz/shared/terraform.tfstate

but if we don't want to use any component from network side, we should have option not to pass that command line argument.

Unknown type 'IPSEC_TUNNEL' while creating a DRT Attachment of type IPSEC_TUNNEL

While creating an IPSEC_TUNNEL DRG attachment type and configuring in the network_details the type as IPSEC_TUNNEL, we got an error on apply operation with "Error: unknown type 'IPSEC_TUNNEL' was specified.

Is something different is specified in the type argument we got an error like: "Error: expected network_details.0.type to be one of [IPSEC_TUNNEL LOOPBACK REMOTE_PEERING_CONNECTION VCN].

Open LZ v1.3.0 can not create compartments in enclosing compartments

Error in orchestrator coming from the update to the IAM core module v0.1.6/comparments as this version changed the default_parent_ocid and parent_ocid for default_parent_id and parent_id and this was not changed in the orchestrator.

To modify files:

variables.tf:

variable "compartments_configuration" {
description = "The compartments configuration. Use the compartments attribute to define your topology. OCI supports compartment hierarchies up to six levels."
type = object({
derive_keys_from_hierarchy = optional(bool) # Whether identifying keys should be derived from the provided compartments hierarchy
module_name = optional(string) # The module name.
tags_dependency = optional(map(any)) # Map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the tag OCID) of string type.
default_parent_ocid = optional(string) # the default parent for all top (first level) compartments. Use parent_ocid attribute within each compartment to specify different parents.
default_defined_tags = optional(map(string)) # applies to all compartments, unless overriden by defined_tags in a compartment object
default_freeform_tags = optional(map(string)) # applies to all compartments, unless overriden by freeform_tags in a compartment object
enable_delete = optional(bool) # whether or not compartments are physically deleted when destroyed. Default is false.
compartments = map(object({
name = string
description = string
parent_ocid = optional(string)

For:

variable "compartments_configuration" {
description = "The compartments configuration. Use the compartments attribute to define your topology. OCI supports compartment hierarchies up to six levels."
type = object({
derive_keys_from_hierarchy = optional(bool) # Whether identifying keys should be derived from the provided compartments hierarchy
module_name = optional(string) # The module name.
tags_dependency = optional(map(any)) # Map of objects containing the externally managed tags this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the tag OCID) of string type.
default_parent_id = optional(string) # the default parent for all top (first level) compartments. Use parent_ocid attribute within each compartment to specify different parents.
default_defined_tags = optional(map(string)) # applies to all compartments, unless overriden by defined_tags in a compartment object
default_freeform_tags = optional(map(string)) # applies to all compartments, unless overriden by freeform_tags in a compartment object
enable_delete = optional(bool) # whether or not compartments are physically deleted when destroyed. Default is false.
compartments = map(object({
name = string
description = string
parent_id = optional(string)

Configuration needs to use this default_parent_id & parent_id accordingly.

Issue creating compartments from examples/oci-open-lz/shared/open_lz_shared_identity.auto.tfvars.json

When running the module I am seeing the following:

$ terraform plan -var-file ./oci-credentials.tfvars.json -var-file ../examples/oci-open-lz/shared/open_lz_shared_identity.auto.tfvars.json -var-file ../examples/oci-open-lz/shared/open_lz_shared_network.auto.tfvars.json -state ../examples/oci-open-lz/shared/terraform.tfstate

Error: Invalid value for input variable
│
│ on identity.tf line 9, in module "cislz_compartments":
│ 9: compartments_configuration = var.compartments_configuration
│
│ The given value is not suitable for
│ module.cislz_compartments.var.compartments_configuration declared at
│ ....\terraform-oci-cis-landing-zone-iam\compartments\variables.tf:12,1-38:
│ attribute "compartments": incorrect map element type: attribute "children":
│ incorrect map element type: attribute "children": incorrect map element
│ type: attribute "tag_defaults": incorrect map element type: attribute
│ "tag_id" is required.