Merge pull request #21 from oracle-quickstart/release-0.1.8

Release 0.1.8
oci-landing-zones · Dec 8, 2023 · 6344683 · 6344683
2 parents 7775ac3 + eef72dc
commit 6344683
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@
 **/terraform.tfvars
 **/input.auto.tfvars
 **/private
+**/creds
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,3 +1,8 @@
+# December 08, 2023 Release Notes - 0.1.8
+## Updates
+### Policy Module
+1. Grants added for supporting OKE deployments with NPN (Native Pod Networking) and in a split compartment topology, where OKE networking and OKE clusters are deployed in different compartments.
+
 # November 01, 2023 Release Notes - 0.1.7
 ## New
 1. Identity Domains module, supporting identity domains, groups, and dynamic groups. 

diff --git a/policies/application_cmp_policy.tf b/policies/application_cmp_policy.tf
@@ -78,6 +78,12 @@ locals {
     ] : []
   }
 
+  oke_cluster_grants_on_application_cmp_map = {
+    for k, values in local.cmp_name_to_cislz_tag_map : k => (contains(split(",",values["cmp-type"]),"application")) && local.enable_oke_service_policies ? [
+      "allow any-user to manage instances in compartment ${values["name"]} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${values["ocid"]}' }"
+    ] : []
+  }
+
   #-- Policies for compartments marked as application compartments (values["cmp-type"] == "application").
   application_cmps_policies = {
     for k, values in local.cmp_name_to_cislz_tag_map : 
@@ -89,7 +95,7 @@ locals {
         freeform_tags    = var.policies_configuration.freeform_tags
         statements       = concat(local.application_admin_grants_on_application_cmp_map[k],local.application_read_grants_on_application_cmp_map[k],
                                   local.storage_admin_grants_on_application_cmp_map[k],local.security_admin_grants_on_application_cmp_map[k],
-                                  local.compute_agent_grants_on_application_cmp_map[k])
+                                  local.compute_agent_grants_on_application_cmp_map[k],local.oke_cluster_grants_on_application_cmp_map[k])
       }
     if contains(split(",",values["cmp-type"]),"application")
   }

diff --git a/policies/network_cmp_policy.tf b/policies/network_cmp_policy.tf
@@ -88,6 +88,16 @@ locals {
     ] : [] 
   }  
 
+  application_compartment_id = local.enable_oke_service_policies ? (distinct(compact(concat([for k, values in local.cmp_name_to_cislz_tag_map : (contains(split(",",values["cmp-type"]),"application")) ? values["ocid"] : ""])))[0]) : null
+
+  oke_cluster_grants_on_network_cmp_map = {
+    for k, values in local.cmp_name_to_cislz_tag_map : k => (contains(split(",",values["cmp-type"]),"network")) && local.enable_oke_service_policies && local.application_compartment_id != null ? [
+      "allow any-user to use private-ips in compartment ${values["name"]} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.application_compartment_id}' }",
+      "allow any-user to use network-security-groups in compartment ${values["name"]} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.application_compartment_id}' }",
+      "allow any-user to use subnets in compartment ${values["name"]} where all { request.principal.type = 'cluster', request.principal.compartment.id = '${local.application_compartment_id}' }"
+    ] : []
+  }
+
   #-- Policies for compartments marked as network compartments (values["cmp-type"] == "network").
   network_cmps_policies = {
     for k, values in local.cmp_name_to_cislz_tag_map : 
@@ -100,7 +110,8 @@ locals {
         statements       = concat(local.network_admin_grants_on_network_cmp_map[k],local.network_read_grants_on_network_cmp_map[k],
                                   local.security_admin_grants_on_network_cmp_map[k],local.appdev_admin_grants_on_network_cmp_map[k],
                                   #local.database_admin_grants_on_network_cmp_map[k],local.exainfra_admin_grants_on_network_cmp_map[k],
-                                  local.common_admin_grants_on_network_cmp_map[k], local.storage_admin_grants_on_network_cmp_map[k])
+                                  local.common_admin_grants_on_network_cmp_map[k], local.storage_admin_grants_on_network_cmp_map[k],
+                                  local.oke_cluster_grants_on_network_cmp_map[k])
       }
     if contains(split(",",values["cmp-type"]),"network")
   }