Commit b8644cd

Merge pull request #68 from oracle-devrel/develop
Automation Toolkit Release v12
2 parents 47816d4 + 1ad2015 commit b8644cd

5 files changed: +25 -10 lines


README.md

Lines changed: 2 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -8,7 +8,7 @@
88

99
<li> <a href= "#introduction">Introduction</a></li>
1010

11-
<li> <a href = "https://github.com/oracle-devrel/cd3-automation-toolkit/releases/tag/v11.1">What's new in this release</a></li>
11+
<li> <a href = "https://github.com/oracle-devrel/cd3-automation-toolkit/releases/tag/v12">What's new in this release</a></li>
1212
<li> <a href = "/cd3_automation_toolkit/documentation/user_guide/learn_more/CD3ExcelTabs.md">Toolkit Supported OCI Services</a></li>
1313
<li> <a href = "/cd3_automation_toolkit/documentation/user_guide/RunningAutomationToolkit.md#excel-sheet-templates">Excel Templates</a></li>
1414

@@ -28,6 +28,7 @@
2828
<ul>
2929
<li> <a href="/cd3_automation_toolkit/documentation/user_guide/GreenField.md">Green Field Tenancies</a>
3030
<ul>
31+
<li> <a href="/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md"</a> Enforcing OPA (Open Policy Agent) policies for Terraform </li>
3132
<li> <a href="/cd3_automation_toolkit/documentation/user_guide/NetworkingScenariosGF.md"</a><b> Must Read :</b> Managing Network for Greenfield Tenancies</li>
3233
<li> <a href="/cd3_automation_toolkit/documentation/user_guide/ComputeGF.md"</a><b> Must Read :</b> Managing Compute Instances for Greefield Tenancies</li>
3334
</ul>
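Review bot: the added `<li>` for OPAForCompliance.md copies a malformed anchor from its neighbours: the opening `<a href="...">` tag is never closed (the `>` is missing) and the visible text sits after `</a>`, so the item shows the text but the link itself has no clickable content. Suggest `<li> <a href="/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md">Enforcing OPA (Open Policy Agent) policies for Terraform</a></li>`. The two existing "Must Read" lines in this hunk have the same defect, and the Compute line also misspells "Greefield", so this is a good place to fix all three.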

cd3_automation_toolkit/documentation/user_guide/GreenField.md

Lines changed: 3 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -34,7 +34,9 @@ Choose the resources by specifying a single option (for choosing one of these re
3434
<br>Change your directory to _/cd3user/tenancies/<customer\_name>/terraform\_files/<region\_dir>/_ and Execute:
3535

3636
**terraform init** - To initialize and prepare your working/out directory soTerraform can run the configuration.<br>
37-
**terraform plan** - To preview any changes before you apply them.<br>
37+
38+
**terraform plan** - To preview any changes before you apply them. Run the plan against [OPA policies](/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md) for compliance against CIS.
39+
3840
**terraform apply** - To make the changes defined by Terraform configuration to create, update, or destroy resources in OCI.
3941

4042
> **Note**
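Review bot: the new sentence in the `terraform plan` step tells the reader to run the plan against the OPA policies, but the OPA guide it links to evaluates a JSON plan produced by `terraform plan -out tfplan.binary` followed by `terraform show -json tfplan.binary > tfplan.json`, not the output of the plain `terraform plan` shown here. Suggest stating that the plan must be saved and converted to JSON first (or quoting those two commands), so a reader following this page in order does not run `terraform plan` and then have nothing to feed to `opa eval`. Also, the hunk adds two blank lines (`37+` and `39+`) around the step while the neighbouring steps are separated by one, and the unchanged line above still reads "soTerraform", which could be fixed while this file is open.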

cd3_automation_toolkit/documentation/user_guide/KnownBehaviour.md

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -127,3 +127,8 @@
127127
![image](https://github.com/oracle-devrel/cd3-automation-toolkit/assets/103508105/5a50cdb5-b6cf-49fa-b488-1419d32c6b13)
128128
This occurs when NSG and the VCN are in different compartments. In such cases, please modify <prefix>_nsgs.auto.tfvars, specify the compartment name of the VCN in network_compartment_id field of the problematic NSG.
129129

130+
- Terraform ordering changes observed during plan phase for OCI compute plugin's.
131+
![image](https://github.com/oracle-devrel/cd3-automation-toolkit/assets/103548537/f6a2d481-5e79-484b-a24e-a8329e8b6626)
132+
133+
It changes the order of plugin's in terraform state file and doesn't change anything in OCI for compute resource.
134+
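Review bot: "plugin's" in the new bullet and in the explanation is a possessive, not a plural; it should read "plugins" ("Terraform ordering changes observed during plan phase for OCI compute plugins", "It changes the order of plugins in the terraform state file"). More substantively, this page is where a reader decides whether an unexpected plan diff is safe to apply, and the entry only says that nothing changes in OCI; it should state what `terraform apply` actually reports for this case (an in-place update that only rewrites the plugin order in state, or a diff that disappears on the next plan) and how to recognise the diff without relying on the screenshot, for example by naming the attribute that is being reordered.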

cd3_automation_toolkit/documentation/user_guide/Upgrade_Toolkit.md

Lines changed: 6 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1,5 +1,11 @@
11
# Steps to Upgrade Your Toolkit (For Existing Customers using older versions):
22

3+
## Upgrade to Release v12
4+
1. Follow the steps in Launch Docker Container to build new image with latest code and launch the container by specifying new path for <directory_in_local_system_where_the_files_must_be_generated> to create a fresh outdir.
5+
2. Use Non Greenfield workflow to export the required OCI services into new excel sheet and the tfvars. Run terraform import commands also.
6+
3. Once terraform is in synch, Switch to Greenfield workflow and use for any future modifications to the infra.
7+
8+
39
## Upgrade to Release v11.1 from v11
410
1. Follow the steps in [Launch Docker Container](/cd3_automation_toolkit/documentation/user_guide/Launch_Docker_container.md) to build new image with latest code and launch the container by specifying same path for <directory_in_local_system_where_the_files_must_be_generated> to keep using same outdir.
511
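Review bot: the new "Upgrade to Release v12" section is missing the hyperlink that the v11.1 section below provides for "Launch Docker Container" (`/cd3_automation_toolkit/documentation/user_guide/Launch_Docker_container.md`); add it so the two sections are consistent. The heading should also say which versions it applies from (the section below is titled "Upgrade to Release v11.1 from v11"), because the procedure here is quite different: it creates a fresh outdir and rebuilds state via the Non Greenfield export plus `terraform import` instead of reusing the same outdir, so readers need to know whether this is expected for every pre-v12 install and whether the old outdir and its state should be kept until the import is verified. Minor: "synch" -> "sync", and "Non Greenfield" / "Greenfield" could link to their guides as the README does.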

cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md

Lines changed: 9 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -9,26 +9,27 @@ As part of CD3, we have meticulously developed a comprehensive set of policies t
99

1010
Our carefully crafted policies act as gatekeepers, preventing any IAC deployments that do not align with the stringent security and compliance guidelines set by the CIS benchmarks for OCI. By leveraging our policies, you can ensure that your infrastructure deployments remain impervious to any potential vulnerabilities or non-compliance issues.
1111

12-
#### **Run OPA inside CD3 container**
1312

14-
1. First, ensure you have OPA installed inside CD3 containers.
13+
#### **Run OPA inside CD3 container**
1514

16-
2. Open your command line interface inside CD3 container and run OPA. You should see all available options for OPA.
15+
1. Open your command line interface inside CD3 container and run OPA. You should see all available options for OPA.
1716

1817
opa --help
18+
Currently CD3 container has OPA version 0.55.0 installed.
1919

2020
3. Generate the terraform plan output in json format since OPA accepts that format alone for evaluation.
2121

2222
terraform plan -out tfplan.binary
2323
terraform show -json tfplan.binary > tfplan.json
2424

25-
4. Run the following command to evaluate the "deny_ingress_for_sl.rego" policy with a pretty output format:
25+
4. Run the terraform plan against all the available OPA rules. It should return an empty array which means the plan has no non-compliant action against CIS benchmarks.
2626

27-
opa eval -f pretty -d <OPA_POLICY_BUNDLE_DIR>/Networking/oci_deny_ingress_for_sl.rego -i <the_plan_json_file> data.terraform.deny
27+
opa eval -f pretty -b /cd3user/oci_tools/cd3_automation_toolkit/user-scripts/OPA -i tfplan.json data.terraform.deny --fail-defined
2828

29-
This command will analyze the "tfplan.json" input file against the policy and display the evaluation results with a user-friendly format.
29+
30+
Alternatively, run the following command to evaluate just a sinle OPA rule say "deny_ingress_for_sl.rego" policy with a pretty output format:
3031

32+
opa eval -f pretty -d /cd3user/oci_tools/cd3_automation_toolkit/user-scripts/OPA/Networking/oci_deny_ingress_for_sl.rego -i tfplan.json data.terraform.deny
3133

32-
5. Also, We can run only one cmd which will run the terraform plan against all the available OPA rules.It should return an empty array which means the plan has no non-compliant action against CIS benchmarks.
3334

34-
opa eval -f pretty -b <<OPA_POLICY_BUNDLE_DIR>> -i <the_plan_json_file> data.terraform.deny --fail-defined
35+
This command will analyze the "tfplan.json" input file against the policy and display the evaluation results with a user-friendly format.
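Review bot: after dropping the old step 1 and renumbering step 2 to 1, the unchanged lines below still read "3." and "4.", so the list now runs 1, 3, 4; renumber them to 2 and 3. "sinle" -> "single". The bundle command adds `--fail-defined`, which makes `opa eval` exit non-zero when `data.terraform.deny` has a defined, non-empty result, but the text only says the output "should return an empty array"; say explicitly that a non-zero exit status means the plan violates a policy, since that is what lets this command gate a CI job, and note that the single-rule command below does not pass the flag and therefore exits 0 even when deny entries are reported. Also, the relocated closing sentence ("This command will analyze the "tfplan.json" input file...") now follows only the single-rule example; make clear that it applies to both invocations or move it above them.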
