Merge pull request #68 from oracle-devrel/develop

xs2suruchi · web-flow · commit b8644cdcb598 · 2023-09-08T23:28:33.000+05:30
Automation Toolkit Release v12
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 
   <li> <a href= "#introduction">Introduction</a></li>
 
-  <li> <a href = "https://github.com/oracle-devrel/cd3-automation-toolkit/releases/tag/v11.1">What's new in this release</a></li>
+  <li> <a href = "https://github.com/oracle-devrel/cd3-automation-toolkit/releases/tag/v12">What's new in this release</a></li>
   <li> <a href = "/cd3_automation_toolkit/documentation/user_guide/learn_more/CD3ExcelTabs.md">Toolkit Supported OCI Services</a></li>
   <li> <a href = "/cd3_automation_toolkit/documentation/user_guide/RunningAutomationToolkit.md#excel-sheet-templates">Excel Templates</a></li>
   
@@ -28,6 +28,7 @@
   <ul>
   <li> <a href="/cd3_automation_toolkit/documentation/user_guide/GreenField.md">Green Field Tenancies</a>
     <ul>
+      <li> <a href="/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md"</a> Enforcing OPA (Open Policy Agent) policies for Terraform </li>
       <li> <a href="/cd3_automation_toolkit/documentation/user_guide/NetworkingScenariosGF.md"</a><b> Must Read :</b> Managing Network for Greenfield Tenancies</li>
       <li> <a href="/cd3_automation_toolkit/documentation/user_guide/ComputeGF.md"</a><b> Must Read :</b> Managing Compute Instances for Greefield Tenancies</li>
     </ul>
diff --git a/cd3_automation_toolkit/documentation/user_guide/GreenField.md b/cd3_automation_toolkit/documentation/user_guide/GreenField.md
@@ -34,7 +34,9 @@ Choose the resources by specifying a single option (for choosing one of these re
 <br>Change your directory to _/cd3user/tenancies/<customer\_name>/terraform\_files/<region\_dir>/_  and Execute:
 
 **terraform init**  - To initialize and prepare your working/out directory soTerraform can run the configuration.<br>
-**terraform plan**  - To preview any changes before you apply them.<br>
+
+**terraform plan**  - To preview any changes before you apply them. Run the plan against [OPA policies](/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md) for compliance against CIS.
+
 **terraform apply** - To make the changes defined by Terraform configuration to create, update, or destroy resources in OCI.
   
 > **Note**  
diff --git a/cd3_automation_toolkit/documentation/user_guide/KnownBehaviour.md b/cd3_automation_toolkit/documentation/user_guide/KnownBehaviour.md
@@ -127,3 +127,8 @@
   ![image](https://github.com/oracle-devrel/cd3-automation-toolkit/assets/103508105/5a50cdb5-b6cf-49fa-b488-1419d32c6b13)
   This occurs when NSG and the VCN are in different compartments. In such cases, please modify <prefix>_nsgs.auto.tfvars, specify the compartment name of the VCN in network_compartment_id field of the problematic NSG.
 
+- Terraform ordering changes observed during plan phase for OCI compute plugin's.
+  ![image](https://github.com/oracle-devrel/cd3-automation-toolkit/assets/103548537/f6a2d481-5e79-484b-a24e-a8329e8b6626)
+
+  It changes the order of plugin's in terraform state file and doesn't change anything in OCI for compute resource.
+
diff --git a/cd3_automation_toolkit/documentation/user_guide/Upgrade_Toolkit.md b/cd3_automation_toolkit/documentation/user_guide/Upgrade_Toolkit.md
@@ -1,5 +1,11 @@
 # Steps to Upgrade Your Toolkit (For Existing Customers using older versions):
 
+## Upgrade to Release v12
+1. Follow the steps in Launch Docker Container to build new image with latest code and launch the container by specifying new path for <directory_in_local_system_where_the_files_must_be_generated> to create a fresh outdir.
+2. Use Non Greenfield workflow to export the required OCI services into new excel sheet and the tfvars. Run terraform import commands also.
+3. Once terraform is in synch, Switch to Greenfield workflow and use for any future modifications to the infra.
+
+
 ## Upgrade to Release v11.1 from v11
 1. Follow the steps in [Launch Docker Container](/cd3_automation_toolkit/documentation/user_guide/Launch_Docker_container.md) to build new image with latest code and launch the container by specifying same path for <directory_in_local_system_where_the_files_must_be_generated> to keep using same outdir.
    
diff --git a/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md b/cd3_automation_toolkit/documentation/user_guide/learn_more/OPAForCompliance.md
@@ -9,26 +9,27 @@ As part of CD3, we have meticulously developed a comprehensive set of policies t
 
 Our carefully crafted policies act as gatekeepers, preventing any IAC deployments that do not align with the stringent security and compliance guidelines set by the CIS benchmarks for OCI. By leveraging our policies, you can ensure that your infrastructure deployments remain impervious to any potential vulnerabilities or non-compliance issues.
 
-#### **Run OPA inside CD3 container**
 
- 1. First, ensure you have OPA installed inside CD3 containers.
+#### **Run OPA inside CD3 container**
 
- 2. Open your command line interface inside CD3 container and run OPA. You should see all available options for OPA.
+ 1. Open your command line interface inside CD3 container and run OPA. You should see all available options for OPA.
 
         opa --help
+    Currently CD3 container has OPA version 0.55.0 installed.
 
  3. Generate the terraform plan output in json format since OPA accepts that format alone for evaluation.
    
          terraform plan -out tfplan.binary
 	     terraform show -json tfplan.binary > tfplan.json
 
- 4. Run the following command to evaluate the "deny_ingress_for_sl.rego" policy with a pretty output format:
+ 4. Run the terraform plan against all the available OPA rules. It should return an empty array which means the plan has no non-compliant action against CIS benchmarks.
 
-         opa eval -f pretty -d <OPA_POLICY_BUNDLE_DIR>/Networking/oci_deny_ingress_for_sl.rego -i <the_plan_json_file> data.terraform.deny
+        opa eval -f pretty -b /cd3user/oci_tools/cd3_automation_toolkit/user-scripts/OPA -i tfplan.json data.terraform.deny --fail-defined
 
-    This command will analyze the "tfplan.json" input file against the policy and display the evaluation results with a user-friendly format.
+    
+Alternatively, run the following command to evaluate just a sinle OPA rule say "deny_ingress_for_sl.rego" policy with a pretty output format:
 
+        opa eval -f pretty -d /cd3user/oci_tools/cd3_automation_toolkit/user-scripts/OPA/Networking/oci_deny_ingress_for_sl.rego -i tfplan.json data.terraform.deny
 
- 5. Also, We can run only one cmd which will run the terraform plan against all the available OPA rules.It should return an empty array which means the plan has no non-compliant action against CIS benchmarks.
 
-         opa eval -f pretty -b <<OPA_POLICY_BUNDLE_DIR>> -i <the_plan_json_file> data.terraform.deny --fail-defined
+This command will analyze the "tfplan.json" input file against the policy and display the evaluation results with a user-friendly format.
