Adding mgmtagent-policy-advisor (#36)

.github/workflows/build.yml

@@ -24,6 +24,9 @@ jobs:
     - name: Package ansible playbooks
       run: |
         cd ./deployment/ansible-playbooks && zip -r ../../ansible-playbooks.zip . && cd -
+    - name: Package Management Agent Policy Advisor
+      run: |
+        cd ./mgmtagent-policy-advisor && zip -r ../mgmtagent-policy-advisor.zip . && cd -
     - name: Create Release
       id: create_release
       uses: actions/create-release@v1
@@ -67,4 +70,13 @@ jobs:
         upload_url: ${{ steps.create_release.outputs.upload_url }}
         asset_path: ./ansible-playbooks.zip
         asset_name: ansible-playbooks.zip
+        asset_content_type: application/zip
+    - name: Upload Management Agent Policy Advisor package
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.create_release.outputs.upload_url }}
+        asset_path: ./mgmtagent-policy-advisor.zip
+        asset_name: mgmtagent-policy-advisor.zip
         asset_content_type: application/zip

README.md

@@ -27,4 +27,7 @@ At a high level we have following quick start apps:
 
     This provides the automated agent deployment on multiple target hosts, where monitoring is required.<br>
     The current playbooks works for linux based hosts, but this can be extended to other operating systems as well.
-
+
+- [Management Agent Policy Advisor](./mgmtagent-policy-advisor/README.md):
+
+    This terraform app helps to setup the required IAM policies for management agents and agent install keys.

mgmtagent-policy-advisor/README.md

@@ -0,0 +1,25 @@
+<!--
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+-->
+
+# **OCI Management Agent Policy Advisor**
+
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-management-agent/releases/download/v2.0.7/mgmtagent-policy-advisor.zip)
+
+## Introduction
+
+This stack helps setup required policies for working with management agents and agent install keys
+
+## Stack Details
+
+* This stack gets input of the available user group, compartment and sets up the required policies for working with management agents
+
+## Using this stack
+
+1. Click on above Deploy to Oracle Cloud button which will redirect you to OCI console and prompt a dialogue box with further steps on deploying this application.
+2. Configure the variables for the infrastructure resources that this stack will create when you run the apply job for this execution plan.
+3. Review the changes after the configuration fields are updated.
+
+*Note:* For more details on Management Agents please refer
+https://docs.oracle.com/iaas/management-agents/index.html 

mgmtagent-policy-advisor/main.tf

@@ -0,0 +1,43 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+data "oci_identity_group" "usergroup_data" {
+    group_id = var.user_group_id
+}
+
+data "oci_identity_compartment" "compartment_data" {
+    id = var.resource_compartment_id
+}
+
+
+locals{
+    currentDateTime          = formatdate("YYYYMMDDhhmmss", timestamp())
+    mgmtagent_policy_name    = var.policy_name != "" && var.policy_name != "ManagementAgent_Policy" ? var.policy_name : "ManagementAgent_Policy_${local.currentDateTime}"
+    user_group_name          = data.oci_identity_group.usergroup_data.name
+    policy_location          = var.resource_compartment_id == var.tenancy_ocid ? "TENANCY" : data.oci_identity_compartment.compartment_data.compartment_id == var.tenancy_ocid ? "COMPARTMENT ${data.oci_identity_compartment.compartment_data.name}" : "COMPARTMENT ID ${var.resource_compartment_id}"
+    policy_statements_root   = [
+        "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO READ USERS IN TENANCY"
+    ]
+    policy_statements_nonroot = [
+        "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+        "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}"
+    ]
+}
+
+
+module "mgmtagent_policy_creation" {
+
+    source = "./modules/policies"
+
+    policy_name           = local.mgmtagent_policy_name
+    policy_description    = "This policy allows to manage management agents"
+    policy_compartment_id = var.policy_compartment_id
+    policy_statements     = var.resource_compartment_id == var.tenancy_ocid ? local.policy_statements_root : local.policy_statements_nonroot
+
+}

mgmtagent-policy-advisor/modules/policies/main.tf

@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+  required_providers {
+    oci = {
+      source = "hashicorp/oci"
+    }
+  }
+}
+
+resource "oci_identity_policy" "create_policy" {
+  name           = var.policy_name
+  description    = var.policy_description
+  compartment_id = var.policy_compartment_id
+  statements     = var.policy_statements
+}

mgmtagent-policy-advisor/modules/policies/variables.tf

@@ -0,0 +1,22 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "policy_name" {
+  type        = string
+  description = "The name you assign to the policy during creation."
+}
+
+variable "policy_description" {
+  type        = string
+  description = "The description you assign to the policy."
+}
+
+variable "policy_statements" {
+  type        = list(string)
+  description = "Consists of one or more policy statements. "
+}
+
+variable "policy_compartment_id" {
+  type        = string
+  description = "The compartment id to assign this policy to."
+}

mgmtagent-policy-advisor/outputs.tf

@@ -0,0 +1,7 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+output "policy_name" {
+  description = "Name of the policy created"
+  value       = "${local.mgmtagent_policy_name}"
+}

mgmtagent-policy-advisor/provider.tf

@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    # Recommendation from ORM / OCI provider teams
+    oci = {
+      version = ">= 4.21.0"
+    }
+  }
+}
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  region           = var.region
+}

mgmtagent-policy-advisor/schema.yaml

@@ -0,0 +1,76 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+  title: "Management Agent Policy Advisor"
+  schemaVersion: 1.1.0
+  description: "Create required policies for management agent for the given user group and compartment."
+  version: "20240301"
+  locale: "en"
+
+  variableGroups:
+  - title: General Configuration
+    visible: false
+    variables:
+      - tenancy_ocid
+      - region
+      - compartment_ocid
+
+  - title: Required Policy Configuration
+    visible: true
+    variables:
+      - policyInfo
+      - policy_compartment_id
+      - policy_name
+
+  - title: Management Agent Policies
+    visible: true
+    variables:
+      - user_group_id
+      - resource_compartment_id
+
+  variables:
+    policy_compartment_id:
+      type: oci:identity:compartment:id
+      required: true
+      default: ${compartment_ocid}
+      title: Policy Compartment
+      description: Compartment where the policy definition should be created.
+
+    resource_compartment_id:
+      type: oci:identity:compartment:id
+      required: true
+      default: ${compartment_ocid}
+      title: Management Agent Resource Compartment
+      description: Compartment where the policies should be applied. Usually the management agents' compartment.
+
+    user_group_id:
+      type: oci:identity:groups:id
+      required: true
+      title: User group
+      description: User group for which the policies should be mapped.
+      dependsOn:
+        compartmentId: tenancy_ocid
+
+    policy_name:
+      type: string
+      required: true
+      title: Policy Name
+      default: ManagementAgent_Policy
+      description: Name of the policy.
+
+    policyInfo:
+      type: text
+      required: true
+      title: Policies to be created
+      description: Above is the template of policy statements that will be created.
+      multiline: true
+      default: "allow group <User group> to manage management-agents in compartment <Management Agent Resource Compartment>\nallow group <User group> to manage management-agent-install-keys in compartment <Management Agent Resource Compartment>\nallow group <User group> to read metrics in compartment <Management Agent Resource Compartment>\nallow group <User group> to read alarms in compartment <Management Agent Resource Compartment>\nallow group <User group> to read users in tenancy"
+
+    region:
+      visible: false
+
+    tenancy_ocid:
+      visible: false
+
+    compartment_ocid:
+      visible: false

mgmtagent-policy-advisor/variables.tf

@@ -0,0 +1,10 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "compartment_ocid" {}
+variable "tenancy_ocid" {}
+variable "region" {}
+variable "policy_compartment_id" {}
+variable "resource_compartment_id" {}
+variable "user_group_id" {}
+variable "policy_name" {}