diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 610180d..d835bcf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,6 +24,9 @@ jobs: - name: Package ansible playbooks run: | cd ./deployment/ansible-playbooks && zip -r ../../ansible-playbooks.zip . && cd - + - name: Package Management Agent Policy Advisor + run: | + cd ./mgmtagent-policy-advisor && zip -r ../mgmtagent-policy-advisor.zip . && cd - - name: Create Release id: create_release uses: actions/create-release@v1 @@ -67,4 +70,13 @@ jobs: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_path: ./ansible-playbooks.zip asset_name: ansible-playbooks.zip + asset_content_type: application/zip + - name: Upload Management Agent Policy Advisor package + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ./mgmtagent-policy-advisor.zip + asset_name: mgmtagent-policy-advisor.zip asset_content_type: application/zip \ No newline at end of file diff --git a/README.md b/README.md index 05a9100..5ba0b79 100644 --- a/README.md +++ b/README.md @@ -27,4 +27,7 @@ At a high level we have following quick start apps: This provides the automated agent deployment on multiple target hosts, where monitoring is required.
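Review bot: The new upload step references `actions/upload-release-asset@v1` by a mutable tag, so the job that publishes the Terraform stack users deploy into their tenancy runs whatever that tag resolves to at build time; pin it to a full commit SHA, `uses: actions/upload-release-asset@<full-sha>  # v1`, and do the same for the other `@v1` actions in this workflow. As far as I know `actions/upload-release-asset` and `actions/create-release` are archived upstream, so `gh release upload` or a maintained equivalent may be preferable — confirm before switching. The new README's Deploy button fetches exactly this asset from `releases/download/v2.0.7/mgmtagent-policy-advisor.zip`, so the integrity of this upload path is what stands between a user and an IAM-policy-creating stack.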
The current playbooks works for linux based hosts, but this can be extended to other operating systems as well. - \ No newline at end of file + +- [Management Agent Policy Advisor](./mgmtagent-policy-advisor/README.md): + + This terraform app helps to setup the required IAM policies for management agents and agent install keys. \ No newline at end of file diff --git a/mgmtagent-policy-advisor/README.md b/mgmtagent-policy-advisor/README.md new file mode 100644 index 0000000..197ef5c --- /dev/null +++ b/mgmtagent-policy-advisor/README.md @@ -0,0 +1,25 @@ + + +# **OCI Management Agent Policy Advisor** + +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-management-agent/releases/download/v2.0.7/mgmtagent-policy-advisor.zip) + +## Introduction + +This stack helps setup required policies for working with management agents and agent install keys + +## Stack Details + +* This stack gets input of the available user group, compartment and sets up the required policies for working with management agents + +## Using this stack + +1. Click on above Deploy to Oracle Cloud button which will redirect you to OCI console and prompt a dialogue box with further steps on deploying this application. +2. Configure the variables for the infrastructure resources that this stack will create when you run the apply job for this execution plan. +3. Review the changes after the configuration fields are updated. + +*Note:* For more details on Management Agents please refer +https://docs.oracle.com/iaas/management-agents/index.html \ No newline at end of file diff --git a/mgmtagent-policy-advisor/main.tf b/mgmtagent-policy-advisor/main.tf new file mode 100644 index 0000000..12cde0e --- /dev/null +++ b/mgmtagent-policy-advisor/main.tf 
@@ -0,0 +1,43 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+data "oci_identity_group" "usergroup_data" {
+ group_id = var.user_group_id
+}
+
+data "oci_identity_compartment" "compartment_data" {
+ id = var.resource_compartment_id
+}
+
+
+locals{
+ currentDateTime = formatdate("YYYYMMDDhhmmss", timestamp())
+ mgmtagent_policy_name = var.policy_name != "" && var.policy_name != "ManagementAgent_Policy" ? var.policy_name : "ManagementAgent_Policy_${local.currentDateTime}"
+ user_group_name = data.oci_identity_group.usergroup_data.name
+ policy_location = var.resource_compartment_id == var.tenancy_ocid ? "TENANCY" : data.oci_identity_compartment.compartment_data.compartment_id == var.tenancy_ocid ? "COMPARTMENT ${data.oci_identity_compartment.compartment_data.name}" : "COMPARTMENT ID ${var.resource_compartment_id}"
+ policy_statements_root = [
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ USERS IN TENANCY"
+ ]
+ policy_statements_nonroot = [
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agents IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO MANAGE management-agent-install-keys IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ METRICS IN ${local.policy_location}",
+ "ALLOW GROUP ${local.user_group_name} TO READ ALARMS IN ${local.policy_location}"
+ ]
+}
+
+
+module "mgmtagent_policy_creation" {
+
+ source = "./modules/policies"
+
+ policy_name = local.mgmtagent_policy_name
+ policy_description = "This policy allows to manage management agents"
+ policy_compartment_id = var.policy_compartment_id
+ policy_statements = var.resource_compartment_id == var.tenancy_ocid ? local.policy_statements_root : local.policy_statements_nonroot
+
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/modules/policies/main.tf b/mgmtagent-policy-advisor/modules/policies/main.tf
new file mode 100644
index 0000000..0178851
--- /dev/null
+++ b/mgmtagent-policy-advisor/modules/policies/main.tf
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+ required_providers {
+ oci = {
+ source = "hashicorp/oci"
+ }
+ }
+}
+
+resource "oci_identity_policy" "create_policy" {
+ name = var.policy_name
+ description = var.policy_description
+ compartment_id = var.policy_compartment_id
+ statements = var.policy_statements
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/modules/policies/variables.tf b/mgmtagent-policy-advisor/modules/policies/variables.tf
new file mode 100644
index 0000000..6bccd7b
--- /dev/null
+++ b/mgmtagent-policy-advisor/modules/policies/variables.tf
@@ -0,0 +1,22 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "policy_name" {
+ type = string
+ description = "The name you assign to the policy during creation."
+}
+
+variable "policy_description" {
+ type = string
+ description = "The description you assign to the policy."
+}
+
+variable "policy_statements" {
+ type = list(string)
+ description = "Consists of one or more policy statements. "
+}
+
+variable "policy_compartment_id" {
+ type = string
+ description = "The compartment id to assign this policy to."
+}
\ No newline at end of file
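Review bot: `currentDateTime = formatdate("YYYYMMDDhhmmss", timestamp())` feeds the default policy name, so every plan computes a new name; if `oci_identity_policy.name` forces replacement (the provider documents the name as not changeable, as far as I recall), each re-apply with the default name destroys and recreates the policy and briefly revokes the group's access. A suffix derived from the inputs is stable across runs and still unique per target, e.g. `suffix = substr(md5("${var.user_group_id}-${var.resource_compartment_id}"), 0, 8)` and `"ManagementAgent_Policy_${local.suffix}"`. Nothing checks that `var.policy_compartment_id` is the tenancy or an ancestor of `var.resource_compartment_id`, which OCI requires for the statements to attach; a `precondition` on the module call or a sentence in the variable description would surface this before apply, and using `COMPARTMENT ID ${var.resource_compartment_id}` for every non-root case instead of the by-name form avoids name-path resolution relative to the attachment compartment. `GROUP ${local.user_group_name}` is interpolated unquoted, which is fine for legacy IAM groups; identity-domain groups outside the default domain need the `'<domain>'/'<group>'` form — verify against the target tenancy type.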
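Review bot: The module's `required_providers` names `source = "hashicorp/oci"` with no version constraint, while the root `provider.tf` in this same change constrains `version = ">= 4.21.0"` and omits `source`; the two resolve to the same provider today (an omitted source defaults to the `hashicorp/` namespace), but a module that floats while the root is constrained is the kind of mismatch that surfaces only when `terraform init` picks a different version. Suggest making the two declarations identical, e.g. `oci = { source = "hashicorp/oci", version = ">= 4.21.0" }` here, or dropping the module's block so it inherits the root's. Since `oci_identity_policy.create_policy` grants MANAGE on agents and install keys, a header comment stating that `statements` are taken verbatim from the caller and not validated here would help the next reader, e.g. `# Statements are passed through unvalidated; the root module composes them.`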
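Review bot: `policy_statements` and `policy_compartment_id` are accepted without validation, so an empty statement list or a non-OCID compartment id only fails at apply time with a provider error; `validation` blocks catch both at plan time and document the contract, and the statements list is the security-relevant input of this module. The `description` of `policy_statements` also carries a trailing space inside the quotes (`"Consists of one or more policy statements. "`), harmless but worth trimming.

```hcl
variable "policy_statements" {
  type        = list(string)
  description = "Consists of one or more policy statements."

  validation {
    condition     = length(var.policy_statements) > 0
    error_message = "policy_statements must contain at least one statement."
  }
}

variable "policy_compartment_id" {
  type        = string
  description = "The compartment id to assign this policy to."

  validation {
    condition     = can(regex("^ocid1\\.(tenancy|compartment)\\.", var.policy_compartment_id))
    error_message = "policy_compartment_id must be a tenancy or compartment OCID."
  }
}
# … unchanged: policy_name, policy_description …
```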
diff --git a/mgmtagent-policy-advisor/oci_images.tf b/mgmtagent-policy-advisor/oci_images.tf
new file mode 100644
index 0000000..e69de29
diff --git a/mgmtagent-policy-advisor/outputs.tf b/mgmtagent-policy-advisor/outputs.tf
new file mode 100644
index 0000000..1473a33
--- /dev/null
+++ b/mgmtagent-policy-advisor/outputs.tf
@@ -0,0 +1,7 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+output "policy_name" {
+ description = "Name of the policy created"
+ value = "${local.mgmtagent_policy_name}"
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/provider.tf b/mgmtagent-policy-advisor/provider.tf
new file mode 100644
index 0000000..8c208b1
--- /dev/null
+++ b/mgmtagent-policy-advisor/provider.tf
@@ -0,0 +1,17 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ # Recommendation from ORM / OCI provider teams
+ oci = {
+ version = ">= 4.21.0"
+ }
+ }
+}
+
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ region = var.region
+}
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/schema.yaml b/mgmtagent-policy-advisor/schema.yaml
new file mode 100644
index 0000000..248e281
--- /dev/null
+++ b/mgmtagent-policy-advisor/schema.yaml
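Review bot: `value = "${local.mgmtagent_policy_name}"` wraps a single expression in interpolation quotes, which Terraform 0.12+ flags as redundant; write `value = local.mgmtagent_policy_name`. Because the default name is timestamp-suffixed in `main.tf`, the name alone is a weak handle for operators who want to audit or reference the grant; exposing the created policy's OCID would need the module to add `output "policy_id" { value = oci_identity_policy.create_policy.id }` and this file to surface `module.mgmtagent_policy_creation.policy_id`.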
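Review bot: `provider "oci"` sets only `tenancy_ocid` and `region`, so authentication comes from the execution environment (Resource Manager's injected principal, or a local CLI profile / env vars when run by hand); a comment saying so would keep someone running this outside ORM from being surprised, e.g. `# No credentials here: ORM supplies auth; locally, rely on the OCI CLI config or env vars.` The `version = ">= 4.21.0"` constraint has no upper bound, so a future major provider release is picked up silently by a fresh `init`; the usual shape is `version = "~> 5.0"` (or whichever major the stack is actually tested against). The block also omits `source`, which defaults to `hashicorp/oci`; aligning it with the module's `required_providers` keeps a single declaration to maintain.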
@@ -0,0 +1,76 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+ title: "Management Agent Policy Advisor"
+ schemaVersion: 1.1.0
+ description: "Create required policies for management agent for the given user group and compartment."
+ version: "20240301"
+ locale: "en"
+
+ variableGroups:
+ - title: General Configuration
+ visible: false
+ variables:
+ - tenancy_ocid
+ - region
+ - compartment_ocid
+
+ - title: Required Policy Configuration
+ visible: true
+ variables:
+ - policyInfo
+ - policy_compartment_id
+ - policy_name
+
+ - title: Management Agent Policies
+ visible: true
+ variables:
+ - user_group_id
+ - resource_compartment_id
+
+ variables:
+ policy_compartment_id:
+ type: oci:identity:compartment:id
+ required: true
+ default: ${compartment_ocid}
+ title: Policy Compartment
+ description: Compartment where the policy definition should be created.
+
+ resource_compartment_id:
+ type: oci:identity:compartment:id
+ required: true
+ default: ${compartment_ocid}
+ title: Management Agent Resource Compartment
+ description: Compartment where the policies should be applied. Usually the management agents' compartment.
+
+ user_group_id:
+ type: oci:identity:groups:id
+ required: true
+ title: User group
+ description: User group for which the policies should be mapped.
+ dependsOn:
+ compartmentId: tenancy_ocid
+
+ policy_name:
+ type: string
+ required: true
+ title: Policy Name
+ default: ManagementAgent_Policy
+ description: Name of the policy.
+
+ policyInfo:
+ type: text
+ required: true
+ title: Policies to be created
+ description: Above is the template of policy statements that will be created.
+ multiline: true
+ default: "allow group to manage management-agents in compartment \nallow group to manage management-agent-install-keys in compartment \nallow group to read metrics in compartment \nallow group to read alarms in compartment \nallow group to read users in tenancy"
+
+ region:
+ visible: false
+
+ tenancy_ocid:
+ visible: false
+
+ compartment_ocid:
+ visible: false
\ No newline at end of file
diff --git a/mgmtagent-policy-advisor/variables.tf b/mgmtagent-policy-advisor/variables.tf
new file mode 100644
index 0000000..a994f73
--- /dev/null
+++ b/mgmtagent-policy-advisor/variables.tf
@@ -0,0 +1,10 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "compartment_ocid" {}
+variable "tenancy_ocid" {}
+variable "region" {}
+variable "policy_compartment_id" {}
+variable "resource_compartment_id" {}
+variable "user_group_id" {}
+variable "policy_name" {}
\ No newline at end of file
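Review bot: `policyInfo` is declared `required: true` as a multiline text variable but has no counterpart in `variables.tf` in this same change (that file declares only `compartment_ocid`, `tenancy_ocid`, `region`, `policy_compartment_id`, `resource_compartment_id`, `user_group_id`, `policy_name`), so as far as I know Resource Manager will warn about an undeclared variable and the text the user reviews is never read by Terraform; either declare it or make it display-only with `required: false`. Its default omits the group and compartment names and the `in tenancy` / `compartment id` variants that `main.tf` actually emits, so a user approving the stack is not seeing the exact grants that MANAGE management-agents and install keys; stating that the text is illustrative, or generating it from the same inputs, would close that gap. `policy_name` defaults to `ManagementAgent_Policy`, but `main.tf` replaces that exact default with a timestamp-suffixed name, so the description should read `Name of the policy (must be unique in the tenancy; the default is suffixed with a timestamp).`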
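Review bot: All seven variables are declared as `variable "x" {}` with no type, description or validation, so whatever the schema supplies flows straight into the IAM policy module with no plan-time check; the OCIDs that select the group receiving MANAGE and the compartments it applies to are the inputs most worth constraining. Adding `type = string`, a description matching `schema.yaml`, and an OCID-prefix validation on `user_group_id` and the two compartment ids makes a mistyped or wrong-kind OCID fail at plan rather than midway through an IAM apply; confirm the `ocid1.group.` prefix also holds for the identity-domain groups this stack may target.

```hcl
variable "user_group_id" {
  type        = string
  description = "OCID of the IAM group that receives the management-agent policy statements."

  validation {
    condition     = can(regex("^ocid1\\.group\\.", var.user_group_id))
    error_message = "user_group_id must be an IAM group OCID (ocid1.group...)."
  }
}

variable "resource_compartment_id" {
  type        = string
  description = "Compartment (or tenancy) OCID the policy statements apply to."

  validation {
    condition     = can(regex("^ocid1\\.(compartment|tenancy)\\.", var.resource_compartment_id))
    error_message = "resource_compartment_id must be a compartment or tenancy OCID."
  }
}
# … unchanged: compartment_ocid, tenancy_ocid, region, policy_compartment_id, policy_name …
```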