Merge pull request #25 from oracle-quickstart/release-0.2.0

Release 0.2.0

.gitignore

@@ -9,4 +9,7 @@
 **/terraform.tfvars
 **/input.auto.tfvars
 **/private
+**/*.xml
+**/*.cert
+**/*.ini
 **/creds

RELEASE-NOTES.md

@@ -1,14 +1,23 @@
+# February 27, 2024 Release Notes
+## Updates
+### Identity Domains Module
+1. The Identity Domains module now supports creating SAML Identity Providers through a new configuration variable. The variable *identity_domain_identity_providers_configuration* includes parameters to manage identity providers using either a SAML metadata file or individual metadata parameter values.
+### Compartments Module
+1. The reserved key "TENANCY-ROOT" has been introduced. It is used for referring to the root compartment OCID. It can be assigned to *default_parent_id* and *parent_id* attributes.
+### Policies Module
+1. The reserved key "TENANCY-ROOT" has been introduced. It is used for referring to the root compartment OCID. It can be assigned to *compartment_id* attribute within *supplied_policies* attribute.
+
 # January 08, 2024 Release Notes - 0.1.9
 ## Updates
-### Policy Module
-1. Policy module can now declare dependencies on externally managed compartments. The dependencies are used to resolve compartment OCIDs within *supplied_policies* and *supplied_compartments* attributes.
+### Policies Module
+1. Policies Module can now declare dependencies on externally managed compartments. The dependencies are used to resolve compartment OCIDs within *supplied_policies* and *supplied_compartments* attributes.
 2. The following attributes had their names changed. Make sure to update any existing input variables.
     - *compartment_ocid* to *compartment_id* in *supplied_policies* attribute.
     - *ocid* to *id* in *supplied_compartments* attribute.
 
 # December 08, 2023 Release Notes - 0.1.8
 ## Updates
-### Policy Module
+### Policies Module
 1. Grants added for supporting OKE deployments with NPN (Native Pod Networking) and in a split compartment topology, where OKE networking and OKE clusters are deployed in different compartments.
 
 # November 01, 2023 Release Notes - 0.1.7
@@ -17,7 +26,7 @@
 2. Groups and dynamic groups can be created in existing identity domains.
 
 ## Updates
-### Policy Module
+### Policies Module
 1. Multiple intents can be declared for a specific compartment through *cislz-cmp-type* attribute. This configures the compartment (through the creation of necessary policy grants) to host resources that can be managed by different groups.
 
 # October 06, 2023 Release Notes - 0.1.6
@@ -35,12 +44,12 @@
 # September 04, 2023 Release Notes - 0.1.4
 
 ## Updates
-1. [Policy Module](#0-1-4-policies)
+1. [Policies Module](#0-1-4-policies)
 2. [Compartments Module](#0-1-4-compartments)
 
-### <a name="0-1-4-policies">Policy Module</a>
-1.  Policy module now supports group names that include spaces like: 'vision security adm group'. It's supported for tenancy and compartment level groups.  Please see [main.tf](./policies/examples/template-policies/main.tf) for an example.
-2.  Policy module now supports a list of groups for each role at tenancy and compartment levels, like : "cislz-consumer-groups-security":"vision-security-admin-group,'vision security adm group2'".  Please see [main.tf](./policies/examples/template-policies/main.tf) for an example.
+### <a name="0-1-4-policies">Policies Module</a>
+1.  Policies Module now supports group names that include spaces like: 'vision security adm group'. It's supported for tenancy and compartment level groups.  Please see [main.tf](./policies/examples/template-policies/main.tf) for an example.
+2.  Policies Module now supports a list of groups for each role at tenancy and compartment levels, like : "cislz-consumer-groups-security":"vision-security-admin-group,'vision security adm group2'".  Please see [main.tf](./policies/examples/template-policies/main.tf) for an example.
 
 ### <a name="0-1-4-compartments">Compartments Module</a>
 1. Compartments identifying keys can now be derived from the hierarchy provided in *compartment_configuration* definition. This allow for using the same key across different compartment subtrees, a desirable feature when defining complex compartment hierarchies with similar subtree structures. For using this feature, set *derive_keys_from_hierarchy* variable to true.
@@ -49,10 +58,10 @@
 # July 03, 2023 Release Notes - 0.1.3
 
 ## Updates
-1. [Policy Module](#0-1-3-policies)
+1. [Policies Module](#0-1-3-policies)
 
-### <a name="0-1-3-policies">Policy Module</a>
-1.  Policy module now requires compartments metadata to be explicitly passed in along the compartments. Instead of reading off compartments freeform tags, the module now reads from *cislz_metadata* attribute of *supplied_compartments* attribute. This has been done to avoid customers going beyond freeform tags limit in OCI, which is 10 per resource. Note however, that you can keep tagging your compartments if you wish, but you now need to read those tags and explicitly pass them to the policy module. Please see [main.tf](./policies/examples/template-policies/main.tf) for an example and [Compartment Level Policies](./policies/README.md#22-compartment-level-policies) for details on *cislz_metadata* attribute.
+### <a name="0-1-3-policies">Policies Module</a>
+1.  Policies Module now requires compartments metadata to be explicitly passed in along the compartments. Instead of reading off compartments freeform tags, the module now reads from *cislz_metadata* attribute of *supplied_compartments* attribute. This has been done to avoid customers going beyond freeform tags limit in OCI, which is 10 per resource. Note however, that you can keep tagging your compartments if you wish, but you now need to read those tags and explicitly pass them to the Policies Module. Please see [main.tf](./policies/examples/template-policies/main.tf) for an example and [Compartment Level Policies](./policies/README.md#22-compartment-level-policies) for details on *cislz_metadata* attribute.
 2.  Input variable *policies_configuration* has been restructured for easier usage. A *template_policies* attribute has been introduced to clearly separate settings from *supplied_policies*.  Within *template_policies*, *tenancy_level_settings* drive Root compartment policies while *compartment_level_settings* drive non-Root compartment policies. Please see [Template Policies](./policies/README.md#2-template-policies) for details.
 3.  Support for template OCI service policies introduced. These policies can be enabled all at once or on a per service basis. Please see [Tenancy Level Policies](./policies/README.md#21-tenancy-level-policies) for details.
 4.  Common grants on security and network compartments have been combined into single statements, with group principals in a comma-separated list.
@@ -61,15 +70,15 @@
 # June 19, 2023 Release Notes - 0.1.2
 
 ## Updates
-1. [Policy Module](#0-1-2-policies)
-### <a name="0-1-2-policies">Policy Module</a>
+1. [Policies Module](#0-1-2-policies)
+### <a name="0-1-2-policies">Policies Module</a>
 - Policy names disambiguated in the case where a single compartment has multiple values in the *cislz-cmp-type* tag.
 
 # May 15, 2023 Release Notes - 0.1.1
 
 ## Updates
-1. [Policy Module](#0-1-1-policies)
-### <a name="0-1-1-policies">Policy Module</a>
+1. [Policies Module](#0-1-1-policies)
+### <a name="0-1-1-policies">Policies Module</a>
 1.  Policy target compartments must be passed as a map of objects via *supplied_compartments* attribute.
 2.  Policy examples updated, showcasing template policies and supplied policies.
 

compartments/README.md

@@ -7,17 +7,17 @@ This module manages arbitrary Identity and Access Management (IAM) compartment t
 Check [module specification](./SPEC.md) for a full description of module requirements, supported variables, managed resources and outputs.
 
 A fundamental principle in using a map of objects is the ability to quickly visualize the actual compartment structure by simply looking at the variable definition. The input variable is an object named *compartments_configuration*, with the following attributes:
-- **default_parent_id** – (Optional) determines the parent compartment for all your top (first level) compartments defined by the *compartments* attribute. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. *tenancy_ocid* is used if undefined.
+- **default_parent_id** – (Optional) determines the parent compartment for all your top (first level) compartments defined by the *compartments* attribute. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. For referring to the *tenancy_ocid*, leave it unassigned or use the reserved key "TENANCY-ROOT".
 - **enable_delete** – (Optional) determines whether or not OCI should physically delete compartments when destroyed by Terraform. Default is false.
-- **default_defined_tags** – (Optional) defined tags to apply to all compartments, unless overriden by *defined_tags* attribute within each compartment object.
-- **default_freeform_tags** – (Optional) freeform tags to apply to all compartments, unless overriden by *freeform_tags* attribute within each compartment object. Freeform tags are limited to 10 tags per OCI resource.
+- **default_defined_tags** – (Optional) defined tags to apply to all compartments, unless overridden by *defined_tags* attribute within each compartment object.
+- **default_freeform_tags** – (Optional) freeform tags to apply to all compartments, unless overridden by *freeform_tags* attribute within each compartment object. Freeform tags are limited to 10 tags per OCI resource.
 - **compartments** – (Optional) the map of objects that define compartments hierarchies. Each top (first level) compartment has a *parent_id* attribute to identify the compartment's parent (in other words, where the particular tree descends from). It overrides *default_parent_id*. Each compartment object has a *children* attribute that defines its sub-compartments. The *compartments* map supports up to **six** levels of nesting, which is the maximum supported by OCI.
   - **name** – The compartment name.
   - **description** – The compartment description.
-  - **parent_id** – (Optional) The compartment's parent compartment. Only available for first-level compartments. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. *default_parent_id* is used if undefined.
+  - **parent_id** – (Optional) The compartment's parent compartment. Only available for first-level compartments. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. *default_parent_id* is used if undefined. For referring to the *tenancy_ocid*, use the reserved key "TENANCY-ROOT".
   - **defined_tags** – (Optional) The compartment defined_tags. *default_defined_tags* is used if undefined.
   - **freeform_tags** – (Optional) The compartment freeform_tags. *default_freeform_tags* is used if undefined.
-  - **tag_defaults** – (Optional) A map of tag defaults to apply to the compartment. Every resource created in the compartmet is tagged per this setting.
+  - **tag_defaults** – (Optional) A map of tag defaults to apply to the compartment. Every resource created in the compartment is tagged per this setting.
     - **tag_id** – The tag default tag id. This attribute is overloaded: it can be either a tag OCID or a reference (a key) to the tag OCID. 
     - **default_value** – The default value to assign to the tag.
     - **is_user_required** – (Optional) Whether the user must provide a tag value for resources created in the compartment.

compartments/examples/external-dependency/input.auto.tfvars.template

@@ -24,7 +24,7 @@ region               = "<your tenancy home region>" # This is your tenancy home
 #---------------------------------------
 
 compartments_configuration = { 
-  default_parent_id = "<REPLACE-BY-COMPARTMENT-REFERENCE>"
+  default_parent_id = "<REPLACE-BY-COMPARTMENT-REFERENCE>" # For referring to the tenancy_ocid, use the reserved key "TENANCY-ROOT".
   enable_delete = false
   compartments = {
     WORKLOAD-1-CMP = { 

compartments/examples/vision/README.md

@@ -14,7 +14,7 @@ The same structure as shown by OCI Console:
 1. Rename *input.auto.tfvars.template* to *\<project-name\>.auto.tfvars*, where *\<project-name\>* is any name of your choice.
 
 2. Within *\<project-name\>.auto.tfvars*, provide tenancy connectivity information and adjust the *compartments_configuration* input variable, by making the appropriate substitutions:
-   - Replace *\<REPLACE-BY-THE-PARENT-COMPARTMENT-OCID\>* placeholder by a compartment OCID. This determines the compartment that *TOP-CMP* compartment gets attached to.
+   - Replace *\<REPLACE-BY-THE-PARENT-COMPARTMENT-OCID\>* placeholder by a compartment OCID. This determines the compartment that *TOP-CMP* compartment gets attached to. For referring to the *tenancy_ocid*, use the reserved key "TENANCY-ROOT".
    - Replace *\<REPLACE-BY-THE-COST-CENTER-TAG-OCID\>* placeholder in *TOP-CMP* with the actual cost center tag ocid.
    - Replace *\<REPLACE-BY-THE-ENVIRONMENT-TAG-OCID\>* placeholder in *TOP-CMP* with the actual environment tag ocid.
    - Note that tag defaults are optional and you can simply remove *TOP-CMP*'s *tag_defaults* attribute altogether.

compartments/examples/vision/input.auto.tfvars.template

@@ -6,6 +6,7 @@
 # 2. Provide values for "Tenancy Connectivity Variables".
 # 3. Replace <REPLACE-BY-THE-PARENT-COMPARTMENT-OCID> placeholder by a compartment OCID. 
 #    This determines the compartment that TOP-CMP compartment gets attached to.
+#    For referring to the tenancy_ocid, use the reserved key "TENANCY-ROOT".
 # 4. Replace <REPLACE-BY-THE-COST-CENTER-TAG-OCID> placeholder in TOP-CMP with the actual cost center tag ocid.
 # 5. Replace <REPLACE-BY-THE-ENVIRONMENT-TAG-OCID> placeholder in TOP-CMP with the actual environment tag ocid.
 # Notice that tag defaults are optional and you can simply remove TOP-CMP's tag_defaults attribute altogether.
@@ -28,7 +29,7 @@ region               = "<your tenancy home region>" # This is your tenancy home
 #---------------------------------------
 
 compartments_configuration = {
-  default_parent_id = "<REPLACE-BY-THE-PARENT-COMPARTMENT-OCID>"
+  default_parent_id = "<REPLACE-BY-THE-PARENT-COMPARTMENT-OCID>" # For referring to the tenancy_ocid, use the reserved key "TENANCY-ROOT".
   #default_defined_tags = null
   #default_freeform_tags = null
   #enable_delete = false

compartments/main.tf

@@ -8,7 +8,7 @@ locals {
       key  = k1
       name = v1.name
       description = v1.description
-      parent_ocid = v1.parent_id != null ? (length(regexall("^ocid1.*$", v1.parent_id)) > 0 ? v1.parent_id : var.compartments_dependency[v1.parent_id].id) : var.compartments_configuration.default_parent_id != null ? (length(regexall("^ocid1.*$", var.compartments_configuration.default_parent_id)) > 0 ? var.compartments_configuration.default_parent_id : var.compartments_dependency[var.compartments_configuration.default_parent_id].id) : var.tenancy_ocid
+      parent_ocid = v1.parent_id != null ? (length(regexall("^ocid1.*$", v1.parent_id)) > 0 ? v1.parent_id : (upper(v1.parent_id) == "TENANCY-ROOT" ? var.tenancy_ocid : var.compartments_dependency[v1.parent_id].id)) : var.compartments_configuration.default_parent_id != null ? (length(regexall("^ocid1.*$", var.compartments_configuration.default_parent_id)) > 0 ? var.compartments_configuration.default_parent_id : (upper(var.compartments_configuration.default_parent_id) == "TENANCY-ROOT" ? var.tenancy_ocid : var.compartments_dependency[var.compartments_configuration.default_parent_id].id)) : var.tenancy_ocid
       defined_tags = v1.defined_tags != null ? v1.defined_tags :  var.compartments_configuration.default_defined_tags != null ?  var.compartments_configuration.default_defined_tags : null
       freeform_tags = v1.freeform_tags != null ? v1.freeform_tags : var.compartments_configuration.default_freeform_tags != null ?  var.compartments_configuration.default_freeform_tags : null
       tag_defaults = v1.tag_defaults