# -----------------------------------------------------------------------------
# Create Cloud Guard resources
# -----------------------------------------------------------------------------
module "cloud-guard" {
  # Only instantiated when global resources are being deployed; the module is
  # pointed at the home region and given a separate home-region provider alias.
  source = "./security/cloud-guard"
  count  = var.deploy_global_resources ? 1 : 0

  # Tenancy / compartment placement.
  tenancy_ocid              = var.tenancy_ocid
  region                    = local.home_region[0]
  parent_compartment_ocid   = module.parent-compartment.parent_compartment_id
  parent_compartment_name   = module.parent-compartment.parent_compartment_name
  security_compartment_ocid = module.security-compartment.security_compartment_id

  # Feature toggle passed straight through. NOTE(review): what the module does
  # when this is false is not visible here — presumably Cloud Guard stays off,
  # which removes its detection coverage; confirm against the module.
  is_cloud_guard_enabled = var.is_cloud_guard_enabled

  # Tagging and the sandbox-only naming suffix (same pattern as the other
  # modules in this file).
  tag_geo_location = var.tag_geo_location
  tag_cost_center  = var.tag_cost_center
  suffix           = var.is_sandbox_mode_enabled == true ? "-${random_id.suffix.hex}" : ""

  providers = {
    oci             = oci
    oci.home_region = oci.home_region
  }

  depends_on = [
    module.parent-compartment,
    module.common-infra-compartment,
    module.security-compartment
  ]
}
module "vss" {
  # Vulnerability Scanning Service: created only when global resources are
  # deployed AND the VSS feature flag is set.
  source = "./security/vss"
  count  = var.deploy_global_resources && var.is_vulnerability_scanning_service_enabled ? 1 : 0

  # Tenancy / compartment placement.
  tenancy_ocid              = var.tenancy_ocid
  parent_compartment_ocid   = module.parent-compartment.parent_compartment_id
  parent_compartment_name   = module.parent-compartment.parent_compartment_name
  security_compartment_ocid = module.security-compartment.security_compartment_id

  # Scan recipe settings. These are forwarded verbatim; the accepted values and
  # any validation live with the variables / the module, not here.
  host_scan_recipe_agent_settings_scan_level = var.host_scan_recipe_agent_settings_scan_level
  host_scan_recipe_port_settings_scan_level  = var.host_scan_recipe_port_settings_scan_level
  agent_cis_benchmark_settings_scan_level    = var.agent_cis_benchmark_settings_scan_level
  vss_scan_schedule                          = var.vss_scan_schedule

  # Tagging and the sandbox-only naming suffix.
  tag_geo_location = var.tag_geo_location
  tag_cost_center  = var.tag_cost_center
  suffix           = var.is_sandbox_mode_enabled == true ? "-${random_id.suffix.hex}" : ""

  providers = {
    oci             = oci
    oci.home_region = oci.home_region
  }

  depends_on = [
    module.parent-compartment,
    module.common-infra-compartment,
    module.security-compartment
  ]
}
# -----------------------------------------------------------------------------
# Create Bastion resources
# -----------------------------------------------------------------------------
module "bastion" {
  # Deployed only when explicitly enabled and never in sandbox mode. Because of
  # that second condition, the sandbox branch of `suffix` below can never be
  # taken for a created instance.
  source = "./security/bastion"
  count  = var.enable_bastion && !var.is_sandbox_mode_enabled ? 1 : 0

  # Network placement (the vcn_id reference is also an implicit dependency on
  # module.vcn-core).
  network_compartment_id    = module.network-compartment.network_compartment_id
  vcn_id                    = module.vcn-core.vcn_id
  region_key                = local.region_key[0]
  bastion_subnet_cidr_block = var.bastion_subnet_cidr_block

  # Client CIDR allow-list for the bastion. It is forwarded without any check
  # in this file. NOTE(review): confirm the variable or the module rejects
  # overly broad ranges (e.g. 0.0.0.0/0) so the bastion is not world-reachable.
  bastion_client_cidr_block_allow_list = var.bastion_client_cidr_block_allow_list

  # Tagging and naming. Unlike the other modules in this file the suffix here
  # carries no leading "-"; left unchanged since it is unreachable (see count).
  tag_geo_location = var.tag_geo_location
  tag_cost_center  = var.tag_cost_center
  suffix           = var.is_sandbox_mode_enabled == true ? random_id.suffix.hex : ""

  depends_on = [module.network-compartment]
}
# -----------------------------------------------------------------------------
# Audit Logging
# -----------------------------------------------------------------------------
module "audit" {
  # Audit logging is created when global resources are deployed and the
  # advanced logging option selects audit logs, either alone or with flow logs.
  source = "./security/audit"
  count  = var.deploy_global_resources && (var.advanced_logging_option == "AUDIT_LOGS" || var.advanced_logging_option == "BOTH") ? 1 : 0

  # Tenancy / compartment placement. Note the compartment *name* comes from a
  # variable while the OCID comes from the compartment module output.
  tenancy_ocid              = var.tenancy_ocid
  parent_compartment_ocid   = module.parent-compartment.parent_compartment_id
  parent_compartment_name   = module.parent-compartment.parent_compartment_name
  security_compartment_ocid = module.security-compartment.security_compartment_id
  security_compartment_name = var.security_compartment_name

  # Retention and encryption inputs. NOTE(review): the module's use of key_id
  # (presumably customer-managed encryption of the audit store) and of the
  # retention amount is not visible from this file — confirm in the module.
  retention_rule_duration_time_amount = var.retention_rule_duration_time_amount
  key_id                              = module.key.key_id
  is_sandbox_mode_enabled             = var.is_sandbox_mode_enabled

  # Tagging and the sandbox-only naming suffix.
  tag_geo_location = var.tag_geo_location
  tag_cost_center  = var.tag_cost_center
  suffix           = var.is_sandbox_mode_enabled == true ? "-${random_id.suffix.hex}" : ""

  providers = {
    oci             = oci
    oci.home_region = oci.home_region
  }

  depends_on = [
    module.parent-compartment,
    module.security-compartment,
    module.key
  ]
}
# -----------------------------------------------------------------------------
# VCN Flow Log
# -----------------------------------------------------------------------------
module "flow-logs" {
  # VCN flow logs are created when global resources are deployed, the advanced
  # logging option includes flow logs, and there is at least one subnet to log.
  source = "./security/flow-logs"
  count  = var.deploy_global_resources && (var.advanced_logging_option == "FLOW_LOGS" || var.advanced_logging_option == "BOTH") && length(local.subnet_map) > 0 ? 1 : 0

  # Tenancy / compartment placement.
  tenancy_ocid              = var.tenancy_ocid
  security_compartment_ocid = module.security-compartment.security_compartment_id
  security_compartment_name = var.security_compartment_name
  network_compartment_ocid  = module.network-compartment.network_compartment_id

  # Subnets to attach flow logs to, plus the SIEM hand-off flag. NOTE(review):
  # how the module changes behaviour for a third-party SIEM is not visible
  # here — confirm logs are still retained in-tenancy when it is set.
  subnet_map             = local.subnet_map
  using_third_party_siem = var.using_third_party_siem

  # Tagging and the sandbox-only naming suffix.
  tag_geo_location = var.tag_geo_location
  tag_cost_center  = var.tag_cost_center
  suffix           = var.is_sandbox_mode_enabled == true ? "-${random_id.suffix.hex}" : ""

  providers = {
    oci             = oci
    oci.home_region = oci.home_region
  }

  depends_on = [
    module.parent-compartment,
    module.security-compartment,
    module.network-compartment
  ]
}
# -----------------------------------------------------------------------------
# Vault and Key
# -----------------------------------------------------------------------------
module "vault" {
  # Created unconditionally: unlike the modules above there is no count, so
  # the vault exists even when var.deploy_global_resources is false. It uses
  # the default oci provider (no providers map is given).
  source = "./security/vault"

  security_compartment_ocid = module.security-compartment.security_compartment_id

  tag_cost_center  = var.tag_cost_center
  tag_geo_location = var.tag_geo_location

  depends_on = [module.security-compartment]
}
module "key" {
  # Always created (no count) alongside the vault; module.audit consumes its
  # key_id output. Uses the default oci provider.
  source = "./security/key"

  security_compartment_ocid = module.security-compartment.security_compartment_id

  # The endpoint reference already makes this module depend on module.vault;
  # the explicit depends_on below restates that and adds the compartment.
  key_management_endpoint = module.vault.key_management_endpoint

  tag_cost_center  = var.tag_cost_center
  tag_geo_location = var.tag_geo_location

  depends_on = [
    module.security-compartment,
    module.vault
  ]
}