feat: configure oci-cli and o cli

fix: #2, #4
kral2 · Oct 24, 2021 · 9d2b967 · 9d2b967
1 parent 3848564
commit 9d2b967
Show file tree

Hide file tree

Showing 10 changed files with 133 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,17 @@ Given a version number MAJOR.MINOR.PATCH:
 - MINOR version when adding functionality in a backwards compatible manner,
 - PATCH version when making backwards compatible bug fixes.
 
+## [0.6.0] - 2021-10-24
+
+### Added
+
+- OCI API: Add instance_principal authentication (Fix #2)
+- Auto-configure `project_o` cli (Fix #4)
+
+## Fixes
+
+- Hashistack-installer bumped to v0.3.2 : fix waypoint installation on Linux arm architecture
+
 ## [0.5.0] - 2021-10-15
 
 ### Added

diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@
 
 ## About
 
+![diagram](https://github.com/kral2/iacbox/blob/main/files/images/iacbox_about.png?raw=true&sanitize=true)
+
 This module deploys an instance with the necessary tools to start developing Infrastructure as Code solutions on OCI.
 
 General development tooling:
@@ -35,6 +37,8 @@ This is the deployed infrastructure:
 
 ![diagram](https://github.com/kral2/iacbox/blob/main/files/images/deployed_infrastructure.png?raw=true&sanitize=true)
 
+The module also create an OCI Dynamic-Group and the associated OCI Policy to grant API `manage` authorization to the iacbox instance over the instance's compartment.
+
 <!-- BEGIN_TF_DOCS -->
 
 ## Requirements
@@ -54,6 +58,8 @@ This is the deployed infrastructure:
 | Name | Type |
 |------|------|
 | [oci_core_subnet.vcn_iacbox_public](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_subnet) | resource |
+| [oci_identity_dynamic_group.iacbox](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_dynamic_group) | resource |
+| [oci_identity_policy.dynamic_group_iacbox](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_policy) | resource |
 | [oci_core_images.images](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/core_images) | data source |
 ## Inputs
 

diff --git a/files/bootstrap.sh b/files/bootstrap.sh
@@ -5,7 +5,7 @@
 # Description: Install the necessary tools to start developing Infrastructure as Code solutions on OCI.
 
 script_name=$(basename "$0")
-version="0.1.0"
+version="0.6.0"
 echo "$script_name - version $version"
 echo "Installing the necessary tools to start developing Infrastructure as Code solutions on OCI"
 echo ""
@@ -24,7 +24,7 @@ dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
 dnf install gh -y
 
 # getting latest HashiCorp tooling (Packer, Terraform, Consul, Vault, Nomad)
-curl -LO https://raw.github.com/kral2/hashistack-installer/v0.3.1/hashistack-install.sh
+curl -LO https://raw.github.com/kral2/hashistack-installer/v0.3.2/hashistack-install.sh
 chmod +x hashistack-install.sh
 ./hashistack-install.sh packer terraform consul vault nomad boundary waypoint
 
@@ -46,10 +46,30 @@ python -m pip install virtualenvwrapper --upgrade
 python -m pip install oci oci-cli --upgrade
 python -m pip install pre-commit --upgrade
 
-# install project_o (oci cli helpers)
+# Configure OCI-CLI
+
+PARENT_COMPARTMENT_ID=$(curl -s http://169.254.169.254/opc/v1/instance/metadata/compartment_id)
+TENANCY_ID=$(curl -s http://169.254.169.254/opc/v1/instance/metadata/tenancy_id)
+
+## Enable instance_principal auth by default
+{
+    echo "export OCI_CLI_AUTH=instance_principal"
+    echo "export OCI_CLI_TENANCY=${TENANCY_ID}"
+} >> $HOME_FOLDER/.bashrc
+
+## Define COMPARTMENT_ID to instance's Parent compartment-id by default
+
+/bin/su -c "oci setup oci-cli-rc" - "$SYSTEM_USER"
+sed -i "1i [DEFAULT]" $HOME_FOLDER/.oci/oci_cli_rc
+sed -i "2i compartment-id= ${PARENT_COMPARTMENT_ID}" $HOME_FOLDER/.oci/oci_cli_rc
+sed -i "3i tenancy-id= ${TENANCY_ID}" $HOME_FOLDER/.oci/oci_cli_rc
+
+# install and initialize project_o (oci cli helpers)
 # https://github.com/oracle/oci-cli/tree/master/scripts/examples/project_o
 
 where=$(which oci) && wget -q https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/examples/project_o/o -O "${where%ci}" && chmod a+x "${where%ci}"
+/bin/su -c "o oci_commands" - "$SYSTEM_USER"
+/bin/su -c "o ${TENANCY_ID}" - "$SYSTEM_USER"
 
 # installing Ansible, collections and roles
 python -m pip install ansible # dnf install ansible ansible-doc -y

diff --git a/files/iacbox.drawio b/files/iacbox.drawio
diff --git a/files/images/iacbox_about.png b/files/images/iacbox_about.png
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,27 @@
+/*
+Last update : October, 2021
+Author: [email protected]
+Description: provision iam context for iacbox instance
+*/
+
+resource "oci_identity_dynamic_group" "iacbox" {
+  #Required
+  compartment_id = var.tenancy_ocid
+  description    = "dynamic group for iacbox compute instance"
+  matching_rule  = "instance.id = '${module.instance_iacbox.instance_id[0]}'"
+  name           = "iacbox_instance"
+}
+
+resource "oci_identity_policy" "dynamic_group_iacbox" {
+  #Required
+  compartment_id = var.tenancy_ocid
+  description    = "dynamic-group iacbox manage all-resources in tenancy"
+  name           = "iacbox_tenancy_admin"
+  statements     = local.iacbox_policy_statements
+}
+
+locals {
+  iacbox_policy_statements = [
+    "Allow dynamic-group ${oci_identity_dynamic_group.iacbox.name} to manage all-resources in tenancy"
+  ]
+}
diff --git a/main.tf b/main.tf
@@ -8,37 +8,6 @@ locals {
   formatted_timestamp = formatdate("YYYY-MM-DD hh:mm:ss", timestamp())
 }
 
-module "vcn_iacbox" {
-  source  = "oracle-terraform-modules/vcn/oci"
-  version = "3.0.0"
-
-  # general oci parameters
-  compartment_id = var.compartment_id
-
-  # vcn parameters
-  create_drg               = false           # boolean: true or false
-  create_internet_gateway  = true            # boolean: true or false
-  lockdown_default_seclist = false           # boolean: true or false
-  create_nat_gateway       = false           # boolean: true or false
-  create_service_gateway   = false           # boolean: true or false
-  vcn_cidrs                = ["10.0.0.0/16"] # List of IPv4 CIDRs
-  vcn_dns_label            = "iac"
-  vcn_name                 = "iac"
-}
-
-resource "oci_core_subnet" "vcn_iacbox_public" {
-  #Required
-  cidr_block     = "10.0.0.0/24"
-  compartment_id = var.compartment_id
-  vcn_id         = module.vcn_iacbox.vcn_id
-
-  #Optional
-  display_name               = "public"
-  dns_label                  = "public"
-  prohibit_public_ip_on_vnic = false
-  route_table_id             = module.vcn_iacbox.ig_route_id
-}
-
 module "instance_iacbox" {
   source  = "kral2/compute-instance/oci"
   version = "2.3.0-RC1"
@@ -59,6 +28,10 @@ module "instance_iacbox" {
   # operating system parameters
   ssh_public_keys = var.ssh_public_keys
   user_data       = filebase64(var.user_data)
+  extended_metadata = {
+    tenancy_id     = var.tenancy_ocid
+    compartment_id = var.compartment_id
+  }
   # networking parameters
   public_ip    = var.public_ip
   subnet_ocids = [oci_core_subnet.vcn_iacbox_public.id] # var.subnet_ocids

diff --git a/network.tf b/network.tf
@@ -0,0 +1,36 @@
+/*
+Last update : October, 2021
+Author: [email protected]
+Description: provision network context for iacbox instance
+*/
+
+module "vcn_iacbox" {
+  source  = "oracle-terraform-modules/vcn/oci"
+  version = "3.0.0"
+
+  # general oci parameters
+  compartment_id = var.compartment_id
+
+  # vcn parameters
+  create_drg               = false           # boolean: true or false
+  create_internet_gateway  = true            # boolean: true or false
+  lockdown_default_seclist = false           # boolean: true or false
+  create_nat_gateway       = false           # boolean: true or false
+  create_service_gateway   = false           # boolean: true or false
+  vcn_cidrs                = ["10.0.0.0/16"] # List of IPv4 CIDRs
+  vcn_dns_label            = "iac"
+  vcn_name                 = "iac"
+}
+
+resource "oci_core_subnet" "vcn_iacbox_public" {
+  #Required
+  cidr_block     = "10.0.0.0/24"
+  compartment_id = var.compartment_id
+  vcn_id         = module.vcn_iacbox.vcn_id
+
+  #Optional
+  display_name               = "public"
+  dns_label                  = "public"
+  prohibit_public_ip_on_vnic = false
+  route_table_id             = module.vcn_iacbox.ig_route_id
+}
diff --git a/release-notes/relnote-v0.5.0.md b/release-notes/relnote-v0.5.0.md
@@ -0,0 +1,15 @@
+# 2021-10-13
+
+## New features
+
+`Bootstrap.sh` installs new and tooling:
+
+- project_o : a smart oci-cli wrapper
+- GitHub cli
+- full HashiCorp stack: Packer, Terraform, Consul, Vault, Nomad, Boundary, Waypoint
+- container tooling (podman)
+
+## Changes
+
+- Hashistack-installer bumped to v0.3.1
+- Base image OCID is now dynamically retrieved, using the latest available version for the operating system family
diff --git a/release-notes/relnote-v0.6.0.md b/release-notes/relnote-v0.6.0.md
@@ -0,0 +1,10 @@
+# 2021-10-24
+
+## New features
+
+- OCI API: Add instance_principal authentication (Fix #2)
+- Auto-configure `project_o` cli (Fix #4)
+
+## Fixes
+
+- Hashistack-installer bumped to v0.3.2 : fix waypoint installation on Linux arm architecture