SFD Updates and IAM Domain Audit (#61)

* Trend of Identity API Calls widget

* SFD updates and repo maint

* Region Filter for SFD dashboards

* SFD Security Operations screenshot update

* SFD Region Filter

* Added Deploy to Oracle Cloud link

* Removed old readme.md

* Support to enabling flow logs

* SFD Terraform and IAM Domain Audit

* SFD release sfd-la-3.1 update

* SFD sfd-la-2.1 release update

---------

Co-authored-by: gustavo_saurez <[email protected]>
Co-authored-by: KGV <[email protected]>

knowlege-content/MAP/security-fundamentals-dashboards/README.md → knowledge-content/MAP/security-fundamentals-dashboards/README.md

@@ -1,6 +1,6 @@
 # Security Fundamentals Dashboards for MAP
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-o11y-solutions/releases/download/sfd-updates/sfd-la-2.0.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/jujufugh/oci-o11y-solutions/releases/download/sfd-la-2.1/sfd-la-2.1.zip)
 
 
 ### Dashboards screenshots

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/provider.tf → knowledge-content/MAP/security-fundamentals-dashboards/modules/sfd/provider.tf

@@ -28,3 +28,5 @@ provider "oci" {
   private_key_path     = var.private_key_path
   private_key_password = var.private_key_password
 }
+
+

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/schema.yml → knowledge-content/MAP/security-fundamentals-dashboards/modules/sfd/schema.yml

@@ -18,6 +18,9 @@ variableGroups:
       - "create_service_connector_audit"
       - "logging_analytics_log_group_name"
       - "service_connector_audit_state"
+      - "configure_flow_logs"
+      - "flow_logs_log_groups_ids"
+
 
   - title: "Hidden Variables"
     visible: false
@@ -28,6 +31,8 @@ variableGroups:
       - "private_key_path"
       - "private_key_password"
       - "iam_dashboard_import_custom_content_file"
+      - "subnet_flow_logs_compartment_ids"
+
 
 variables:
   region:
@@ -63,11 +68,33 @@ variables:
   logging_analytics_log_group_name:
     type: string
     required: true
-    default: "sfd_identity_domain_audit"
-    description: "Name of the Logging Analytics Log Group that will have the Audit Logs"
+    default: "sfd_la_log_group"
+    description: "Name of the Logging Analytics Log Group that will have the Logs.  The log group is create in the same compartment as the dasboard."
     title: "Logging Analytic Log Group Name"
     visible: create_service_connector_audit
 
+  configure_flow_logs:
+    type: boolean
+    title: "Include Subnet Flow Logs?"
+    description: "Allows to include OCI Log Groups with Flow Logs as sources for the Service Connector."
+    required: true
+    default: false
+    visible: create_service_connector_audit
+
+  flow_logs_log_groups_ids:
+    type: array
+    required: false
+    items:
+      type: string
+    uniqueItems: true
+    maxItems: 10
+    minItems: 1
+    description: "List of existing OCI Log Group OCIDs that contain the flow logs.  These log groups will be added as a source of the Service Connector."
+    title: "Existing OCI Flow Log Groups OCIDs"
+    visible: configure_flow_logs
+
+
+
 # Variables not required to display to user
   user_ocid:
     type: string

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/sfd_dashboard.tf → knowledge-content/MAP/security-fundamentals-dashboards/modules/sfd/sfd_dashboard.tf

@@ -7,7 +7,8 @@ locals {
     regions_map              = { for r in data.oci_identity_regions.these.regions : r.key => r.name } # All regions indexed by region key.
     sfd_repo                 = "https://raw.githubusercontent.com/oracle-quickstart/oci-o11y-solutions/main/knowlege-content/MAP/security-fundamentals-dashboards/"
     dashboard_names          = toset(["Identity%20Security.json","Network%20Security.json","Security%20Operations.json"])
-
+    sch_source_logs          = concat(["_Audit_Include_Subcompartment"], var.configure_flow_logs ? var.flow_logs_log_groups_ids : [] )
+
 }
 
 data "oci_identity_regions" "these" {}
@@ -23,15 +24,20 @@ data "http" "security_dashboards" {
   }
 }
 
-data "oci_logging_log_groups" "oci_log_groups" {
-    #Required
-    compartment_id = var.sfd_compartment_ocid
-
-    #Optional
-    display_name = "_Audit_Include_Subcompartment"
-    #is_compartment_id_in_subtree = var.log_group_is_compartment_id_in_subtree
+data "oci_logging_log_group" "flow_log_group" {
+  for_each = var.flow_logs_log_groups_ids != null ? toset(var.flow_logs_log_groups_ids) : []
+    log_group_id = each.value
 }
 
+# data "oci_logging_log_groups" "oci_log_groups" {
+#     #Required
+#     compartment_id = var.sfd_compartment_ocid
+
+#     #Optional
+#     display_name = "_Audit_Include_Subcompartment"
+#     #is_compartment_id_in_subtree = var.log_group_is_compartment_id_in_subtree
+# }
+
 
 # output "audit_id" {
 #     value = data.oci_logging_log_groups.oci_log_groups.id
@@ -88,20 +94,38 @@ data "oci_log_analytics_log_analytics_log_group" "iam_dashboard_log_group_detail
 
 resource "oci_sch_service_connector" "iam_dashboard_service_connector" {
   count = (var.create_service_connector_audit  == true ) ? 1 : 0
+  lifecycle {
+      ## Check 1: Valid log group ocid.
+      precondition {
+        condition = var.configure_flow_logs == true ? !contains([for logid in var.flow_logs_log_groups_ids : data.oci_logging_log_group.flow_log_group[logid].id == null],true): true
+        error_message = "VALIDATION FAILURE.  A provided OCI Log Group OCID is not valid."
+      }
+  }  
   compartment_id = var.sfd_compartment_ocid
   #defined_tags  = {"${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}" = "updatedValue"}
-  description    = "Used to populate Logging Analytics with OCI Audit Logs"
-  display_name   = "IAM Identity Domain Audit to Logging Analytics"
+  description    = "Used to populate Logging Analytics with OCI Audit Logs and Flow Logs used by SFD"
+  display_name   = "SFD Service Connector for Logging Analytics"
 
 
   source {
     kind = "logging"
     #Audit
-    log_sources {
-      compartment_id = var.sfd_compartment_ocid
-      log_group_id   = "_Audit"
-      log_id = ""
+    # log_sources {
+    #   compartment_id = var.sfd_compartment_ocid
+    #   log_group_id   = "_Audit"
+    #   log_id = ""
+    # }
+  dynamic "log_sources" {
+    for_each = local.sch_source_logs 
+
+    content {
+      #compartment_id = var.sfd_compartment_ocid
+      compartment_id = log_sources.value == "_Audit_Include_Subcompartment" ? var.tenancy_ocid : data.oci_logging_log_group.flow_log_group[log_sources.value].compartment_id
+      log_group_id   = log_sources.value
+      log_id = ""      
     }
+
+  }
   }
   target {
     kind            = "loggingAnalytics"

knowledge-content/MAP/security-fundamentals-dashboards/modules/sfd/terraform.tfvars.template

@@ -0,0 +1,20 @@
+#---------------------------------------
+# Tenancy Connectivity Variables
+#---------------------------------------
+
+tenancy_ocid         = "<REPLACE WITH TENANCY OCID>"             # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "Tenancy: <your tenancy name>").
+user_ocid            = "<REPLACE WITH USER OCID>"                # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "My profile").
+fingerprint          = "<REPLACE WITH API KEY FINGERPRINT>"      # The fingerprint can be gathered from your user account. In the "My profile page, click "API keys" on the menu in left hand side).
+private_key_path     = "<REPLACE WITH PRIVATE API KEY PATH>"  # This is the full path on your local system to the API signing private key.
+private_key_password = ""                           # This is the password that protects the private key, if any.
+region               = "us-ashburn-1" 
+
+#---------------------------------------
+# input Variables
+#---------------------------------------
+
+sfd_compartment_ocid = "<REPLACE WITH SFD COMPARTMENT OCID>"
+logging_analytics_log_group_name = "sfd_log_group"
+subnet_flow_logs_compartment_ids = ["<COMPARTMENT1 OCID>","<COMPARTMENT2 OCID>"]
+configure_flow_logs = true
+create_service_connector_audit = true

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/variables.tf → knowledge-content/MAP/security-fundamentals-dashboards/modules/sfd/variables.tf

@@ -42,12 +42,24 @@ variable create_service_connector_audit {
 
 variable logging_analytics_log_group_name {
   type = string
-  default = "sfd_identity_domain_audit"
+  default = null
 }
 
 variable service_connector_audit_state {
   type = string
   default = "INACTIVE"
 }
 
+variable configure_flow_logs {  #RM use
+  type = bool
+  default = false
+}
+
+
+variable flow_logs_log_groups_ids {
+  type = list(string)
+  default = null
+}
+
+