SFD 2.0 Terraform Stack - Deploy option (#49)

* Trend of Identity API Calls widget

* SFD updates and repo maint

* Region Filter for SFD dashboards

* SFD Security Operations screenshot update

* SFD Region Filter

* added to github

---------

Co-authored-by: gustavo_saurez <gustavo.saurez@oracle.com>

Author: jujufugh

knowlege-content/MAP/security-fundamentals-dashboards/README.md

@@ -1,5 +1,7 @@
 # Security Fundamentals Dashboards for MAP
 
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/jujufugh/oci-o11y-solutions/releases/download/security-fundamentals-dashboard/sfd-la-2.0.zip)
+
 ### Dashboards screenshots
 * Identity Dashboard
 ![Out-of-Box Dashboard for Identity Security](images/identity_security_dashboard_identity_domain.png)

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/README.md

@@ -0,0 +1,55 @@
+# oci-iam-dashboard
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/gsrz23/oci-iam-dashboard/archive/refs/heads/main.zip)
+
+This repository provides an OCI Logging Analytics Dashboard with some sample widgets to monitor and visualize audit Events for OCI IAM Identity Domains.  The Dashboard will only work in OCI Tenancies that [support IAM Identity Domains](https://docs.oracle.com/en-us/iaas/Content/Identity/getstarted/identity-domains.htm#identity_documentation__updated-identity-domains).  
+
+
+## Overview
+
+The Audit Logs for OCI IAM Identity Domains can be obtained directly from the OCI Audit Service along with the events from other OCI Services.  The IDCS Rest APIs can still be used, but the Audit Service is more convenient since Audit logs can be easily pushed to Streaming, Object Storage, etc.  The solution in this repository deploys Service Connector Hub to send OCI Audit Logs to Logging Analytics.  It also deploys a sample Dashboard to visualize the audit logs for OCI IAM Identity Domains.
+
+![Dashboard1](images/Dashboard1.png)
+![Dashboard3](images/Dashboard3.png)
+![Dashboard2](images/Dashboard2.png)
+
+
+## Resources
+
+The following resources are provisioned with terraform or Resource Manager
+
+- **Logging Analytics**: This is a regional service.  It will be onboarded in the selected region if not available yet.  This can incur  some storage costs.
+- **Custom Logging Analytics Fields**: Some custom fields are provisioned in Logging Analytics to support parsing and querying of the OCI Audit Logs.  The fields include: IAM Domain Name, IAM Event ID, IAM Actor Name, IAM Actor Type, IAM Target Name, IAM CLIENT IP, IAM Identity Provider, etc.
+- **Custom Logging Analytics Parser**: The parser *IAM Audit Log Format* is used to parse the additionalDetails field from the OCI Audit Logs for Identity Audit Logs.
+- **OCI Audit Logs Source**:  The OOB source *OCI Audit Logs* is modified to include the above parser.
+- **Loggin Analytics Log Group**: A Log Group named *iam_identity_domain_audit_${var.iam_dashboard_domainname}* is provisioned as the target for Service Connector Hub.
+- **Service Connector Hub**: A SCH named *IAM Identity Domain Audit to Logging Analytics* is provisioned to push OCI Audit Logs from a specific compartment to Logging Analytics.
+- **IAM Policy**: A Policy named *IAM_Dashboard_ConnectorPolicy_LoggingAnalytics_${var.iam_dashboard_domainname}* that allows SCH to publish logs to the Logging Analytics Log Group.
+- **IAM Dashboard**: A sample Loggin Analytics dashboard and with queries based on the custom fields.
+
+## Deployment Notes
+
+The following variables are used for deployment:
+
+- **iam_dashboard_domain_ocid** is the OCID of the existing OCI IAM Identity Domain to be used in the Dashboard queries.  
+- **region** is Base Region of the IAM Identity Domain.  Logging Analytics will be onboarded in this region if needed.
+- **iam_dashboard_compartmentid** is the compartment ID where the OCI IAM Identity Domain resides and where the dashboard and saved queries are deployed.
+- **create_service_connector_audit** set to true if a SCH is needed to push OCI Audit Logs to Logging Analytics.  It's provisioned in the compartment *iam_dashboard_compartmentid*.  The default is *false*
+- **service_connector_audit_state** is the initial stated of the SCH if provisioned.  Allowed values are *INACTIVE* (default) and *ACTIVE*
+- **logging_analytics_log_group_name** is the name of the Logging Analytics Log Group that will have the Audit Logs.
+- **am_dashboard_details**  a template to import dashboards, it's based on the variables *iam_dashboard_domainname* and *iam_dashboard_compartmentid*
+
+To deploy multiple Dashboards use a different stack for each one specifying the respective variables.  
+
+If multiple dashboards are created in the same compartment, there's no need to create a SCH for each.  They can all share one SCH.  The same goes for the Logging Analytics Log Group.
+
+A provisioned Dashboard can't be modified with terraform, any modification to the variable *am_dashboard_details* will create a new dashboard and new saved queries.
+
+Some considerations when using the terraform *destroy* command:
+- The Logging Analytics dashboard and customizations are removed from the terraform state but not from Logging Analytics.
+- A Dashboard and its Saved Queries have to be removed manually from the console or with API calls.
+- The Logging Analytics Log Group won't be destroyed if it contains data.
+- Logging Analytics service is not offboarded with the destroy command.
+- To remove the Logging Analytics customizations do the following from the Logging Analytics Administration Menu:
+    - Edit the OOB Source *OCI Audit Logs* and in the Parser section click Default and then save the source
+    - Delete the custom Parser *IAM Audit Log Format*
+    - Delete all the custom fields with name that starts with IAM:  IAM Domain Name, IAM EventID, IAM Actor Name, etc.

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/provider.tf

@@ -0,0 +1,30 @@
+# Copyright (c) 2021 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+
+
+provider "oci" {
+  region               = var.region
+  tenancy_ocid         = var.tenancy_ocid
+  user_ocid            = var.user_ocid
+  fingerprint          = var.fingerprint
+  private_key_path     = var.private_key_path
+  private_key_password = var.private_key_password
+}
+
+provider "oci" {
+  alias = "token"
+  auth = "SecurityToken"
+  config_file_profile = "IDDomain"
+  region               = var.region
+}
+
+provider "oci" {
+  alias                = "home"
+  region               = lookup(local.regions_map, data.oci_identity_tenancy.tenancy.home_region_key)
+  tenancy_ocid         = var.tenancy_ocid
+  user_ocid            = var.user_ocid
+  fingerprint          = var.fingerprint
+  private_key_path     = var.private_key_path
+  private_key_password = var.private_key_password
+}

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/schema.yml

@@ -0,0 +1,84 @@
+# Copyright (c) 2021 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+title: "OCI Security Fundamentals Dashboards Deployment"
+stackDescription: "A stack to deploy Logging Analytics Dashboards for OCI."
+schemaVersion: 1.1.0
+version: "0.0.1"
+locale: "en"
+
+variableGroups:
+  - title: "Dashboards Region and Compartment Information"
+    variables:
+      - "region"
+      - "sfd_compartment_ocid"
+
+  - title: "Service Connector for Logging Analytics"
+    variables:
+      - "create_service_connector_audit"
+      - "logging_analytics_log_group_name"
+      - "service_connector_audit_state"
+
+  - title: "Hidden Variables"
+    visible: false
+    variables:
+      - "tenancy_ocid"
+      - "user_ocid"
+      - "fingerprint"
+      - "private_key_path"
+      - "private_key_password"
+      - "iam_dashboard_import_custom_content_file"
+
+variables:
+  region:
+    type: oci:identity:region:name
+    title: "Dashboards Region"
+    description: "Base Region of Dashboards.  Note: Logging Analytics will be onboarded on this region"
+    required: true
+
+  sfd_compartment_ocid:
+    type: oci:identity:compartment:id
+    title: "Dashboard Compartment Name"
+    description: "Compartment where the dashboards and saved queries will be deployed"
+    required: true
+
+  create_service_connector_audit:
+    type: boolean
+    title: "Create Service Connector for IAM Identity Domain Audit?"
+    description: "Creates a Service Connector for IAM Identity Domain Audit logs with Logging Analytics as the Target.  It's created in the same compartment as the Dashboard"
+    required: true
+    default: false
+
+  service_connector_audit_state:
+    type: enum
+    required: false
+    title: "Service Connector Hub State"
+    description: "Initial state in which to create the Service Connector Hub for Audit logs."
+    default: INACTIVE
+    visible: create_service_connector_audit
+    enum:
+      - INACTIVE
+      - ACTIVE
+
+  logging_analytics_log_group_name:
+    type: string
+    required: true
+    default: "sfd_identity_domain_audit"
+    description: "Name of the Logging Analytics Log Group that will have the Audit Logs"
+    title: "Logging Analytic Log Group Name"
+    visible: create_service_connector_audit
+
+# Variables not required to display to user
+  user_ocid:
+    type: string
+
+  fingerprint:
+    type: string
+
+  private_key_path:
+    type: string
+
+  private_key_password:
+    type: password
+
+  

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/sfd_dashboard.tf

@@ -0,0 +1,124 @@
+# Copyright (c) 2021 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+
+locals { 
+    # iam_dashboard_domainname = data.oci_identity_domain.oci_dashboard_identity_domain.display_name
+    regions_map              = { for r in data.oci_identity_regions.these.regions : r.key => r.name } # All regions indexed by region key.
+    sfd_repo                 = "https://raw.githubusercontent.com/oracle-quickstart/oci-o11y-solutions/main/knowlege-content/MAP/security-fundamentals-dashboards/"
+    dashboard_names          = toset(["Identity%20Security.json","Network%20Security.json","Security%20Operations.json"])
+    
+}
+
+data "oci_identity_regions" "these" {}
+data oci_identity_tenancy tenancy {
+    tenancy_id = var.tenancy_ocid
+}
+
+data "http" "security_dashboards" {
+  for_each = local.dashboard_names
+    url = "${local.sfd_repo}${each.value}"
+    request_headers = {
+      Accept = "application/json"
+  }
+}
+
+data "oci_logging_log_groups" "oci_log_groups" {
+    #Required
+    compartment_id = var.sfd_compartment_ocid
+
+    #Optional
+    display_name = "_Audit_Include_Subcompartment"
+    #is_compartment_id_in_subtree = var.log_group_is_compartment_id_in_subtree
+}
+
+
+# output "audit_id" {
+#     value = data.oci_logging_log_groups.oci_log_groups.id
+# }
+
+data "oci_objectstorage_namespace" "ns" {
+  compartment_id             = var.sfd_compartment_ocid
+}
+
+data "oci_log_analytics_namespaces" "sfd_dashboard_namespaces" {
+  compartment_id = var.tenancy_ocid
+}
+
+resource "oci_log_analytics_namespace" "sfd_dashboard_namespace" {
+  count = data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.is_onboarded ? 0 : 1
+  namespace = data.oci_objectstorage_namespace.ns.namespace
+  is_onboarded = true
+  compartment_id = var.tenancy_ocid
+}
+
+
+resource "time_sleep" "wait_40_seconds" {
+  count = data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.is_onboarded ? 0 : 1
+  depends_on = [oci_log_analytics_namespace.sfd_dashboard_namespace]
+  create_duration = "40s"
+}
+
+resource "oci_management_dashboard_management_dashboards_import" "iam_dashboard_import" {
+  for_each = local.dashboard_names
+    #import_details = replace(replace(data.http.security_dashboards[each.key].response_body,"${"$"}{compartment_ocid}","${var.sfd_compartment_ocid}"),"2507e19d927d458a0cafe461cd07c5ae","${var.sfd_compartment_ocid}")
+    #import_details = replace(data.http.security_dashboards[each.key].response_body,"/(\"compartmentId\":\\s*\")\\S+\"/","\"compartmentId\": \"${var.sfd_compartment_ocid}\"")
+    import_details = replace(data.http.security_dashboards[each.key].response_body,"/(\"compartmentId\":\\s*\")\\S+\"/","$${1}${var.sfd_compartment_ocid}\"")
+    #import_details = templatefile(format("%s/%s/%s", path.root,"resources", each.value), {"compartment_ocid" : "${var.sfd_compartment_ocid}"})
+}
+
+
+# Create a log group with required parameters
+resource "oci_log_analytics_log_analytics_log_group" "iam_dashboard_log_group" {
+
+  count = (var.create_service_connector_audit  == true ) ? 1 : 0
+  compartment_id             = var.sfd_compartment_ocid
+  #namespace                  = oci_log_analytics_namespace.iam_dashboard_namespace.namespace
+  namespace = data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.is_onboarded ? data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.namespace : oci_log_analytics_namespace.sfd_dashboard_namespace[count.index].namespace
+  display_name               = var.logging_analytics_log_group_name
+}
+
+# Get details of above created log group with required parameters
+data "oci_log_analytics_log_analytics_log_group" "iam_dashboard_log_group_details" {
+  count = (var.create_service_connector_audit  == true ) ? 1 : 0
+  #namespace                  = data.oci_log_analytics_namespaces.iam_dashboard_namespaces.namespace_collection.0.items.0.namespace
+  namespace = data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.is_onboarded ? data.oci_log_analytics_namespaces.sfd_dashboard_namespaces.namespace_collection.0.items.0.namespace : oci_log_analytics_namespace.sfd_dashboard_namespace[count.index].namespace
+  log_analytics_log_group_id = oci_log_analytics_log_analytics_log_group.iam_dashboard_log_group[count.index].id
+}
+
+resource "oci_sch_service_connector" "iam_dashboard_service_connector" {
+  count = (var.create_service_connector_audit  == true ) ? 1 : 0
+  compartment_id = var.sfd_compartment_ocid
+  #defined_tags  = {"${oci_identity_tag_namespace.tag-namespace1.name}.${oci_identity_tag.tag1.name}" = "updatedValue"}
+  description    = "Used to populate Logging Analytics with OCI Audit Logs"
+  display_name   = "IAM Identity Domain Audit to Logging Analytics"
+
+
+  source {
+    kind = "logging"
+    #Audit
+    log_sources {
+      compartment_id = var.sfd_compartment_ocid
+      log_group_id   = "_Audit"
+      log_id = ""
+    }
+  }
+  target {
+    kind            = "loggingAnalytics"
+    log_group_id    = data.oci_log_analytics_log_analytics_log_group.iam_dashboard_log_group_details[count.index].id
+  }
+
+  state = var.service_connector_audit_state
+}
+
+resource "oci_identity_policy" "connectorpolicy_logginganalytics" {
+  count = (var.create_service_connector_audit  == true ) ? 1 : 0
+  name           = "SFD_Dashboard_ConnectorPolicy_LoggingAnalytics"
+  description    = "Policy to allow Service Connector to upload logs to a Logging Analytics Log Group"
+  compartment_id = var.sfd_compartment_ocid
+  provider = oci.home
+
+  statements = [
+    "allow any-user to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in compartment id ${var.sfd_compartment_ocid} where all {request.principal.type='serviceconnector', target.loganalytics-log-group.id='${data.oci_log_analytics_log_analytics_log_group.iam_dashboard_log_group_details[count.index].id}', request.principal.compartment.id='${var.sfd_compartment_ocid}'}"
+  ]
+}

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/terraform.tfvars.template

@@ -0,0 +1,16 @@
+#---------------------------------------
+# Tenancy Connectivity Variables
+#---------------------------------------
+
+tenancy_ocid         = "ocid1.tenancy.oc1..aaaaaaaaa3qmjxr43tjexx75r6gwk6vjw22ermohbw2vbxyhczksgjir7xdq"             # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "Tenancy: <your tenancy name>").
+user_ocid            = "ocid1.user.oc1..aaaaaaaaag3xbwgruyx5q6xlbpvdkgfhpe5l76lzy4wgaoji5wwrx6e7ha6a"                # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "My profile").
+fingerprint          = "93:13:4d:f4:74:86:91:5e:50:c5:6d:34:2c:af:7b:b0"      # The fingerprint can be gathered from your user account. In the "My profile page, click "API keys" on the menu in left hand side).
+private_key_path     = "/Users/gsaurez/.oci/gs_oci_api_key.pem"  # This is the full path on your local system to the API signing private key.
+private_key_password = ""                           # This is the password that protects the private key, if any.
+region               = "mx-queretaro-1"  #"us-ashburn-1" 
+
+#---------------------------------------
+# input Variables
+#---------------------------------------
+
+sfd_compartment_ocid = "ocid1.compartment.oc1..aaaaaaaaib4damcmimkx7c4u75wz4n6kknbc6rjaxex5rb2zxdxn47rdsh2q"

knowlege-content/MAP/security-fundamentals-dashboards/modules/sfd/variables.tf

@@ -0,0 +1,53 @@
+# Copyright (c) 2021 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+
+
+variable "sfd_compartment_ocid" {
+    type = string
+  }
+
+variable "tenancy_ocid" {}
+
+variable "user_ocid" {
+  default = ""
+}
+variable "fingerprint" {
+  default = ""
+}
+variable "private_key_path" {
+  default = ""
+}
+variable "private_key_password" {
+  default = ""
+}
+variable "region" {}
+
+
+# variable iam_dashboard_import_custom_content_file {
+#   default = "./resources/ociAuditLogSource.zip"
+# }
+
+# #variable iam_dashboard_import_custom_content_namespace {}
+
+# variable iam_dashboard_custom_content_is_overwrite {
+#   type = bool
+#   default = true
+# }
+
+variable create_service_connector_audit {
+  type = bool
+  default = false
+}
+
+variable logging_analytics_log_group_name {
+  type = string
+  default = "sfd_identity_domain_audit"
+}
+
+variable service_connector_audit_state {
+  type = string
+  default = "INACTIVE"
+}
+
+