Bug-Fix: Discovery policy placement & scope updated (#69)

* policy scope bug fix

Author: paliwalparitosh

.gitignore

@@ -62,6 +62,9 @@ charts/tests/
 charts/**/Chart.lock
 charts/**/charts/
 
+# RM Schema Validation
+meta-schema.yaml
+
 # zip artifacts
 releases/
 

terraform/modules/helm/helm.tf

@@ -5,9 +5,11 @@ locals {
   helm_repo_url   = "https://oracle-quickstart.github.io/oci-kubernetes-monitoring"
   helm_repo_chart = "oci-onm"
 
+  k8s_namespace = var.deploy_mushop_config ? "livelab-test" : var.kubernetes_namespace
+
   helm_inputs = {
     # global
-    "global.namespace"             = var.deploy_mushop_config ? "livelab-test" : var.kubernetes_namespace
+    "global.namespace"             = local.k8s_namespace
     "global.kubernetesClusterID"   = var.oke_cluster_ocid
     "global.kubernetesClusterName" = var.oke_cluster_name
 

terraform/modules/helm/outputs.tf

@@ -1,4 +1,35 @@
+locals {
+  cmd_1_helm_repo_add    = "helm repo add oci-onm https://oracle-quickstart.github.io/oci-kubernetes-monitoring"
+  cmd_2_helm_repo_update = "helm repo update"
+
+  helm_install_opt_entity_id = var.oke_cluster_entity_ocid == "DEFAULT" ? "" : "--set oci-onm-logan.ociLAClusterEntityID=${var.oke_cluster_entity_ocid}"
+
+  cmd_3_helm_install = join(" ", [
+    "helm install oci-kubernetes-monitoring oci-onm/oci-onm",
+    "--set global.namespace=${local.k8s_namespace}",
+    "--set global.kubernetesClusterID=${var.oke_cluster_ocid}",
+    "--set global.kubernetesClusterName=${var.oke_cluster_name}",
+    "--set oci-onm-logan.ociLALogGroupID=${var.oci_la_logGroup_id}",
+    "--set oci-onm-logan.ociLANamespace=${var.oci_la_namespace}",
+    local.helm_install_opt_entity_id,
+    "--set oci-onm-mgmt-agent.deployMetricServer=${var.opt_deploy_metric_server}",
+    "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${var.mgmt_agent_install_key_content}"
+  ])
+}
+
 # Helm release artifacts for local testing and validation.
 output "helm_template" {
   value = var.generate_helm_template ? data.helm_template.oci-kubernetes-monitoring[0].manifest : null
+}
+
+output "cmd_1_helm_repo_add" {
+  value = local.cmd_1_helm_repo_add
+}
+
+output "cmd_2_helm_repo_update" {
+  value = local.cmd_2_helm_repo_update
+}
+
+output "cmd_3_helm_install" {
+  value = local.cmd_3_helm_install
 }

terraform/modules/iam/iam.tf

@@ -2,38 +2,24 @@
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
-  # Compartments
-  oci_onm_compartment_name = data.oci_identity_compartment.oci_onm_compartment.name
-  oke_compartment_name     = data.oci_identity_compartment.oke_compartment.name
+  cluster_ocid_md5 = md5(var.oke_cluster_ocid)
 
   # Dynmaic Group
-  uuid_dynamic_group            = md5(var.oke_cluster_ocid)
-  dynamic_group_name            = "oci-kubernetes-monitoring-${local.uuid_dynamic_group}"
+  dynamic_group_name            = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}"
   dynamic_group_desc            = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Required for monitoring OKE Cluster - ${var.oke_cluster_ocid}"
   instances_in_compartment_rule = ["ALL {instance.compartment.id = '${var.oke_compartment_ocid}'}"]
   management_agent_rule         = ["ALL {resource.type='managementagent', resource.compartment.id='${var.oci_onm_compartment_ocid}'}"]
   dynamic_group_matching_rules  = concat(local.instances_in_compartment_rule, local.management_agent_rule)
   complied_dynamic_group_rules  = "ANY {${join(",", local.dynamic_group_matching_rules)}}"
 
   # Policy
-  uuid_policy          = md5("${local.dynamic_group_name}${local.oci_onm_compartment_name}")
-  policy_name          = "oci-kubernetes-monitoring-${local.uuid_policy}"
-  policy_desc          = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively."
-  policy_scope         = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment ${local.oci_onm_compartment_name}"
-  mgmt_agent_policy    = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.policy_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"]
-  fluentd_agent_policy = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.policy_scope}"]
-  discovery_api_policy = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in ${local.policy_scope}"]
-  policy_statements    = concat(local.fluentd_agent_policy, local.mgmt_agent_policy, local.discovery_api_policy)
-}
-
-# Logging Analytics Compartment
-data "oci_identity_compartment" "oci_onm_compartment" {
-  id = var.oci_onm_compartment_ocid
-}
-
-# OKE Compartment
-data "oci_identity_compartment" "oke_compartment" {
-  id = var.oke_compartment_ocid
+  policy_name                = "oci-kubernetes-monitoring-${local.cluster_ocid_md5}"
+  policy_scope               = var.root_compartment_ocid == var.oci_onm_compartment_ocid ? "tenancy" : "compartment id ${var.oci_onm_compartment_ocid}"
+  policy_desc                = "Auto generated by Resource Manager Stack - oci-kubernetes-monitoring. Allows Fluentd and MgmtAgent Pods running inside Kubernetes Cluster to send the data to OCI Logging Analytics and OCI Monitoring respectively."
+  mgmt_agent_stmt            = ["Allow dynamic-group ${local.dynamic_group_name} to use METRICS in ${local.policy_scope} WHERE target.metrics.namespace = 'mgmtagent_kubernetes_metrics'"]
+  fluentd_agent_stmt         = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in ${local.policy_scope}"]
+  discovery_api_stmt         = ["Allow dynamic-group ${local.dynamic_group_name} to {LOG_ANALYTICS_DISCOVERY_UPLOAD} in tenancy"]
+  compiled_policy_statements = concat(local.fluentd_agent_stmt, local.mgmt_agent_stmt, local.discovery_api_stmt)
 }
 
 # Dynmaic Group
@@ -49,8 +35,8 @@ resource "oci_identity_dynamic_group" "oke_dynamic_group" {
 resource "oci_identity_policy" "oke_monitoring_policy" {
   name           = local.policy_name
   description    = local.policy_desc
-  compartment_id = var.oci_onm_compartment_ocid
-  statements     = local.policy_statements
+  compartment_id = var.root_compartment_ocid
+  statements     = local.compiled_policy_statements
   #provider       = oci.home_region
 
   depends_on = [oci_identity_dynamic_group.oke_dynamic_group]

terraform/oke/main.tf

@@ -18,8 +18,7 @@ locals {
   module_controls_enable_iam_module        = alltrue([var.toggle_iam_module, var.opt_create_dynamicGroup_and_policies, !var.livelab_switch])
   module_controls_enable_logan_module      = alltrue([var.toggle_logan_module])
   module_controls_enable_mgmt_agent_module = alltrue([var.toggle_mgmt_agent_module])
-  module_controls_enable_helm_module = alltrue([var.toggle_helm_module, local.deploy_helm,
-  local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module])
+  module_controls_enable_helm_module       = alltrue([var.toggle_helm_module, local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module])
 }
 
 // Only execute for livelab stack
@@ -78,7 +77,7 @@ module "helm_release" {
   source                         = "./modules/helm"
   helm_abs_path                  = abspath("./charts/oci-onm")
   use_local_helm_chart           = var.toggle_use_local_helm_chart
-  install_helm                   = var.toggle_install_helm
+  install_helm                   = local.deploy_helm && var.toggle_install_helm
   generate_helm_template         = var.toggle_generate_helm_template
   oke_compartment_ocid           = var.oke_compartment_ocid
   oke_cluster_ocid               = var.oke_cluster_ocid
@@ -101,6 +100,6 @@ module "import_kubernetes_dashbords" {
   source           = "./modules/dashboards"
   compartment_ocid = var.oci_onm_compartment_ocid
 
-  count = local.module_controls_enable_dashboards_module ? 1 : 0
-  depends_on = [ module.helm_release ]
+  count      = local.module_controls_enable_dashboards_module ? 1 : 0
+  depends_on = [module.helm_release]
 }

terraform/oke/outputs.tf

@@ -1,69 +1,22 @@
 # Copyright (c) 2023, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
-locals {
-  # generate_helm_output evaluates to true in production
-  generate_helm_output = alltrue([local.module_controls_enable_mgmt_agent_module, local.module_controls_enable_logan_module])
-
-  output_helm_external_values = local.generate_helm_output ? yamlencode({
-    "global" = {
-      "kubernetesClusterID"   = var.oke_cluster_ocid
-      "kubernetesClusterName" = local.oke_cluster_name
-    }
-    "oci-onm-logan" = {
-      "ociLANamespace"       = module.loggingAnalytics[0].oci_la_namespace
-      "ociLALogGroupID"      = module.loggingAnalytics[0].oci_la_logGroup_ocid
-      "ociLAClusterEntityID" = var.oke_cluster_entity_ocid == "DEFAULT" ? null : var.oke_cluster_entity_ocid
-    }
-    "oci-onm-mgmt-agent" = {
-      "mgmtagent" = {
-        "installKeyFileContent" = module.management_agent[0].mgmt_agent_install_key_content
-      }
-    }
-  }) : null
-
-
-  cmd_1_helm_repo_add = "helm repo add oci-onm https://oracle-quickstart.github.io/oci-kubernetes-monitoring"
-
-  cmd_2_helm_repo_update = "helm repo update"
-
-  helm_install_opt_entity_id = var.oke_cluster_entity_ocid == "DEFAULT" ? "" : "--set oci-onm-logan.ociLAClusterEntityID=${var.oke_cluster_entity_ocid}"
-
-  cmd_3_helm_install = local.generate_helm_output ? join(" ", [
-    "helm install oci-kubernetes-monitoring oci-onm/oci-onm",
-    "--set global.kubernetesClusterID=${var.oke_cluster_ocid}",
-    "--set global.kubernetesClusterName=${local.oke_cluster_name}",
-    "--set oci-onm-logan.ociLALogGroupID=${module.loggingAnalytics[0].oci_la_logGroup_ocid}",
-    "--set oci-onm-logan.ociLANamespace=${module.loggingAnalytics[0].oci_la_namespace}",
-    local.helm_install_opt_entity_id,
-    "--set oci-onm-mgmt-agent.mgmtagent.installKeyFileContent=${module.management_agent[0].mgmt_agent_install_key_content}"
-  ]) : null
-}
-
 ###
-# helm outputs
+# Module outputs
 ###
 
 output "cmd_1_helm_repo_add" {
-  value = local.generate_helm_output ? local.cmd_1_helm_repo_add : null
+  value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_1_helm_repo_add : null
 }
 
 output "cmd_2_helm_repo_update" {
-  value = local.generate_helm_output ? local.cmd_2_helm_repo_update : null
+  value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_2_helm_repo_update : null
 }
 
 output "cmd_3_helm_install" {
-  value = local.generate_helm_output ? local.cmd_3_helm_install : null
+  value = local.module_controls_enable_helm_module ? module.helm_release[0].cmd_3_helm_install : null
 }
 
-/* output "external_values_yaml" {
-  value = local.output_helm_external_values
-} */
-
-###
-# Module outputs
-###
-
 output "oke_cluster_name" {
   value = local.oke_cluster_name
 }