Removed policies (#11)

* Application information + output for LB IP + deploy script

* Version

* gitattributes

* Dynamic names for subnet and subnet dns

* Choice of compartement for project and DNS

* Removed comments and unused fields

* Removed policies and moved token creation

* Inverted token condition

* Update README.md

* Readme + bug fix

* added branche name to objects + added commit or version to image

* Readme

Author: fmeheust

README.md

@@ -36,11 +36,25 @@ For deploying your Java App with the App Stack, here is the list of OCI prerequi
 
 - **DevOps project (optional):** A Java application in an OCI DevOps project (can be a mirror of an existing GitHub repo). This isn't required if the application is provided as a container image.
 - **Database:** an existing Autonomous Database  - Shared Infrastructure (ADB-S) can be used with the stack. The stack may create a new one, if specified during the Stack configuration. 
-- **Vault (optional):** A new user in IAM (<application_name>-user) is created and its token used for connectng to the DevOps repo, is stored in the vault. When the stack is destroyed this user is removed. A Vault is necessary to avoid the limit on the number of tokens the current user has however, the Vault isn't required if the application is provided as a container image.
+- **Vault (optional):** An authentication token can either be provided or created by the stack. It is used for connecting to the DevOps repos. A Vault is necessary to store this token, the Vault isn't required if the application is provided as a container image.
 - **DNS (optional):** A DNS zone for creating the application URL (for example https://myapp.domain.com). If not provided during the stack configuration, the application will be available through the load balancer's public IP. You can then configure your third-party DNS provider to point to this IP address.
 - **HTTPS certificate (optional):** is needed for the load balancer. If no certificate is provided, HTTP will be used against the IP address.
-
-
+- **IAM:** The following rights are needed:
+  - Two *dynamic groups* need to be created, one for *container instances* and the other for *DevOps*.
+  - *Container instances* should be allowed to **read** **repos**. This will allow container instances to fetch the container image generated by the stack from the container registry.
+  - *DevOps* should be allowed to: **read** **secret-family** and **all-artifacts**; **use** **ons-topics**, **load-balancers** and **virtual-network-family**; and **manage** **devops-family**, **compute-container-instances**, **compute-containers** and **devops-family**. This will allow *DevOps* to build and deploy the application.
+  ```
+  Allow dynamic-group 'appstack-container-instances' to read repos in tenancy 
+  Allow dynamic-group 'appstack-devops' to read secret-family in tenancy
+  Allow dynamic-group 'appstack-devops' to read all-artifacts in tenancy
+  Allow dynamic-group 'appstack-devops' to use ons-topics in tenancy
+  Allow dynamic-group 'appstack-devops' to use load-balancers in tenancy
+  Allow dynamic-group 'appstack-devops' to use virtual-network-family in tenancy
+  Allow dynamic-group 'appstack-devops' to manage compute-container-instances in tenancy
+  Allow dynamic-group 'appstack-devops' to manage compute-containers in tenancy
+  Allow dynamic-group 'appstack-devops' to manage devops-family in tenancy
+  ```
+  
 ## Which Cloud Resources will be used?
 
 The [Oracle Cloud Free Tier service](https://www.oracle.com/cloud/free/) allows you to  build, test, and deploy your applications on Oracle Cloud for free. Upon signing up, the service comes with a $300 credit with 30 days expiration; following the expiration or the exhaustion of the credit, most of the provisioned services remain available  as [Always Free](https://www.oracle.com/cloud/free/#always-free). You may add additional credit for services that do not fall under Always-Free.

apm.tf

@@ -5,7 +5,7 @@
 
 resource "oci_apm_apm_domain" "app_apm_domain" {
   compartment_id = var.compartment_id
-  display_name = "${var.application_name}-apm-domain"
+  display_name = "${local.application_name}-apm-domain"
   is_free_tier = var.is_free_tier
 }
 

build-artifact.yaml.template

@@ -13,10 +13,10 @@ env:
 inputArtifacts:
   - name: javaapp
     type: GENERIC_ARTIFACT
-    artifactId: ${artifactId}
+    artifactId: $${artifactId}
     registryId: ${registryId} 
-    path: "javaapp"
-    version: "0.0.1"
+    path: ${artifact_path}
+    version: $${artifact_version}
     location: $${OCI_WORKSPACE_DIR}/${config_repo_name}/${fileName}
 steps: 
   - type: Command
@@ -40,7 +40,7 @@ steps:
     timeoutInSeconds: 600
     failImmediatelyOnError: true
     command: |
-      docker build . --file Dockerfile --tag ${image_remote_tag}
+      docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$${artifact_version} --tag ${image_latest_tag}
   - type: Command
     name: Login to repo
     timeoutInSeconds: 900
@@ -52,4 +52,4 @@ steps:
     timeoutInSeconds: 600
     failImmediatelyOnError: true
     command: |
-      docker push ${image_remote_tag}
+      docker push ${image_remote_tag} --all-tags

build-repo.yaml.template

@@ -66,7 +66,10 @@ steps:
     timeoutInSeconds: 600
     failImmediatelyOnError: true
     command: |
-      docker build . --file Dockerfile --tag ${image_remote_tag}
+      cd $${OCI_WORKSPACE_DIR}/${repo_name}
+      export commit=$(git rev-list --all --max-count=1 --abbrev-commit)
+      cd $${OCI_WORKSPACE_DIR}/${config_repo_name}
+      docker build . --file Dockerfile --tag ${image_remote_tag}:${image_tag}-$commit --tag ${image_latest_tag}
   - type: Command
     name: Login to repo
     timeoutInSeconds: 900
@@ -78,4 +81,4 @@ steps:
     timeoutInSeconds: 600
     failImmediatelyOnError: true
     command: |
-      docker push ${image_remote_tag}
+      docker push ${image_remote_tag} --all-tags

config-repo.tf

@@ -68,8 +68,7 @@ resource "null_resource" "create_config_repo_war" {
     local_file.wallet,
     local_file.self_signed_certificate,
     local_file.oci_build_config,
-    random_password.wallet_password,
-    oci_identity_policy.user_manage_all_policy
+    random_password.wallet_password
   ]
 
   # clone new repository
@@ -217,8 +216,7 @@ resource "null_resource" "create_config_repo_jar" {
     local_file.wallet,
     local_file.self_signed_certificate,
     local_file.oci_build_config,
-    random_password.wallet_password,
-    oci_identity_policy.user_manage_all_policy
+    random_password.wallet_password
   ]
 
   # clone new repository
@@ -334,7 +332,7 @@ resource "oci_artifacts_repository" "application_repository" {
   compartment_id = var.compartment_id
   is_immutable = true
   repository_type = "GENERIC"
-  display_name = "${var.application_name}-repository"
+  display_name = "${local.application_name}-repository"
 }
 
 resource "oci_generic_artifacts_content_artifact_by_path" "update_container_instance_script" {

container_instance.tf

@@ -2,26 +2,18 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 # this file creates the container instances that tun the application
 
-# wait for policy to be active
-resource "time_sleep" "wait_60_seconds" {
-  depends_on = [ oci_identity_policy.container_instances_read_repo ]
-  create_duration = "60s"
-}
 
 # create container instances
 resource "oci_container_instances_container_instance" "app_container_instance" {
   depends_on = [
     oci_devops_build_run.create_docker_image,
     oci_core_subnet.app_oci_core_subnet,
-    oci_core_network_security_group.app_nsg,
-    oci_identity_user_group_membership.user_group_membership,
-    oci_identity_policy.image_access_to_user,
-    time_sleep.wait_60_seconds
+    oci_core_network_security_group.app_nsg
   ]
   availability_domain = var.availability_domain
   compartment_id = var.compartment_id
   containers {
-    image_url = local.image-remote-tag
+    image_url = local.image-latest-tag
     display_name = "${local.instance-name}-${count.index}container"
     environment_variables = merge(local.env_variables, local.other_env_variables)
   }

datasources.tf

@@ -90,6 +90,11 @@ data "template_file" "oci_config" {
   }
 }
 
+data "oci_artifacts_generic_artifact" "app_artifact" {
+  artifact_id = var.artifact_id
+  count = local.use-artifact ? 1 : 0
+}
+
 # build spec file
 data "template_file" "oci_build_config" {
   depends_on = [
@@ -98,11 +103,15 @@ data "template_file" "oci_build_config" {
   template = "${(local.use-repository ? file("${path.module}/build-repo.yaml.template") : file("${path.module}/build-artifact.yaml.template"))}"
   vars = {
     image_remote_tag = "${local.image-remote-tag}"
+    image_latest_tag = "${local.image-latest-tag}"
+    image_tag = "${local.image-name}"
     container_registry_repo = "${local.container-registry-repo}"
     login = local.login_container
     build_command = var.build_command
     artifact_location = var.artifact_location
-    oci_token = oci_vault_secret.auth_token_secret.id
+    artifact_path = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].artifact_path : "")
+    artifact_version = (local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].version : "")
+    oci_token = local.auth_token_secret
     repo_name = (local.use-repository ? data.oci_devops_repository.devops_repository[0].name : "")
     config_repo_name = local.config_repo_name
     artifactId = (local.use-artifact ? var.artifact_id : "")
@@ -122,7 +131,7 @@ data "template_file" "oci_deploy_config" {
   ]
   template = "${file("${path.module}/deploy.yaml.template")}"
   vars = {
-    oci_token = oci_vault_secret.auth_token_secret.id
+    oci_token = local.auth_token_secret
     config_repo_url = local.config_repo_url
     config_repo_name = local.config_repo_name
     artifact_ocid = oci_generic_artifacts_content_artifact_by_path.update_container_instance_script.id
@@ -140,7 +149,7 @@ data "template_file" "deploy_script" {
   template = "${file("${path.module}/deploy.sh.template")}"
   vars = {
     "backend_name" = "${oci_container_instances_container_instance.app_container_instance[count.index].vnics[0].private_ip}:${var.exposed_port}"
-    "backend_set_name" = "${local.load-balancer-name}_bset"
+    "backend_set_name" = "${var.application_name}_bset"
     "load_balancer_id" = oci_load_balancer.flexible_loadbalancer.id
     "container_instance_id" = oci_container_instances_container_instance.app_container_instance[count.index].id
   }
@@ -157,7 +166,7 @@ data "oci_devops_repository" "devops_repository" {
 }
 
 data "oci_dns_zones" "zones" {
-    compartment_id = var.compartment_id
+    compartment_id = (var.dns_compartment == "" ? var.compartment_id : var.dns_compartment)
     name = var.zone
     zone_type = "PRIMARY"
 }

devops.tf

@@ -6,7 +6,7 @@
 # create container registry in case the application is not an image (so
 # either source code or artifact)
 resource "oci_artifacts_container_repository" "application-container-repository" {
-  compartment_id = var.compartment_id
+  compartment_id = var.devops_compartment
   display_name = local.repository-name
 
   is_immutable = false
@@ -30,14 +30,14 @@ resource "oci_identity_api_key" "dbconnection_api_key" {
 # if the app is an artifact (jar/war), we need to create a topic in order
 # to create a project in devops to host the config repo
 resource "oci_ons_notification_topic" "topic" {
-  compartment_id = var.compartment_id
+  compartment_id = var.devops_compartment
   name = var.application_name
   count = local.use-artifact ? 1 : 0 # app is an artifact
 }
 
 # now we can create the project (jar/war case)
 resource "oci_devops_project" "project" {
-  compartment_id = var.compartment_id
+  compartment_id = var.devops_compartment
   name = var.application_name
   notification_config {
     topic_id = oci_ons_notification_topic.topic[0].id
@@ -46,13 +46,13 @@ resource "oci_devops_project" "project" {
 }
 
 resource "oci_logging_log_group" "devops_log_group" {
-  compartment_id = var.compartment_id
-  display_name = "logGroup"
+  compartment_id = var.devops_compartment
+  display_name = "logGroup-${formatdate("MMDDhhmm", timestamp())}"
   count = local.use-artifact ? 1 : 0
 }
 
 resource "oci_logging_log" "devops_log" {
-  display_name = "log"
+  display_name = "log-${formatdate("MMDDhhmm", timestamp())}"
   log_group_id = oci_logging_log_group.devops_log_group[0].id
   log_type     = "SERVICE"
   configuration {
@@ -72,14 +72,14 @@ resource "oci_logging_log" "devops_log" {
 resource "oci_devops_build_pipeline" "build_pipeline" {
   project_id = local.project_id
   description = "Build container image"
-  display_name = "${var.application_name}-build"
+  display_name = "${local.application_name}-build"
   count = local.use-repository ? 1 : 0
 }
 
 resource "oci_devops_build_pipeline" "build_pipeline_artifact" {
   project_id = local.project_id
   description = "Build container image"
-  display_name = "${var.application_name}-build"
+  display_name = "${local.application_name}-build"
   build_pipeline_parameters {
     items {
       default_value = local.use-artifact ? var.artifact_id : "none"
@@ -88,6 +88,13 @@ resource "oci_devops_build_pipeline" "build_pipeline_artifact" {
       #Optional
       description = "Artifact to deploy"
     }
+    items {
+      default_value = local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].version : "none"
+      name = "artifact_version"
+
+      #Optional
+      description = "Artifact version"
+    }
   }
   count = local.use-artifact ? 1 : 0
 }
@@ -164,7 +171,7 @@ resource "oci_devops_build_pipeline_stage" "art_build_pipeline_stage" {
   }
   build_spec_file = "build_spec.yaml"
   description = "Build container image"
-  display_name = "${var.application_name}-build-stage"
+  display_name = "${local.application_name}-build-stage"
   image = var.devops_pipeline_image
   is_pass_all_parameters_enabled = false
   primary_build_source = oci_devops_repository.config_repo[0].name
@@ -208,7 +215,7 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" {
 	  }
 	}
 	}
-	display_name = "${var.application_name}-trigger"
+	display_name = "${local.application_name}-trigger"
 	project_id = local.project_id
 	repository_id = data.oci_devops_repository.devops_repository[0].id
 	trigger_source = "DEVOPS_CODE_REPOSITORY"
@@ -218,16 +225,27 @@ resource "oci_devops_trigger" "generated_oci_devops_trigger" {
 # run the pipeline
 resource "oci_devops_build_run" "create_docker_image" {
   depends_on = [
-    oci_identity_policy.devops_secrets_policy,
     oci_artifacts_container_repository.application-container-repository,
     oci_devops_build_pipeline.build_pipeline,
     oci_devops_build_pipeline.build_pipeline_artifact,
     oci_devops_build_pipeline_stage.repo_build_pipeline_stage,
     oci_devops_build_pipeline_stage.art_build_pipeline_stage,
     null_resource.create_config_repo_jar,
-    null_resource.create_config_repo_war,
-    oci_identity_policy.devops_secrets_policy
+    null_resource.create_config_repo_war
   ]
+  dynamic "build_run_arguments" {
+    for_each = local.use-artifact ? [1] : []
+    content {
+      items {
+        value = local.use-artifact ? var.artifact_id : "none"
+        name = "artifactId"
+      }
+      items {
+        value = local.use-artifact ? data.oci_artifacts_generic_artifact.app_artifact[0].version : "none"
+        name = "artifact_version"
+      }
+    }
+  }
   build_pipeline_id = (local.use-artifact ? oci_devops_build_pipeline.build_pipeline_artifact[0].id : oci_devops_build_pipeline.build_pipeline[0].id)
   display_name = "triggered-by-terraform"
   count = (local.use-image ? 0 : 1)
@@ -251,7 +269,7 @@ resource "oci_devops_deploy_pipeline" "deploy_pipeline" {
   ]
   project_id   = local.project_id
   description  = "Deploy pipeline"
-  display_name = "${var.application_name}-deploy"
+  display_name = "${local.application_name}-deploy"
 }
 
  resource "oci_devops_deploy_stage" "deploy_stage" {
@@ -289,14 +307,14 @@ resource "oci_devops_deploy_pipeline" "deploy_pipeline" {
 
 # Create a projet to contain deploy pipeline when deploying for container image
 resource "oci_ons_notification_topic" "deploy_image_topic" {
-  compartment_id = var.compartment_id
-  name = "topic-${var.application_name}"
+  compartment_id = var.devops_compartment
+  name = "topic-${local.application_name}"
   count = (local.use-image ? 1 : 0)
 }
 
 resource "oci_devops_project" "deploy_image_project" {
-  compartment_id = var.compartment_id
-  name = "deploy-${var.application_name}"
+  compartment_id = var.devops_compartment
+  name = "deploy-${local.application_name}"
   notification_config {
     topic_id = oci_ons_notification_topic.deploy_image_topic[0].id
   }