Securing Resource Manager
This topic provides security information and recommendations for Resource Manager.
Resource Manager allows you to automate the provisioning of Oracle Cloud Infrastructure resources by committing the instructions to configuration files. By doing so, you ensure that provisioned resources follow the security guidelines of your organization. These configuration files capture the step-by-step provisioning instructions using a declarative language that follows the "infrastructure-as-code" model. The provisioning instructions are run as jobs.
Security Responsibilities
To use Resource Manager securely, learn about your security and compliance responsibilities.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page, which include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Confidentiality: Limit the use of sensitive data in configuration and output files
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Resource Manager in a new Oracle Cloud Infrastructure tenancy.
| Task | More Information | 
|---|---|
| Use IAM policies to grant access to users and resources | IAM Policies | 
Routine Security Tasks
After getting started with Resource Manager use this checklist to identify security tasks that we recommend you perform regularly.
| Task | More Information | 
|---|---|
| Limit the use of sensitive information in configuration and output files | Confidentiality | 
| Perform a security audit | Auditing | 
IAM Policies
Use policies to limit access to Resource Manager.
Policies for managing Oracle Cloud Infrastructure resources are also required for Resource Manager operations that access resources. For example, running an apply job on a stack that includes Compute instances and subnets requires policies that grant you permissions for those resource types, in the compartments where you want to provision the resources. To see examples of policies for managing Oracle Cloud Infrastructure resources, see Common Policies.
A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.
Assign a group the least privileges that are required to perform their responsibilities. Each policy has a verb that describes what actions the group is allowed to do. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.
For more information about Resource Manager policies, see Details for Resource Manager.
Manage Stacks and Jobs
Create this policy to allow a group to managing stacks and jobs in the tenancy, as well as manage Oracle Cloud Infrastructure resources on the tenancy stacks.
Allow group <group_name> to manage orm-stacks in tenancy
Allow group <group_name> to manage orm-jobs in tenancyCreate this policy to explicitly prevent a group from running destroy jobs.
In this policy statement, you must include the new permission to
read orm-jobs because the third statement includes a condition that uses variables that are not relevant to listing or getting jobs. Allow group <group_name> to use orm-stacks in tenancy
Allow group <group_name> to read orm-jobs in tenancy
Allow group <group_name> to manage orm-jobs in tenancy where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}
For more details about stack permissions, see orm-stacks. For more details about job permissions, see orm-jobs.
Manage Configuration Source Providers
Create this policy to grant a group permission to create, update, move, and delete configuration source providers in the tenancy.
Allow group <group_name> to manage orm-config-source-providers in tenancyCreate this policy to grant a group permission to create stacks from configuration files in source code control systems (using existing configuration source providers), in addition to managing stacks and jobs.
Allow group <group_name> to read orm-config-source-providers in tenancy
Allow group <group_name> to manage orm-stacks in tenancy
Allow group <group_name> to manage orm-jobs in tenancyFor more details about configuration source provider permissions, see orm-config-source-providers.
Manage Private Templates
Create this policy to grant a group permission to create, update, move, and delete private templates in the tenancy.
Allow group <group_name> to manage orm-template in tenancyCreate this policy to grant a group permission to create stacks from private templates, in addition to managing stacks and jobs.
Allow group <group_name> to manage orm-stacks in tenancy
Allow group <group_name> to manage orm-jobs in tenancy
Allow group <group_name> to read orm-templates in tenancyFor more details about private template permissions, see orm-templates.
Manage Private Endpoints
Create this policy to grant a group permission to create, update, move, and delete private endpoints in the tenancy, including the ability to select VCNs and subnets when creating private endpoints.
Allow group <group_name> to manage orm-private-endpoints in tenancy
  where any request.operation={'CreatePrivateEndpoint'}"
Allow group <group_name> to use virtual-network-family in tenancyFor more details about private endpoint permissions, see orm-private-endpoints.
Confidentiality
Manage and control access to sensitive information in Resource Manager.
Terraform State Files
Terraform state (.tfstate) can contain sensitive data, including resource IDs, passwords, and SSH keys. Use the Vault service to manage and rotate secret credentials that you use with 
Resource Manager.
A vault includes the encryption keys and secrets that you use to protect your data and connect to secured resources. Secrets are encrypted using master encryption keys, and store credentials such as passwords, certificates, SSH keys, or authentication tokens. Before you create and use secrets, you must create a vault and a master encryption key if they don't exist.
For example, you require an SSH key to run remote commands and scripts on a compute instance. See Using Remote Exec.
Each secret is automatically assigned a secret version. When you rotate a secret, you generate a new secret version by providing new secret contents to the Vault service. Periodically rotating secret contents reduces the impact in case a secret is exposed.
To control access to the Terraform state file, you can create a security policy that limits access to reading jobs, such as the following:
Allow group <group_name> to read orm-jobs in compartmentAny user with the 
ORM_JOB_READ
 permission can access Terraform states files.
Because the permission
read orm-jobs also affects other operations such as getting logs and Terraform configurations, we recommend segregating state files in a compartment on which a restrictive policy does not limit the ability to perform other operations.Terraform Configurations
The Resource Manager workflow typically includes writing or generating a Terraform configuration that is then used to manage your stack. Because the Terraform configuration can be accessed using the Resource Manager API GetJobTfConfig, we recommend that you do not include sensitive information in your configuration files.
Any user with the 
ORM_JOB_READ
 permission can access Terraform configurations.
Network Security
Secure network access to your resources in the Resource Manager service, including private Git servers and cloud resources that you access from Resource Manager.
Instead of exposing private resources and corresponding network traffic to the public, use private endpoints for remote access to these resources.
Use security lists , network security groups , or a combination of both to control packet-level traffic in and out of the resources in your VCN (virtual cloud network) . See Access and Security.
When you set up a network security group (NSG) for use with a private endpoint, include the following rules.
- 
Egress rule allowing traffic to the nonpublic resource. Examples for a nonpublic compute instance at the IP address 192.168.227.87:- Minimum access: 192.168.227.87/32
- General access to VCN and subnet CIDR: 192.168.0.0/16
 
- Minimum access: 
- 
Ingress rule allowing traffic from the private endpoint. Examples for a nonpublic compute instance at the IP address 192.168.227.87:- Minimum access: 192.168.198.204/32(Source Type: CIDR)
- General access from subnet CIDR: 192.168.0.0/16
 
- Minimum access: 
When you create a subnet in a VCN, by default the subnet is considered public and internet communication is permitted. Use private subnets to host resources that do not require internet access. You can also configure a service gateway in your VCN to allow resources on a private subnet to access other cloud services. See Connectivity Choices.
You can use Zero Trust Packet Routing (ZPR) along with or in place of network security groups to manage network access to OCI resources . To do this, define ZPR policies that govern how resources communicate with each other, and then add security attributes to those resources. For more information, see Zero Trust Packet Routing.
If an endpoint has a Zero Trust Packet Routing (ZPR) security attribute, traffic to the endpoint must satisfy ZPR policies and also all NSG and security list rules. For example, if you're already using NSGs and you add a security attribute to an endpoint, all traffic to the endpoint is blocked. From then onward, a ZPR policy must explicitly allow traffic to the endpoint.
Auditing
Locate access logs and other security data for Resource Manager.
The Audit service automatically records all API calls to Oracle Cloud Infrastructure resources. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request. See Viewing Audit Log Events.
An audit log for a CreateJob event
{
  "datetime": 1639092316856,
  "logContent": {
    "data": {
      "additionalDetails": {
        "X-Real-Port": 31720
      },
      "availabilityDomain": "AD1",
      "compartmentId": "ocid1.tenancy.oc1..<unique_id>",
      "compartmentName": "mytenancy",
      "definedTags": null,
      "eventGroupingId": "<unique_id>",
      "eventName": "CreateJob",
      "freeformTags": null,
      "identity": {
        "authType": "natv",
        "callerId": null,
        "callerName": null,
        "consoleSessionId": "<unique_id>",
        "credentials": "<key>",
        "ipAddress": "<ip_address>",
        "principalId": "ocid1.user.oc1..<unique_id>",
        "principalName": "<user_name>",
        "tenantId": "ocid1.tenancy.oc1..<unique_id>",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
      },
      "message": "apply-job-20211209152516 CreateJob succeeded",
      "request": {
        "action": "POST",
        "headers": {
          "Accept": [
            "*/*"
          ],
          "Accept-Encoding": [
            "gzip, deflate, br"
          ],
          "Accept-Language": [
            "en"
          ],
          "Authorization": [
            "Signature keyId=\"<key>",version=\"1\",algorithm=\"rsa-sha256\",headers=\"(request-target) host content-length accept-language content-type opc-request-id x-content-sha256 x-date\",signature=\"*****\""
          ],
          "Connection": [
            "keep-alive"
          ],
          "Content-Length": [
            "207"
          ],
          "Content-Type": [
            "application/json"
          ],
          "Origin": [
            "https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com"
          ],
          "Referer": [
            "https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/"
          ],
          "Sec-Fetch-Dest": [
            "empty"
          ],
          "Sec-Fetch-Mode": [
            "cors"
          ],
          "Sec-Fetch-Site": [
            "same-site"
          ],
          "User-Agent": [
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
          ],
          "opc-request-id": [
            "<unique_id>"
          ],
          "x-content-sha256": [
            "<key>"
          ],
          "x-date": [
            "Thu, 09 Dec 2021 23:25:16 GMT"
          ]
        },
        "id": "<unique_id>,
        "parameters": {},
        "path": "/20180917/jobs"
      },
      "resourceId": "ocid1.ormjob.oc1.phx.<unique_id>",
      "response": {
        "headers": {
          "Access-Control-Allow-Credentials": [
            "true"
          ],
          "Access-Control-Allow-Origin": [
            "https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com"
          ],
          "Access-Control-Expose-Headers": [
            "opc-previous-page,opc-next-page,opc-client-info,ETag,opc-total-items,opc-request-id,Location"
          ],
          "Cache-Control": [
            "no-cache, no-store, must-revalidate"
          ],
          "Content-Length": [
            "1135"
          ],
          "Content-Type": [
            "application/json"
          ],
          "Date": [
            "Thu, 09 Dec 2021 23:25:16 GMT"
          ],
          "ETag": [
            "<unique_id>"
          ],
          "Pragma": [
            "no-cache"
          ],
          "Strict-Transport-Security": [
            "max-age=31536000; includeSubDomains;"
          ],
          "Timing-Allow-Origin": [
            "https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com"
          ],
          "Vary": [
            "Origin"
          ],
          "X-Content-Type-Options": [
            "nosniff"
          ],
          "X-XSS-Protection": [
            "1; mode=block"
          ],
          "opc-request-id": [
            "<unique_id>"
          ]
        },
        "message": null,
        "payload": {
          "id": "ocid1.ormjob.oc1.phx.<unique_id>",
          "resourceName": "apply-job-<unique_id>"
        },
        "responseTime": "2021-12-09T23:25:16.856Z",
        "status": "200"
      },
      "stateChange": {
        "current": {
          "applyJobPlanResolution": {
            "isAutoApproved": true
          },
          "cancellationDetails": {
            "isForced": false
          },
          "compartmentId": "ocid1.tenancy.oc1..<unique_id>",
          "configSource": {
            "configSourceRecordType": "ZIP_UPLOAD"
          },
          "definedTags": {},
          "displayName": "apply-job-<unique_id>",
          "freeformTags": {},
          "id": "ocid1.ormjob.oc1.phx.<unique_id>",
          "jobOperationDetails": {
            "executionPlanStrategy": "AUTO_APPROVED",
            "operation": "APPLY"
          },
          "lifecycleState": "ACCEPTED",
          "operation": "APPLY",
          "stackId": "ocid1.ormstack.oc1.phx.<unique_id>",
          "timeCreated": "2021-12-09T23:25:16.707Z",
          "variables": {
            "compartment_ocid": "ocid1.tenancy.oc1..<unique_id>",
            "region": "us-phoenix-1",
            "tenancy_ocid": "ocid1.tenancy.oc1..<unique_id>",
            "wp_admin_password": "<example-password>",
            "wp_admin_user": "<user_name>"
          }
        },
        "previous": {}
      }
    },
    "dataschema": "2.0",
    "id": "<unique_id>",
    "oracle": {
      "compartmentid": "ocid1.tenancy.oc1..<unique_id>",
      "ingestedtime": "2021-12-09T23:25:19.071Z",
      "loggroupid": "_Audit",
      "tenantid": "ocid1.tenancy.oc1..<unique_id>"
    },
    "source": "apply-job-<unique_id>",
    "specversion": "1.0",
    "time": "2021-12-09T23:25:16.856Z",
    "type": "com.oraclecloud.OracleResourceManager.CreateJob.begin"
  }
}