Securing Resource Manager

Resource Manager allows you to automate installing and provisioning Oracle Cloud Infrastructure resources by committing the provisioning instructions to configuration files. These configuration files capture the step-by-step provisioning instructions using a declarative language that follows the "infrastructure-as-code" model. The provisioning instructions are executed as "jobs"; the Oracle Cloud Infrastructure resources that are provisioned when you run the jobs are organized into "stacks."

Executing jobs and provisioning stacks is gated using role-based access control (RBAC), which is enabled by Oracle Cloud Infrastructure Identity and Access Management (IAM). This gives administrators granular control over user access to Oracle Cloud Infrastructure resources and the actions that users can take on these resources.

The Resource Manager security scheme rests on three pillars:

Security groups. Administrator-defined groups that have permission to perform specific operations on stacks and jobs. Individual users are assigned to security groups and can then perform operations that are allowed by that group.
Permission sets. Sets of permissions that are specific to jobs and stacks. Permission sets for jobs and stacks are listed in Table 1.
Operations. The operations (or actions) that are allowed and the permissions that are required to perform each one. These are listed in Table 2.

Resource Manager Operations and Permissions

The Resource Manager supports two permission sets: one for stack resources and another for job resources. Table 1 lists permission sets that are associated with each resource type.

Table 1. Resource Types and Permission Sets

Resource Type Permissions

Resource Type	Permissions
Stacks (`orm-stacks`)	inspect orm-stackread orm-stack use orm-stack create orm-stack update orm-stack delete orm-stack
Jobs (`orm-jobs`)	inspect orm-job read orm-job manage orm-job

Stacks (orm-stacks)

inspect orm-stackread orm-stack

use orm-stack

create orm-stack

update orm-stack

delete orm-stack

Jobs (orm-jobs)

inspect orm-job

read orm-job

manage orm-job

Each of the permissions in the preceding table are associated with specific Resource Manager operations. The table that follows lists Resource Manager operations, then shows which permissions are required to execute each of the operations. Notice that the CreateJob operation requires two permissions.

Table 2. Resource Operations and Required Permissions

Operation	Permission
Generate a list of stacks (`ListStacks`)	inspect orm-stack
Create a stack (`CreateStack`)	create orm-stack
Get a stack (`GetStack`)	read orm-stack
Update a stack (`UpdateStack`)	update orm-stack
Delete a stack (`DeleteStack`)	delete orm-stack
Get a stack Terraform configuration (`GetStackTfConfig`)	read orm-stack
List jobs (`ListJobs`)	inspect orm-job
Create a job (`CreateJob`)	use orm-stack and manage orm-job
Get a job (`GetJob`)	read orm-jobs
Update a job (`UpdateJob`)	manage orm-job
Cancel a job (`CancelJob`)	manage orm-job
Get a job Terraform state file (`GetJobTfState`)	read orm-job
Get a job Terraform configuration (`GetJobTfConfig`)	read orm-job
Get a job Terraform execution plan (`GetJobTfExecutionPlan`)	read orm-job
Get job logs (`GetJobLogs`)	read orm-job

Recommended Security Policies

Following are policy recommendations for securing Resource Manager. For more information about security policies, see Getting Started with Policies. See also How Policies Work and Policy Syntax.

Permission to Manage Stacks and Jobs

The following policy grants permission to a specified group to manage both stacks and jobs, and also to manage resources on the tenancy stacks.

Allow group <group_name> to manage orm-stacks in compartment
Allow group <group_name> to manage orm-jobs in compartment

Prevent Users from Running Destroy Jobs

In addition to granting permission to perform specific operations, you can also create a policy that prevents certain actions. The following policy example explicitly prevents members of a specified group from running Destroy jobs on a stack.

Allow group <group_name> to use orm-stacks in compartment
Allow group <group_name> to read orm-jobs in compartment
Allow group <group_name> to manage orm-jobs in compartment where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}

Notice that you must include the new permission to read orm-jobs in compartment because the statement includes a where condition that references variables that are not relevant to listing or getting jobs.

Potential Security Risks and Mitigations

Terraform State Files

Terraform state (.tfstate) can contain sensitive data, including resource IDs and in some cases sensitive user data like passwords. HashiCorp provides recommendations for handling Terraform state in the article Sensitive Data in State.

To control access to the Terraform state file, you can create a security policy that limits access to reading jobs, such as the following:

Allow group <group_name> to read orm-jobs in compartment

Note

Because the permission read orm-jobs also affects other operations such as getting logs and Terraform configurations, you should segregate state files in a compartment on which a restrictive policy will not limit the ability to perform other operations.

Terraform Configuration .Zip Files

The Resource Manager workflow includes uploading your Terraform configuration to the service as a .zip file. Because the Terraform configuration can be accessed using the ORM API (GetJobTfConfig), it is highly recommended that you do not include sensitive information in your configuration files.

Oracle Cloud Infrastructure Documentation