OCI

This topic describes the process of connecting your Oracle Cloud environment to Sysdig. You can connect your Oracle Cloud Tenancy using Terraform. Oracle Cloud coverage includes Cloud Security Posture Management (CSPM).

Review Oracle Cloud IAM

Sysdig Oracle Cloud integration leverages Cross-Tenancy Policies to manage access to your environment. An Admit Policy will be created in the root Compartment of your Tenancy, granting access to a Sysdig-owned Oracle Tenancy that contains the corresponding Endorse Policy. The Endorse Policy exists in the Sysdig Tenancy and defines the general set of actions that groups in the Sysdig Tenancy can perform in your Tenancy.

OCI IAM resources do not support Cross-Tenancy Access, so a User will also be created in your OCI Tenancy to collect these resources.

The onboarding process involves the following concepts:

  • Customer Tenancy: The Tenancy that you are connecting to Sysdig.
  • Installer: An OCI User role that will be used to perform the onboarding. This User must exist in the Customer Tenancy. Sysdig does not have access to this identity.
  • Sysdig: A Sysdig owned OCI Tenancy that contains a set of IAM Groups organized by feature. Sysdig has access to these Groups, and they will be granted specific permissions within your Tenancy.

Prerequisites

  • Sysdig Secure SaaS with Admin permissions.
  • Terraform v1.3.1+ installed or access to CloudFormation.
  • Access to a User with the permissions required to install.

Permissions Required to Install

The Installer must have at least the following permission assigned:

  • Permission to create policies, users and groups in the root Compartment.

Permissions Granted to Sysdig

The installation creates two Policies that grant the following permissions to Sysdig:

  • AdmitSysdigSecureTenantOnboarding-XXXX policy to manage the base integration with Sysdig
    • inspect tenancies in tenancy
    • inspect compartments in tenancy
  • AllowSysdigSecureTenantConfigPosture-XXXX policy to collect an Inventory of cloud resources, and perform CSPM
    • read all-resources in tenancy
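The two policies and the local user described above, as an added Terraform illustration that is not the snippet Sysdig Secure generates: the Sysdig Tenancy and Group OCIDs, the -EXAMPLE suffixes and the user and group names are placeholders, and binding the second policy to the local user is an assumption this page does not state. What it shows is the shape to check in terraform plan before applying: the Admit statements carry only inspect verbs, and the read permission is held by a local group rather than widening the cross-tenancy grant.

```hcl
variable "customer_tenancy_ocid" {
  description = "Your Tenancy OCID (root Compartment), from Tenancy details"
  type        = string
}

# Placeholders: the real values come from the snippet generated in Sysdig Secure.
locals {
  sysdig_tenancy_ocid = "ocid1.tenancy.oc1..PLACEHOLDER_SYSDIG_TENANCY"
  sysdig_group_ocid   = "ocid1.group.oc1..PLACEHOLDER_SYSDIG_GROUP"
}

# Admit policy in your root Compartment. It is inert unless the matching Endorse
# policy exists in the Sysdig Tenancy; neither half grants access on its own.
resource "oci_identity_policy" "admit_sysdig_onboarding" {
  compartment_id = var.customer_tenancy_ocid
  name           = "AdmitSysdigSecureTenantOnboarding-EXAMPLE"
  description    = "Let Sysdig discover this tenancy and its compartments"
  statements = [
    "Define tenancy SysdigTenancy as ${local.sysdig_tenancy_ocid}",
    "Define group SysdigGroup as ${local.sysdig_group_ocid}",
    "Admit group SysdigGroup of tenancy SysdigTenancy to inspect tenancies in tenancy",
    "Admit group SysdigGroup of tenancy SysdigTenancy to inspect compartments in tenancy",
  ]
}

# IAM resources cannot be read cross-tenancy, so a local user and group carry the
# inventory/CSPM read permission (assumed binding, see lead-in).
resource "oci_identity_group" "sysdig_posture" {
  compartment_id = var.customer_tenancy_ocid
  name           = "SysdigSecureTenantConfigPosture-EXAMPLE"
  description    = "Local group for Sysdig inventory and CSPM"
}

resource "oci_identity_user" "sysdig_posture" {
  compartment_id = var.customer_tenancy_ocid
  name           = "sysdig-secure-posture-example"
  description    = "Local user for Sysdig inventory and CSPM"
}

resource "oci_identity_user_group_membership" "sysdig_posture" {
  user_id  = oci_identity_user.sysdig_posture.id
  group_id = oci_identity_group.sysdig_posture.id
}

resource "oci_identity_policy" "allow_sysdig_posture" {
  compartment_id = var.customer_tenancy_ocid
  name           = "AllowSysdigSecureTenantConfigPosture-EXAMPLE"
  description    = "Read-only inventory access for CSPM"
  statements     = ["Allow group ${oci_identity_group.sysdig_posture.name} to read all-resources in tenancy"]
}
```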

Prepare Your Environment

Configure Installation Permissions

Ensure the User you use to log in to OCI has the necessary permissions to install.

You can:

  • Use an existing User who meets the permissions requirements.
  • Create a new User and set up permissions.
  • Add permissions to an existing User.

  1. Log into Oracle Cloud and navigate to Identity & Security > Policies.
  2. Under Policies, verify and add the necessary policies.

Authenticate and Configure Terraform

Configure Terraform to use Oracle Cloud Credentials for the User from step 1. A simple way is to configure your ~/.oci/config file using Oracle’s How to Generate an API Signing Key document.

For alternative ways to authenticate Terraform, see the OCI Terraform Provider documentation.

Collect your Tenancy Details

Tenancy OCID & Home Region

  1. Sign in to the OCI Console.
  2. Navigate to Governance & Administration > Tenancy details.
  3. Copy the OCID shown under Tenancy information.
  4. Note the Home region shown under Tenancy information.

(Optional) Compartment OCID

By default, your entire OCI Tenancy is onboarded. To restrict onboarding to a subset of Compartments, specify the top-level Compartment to onboard; all sub-compartments under that top-level Compartment are onboarded as well.

To onboard multiple independent Compartments (and their sub-compartments), complete the onboarding once per top-level Compartment.

Connect Oracle Cloud using Terraform

  1. Log in to Sysdig Secure.
  2. Select Integrations > Cloud Accounts > Oracle Cloud, and select Add Oracle Account in the top right corner.
  3. Enter your:
    • Tenancy OCID: The OCID of your Oracle Tenancy.
    • Home Region: The home region of your Tenancy.
    • (optional) Compartment OCID: To onboard a specific Compartment of your Tenancy, enter that Compartment's OCID. Leave this field blank to onboard your entire Tenancy.
  4. Generate and apply the Terraform code:
    1. Create a main.tf file.
    2. Copy the snippet provided into the file.
    3. Run the command: terraform init && terraform apply.

After deployment, your Compartments will appear on the Cloud Accounts page.

Validate

To validate the successful connection of your Oracle Cloud environment:

  1. In Sysdig Secure, select Integrations > Cloud Accounts > Oracle Cloud.

    The Status column shows the overall connection status (Connected/Partial Error/Error/Unknown).

  2. Select the desired account to review the individual services in the detail drawer.