{"id":18802205,"url":"https://github.com/oracle-quickstart/oci-caas-pci","last_synced_at":"2025-04-13T18:31:17.626Z","repository":{"id":106379911,"uuid":"327780876","full_name":"oracle-quickstart/oci-caas-pci","owner":"oracle-quickstart","description":null,"archived":true,"fork":false,"pushed_at":"2021-10-04T21:10:44.000Z","size":302,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-19T21:12:42.819Z","etag":null,"topics":["oracle-led"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"upl-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oracle-quickstart.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-08T02:45:01.000Z","updated_at":"2024-05-10T09:11:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"cc866ce9-38c4-4e6c-8d7a-5264a257d122","html_url":"https://github.com/oracle-quickstart/oci-caas-pci","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-quickstart%2Foci-caas-pci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-quickstart%2Foci-caas-pci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-quickstart%2Foci-caas-pci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-quickstart%2Foci-caas-pci/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oracle-quickstart","d
ownload_url":"https://codeload.github.com/oracle-quickstart/oci-caas-pci/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248760326,"owners_count":21157338,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oracle-led"],"created_at":"2024-11-07T22:27:00.461Z","updated_at":"2025-04-13T18:31:17.613Z","avatar_url":"https://github.com/oracle-quickstart.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Welcome\nThis repository contains Terraform code and initial setup scripts\nto deploy an ecommerce application that meets \ncommon international standards for security, such as ISO 27001,\nAICPA SOC-2, or the PCI-DSS. 
For more information, please refer to\nthe architecture documentation [here](https://docs.oracle.com/en/solutions/pci-compliant-webapp-terraform).\n\n## Requirements\nTo successfully build and manage this project, you will need to meet the requirements below.\n\n### OCI Console \u0026 Cloud Shell\nThe initialization process utilizes the OCI Cloud Shell, so you'll need\naccess to the OCI Console and [Cloud Shell](https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellintro.htm).\n\n### Externally registered DNS domain\nTo support public-facing SSL certificates and the\n[OCI WAF](https://docs.cloud.oracle.com/en-us/iaas/Content/WAF/Concepts/overview.htm),\nyou will need an\nexternally registered DNS zone with SOA records pointing to the OCI managed DNS zone.\nFor more information see [DNS Setup](#dns-setup).\n\n### External software requirements\nOn your management workstation, you will need the following:\n* Terraform \u003e= 0.14.x\n* SSH client\n* SQL client (For example, SQL Developer)\n* Git\n\nFor two-factor authentication:\n* Authenticator app (For example, FreeOTP, but any popular authenticator app should work)\n\n### Stripe API keys\nTo utilize Stripe, you will need to have access to a pair of\n[Stripe Publishable \u0026 Secret keys](https://stripe.com/docs/keys).\nThese are stored in an OCI Vault and then used by the application server upon bootstrapping.\n\n### Install acme.sh on your OCI Cloud Shell\nWe utilize [acme.sh](https://github.com/acmesh-official/acme.sh)\nfor SSL certificate creation. You should install this within your \nOCI Cloud Shell environment. 
Our installer checks for the default installation path in\n**$HOME/.acme.sh**\n\nFollow the instructions below.\nYou will need to pass the --force option to install, which will bypass the\ncheck for cron.\n\n```\ngit clone https://github.com/acmesh-official/acme.sh.git --branch 2.9.0\ncd ./acme.sh\n./acme.sh --install --force\n```\n\n## DNS Setup\nIn the tenancy you plan on using, you will need to\n[create a new compartment](https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm) -\nthis compartment is separate from the one we will create for the application. We do \nthis to be able to manage DNS across multiple compartments.\n\nOnce your compartment is created, you need to create a *Primary* DNS Zone in\nthe console under\nNetworking -\u003e DNS Management -\u003e Zones - or via the CLI/API.\n\nFurther reading:\nhttps://docs.cloud.oracle.com/en-us/iaas/Content/DNS/Tasks/managingdnszones.htm\n\nUpdate your DNS Registrar nameservers to the ones provided by Oracle in the console.\nThese will look similar to ns4.p68.dns.oraclecloud.net - and you'll want to use all\nfour addresses that are provided.\n\n_Why we do this_\n\nWe automate DNS record creation using the OCI DNS service, including the registration steps\nwith Let's Encrypt (via ACME and a txt record for validation). The records and\ncertificates are used for connections to the OCI WAF/WAAS endpoint. Currently,\nthese are not optional components.\n\nFor example, we can have a my-admin compartment, and in there a DNS Zone called\n\"pci-demo.cloud\". When we build the SSL certificate and verify with ACME, we\ncreate _acme-challenge.pci-demo.cloud. 
Later in the build process, in a new compartment,\nwe create a DNS zone for (example) foo.pci-demo.cloud - and then create records\ninside of that zone through Terraform.\n\n## Getting started with OCI CAAS\nTo begin, you'll need to log into the OCI Console and launch the Cloud Shell.\nThis is the icon in the top-right corner - it looks like this: *\u003e_*\n\nSee [Getting Started with Cloud Shell](https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/devcloudshellgettingstarted.htm)\nfor detailed instructions on using the Cloud Shell.\n\nClone the repository from Github:\n```\ngit clone https://github.com/oracle-quickstart/oci-caas-pci.git\n```\n\nNote: All of the scripts we're going to run are contained within the *admin-scripts* directory.\n\n### Initialize CAAS Environment\nThe first script creates a new compartment, object storage bucket, and caches \ndependencies into the bucket. See the below note on setting a Unique Identifier,\nor move on with the script and accept the defaults.\n\n```\nadmin-scripts/caas-init.sh\n```\n\n#### Unique Identifier (environment naming)\nBy default, we will generate a 4 character string to use for uniquely naming resources,\nincluding the compartment, DNS zones, vault resources, and much more. This string\ncan be overridden before initialization - This identifier can not be changed later.\n\nTo set a custom identifier, set a value for **OVERRIDE_IDENT** before\nrunning caas-init.sh\n```\nexport OVERRIDE_IDENT=\"dev1\"\n```\n\n### Populate the application vault\nThe next script you need to run takes in secret values, creates a new vault,\nand stores new vault objects. For this to run successfully, you'll need three values:\n1. The Stripe API publishable key\n1. The Stripe API secret key\n1. 
Generate a password which will be used for the ECOM DB user\n\n```\npython3 admin-scripts/app_vault.py\n```\n\n### Configuration file\nFor troubleshooting, overriding values, and resetting values - the configuration these\nscripts rely on is at **$HOME/.oci-caas/oci-caas-pci.conf**\n\n## Generate Public SSL Certificate\nThis step should be run after the Getting Started section, before the Terraform steps.\n\nFrom the root of this repo, use the `admin-scripts/ssl_certificate.py` to generate\na new wildcard certificate for the zone that you will be managing. This script will\nutilize the DNS zone you created earlier to create a validation txt record and \nthen upload the new certificate and private key to the OCI WAF/WAAS certificate store.\n\n```\npython3 admin-scripts/ssl_certificate.py \u003cyour domain\u003e \u003ccompartment OCID\u003e\n```\n\nRequired: The Domain and Compartment OCID. \n\nNote: If you want to create multiple sites using the same\ncertificate, specify the Compartment OCID as the Admin Compartment OCID you created the DNS zone in earlier. This\nis ideal if you want to create multiple compartments (like dev, test, staging)\nin the same tenancy.\n\nThis will echo the certificate OCID back to the terminal, and store it for later use in the\nconfiguration file. You'll need this value for the Terraform stack.\n\n### Certificate renewal\nThe certificate you created is **only valid for 90 days**. To renew the certificate, you can\nrun the same process again - ideally every 2 months. This creates a new certificate\nstore entry, which can then be passed onto Terraform for a new update.\n\nOnce the WAF has been updated via Terraform, the new certificate is active.\n\n## Terraform Variables\nThe **admin-scripts/get_tf_values.sh** script will parse the configuration file\ncreated during initialization. 
Run this and you'll have a good starting point for moving onto Terraform.\n\n```\nadmin-scripts/get_tf_values.sh\n```\n\n## How to call this Terraform module\nSee the **/examples** directory for an example client, and descriptions for\nimportant variables. You will be using variables from the previous step here. \n\nIf you are using our example client, clone this repository into your local machine. Then you can run Terraform commands in examples/ directory to utilize the client.\n\n## Things To Do After Terraform\nOnce the Terraform initialization is complete, there are a couple more steps. At\nthe time of this writing, these things can not be managed through Terraform.\nThese are required for compliance reasons.\n\n### Database Audit Logs\nOCI Data Safe should already be enabled via Terraform, but you'll need to turn on specific audit features you may require.\n\nhttps://docs.cloud.oracle.com/en-us/iaas/data-safe/doc/activity-auditing-overview.html\n\n### Setting up WAF / WAAS rules\nBy default, no rules are enabled on the WAF, and you'll need to run a script to update them in bulk.\n\n```\nadmin-scripts/activate_waf_rules.sh \u003cWAF OCID\u003e\n```\n\n### First time Bastion pin\nIn order to log into the Bastion the first time, you will need your private SSH key (public key should have been provided as an input\nfor Terraform). With that, you'll be prompted for a \"One-time password (OATH) for `opc'\" - the default value is: **560000**\n\nImmediately scan the barcode using your authenticator of choice, or you will lose access to this host. If you can't log in, you will have to\nterminate the bastion and recreate it via Terraform.\n\n### Wazuh\nThis stack deploys a [Wazuh](https://wazuh.com/) instance for security monitoring, threat detection, integrity monitoring, and more. You can log\nin by using an SSH tunnel through the Bastion. The wazuh IP address and password will be in the output of Terraform. 
The username is: _wazuh_","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foracle-quickstart%2Foci-caas-pci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foracle-quickstart%2Foci-caas-pci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foracle-quickstart%2Foci-caas-pci/lists"}