Onboard an OCI Tenant

This topic explains how to onboard an OCI tenant.

Background

An OCI tenant is a service Oracle provides that allows you to consolidate multiple compartments and manage them centrally. The hierarchy of OCI is as follows:

  • Tenant - The parent container for all accounts. It consists of compartments.
  • Compartment - The standard OCI account that contains the OCI resources.

When the OCI tenant is onboarded into CloudSecure, all the compartments (accounts) are onboarded, up to six parent-child levels deep. CloudSecure supports onboarding tenants. It does not support onboarding individual compartments.

Onboarding of an OCI tenant is a two-step process.

  1. Run a Terraform script on a root account.

  2. Use the script's output values to populate the CloudSecure onboarding dialog fields.

Prerequisites

  • Access to CloudSecure
  • Access to the OCI Console
  • The user must have an IAM management policy in OCI Cloud. (The CloudSecure onboarding script runs Terraform to create a group and a user for CloudSecure, and to add permissions to the group.)
  • The OCI Tenant ID and home region of the OCI Root Tenant
  • See Prerequisites for Onboarding OCI for additional information

Onboard OCI Tenants in CloudSecure

The following instructions describe how to begin the tenant onboarding sequence in CloudSecure.

Connect to OCI

  1. Launch the onboarding wizard in either of the following ways:
    • Click + Add OCI in the Onboarding page to onboard your first tenant when you sign in for the first time
    • From the left navigation, choose Onboarding and click + Add OCI at the top of the page
  2. Provide the following information about your OCI tenant:
    • Name for the tenant
      This name is what appears in CloudSecure. The name should be descriptive so that you can easily identify it.
    • The Root Tenancy/Compartment OCID of the root account you are onboarding. It might look something like ocid1.tenancy.oc1..xxxxxxxyz1a2b3c....
    • The home region
      This is the geographic area that applies to your tenant. Select one from the list.
  3. NOTE: The page contains a toggle below the Account ID field that specifies the type of access CloudSecure has to your OCI tenant. At the time of writing, Illumio supports only Read Only for OCI. To view the permissions you are granting CloudSecure to your OCI tenant, click Download Permissions.

  4. Click Next.
    The wizard advances to step two: Set up Access.
  5. Click Download Terraform File to get the .zip file containing the necessary terraform scripts.
    Before you proceed in the onboarding wizard, you first need to open the OCI console and perform some steps.

Running the Terraform Scripts in the OCI Console

  1. Open the OCI Console at https://cloud.oracle.com. From the menu, navigate to Developer Services > Resource Manager > Stacks and click Create Stack.
  2. Select My configuration, and under the stack configuration click the .Zip file radio button, then upload the cs_connector.zip file.
    This auto-populates the Name for the stack.
  3. Provide a description if needed, and make sure that the root compartment is selected under the Create in Compartment option. Leave the rest of the defaults if desired, and click Next.
  4. On the Configuration variables page, all the values are auto-populated. If needed, the username can be changed. Click Next.
  5. Verify all the values on the review page and, under the Run apply on the created stack option, make sure the Run Apply check box is selected, then click Create. The stack runs and creates the required resources in the OCI console.
  6. Once the stack completes running, open the output page and copy the values from the following fields:
  • User OCID. It might look something like ocid1.user.oc1..xxxxxxxyz1a2b3c....
  • Group Name. It might look something like <username>-group.
  • API Fingerprint. It might look something like 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:....
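To make clear what the stack actually creates and why its outputs map onto the three fields above, here is an added, illustrative Terraform configuration. It is not Illumio's cs_connector.zip, whose contents this page does not show; it is a minimal stack of the same shape (group, service user, API key, read-only policy, three outputs) written for this page. The variable names (tenancy_ocid, region, username, api_public_key_pem), resource names and the exact policy statement are assumptions; in particular, how the real script supplies the public half of the API signing key is not described here, so it is modelled as an input variable.

```hcl
terraform {
  required_providers {
    oci = { source = "oracle/oci" }
  }
}

# Resource Manager auto-populates tenancy_ocid and region when the stack is
# created from a .zip file; the stack runs with the credentials of the user
# who created it, so only the region is needed in the provider block.
variable "tenancy_ocid" { type = string }
variable "region"       { type = string }

# Name of the service user. Assumption: the real stack exposes this as the
# "username" variable that the wizard lets you change.
variable "username" {
  type    = string
  default = "cloudsecure"
}

# PEM public half of the API signing key held by the scanning service.
# Assumption: the page does not say how the real script obtains this key.
variable "api_public_key_pem" { type = string }

provider "oci" {
  region = var.region
}

# IAM users, groups and policies live at the tenancy (root) level, which is
# why the stack has to be created in the root compartment.
resource "oci_identity_group" "cloudsecure" {
  compartment_id = var.tenancy_ocid
  name           = "${var.username}-group"
  description    = "Read-only group for the CloudSecure integration"
}

# A service user with no console password: it can authenticate only with the
# API key registered below, so there is no interactive login to protect.
resource "oci_identity_user" "cloudsecure" {
  compartment_id = var.tenancy_ocid
  name           = var.username
  description    = "Service user for the CloudSecure integration"
}

resource "oci_identity_user_group_membership" "cloudsecure" {
  user_id  = oci_identity_user.cloudsecure.id
  group_id = oci_identity_group.cloudsecure.id
}

resource "oci_identity_api_key" "cloudsecure" {
  user_id   = oci_identity_user.cloudsecure.id
  key_value = var.api_public_key_pem
}

# "read" is the least-privilege verb for a read-only integration: it covers
# inspect (list) and read (get) but not use or manage. Scoping the policy to
# the tenancy is what makes every child compartment visible.
resource "oci_identity_policy" "cloudsecure_readonly" {
  compartment_id = var.tenancy_ocid
  name           = "${var.username}-readonly-policy"
  description    = "Read-only access for the CloudSecure integration"
  statements = [
    "Allow group ${oci_identity_group.cloudsecure.name} to read all-resources in tenancy",
  ]
}

# These three outputs are the values the Set up Access step asks you to paste.
output "user_ocid" {
  value = oci_identity_user.cloudsecure.id
}

output "group_name" {
  value = oci_identity_group.cloudsecure.name
}

output "api_fingerprint" {
  value = oci_identity_api_key.cloudsecure.fingerprint
}
```

When reviewing the real stack before you run it, compare its policy statements with the file you get from Download Permissions: for a Read Only onboarding you should see only inspect/read verbs and no manage or use, and the statements should be scoped at the tenancy so that the compartment hierarchy is covered. Destroying the stack later (the Destroy button in the Remove the Integration section) removes the user, group, API key and policy together, which is why the recommended removal order ends with the stack rather than with manual deletion of individual resources.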

Now return to the CloudSecure onboarding wizard.

Set up Access

  1. Click the Terraform script was successfully run check box.
  2. Paste the outputs from your OCI console into the following fields and click Next:
  • User OCID. It might look something like ocid1.user.oc1..xxxxxxxyz1a2b3c....
  • Group Name. It might look something like <username>-group.
  • API Fingerprint. It might look something like 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:....

The final step of the onboarding wizard (Confirm and Save) appears.

Confirm and Save

  1. Review the account information and, if everything looks correct, click Save and Confirm. If you see issues you need to correct, click Back and return to that wizard step.
  2. To edit the account information, such as the name and read/write access, click the account in the Onboarding page and click Edit.

Next Steps

For the next steps after onboarding your OCI tenant, including enabling access to flow logs and viewing traffic, see After Onboarding Cloud Accounts and What to Do Next.

Remove the Integration

You can delete the integration for a given organization by selecting it on the Onboarding page and clicking Remove > Remove.

Once the OCI onboarding is removed from CloudSecure, open the OCI console, navigate to the stack details, and click the Destroy button. Once the destroy job has completed, select More actions > Delete stack. This completely removes the resources created during the onboarding and flow-access granting processes.