Secure Your Implementation

Securing your implementation requires that you set up a vault secret, obtain a Log Group Oracle Cloud Identifier (OCID), and create the default policies.

Set Up Vault secrets

The Vault secret containing the ATP password must be created before using this stack. The password is stored in Vault so that it is never captured in clear text in any of the Terraform configuration or state files. Creating a Vault secret is beyond the scope of this playbook. Refer to the Vault documentation cited in the Explore More section, below, for complete information on creating and managing secrets.

Obtain the Log Group OCID

To obtain the log group OCID, use this procedure.

  1. Navigate to https://cloud.oracle.com/loganalytics/loggroups.
  2. Select an existing log group. If one doesn't exist, create it.
  3. Open the Log Group Information view and from there, copy the Log Group's OCID.
    The Log Group OCID should be of this format:

    ocid1.loganalyticsloggroup.oc1.phx.amaa...SNIP...75w5fa

Create Default Policies

Finally, verify that the correct default policies have been created. These policies are:

  1. A dynamic group that includes all resources in the selected compartment whose resource type is 'managementagent'.
    ALL {resource.type='managementagent', resource.compartment.id='compartment-id-selected-in-resource-manager'}
  2. A policy that allows compute instances to enable entity auto association and allows the Management Agent to upload logs to Logging Analytics. These policies are created at the tenancy level.
    Allow DYNAMIC-GROUP dynamic-group-name_resource-type_managementagent to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in tenancy
  3. A dynamic group that selects the compute instances in the compartment selected in the stack.
    ANY {instance.compartment.id = 'compartment-id-selected-in-resource-manager'}
  4. Policies that allow the compute instances matched by the dynamic group from the previous step to manage management agents, read the secret, and read the autonomous database. These policies are created at the compartment level.
    ALLOW DYNAMIC-GROUP dynamic-group-name_matching_computeinstances TO MANAGE management-agents IN COMPARTMENT ID compartment-id-selected-in-resource-manager
    ALLOW DYNAMIC-GROUP dynamic-group-name_matching_computeinstances TO READ secret-family in COMPARTMENT ID compartment-id-selected-in-resource-manager where target.secret.id = secret-id_selected-in-resource-manager
    Allow DYNAMIC-GROUP dynamic-group-name_matching_computeinstances to READ autonomous-database in COMPARTMENT ID compartment-id-selected-in-resource-manager where target.workloadType = 'OLTP'
    Allow DYNAMIC-GROUP dynamic-group-name_matching_computeinstances to {LOG_ANALYTICS_SOURCE_ENABLE_AUTOASSOC} in tenancy
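As an added verification step (example code written for this playbook, not part of the stack), the following script parses policy statements of the shape listed above and flags any that are broader than the defaults: a tenancy-wide grant other than the two Logging Analytics permission sets, a secret-family read without a target.secret.id condition, or an autonomous-database read without the workload-type condition. The group names and OCIDs in the sample are constructed placeholders.

```python
import re

# Constructed sample of the expected default statements (placeholder names and OCIDs).
POLICIES = [
    "Allow DYNAMIC-GROUP dg_resource-type_managementagent to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} in tenancy",
    "ALLOW DYNAMIC-GROUP dg_matching_computeinstances TO MANAGE management-agents IN COMPARTMENT ID ocid1.compartment.oc1..example",
    "ALLOW DYNAMIC-GROUP dg_matching_computeinstances TO READ secret-family in COMPARTMENT ID ocid1.compartment.oc1..example where target.secret.id = 'ocid1.vaultsecret.oc1..example'",
    "Allow DYNAMIC-GROUP dg_matching_computeinstances to READ autonomous-database in COMPARTMENT ID ocid1.compartment.oc1..example where target.workloadType = 'OLTP'",
    "Allow DYNAMIC-GROUP dg_matching_computeinstances to {LOG_ANALYTICS_SOURCE_ENABLE_AUTOASSOC} in tenancy",
]

# Grammar: Allow DYNAMIC-GROUP <name> to (<verb> <resource> | {PERMISSION}) in (tenancy | compartment id <ocid>) [where <condition>]
STATEMENT = re.compile(
    r"^allow\s+dynamic-group\s+(?P<group>\S+)\s+to\s+(?P<grant>\{[^}]+\}|\w+\s+\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+id\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


def parse(stmt):
    """Split one policy statement into group, grant, scope and optional condition."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt}")
    d = m.groupdict()
    d["grant"] = d["grant"].lower()
    d["scope"] = d["scope"].lower()
    return d


def check_least_privilege(statements):
    """Return findings for statements broader than the stack's default policies."""
    findings = []
    for s in statements:
        p = parse(s)
        grant, scope, cond = p["grant"], p["scope"], (p["cond"] or "").lower()
        # Only the Logging Analytics permission-set grants are expected at tenancy scope.
        if scope == "tenancy" and not grant.startswith("{log_analytics_"):
            findings.append(f"tenancy-wide grant should be compartment-scoped: {s}")
        # The secret read must be pinned to the single ATP-password secret.
        if grant == "read secret-family" and "target.secret.id" not in cond:
            findings.append(f"secret-family read is not limited to one secret: {s}")
        # The database read is limited to the OLTP (ATP) workload type.
        if grant == "read autonomous-database" and "target.workloadtype" not in cond:
            findings.append(f"autonomous-database read lacks a workload-type condition: {s}")
    return findings


if __name__ == "__main__":
    for finding in check_least_privilege(POLICIES) or ["default policies look correctly scoped"]:
        print(finding)
```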