Oracle Enterprise Landing Zone v2 Configuration
This information provides details about the required and available configurations for deploying Oracle Enterprise Landing Zone (OELZ) v2 in Oracle Cloud Infrastructure (OCI).
Prerequisites
OELZ v2 is designed for deployment to a tenancy owned by a tenancy administrator. To deploy OELZ v2, you must be a member of the administrators group for the tenancy. The tenancy must have the required resource limits and have the OCI Logging Analytics service enabled. For details about the prerequisites, how to check if your tenancy meets them, and how to enable features, see Oracle Enterprise Landing Zone v2 Implementation.
Minimum Required Configuration
Deployment of OELZ v2 is controlled by several Terraform input variables. The following information provides the minimum required configurations to deploy OELZ v2.
Basic Terraform Connection
The following variables configure the OCI Terraform provider for OELZ v2. Supply either api_private_key or api_private_key_path, not both; pointing at a key file keeps the private key material out of variable files that tend to be committed to source control.
Name | Description | Type | Default | Required |
---|---|---|---|---|
current_user_ocid | OCID of the user that deploys OELZ v2 | string | "" | No |
api_fingerprint | Fingerprint of the user's API signing key (shown in the OCI Console under the user's API keys) | string | "" | No |
api_private_key | Contents of the API signing private key (PEM) | string | "" | No |
api_private_key_path | Local path to the API signing private key file | string | "" | No |
tenancy_ocid | ID of tenancy | string | Not applicable | Yes |
region | OCI region to deploy the OELZ v2 resources to | string | Not applicable | Yes |
resource_label | Prefix used to avoid naming conflict | string | Not applicable | No |
Compartment Module
The following diagram illustrates the compartments that the landing zone deploys.
The OELZ v2 home compartment is created by the landing zone itself. The remaining compartments are created by these modules:
- elz-environment
- elz-workload
Required arguments for the OELZ v2 home compartment are:
- compartment_parent_id: Oracle Cloud Identifier (OCID) of the compartment or tenancy (root compartment) under which the OELZ v2 home compartment is created.
- compartment_name: Name of the OELZ v2 home compartment.
- compartment_description: Description of the OELZ v2 home compartment.
- enable_compartment_delete: Controls whether Terraform deletes the compartments on destroy. Unless it is set to true, Terraform leaves the compartments in place. For a production landing zone, consider setting it to false so that an accidental terraform destroy cannot remove the compartment hierarchy.
The following information provides required input for configuring the compartment.
Name | Description | Type | Default | Required |
---|---|---|---|---|
enable_compartment_delete | Set to true to allow the compartments to be deleted on Terraform destroy. | bool | true | No |
home_compartment_name | Name of the home compartment in which all OELZ v2 resources are deployed. | string | "OCI-ELZ-CMP-HOME" | No |
Identity Module
Each environment has its own identity domain. The identity domain applies to all resources in the environment compartment. OELZ v2 only supports the new identity domains in OCI (Henosis), and not previous IDCS domains.
Required attributes are:
- Display Name: Display name of the identity domain. The default is OCI-ELZ--IDT.
- Description: Description of the identity domain. The default is OCI OELZ v2 Identity Domain.
- Domain Type: Premium.
- Domain Admin: Email address for the domain admin.
- Compartment: OCID for the compartment where the domain is stored. This compartment should be the L4-Security compartment.
- Tags: Optional free-form tags.
Identity Domain Configurations
The following information provides required arguments and parameters for the identity domain.
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_domain_admin_email | Email address for the NonProd identity domain admin. | string | Not applicable | Yes |
prod_domain_admin_email | Email address for the Prod identity domain admin. | string | Not applicable | Yes |
break_glass_user_email_list | Unique list of email addresses for break glass users that do not yet exist in the tenancy. These users are added to the Administrators group, so treat them as tenancy-level privileged accounts: keep the list short, enforce MFA on them, and alert on their sign-ins. | list(string) | [] | No |
Groups and Policies
For control over users and user groups, a federation-capable identity domain is created in the L4-Security compartment of each environment. Set up federation only after OELZ v2 has been deployed.
OELZ v2 creates the following user groups in each deployed environment (production and non-production by default):
- Network Admin: OCI OELZ v2 Network Administrators Group that manages all network resources
- SecOps Admin: OCI OELZ v2 Security Administrators Group
- IAM Admin: OCI OELZ v2 IAM Group
- Ops Admin: OCI OELZ v2 Ops Admin Group
- Platform Admin: OCI OELZ v2 Platform Admin Group
The group name inputs are optional because each has a default value; however, if you plan to set up federation, set them to the group names that exist in the federated identity provider so that the policies OELZ v2 creates bind to the right groups.
The following information provides required arguments and parameters for the groups.
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
prod_network_admin_group_name | The group name for the OCI OELZ v2 Network Administrators Group | string | "OCI-ELZ-UGP-<Env>-NET-ADMIN" | No |
prod_ops_admin_group_name | The group name for the OCI OELZ v2 Ops Administrators Group | string | "OCI-ELZ-UGP-<Env>-OPS-ADMIN" | No |
prod_iam_admin_group_name | The group name for the OCI OELZ v2 IAM Administrators Group | string | "OCI-ELZ-UGP-<Env>-IAM-ADMIN" | No |
input_prod_security_admin_group_name | The group name for the OCI OELZ v2 Security Administrators Group | string | "OCI-ELZ-UGP-<Env>-SEC-ADMIN" | No |
prod_platform_admin_group_name | The group name for the OCI OELZ v2 Platform Administrators Group | string | "OCI-ELZ-UGP-<Env>-PLT-ADMIN" | No |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_network_admin_group_name | The group name for the OCI OELZ v2 Network Administrators Group | string | "OCI-ELZ-UGP-<Env>-NET-ADMIN" | No |
input_nonprod_ops_admin_group_name | The group name for the OCI OELZ v2 Ops Administrators Group | string | "OCI-ELZ-UGP-<Env>-OPS-ADMIN" | No |
input_nonprod_iam_admin_group_name | The group name for the OCI OELZ v2 IAM Administrators Group | string | "OCI-ELZ-UGP-<Env>-IAM-ADMIN" | No |
nonprod_security_admin_group_name | The group name for the OCI OELZ v2 Security Administrators Group | string | "OCI-ELZ-UGP-<Env>-SEC-ADMIN" | No |
nonprod_platform_admin_group_name | The group name for the OCI OELZ v2 Platform Administrators Group | string | "OCI-ELZ-UGP-<Env>-PLT-ADMIN" | No |
OELZ v2 deploys policies that grant administrative privileges to members of each group over resources in their respective compartments.
Budget and Tagging Module
Budget and Tagging modules let you enable or disable budgets and tags in individual environments during and after deployment without impacting the landing zone operation.
The deployment mode of the modules is the same for each additional environment you create.
Budget Module
The Budget module is responsible for deploying the budget component in a single environment. OELZ v2 creates the following components:
- 1 budget per environment
- Budget scope: Environment (Production and Non-Production)
The following information provides the arguments and parameters for the Budget module.
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_enable_budget | Enable the budget in the non-production environment | bool | Not applicable | Yes |
input_prod_enable_budget | Enable the budget in the production environment | bool | Not applicable | Yes |
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
input_prod_budget_amount | Amount of the budget expressed as a whole number in the currency of the rate card | string | "" | No |
prod_budget_alert_rule_threshold | Threshold for the budget alert | string | "" | No |
prod_domain_admin_email | Email address for the Prod identity domain admin | string | Not applicable | Yes |
prod_budget_alert_rule_message | Alert message for budget alerts | string | "" | No |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_budget_amount | Amount of the budget expressed as a whole number in the currency of the rate card | string | "" | No |
input_nonprod_budget_alert_rule_threshold | Threshold for the budget alert | string | "" | No |
input_nonprod_domain_admin_email | Email address for the Non Prod identity domain admin | string | Not applicable | Yes |
nonprod_budget_alert_rule_message | Alert message for budget alerts | string | "" | No |
Tagging Module
The Tagging module is responsible for deploying tags in the L2 Environment compartment.
OELZ v2 creates the following components:
- Tag namespace per environment containing the following defined tags and tag defaults:
- Cost Center
- Geo Location
- Environment Prefix
The following information provides the arguments and parameters for the Tagging module.
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
prod_enable_tagging | Option to enable the Tagging module in the production environment | bool | false | No |
prod_cost_center_tagging | Production cost center | string | Not applicable | Yes |
prod_geo_location_tagging | Production geo location | string | Not applicable | Yes |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_enable_tagging | Option to enable the Tagging module in the non-production environment | bool | false | No |
nonprod_cost_center_tagging | Non-production cost center | string | Not applicable | Yes |
nonprod_geo_location_tagging | Non-production geo location | string | Not applicable | Yes |
Monitoring Module
The Monitoring module lets you actively and passively monitor resources by using the OCI Monitoring metrics and alarms features. By default, the Monitoring module creates all the components in each environment, but the alarms are disabled. Turn them on with the *_enable_*_monitoring_alarms variables and supply at least one email address per notification topic; an enabled alarm that fires into a topic with no subscriptions is not seen by anyone.
Monitoring Module Known Limitation
The Monitoring module configures at least 100 Alarms. Make sure the tenancy meets the required service limit.
Required Arguments and Parameters for the Monitoring Module
Production Environment
Variable | Description | Default Value | Usage |
---|---|---|---|
prod_enable_security_monitoring_alarms | Enable the security monitoring alarms | false (bool) | Set to true |
prod_enable_network_monitoring_alarms | Enable the network monitoring alarms | false (bool) | Set to true |
prod_enable_workload_monitoring_alarms | Enable the workload monitoring alarms | false (bool) | Set to true |
prod_network_topic_endpoints | Subscription endpoints for the Network notifications topic | empty (list) | List of email addresses |
prod_secops_topic_endpoints | Subscription endpoints for the Security Ops notifications topic | empty (list) | List of email addresses |
prod_platform_topic_endpoints | Subscription endpoints for the Platform notifications topic | empty (list) | List of email addresses |
prod_identity_topic_endpoints | Subscription endpoints for the Identity notifications topic | empty (list) | List of email addresses |
Non-Production Environment
Variable | Description | Default Value | Usage |
---|---|---|---|
nonprod_enable_security_monitoring_alarms | Enable the security monitoring alarms | false (bool) | Set to true |
nonprod_enable_network_monitoring_alarms | Enable the network monitoring alarms | false (bool) | Set to true |
nonprod_enable_workload_monitoring_alarms | Enable the workload monitoring alarms | false (bool) | Set to true |
nonprod_network_topic_endpoints | Subscription endpoints for the Network notifications topic | empty (list) | List of email addresses |
nonprod_secops_topic_endpoints | Subscription endpoints for the Security Ops notifications topic | empty (list) | List of email addresses |
nonprod_platform_topic_endpoints | Subscription endpoints for the Platform notifications topic | empty (list) | List of email addresses |
nonprod_identity_topic_endpoints | Subscription endpoints for the Identity notifications topic | empty (list) | List of email addresses |
Networking Module
The Networking module deploys the hub-and-spoke distribution paradigm, VPN, and OCI FastConnect in the landing zone environment.
Networking Module Known Limitation
- The following CIDR ranges can't be used during OELZ v2 deployment:
- 169.254.10.0-169.254.19.255
- 169.254.100.0-169.254.109.255
- 169.254.192.0-169.254.201.255
- 100.64.0.0–100.127.255.255 (Used by Exadata X8M/X9M for the interconnect)
Required Arguments and Parameters for the Networking Module
Production Environment
Hub-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
prod_hub_vcn_cidr_block | HUB VCN CIDR Block | "" (string) | Provide CIDR block |
prod_enable_internet_gateway_hub | Enable Internet Gateway In Hub | "false" (string) | To Enable Set to "true" |
prod_enable_service_gateway_hub | Enable Service Gateway In Hub | "false" (string) | To Enable Set to "true" |
prod_enable_nat_gateway_hub | Enable NAT Gateway In Hub | "false" (string) | To Enable Set to "true" |
Spoke-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
prod_spoke_vcn_cidr | Spoke VCN CIDR Block | "" (string) | Provide CIDR block |
prod_enable_service_gateway_spoke | Enable Service Gateway In Spoke | "false" (string) | To Enable Set to "true" |
prod_enable_nat_gateway_spoke | Enable NAT Gateway In Spoke | "false" (string) | To Enable Set to "true" |
prod_spoke_subnet_web_cidr_block | Spoke Web CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
prod_spoke_subnet_app_cidr_block | Spoke App CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
prod_spoke_subnet_db_cidr_block | Spoke DB CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
VPN-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
enable_vpn_or_fastconnect | Select the VPN or FastConnect service | "VPN | FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
prod_enable_vpn | Enable VPN on Environment | false (bool) | Set to true |
prod_cpe_ip_address | VPN CPE IP Address | "" (string) | CPE Public IP Address |
prod_cpe_display_name | VPN CPE Display Name | "" (string) | CPE Display Name |
prod_cpe_vendor | VPN CPE Vendor | 0 (number) | Follow CPE Vendor List |
prod_ipsec_connection_static_routes | IPsec Static Routes | "" (list) | On-premises IPsec static routes (CIDR blocks) |
prod_shared_secret | Shared Key for the IPsec Tunnel. The default "EXAMPLE" is a placeholder; never deploy with it. | "EXAMPLE" (string) | Provide a randomly generated IPsec tunnel shared key |
prod_ipsec_routing_type | IPsec Routing Type | "STATIC" (string) | Set to "STATIC" or "BGP" |
prod_customer_bgp_asn | BGP ASN (if BGP selected) | "" (string) | Provide BGP ASN |
prod_bgp_cust_tunnela_ip | CPE Side Tunnel End IP Address | "" (string) | Provide IP Address |
prod_customer_bgp_asn | OCI Side Tunnel End IP Address | "" (string) | Provide IP Address |
OCI FastConnect-Related Variables (By design, FastConnect-related variables are deployed only in the production environment.)
Variable | Description | Default Value | Usage |
---|---|---|---|
enable_vpn_or_fastconnect | Select the VPN or FastConnect service | "VPN | FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
fastconnect_provider | FastConnect provider for the virtual circuit | "" (string) | Follow FastConnect Provider List |
virtual_circuit_bandwidth_shape | Provisioned Bandwidth | "1500" (string) | Provide Bandwidth |
virtual_circuit_display_name | Provisioned VC Name | "" (string) | VC Display Name |
fastconnect_routing_policy | FastConnect Routing Policy | "" (list) | Follow FastConnect Routing Policy |
virtual_circuit_type | VC IP Address Type | "PRIVATE | PUBLIC" (string) | Set to "PRIVATE" or "PUBLIC" |
customer_primary_bgp_peering_ip | Customer End BGP Peering IPv4 Address | "" (string) | Provide IP Address |
oracle_primary_bgp_peering_ip | Oracle End BGP Peering IPv4 Address | "" (string) | Provide IP Address |
virtual_circuit_customer_asn | VC BGP ASN | "" (string) | VC BGP ASN |
customer_onprem_ip_cidr | On-Premises IP CIDR | "" (list) | On-premises IP CIDR blocks |
bgp_md5auth_key | Optional: BGP session authentication (TCP MD5) key. Set it whenever the provider supports it so that a rogue peer cannot inject routes into the circuit. | "" (string) | Provide Key |
virtual_circuit_is_bfd_enabled | Optional: Enable BFD on the VC | false (bool) | To Enable Set to true |
FastConnect Provider List
FastConnect Provider |
---|
AT&T |
Azure |
Megaport |
QTS |
CEintro |
Cologix |
CoreSite |
Digital Realty |
EdgeConneX |
Epsilon |
Equinix |
InterCloud |
Lumen |
Neutrona |
OMCS |
OracleL2ItegDeployment |
OracleL3ItegDeployment |
Orange |
Verizon |
Zayo |
FastConnect Routing Policy
FastConnect Routing Policy |
---|
ORACLE_SERVICE_NETWORK |
REGIONAL |
MARKET_LEVEL |
GLOBAL |
Non-Production Environment Variables
Hub-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
nonprod_hub_vcn_cidr_block | HUB VCN CIDR Block | "" (string) | Provide CIDR block |
nonprod_enable_internet_gateway_hub | Enable Internet Gateway In Hub | "false" (string) | To Enable Set to "true" |
nonprod_enable_service_gateway_hub | Enable Service Gateway In Hub | "false" (string) | To Enable Set to "true" |
nonprod_enable_nat_gateway_hub | Enable NAT Gateway In Hub | "false" (string) | To Enable Set to "true" |
Spoke-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
nonprod_spoke_vcn_cidr | Spoke VCN CIDR Block | "" (string) | Provide CIDR block |
nonprod_enable_service_gateway_spoke | Enable Service Gateway In Spoke | "false" (string) | To Enable Set to "true" |
nonprod_enable_nat_gateway_spoke | Enable NAT Gateway In Spoke | "false" (string) | To Enable Set to "true" |
nonprod_spoke_subnet_web_cidr_block | Spoke Web CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
nonprod_spoke_subnet_app_cidr_block | Spoke App CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
nonprod_spoke_subnet_db_cidr_block | Spoke DB CIDR Block | "" (string) | Provide CIDR block (must lie within the spoke VCN CIDR) |
VPN-Related Variables
Variable | Description | Default Value | Usage |
---|---|---|---|
enable_vpn_or_fastconnect | Select the VPN or FastConnect service | "VPN | FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
nonprod_enable_vpn | Enable VPN on Environment | false (bool) | Set to true |
nonprod_cpe_ip_address | VPN CPE IP Address | "" (string) | CPE Public IP Address |
nonprod_cpe_display_name | VPN CPE Display Name | "" (string) | CPE Display Name |
nonprod_cpe_vendor | VPN CPE Vendor | 0 (number) | Follow CPE Vendor List |
nonprod_ipsec_connection_static_routes | IPsec Static Routes | "" (list) | On-premises IPsec static routes (CIDR blocks) |
nonprod_shared_secret | Shared Key for the IPsec Tunnel. The default "EXAMPLE" is a placeholder; never deploy with it. | "EXAMPLE" (string) | Provide a randomly generated IPsec tunnel shared key |
nonprod_ipsec_routing_type | IPsec Routing Type | "STATIC" (string) | Set to "STATIC" or "BGP" |
nonprod_customer_bgp_asn | BGP ASN (if BGP selected) | "" (string) | Provide BGP ASN |
nonprod_bgp_cust_tunnela_ip | CPE Side Tunnel End IP Address | "" (string) | Provide IP Address |
nonprod_customer_bgp_asn | OCI Side Tunnel End IP Address | "" (string) | Provide IP Address |
CPE Vendor List
Number | CPE Vendor |
---|---|
0 | Yamaha-RTX1210 |
1 | Other |
2 | Cisco-9.7.1-or-later |
3 | Yamaha-RTX830 |
4 | Libreswan |
5 | Fortinet |
6 | NEC |
7 | Cisco-8.5+ |
8 | Cisco-IOS |
9 | WatchGuard |
10 | Juniper-MX |
11 | Juniper-SRX |
12 | Furukawa |
13 | Check_Point |
14 | Palo_Alto |
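The reserved ranges in the Networking Module Known Limitation and the hub, spoke and subnet CIDR inputs above are easy to get wrong and expensive to fix after apply, so a pre-flight check is worth running on the variable values first. The following script is an added example, not OELZ v2 code: it validates the prod_* networking inputs (hub VCN, spoke VCN, the three spoke subnets and the IPsec static routes) against the reserved ranges and against the containment and non-overlap rules that the hub-and-spoke routing needs, since every hub, spoke and on-premises destination is forwarded to the DRG. The function and constant names and the sample input values are constructed for illustration.

```python
"""Pre-flight check for OELZ v2 networking inputs (added example, not OELZ code)."""
import ipaddress
from typing import Dict, List

# Ranges the page lists as unusable for OELZ v2 deployment, expressed as the
# minimal set of CIDR blocks covering each dotted range.
_RESERVED_SPANS = [
    ("169.254.10.0", "169.254.19.255"),
    ("169.254.100.0", "169.254.109.255"),
    ("169.254.192.0", "169.254.201.255"),
    ("100.64.0.0", "100.127.255.255"),  # Exadata X8M/X9M interconnect
]
RESERVED_RANGES = [
    net
    for first, last in _RESERVED_SPANS
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]

VCN_KEYS = ("prod_hub_vcn_cidr_block", "prod_spoke_vcn_cidr")
SUBNET_KEYS = (
    "prod_spoke_subnet_web_cidr_block",
    "prod_spoke_subnet_app_cidr_block",
    "prod_spoke_subnet_db_cidr_block",
)


def check_networking(cfg: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the inputs pass."""
    findings: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for key in VCN_KEYS + SUBNET_KEYS:
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.1.0.1/24
            nets[key] = ipaddress.IPv4Network(str(cfg.get(key, "")), strict=True)
        except ValueError as exc:
            findings.append(f"{key}: {cfg.get(key)!r} is not a usable IPv4 CIDR block ({exc})")
    if len(nets) != len(VCN_KEYS) + len(SUBNET_KEYS):
        return findings  # overlap checks need every block to have parsed

    for key, net in nets.items():
        for reserved in RESERVED_RANGES:
            if net.overlaps(reserved):
                findings.append(f"{key}: {net} overlaps reserved range {reserved}")

    hub, spoke = nets["prod_hub_vcn_cidr_block"], nets["prod_spoke_vcn_cidr"]
    if hub.overlaps(spoke):
        findings.append(f"hub VCN {hub} overlaps spoke VCN {spoke}")

    subnets = [(key, nets[key]) for key in SUBNET_KEYS]
    for key, subnet in subnets:
        if not subnet.subnet_of(spoke):
            findings.append(f"{key}: {subnet} is not inside spoke VCN {spoke}")
    for i, (key_a, net_a) in enumerate(subnets):
        for key_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{key_a} ({net_a}) overlaps {key_b} ({net_b})")

    # On-premises prefixes advertised over IPsec must not collide with the VCNs.
    for route in cfg.get("prod_ipsec_connection_static_routes", []) or []:
        try:
            onprem = ipaddress.IPv4Network(str(route), strict=True)
        except ValueError as exc:
            findings.append(f"prod_ipsec_connection_static_routes: {route!r} is invalid ({exc})")
            continue
        for key in VCN_KEYS:
            if onprem.overlaps(nets[key]):
                findings.append(f"on-premises route {onprem} overlaps {key} ({nets[key]})")
    return findings


# Constructed sample inputs: one clean set and one with the classic mistakes.
GOOD_INPUTS = {
    "prod_hub_vcn_cidr_block": "10.0.0.0/16",
    "prod_spoke_vcn_cidr": "10.1.0.0/16",
    "prod_spoke_subnet_web_cidr_block": "10.1.0.0/24",
    "prod_spoke_subnet_app_cidr_block": "10.1.1.0/24",
    "prod_spoke_subnet_db_cidr_block": "10.1.2.0/24",
    "prod_ipsec_connection_static_routes": ["192.168.0.0/16"],
}
BAD_INPUTS = {
    "prod_hub_vcn_cidr_block": "100.64.0.0/16",          # inside the Exadata interconnect range
    "prod_spoke_vcn_cidr": "10.1.0.0/16",
    "prod_spoke_subnet_web_cidr_block": "10.1.0.0/24",
    "prod_spoke_subnet_app_cidr_block": "10.1.0.0/25",   # overlaps the web subnet
    "prod_spoke_subnet_db_cidr_block": "10.2.0.0/24",    # outside the spoke VCN
    "prod_ipsec_connection_static_routes": ["10.0.0.0/8"],  # swallows the spoke VCN
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_INPUTS), ("bad", BAD_INPUTS)):
        print(f"{label}: {check_networking(cfg) or 'no findings'}")
```

Run it against the values you intend to put in terraform.tfvars before the first apply; the same checks apply to the nonprod_* variables by swapping the key prefix.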
Hub-and-Spoke Network
The hub-and-spoke distribution paradigm allows workloads to interconnect. Hub instances are configured on shared network compartments and spoke instances are deployed in workload compartments.
Hub Module
Naming Convention
Resource | Deployed Name |
---|---|
Hub VCN Name | OCI-ELZ-VCN-<Environment>-HUB-<Region> |
Hub Public Subnet Name | OCI-ELZ-VCN-<Environment>-HUB-<Region> 001 |
Hub Private Subnet Name | OCI-ELZ-VCN-<Environment>-HUB-<Region> 002 |
Hub Internet Gateway Name* | OCI-ELZ-IGW-<Environment>-HUB |
Hub Service Gateway Name | OCI-ELZ-SGW-<Environment>-HUB |
Hub NAT Gateway Name | OCI-ELZ-NGW-<Environment>-HUB |
Hub Public Route Table Name | OCI-ELZ-RTPUB-<Environment>-HUB001 |
Hub Private Route Table Name | OCI-ELZ-RTPRV-<Environment>-HUB002 |
Route Rule
Public Route Table information:
- If the Internet Gateway is enabled, it acts as the default gateway (0.0.0.0/0).
- All Spoke Subnet destinations are forwarded to the DRG.
Private Route Table information:
- If the NAT Gateway is enabled, it acts as the default gateway (0.0.0.0/0).
- If the Service Gateway is enabled, a route to the Oracle Services Network goes through it, so hub resources reach OCI services without traversing the internet.
- All Spoke Subnet destinations are forwarded to the DRG.
Security Rule
- Ingress Rule: Allow All ICMP Traffic.
- Egress Rule: Allow All Protocol Traffic.
Spoke Module
Naming Convention
Resource | Deployed Name |
---|---|
Spoke VCN Name | OCI-ELZ-VCN-<Environment>-SPK-<Region> |
Spoke Web Subnet Name | OCI-ELZ-VCN-<Environment>-SPK-<Region>001 |
Spoke App Subnet Name | OCI-ELZ-VCN-<Environment>-SPK-<Region>002 |
Spoke DB Subnet Name | OCI-ELZ-VCN-<Environment>-SPK-<Region>003 |
Spoke Service Gateway Name | OCI-ELZ-SGW-<Environment>-SPK |
Spoke NAT Gateway Name | OCI-ELZ-NGW-<Environment>-SPK |
Spoke Route Table | OCI-ELZ-RTPRV-<Environment>-SPK001 |
Route Rule
Spoke Route Table (OCI-ELZ-RTPRV-<Environment>-SPK001) information:
- If the NAT Gateway is enabled, it acts as the default gateway (0.0.0.0/0).
- If the Service Gateway is enabled, a route to the Oracle Services Network goes through it, so spoke resources reach OCI services without traversing the internet.
- All Hub Subnet destinations are forwarded to the DRG.
- All Spoke Subnet destinations are forwarded to the DRG.
Security Rule
- Ingress Rule: Allow All ICMP Traffic.
- Egress Rule: Allow All Protocol Traffic.
These default security list rules admit only ICMP inbound, so the ports a workload actually serves (SSH, HTTPS, database listeners, and so on) must be opened explicitly, preferably with network security groups scoped to the workload rather than by widening the subnet security list; the allow-all egress rule should likewise be narrowed once the egress paths a workload needs are known.
VPN Module
The VPN module is deployed in the Shared Infrastructure Network compartment. The IPsec connection uses either static or BGP routing, selected with the ipsec_routing_type variable.
Naming Convention
Resource | Deployed Name |
---|---|
CPE Name | OCI-ELZ-CPE-<Environment>-HUB-<REGION>001 |
IPsec Connection Name | OCI-ELZ-IPC-<Environment>-HUB-<REGION>001 |
Route Rule
The following route tables are updated:
- OCI-ELZ-RTPUB-<Environment>-HUB001: on-premises IPsec static routes are forwarded to the DRG.
- OCI-ELZ-RTPRV-<Environment>-HUB001: on-premises IPsec static routes are forwarded to the DRG.
- OCI-ELZ-RTPRV-<Environment>-SPK001: on-premises IPsec static routes are forwarded to the DRG.
FastConnect Module
Naming Convention
Resource | Deployed Name |
---|---|
FastConnect Circuit Name | OCI-ELZ-FCN-<Environment>-HUB-<REGION>001 |
Route Rule
The following route tables are updated:
- OCI-ELZ-RTPUB-<Environment>-HUB001: the on-premises IP CIDR route is forwarded to the DRG.
- OCI-ELZ-RTPRV-<Environment>-HUB001: the on-premises IP CIDR route is forwarded to the DRG.
- OCI-ELZ-RTPRV-<Environment>-SPK001: the on-premises IP CIDR route is forwarded to the DRG.
RPC Attachment
By design, on-premises subnet routes do not propagate over the remote peering connection (RPC) to the second hub-and-spoke, and routes learned over the RPC do not propagate to on-premises. This is accomplished with two separate route tables in the environment's DRG (OCI-ELZ-DRG-<Environment>-HUB, for example OCI-ELZ-DRG-P-HUB): one for the IPsec or virtual circuit attachment and one for the RPC attachment, each with its own import route distribution that admits only the route types that attachment should learn.
To update the DRG OCI-ELZ-DRG-<Environment>-HUB:
- Create an import route distribution for on-premises.
- Create an import route distribution for the RPC.
- Create a route table for on-premises that uses the on-premises import distribution.
- Create a route table for the RPC that uses the RPC import distribution.
- Apply the new route tables to the respective attachments.
Security
To provide a secure environment, OELZ v2 deploys several Oracle security services, such as Oracle Cloud Guard to monitor for insecure cloud resource deployments, OCI Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OCI OS Management Service to manage updates and patches.
To provide secure storage and key management, OELZ v2 deploys a vault and creates a master encryption key stored in the vault, which can be used to encrypt data in object storage.
For secure storage and future analysis of logging data, OELZ v2 directs all logging data, including general log data, service events, and audit logs, to secure storage. This can be secure object storage buckets created by OELZ v2 and encrypted with the master encryption key stored in the central vault.
For secure access to workload resources, OELZ v2 deploys a bastion in the L4 Security compartment.
Security Services
OELZ v2 deploys configurations for multiple security services. Vulnerability Scanning scans compute instances deployed in OELZ v2 (for example, as part of the workloads) for open ports and known security vulnerabilities. OS Management Service works with operating systems on deployed compute instances, such as Oracle Autonomous Linux, to manage patches and updates, helping to ensure a secure environment.
Cloud Guard Sub Module
Cloud Guard can monitor multiple security conditions. OELZ v2 configures Cloud Guard with several Oracle-managed security recipes for up-to-date best practice security monitoring.
By default, Cloud Guard is configured to monitor only the resources deployed in the OELZ v2 home compartment and its sub-compartments. The cloud_guard_target_tenancy variable switches the target to the entire tenancy: it is a Boolean that defaults to false, and when set to true Cloud Guard monitors the whole tenancy instead of the OELZ v2 home compartment.
Cloud Guard Target is deployed in the base compartment of both L2-Prod and L2-Non-Prod environments with related IAM policies. All Oracle managed responder recipes reside in the L4 Security compartment of each environment.
The following target_detector_recipes are Oracle managed:
- OCI Config Detector Recipes
- OCI Threat Detector Recipes
- OCI Activity Detector Recipe
For more information about Cloud Guard, see Cloud Guard.
Required Arguments and Parameters in the Cloud Guard Module
Name | Description | Type | Default | Required |
---|---|---|---|---|
input_enable_cloud_guard | Set to true to have OELZ v2 enable Cloud Guard; set to false if Cloud Guard is already enabled in the tenancy. | bool | true | No |
cloud_guard_target_tenancy | Set to true to target the entire tenancy, or false to target only the OELZ v2 home compartment. | bool | false | No |
Bastion Sub Module
The OCI Bastion service is created in the L4 Security compartment within the L2-Prod compartment, with a second one created in the L4 Security compartment within the L2-Non-Prod compartment. It allows secure access to compute resources in the respective environments. The client CIDR block allow list restricts the source addresses that are permitted to connect to sessions hosted by the bastion; keep it to known administrative ranges (a corporate egress range or VPN pool) rather than 0.0.0.0/0, because the bastion is the one intentionally exposed path into the private subnets.
The following information provides the required arguments and parameters in the Bastion module.
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
prod_enable_bastion | Option to enable the Bastion service | bool | Not applicable | Yes |
prod_bastion_client_cidr_block_allow_list | List of address ranges in the CIDR notation that you want to allow to connect to sessions hosted by the bastion | list(string) | Not applicable | Yes |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_enable_bastion | Option to enable Bastion service | bool | Not applicable | Yes |
nonprod_bastion_client_cidr_block_allow_list | List of address ranges in the CIDR notation that you want to allow to connect to sessions hosted by the bastion | list(string) | Not applicable | Yes |
Vulnerability Scanning Sub Module
Vulnerability Scanning is one of several security services deployed in OELZ v2. It scans compute instances deployed in OELZ v2 (for example, as part of workloads) for open ports and known security vulnerabilities.
Key Features:
- Vulnerability Scanning recipes are created in the L4-Security compartment in both the production and non-production environments, together with the IAM policies the service needs to manage instances and read compute components and VNICs.
- Network and agent-based scanning is enabled by default.
- Scans are configured with a "Daily" schedule.
- Qualys integration lets you run reports on the Qualys Dashboard instead of Cloud Guard. This feature is not currently available from the Terraform code, but might be available in later versions.
There are no input parameters required for the Vulnerability Scanning module.
OS Management Sub Module
The OS Management service works with operating systems on deployed compute instances, such as Oracle Autonomous Linux, to manage patches and updates, helping you ensure a secure environment.
Key Features:
- An IAM policy is created at the tenancy level that lets the OS Management service emit metrics for instances in the tenancy.
- A dynamic group is created with the name OCI-ELZ-DG.
- Matching rules are created from the OCIDs of the compartments where instances reside, such as the L4-Security, Logging, Network, Workload, and Base compartments.
- The IAM policy for the dynamic group is created in the landing zone home compartment.
There are no input parameters required for the OS Management module.
Vault and Key Management Sub Module
The OCI Vault service is a key management service that stores and manages master encryption keys and secrets for secure access to resources.
Key Features
- A virtual vault is created for secure storage of cryptographic keys within L4-Security compartment of both production and non-production environments.
- A user-manageable master encryption key is also created, stored in the vault, and is usable for encryption of data in OCI storage services.
- Vault supports the bring your own key (BYOK) scenario and can store all user keys.
- IAM policies for storage services to use keys are created in the landing zone Base compartment.
Required Arguments and Parameters for the Vault and Key Management Module
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
prod_vault_type | Type of vault to create: "DEFAULT" (shared HSM partition) or "VIRTUAL_PRIVATE" (dedicated HSM partition) | string | "DEFAULT" | No |
prod_vault_replica_region | Region in which to create the vault replica | string | "" | No |
prod_enable_vault_replication | Option to enable cross-region vault replication (only available for virtual private vaults) | bool | false | No |
prod_create_master_encryption_key | Option to create the master encryption key | bool | true | No |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_vault_type | Type of vault to create: "DEFAULT" (shared HSM partition) or "VIRTUAL_PRIVATE" (dedicated HSM partition) | string | "DEFAULT" | No |
nonprod_vault_replica_region | Region in which to create the vault replica | string | "" | No |
nonprod_enable_vault_replication | Option to enable cross-region vault replication (only available for virtual private vaults) | bool | false | No |
nonprod_create_master_encryption_key | Option to create the master encryption key | bool | true | No |
For a typical enterprise adopting OCI, Vault must be configured to address the most common enterprise use cases. For common enterprise scenarios and the corresponding recommended guidance, see Vault Best Practices After Landing Zone Implementation.
Logging
OELZ v2 sets up secure storage of all log data generated by resources and services in the landing zone. In each environment (the L2-Prod and L2-NonProd compartments), a logging compartment, "L3-Logging Compartment", is created. This compartment hosts the following three immutable storage buckets:
- AuditLogs_standard: Bucket for audit logs
- DefaultLogs_standard: Bucket for general logging
- ServiceEvents_standard: Bucket for service events
The buckets are encrypted with the master encryption key (MEK) stored in the vault. Retention policies are also applied to the buckets to manage data retention, disallowing deletion or modification of objects for a configurable period. The documented default is one day, which provides almost no protection for audit evidence; set the retention variables below to a duration that matches your audit and incident-investigation requirements.
The default log group (Name: Default_Group) is created in the L4-Security compartment. Service logs for all supported services (VCN Flow logs, Object Storage, and so on) are enabled and stored in the L3-Logging compartment.
All the events in the OELZ v2 environment are streamed to standard object storage. The stream pool is created in the L4-Security compartment and encrypted with the MEK. The service events are stored in the standard object storage bucket in the Logging compartment.
OCI Service Connector Hub is used to ship all the audit, service logs, and events in OELZ v2 to the buckets in the Logging compartment. All IAM policies for Service Connector Hub are created in the L2 level home compartment of each environment.
Required Arguments and Parameters for Bucket Retention Policies
Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
prod_retention_policy_duration_amount | Retention duration amount, interpreted in the units given by prod_retention_policy_duration_time_unit and measured from each object's Last-Modified timestamp | string | "1" | No |
prod_retention_policy_duration_time_unit | Unit for the retention amount: "DAYS" or "YEARS" | string | "DAYS" | No |
Non-Production Environment
Name | Description | Type | Default | Required |
---|---|---|---|---|
nonprod_retention_policy_duration_amount | Retention duration amount, interpreted in the units given by nonprod_retention_policy_duration_time_unit and measured from each object's Last-Modified timestamp | string | "1" | No |
nonprod_retention_policy_duration_time_unit | Unit for the retention amount: "DAYS" or "YEARS" | string | "DAYS" | No |
Archive Log
Name | Description | Type | Default | Required |
---|---|---|---|---|
archive_log_retention_policy_duration_amount | Retention duration amount for the archive log bucket, interpreted in the units given by archive_log_retention_policy_duration_time_unit and measured from each object's Last-Modified timestamp | string | "1" | No |
archive_log_retention_policy_duration_time_unit | Unit for the retention amount: "DAYS" or "YEARS" | string | "DAYS" | No |
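Several inputs on this page are safe only if a reviewer catches them before apply: enable_compartment_delete defaults to true, break_glass_user_email_list grants Administrators membership, the IPsec shared secret defaults to the placeholder "EXAMPLE", the bastion client CIDR allow lists decide who can reach the private subnets, and the bucket retention policies default to one day. The following lint is an added example, not OELZ v2 code: it runs those checks over the variable values as a dictionary and also shows how to generate a shared secret from the OS CSPRNG instead of keeping the placeholder. The function names, the minimum-secret-length and minimum-retention thresholds, and the sample configurations are constructed assumptions, not OCI limits.

```python
"""Pre-deployment lint for security-sensitive OELZ v2 inputs (added example, not OELZ code)."""
import ipaddress
import re
import secrets
import string
from typing import Dict, List

PLACEHOLDER_SECRETS = {"", "EXAMPLE"}        # documented default; must never ship
MIN_SECRET_LEN = 20                          # assumption: local policy, not an OCI limit
MIN_LOG_RETENTION_DAYS = 365                 # assumption: local audit policy
DAYS_PER_UNIT = {"DAYS": 1, "YEARS": 365}    # OCI retention rule time units
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _bastion_findings(env: str, cfg: Dict[str, object]) -> List[str]:
    out: List[str] = []
    if not cfg.get(f"{env}_enable_bastion"):
        return out
    allow = cfg.get(f"{env}_bastion_client_cidr_block_allow_list") or []
    if not allow:
        out.append(f"{env}: bastion is enabled but the client allow list is empty")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(str(cidr), strict=False)
        except ValueError:
            out.append(f"{env}: bastion allow list entry {cidr!r} is not a CIDR block")
            continue
        if net.prefixlen == 0:
            out.append(f"{env}: bastion allow list contains {cidr}, which permits sessions from any address")
        elif net.prefixlen < 16:
            out.append(f"{env}: bastion allow list entry {cidr} is broader than a /16")
    return out


def _vpn_findings(env: str, cfg: Dict[str, object]) -> List[str]:
    if not cfg.get(f"{env}_enable_vpn"):
        return []
    secret = str(cfg.get(f"{env}_shared_secret", ""))
    if secret in PLACEHOLDER_SECRETS:
        return [f"{env}: IPsec shared secret is the placeholder default; generate a real one"]
    if len(secret) < MIN_SECRET_LEN:
        return [f"{env}: IPsec shared secret is shorter than {MIN_SECRET_LEN} characters"]
    return []


def _retention_findings(env: str, cfg: Dict[str, object]) -> List[str]:
    amount = cfg.get(f"{env}_retention_policy_duration_amount", "1")   # page default
    unit = str(cfg.get(f"{env}_retention_policy_duration_time_unit", "DAYS")).upper()
    try:
        days = int(str(amount)) * DAYS_PER_UNIT[unit]
    except (ValueError, KeyError):
        return [f"{env}: retention policy {amount!r} {unit!r} is not a valid amount/unit pair"]
    if days < MIN_LOG_RETENTION_DAYS:
        return [f"{env}: log bucket retention of {days} day(s) is below the {MIN_LOG_RETENTION_DAYS}-day minimum"]
    return []


def lint_security_inputs(cfg: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means the inputs pass."""
    findings: List[str] = []
    if cfg.get("enable_compartment_delete", True):   # page default is true
        findings.append("enable_compartment_delete is true: terraform destroy will delete the landing zone compartments")
    emails = [str(e) for e in (cfg.get("break_glass_user_email_list") or [])]
    if len(set(emails)) != len(emails):
        findings.append("break_glass_user_email_list contains duplicate addresses")
    for email in emails:
        if not EMAIL_RE.match(email):
            findings.append(f"break_glass_user_email_list entry {email!r} is not an email address")
    for env in ("prod", "nonprod"):
        findings += _bastion_findings(env, cfg)
        findings += _vpn_findings(env, cfg)
        findings += _retention_findings(env, cfg)
    return findings


def generate_shared_secret(length: int = 48) -> str:
    """Random alphanumeric pre-shared key from the OS CSPRNG (length is an assumption)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample inputs: the weak set leaves every documented default in place.
WEAK_INPUTS = {
    "enable_compartment_delete": True,
    "break_glass_user_email_list": ["bg1@example.com", "bg1@example.com"],
    "prod_enable_bastion": True,
    "prod_bastion_client_cidr_block_allow_list": ["0.0.0.0/0"],
    "prod_enable_vpn": True,
    "prod_shared_secret": "EXAMPLE",
    "nonprod_enable_bastion": False,
    "nonprod_enable_vpn": False,
}
HARDENED_INPUTS = {
    "enable_compartment_delete": False,
    "break_glass_user_email_list": ["bg-a@example.com", "bg-b@example.com"],
    "prod_enable_bastion": True,
    "prod_bastion_client_cidr_block_allow_list": ["203.0.113.0/24"],
    "prod_enable_vpn": True,
    "prod_shared_secret": generate_shared_secret(),
    "prod_retention_policy_duration_amount": "1",
    "prod_retention_policy_duration_time_unit": "YEARS",
    "nonprod_enable_bastion": True,
    "nonprod_bastion_client_cidr_block_allow_list": ["203.0.113.0/24"],
    "nonprod_enable_vpn": False,
    "nonprod_retention_policy_duration_amount": "400",
    "nonprod_retention_policy_duration_time_unit": "DAYS",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_INPUTS), ("hardened", HARDENED_INPUTS)):
        print(f"{label}: {lint_security_inputs(cfg) or 'no findings'}")
```

The weak set produces six findings (compartment deletion, a duplicate break glass address, the world-open bastion allow list, the placeholder shared secret, and one-day retention in each environment); the hardened set produces none. Keep the generated shared secret out of terraform.tfvars in source control; pass it through a variable file that is excluded from the repository or through an environment variable.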