
Oracle Enterprise Landing Zone Configuration Guide

This configuration guide details the required and optional configuration needed to deploy an Oracle Enterprise Landing Zone (OELZ) on Oracle Cloud Infrastructure.


The Oracle Enterprise Landing Zone is designed to be deployed into a tenancy owned by an individual Tenancy Administrator. The user deploying the OELZ must be a member of the Administrators group for the tenancy. The tenancy must have the required resource limits and must have the Logging Analytics feature turned on. Detailed information on these prerequisites, on how to check that your tenancy meets them, and on enabling the needed features can be found in the Implementation Document.

Minimum Required Configuration

Deployment of the OELZ is controlled by several Terraform input variables; most of them have sensible default values. The minimum required configuration to deploy an OELZ is:

Basic Terraform Connection Information

The required provider variables for the OELZ:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| current_user_ocid | The OCID of the user deploying the OELZ. | string | "" | no |
| api_fingerprint | The API key fingerprint, which can be retrieved from the console. | string | "" | no |
| api_private_key | The API private key. | string | "" | no |
| api_private_key_path | The local path to the API private key. | string | "" | no |
| tenancy_ocid | The OCID of the tenancy. | string | n/a | yes |
| region | The OCI region to deploy the OELZ resources to. | string | n/a | yes |
| resource_label | The prefix used to avoid naming conflicts. | string | n/a | no |

Compartment Module

This architecture diagram illustrates the compartments Enterprise LZ deploys.


The OELZ Home Compartment would be created in enterprise-landing-zone. The other compartments would be created in elz-environment and in elz-workload.

The required arguments for OELZ Home Compartment:

  • compartment_parent_id: the OCID of compartment/tenancy that you create the OELZ in
  • compartment_name: the name of OELZ home compartment
  • compartment_description: the description of OELZ home compartment
  • enable_compartment_delete: unless enable_delete is explicitly set to true, Terraform will not delete compartments on destroy

To configure the compartment the required user inputs are:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enable_compartment_delete | Set to true to allow the compartments to be deleted on terraform destroy. | bool | true | no |
| home_compartment_name | The name of the home compartment under which all OELZ resources will be deployed. | string | "OCI-ELZ-CMP-HOME" | no |

Identity Module

Each environment has its own identity domain. The identity domain applies to all resources under the environment compartment. The OELZ only supports the new OCI identity domains (Henosis), not the old IDCS domains.

Required attributes:

  • Display Name: The display name of Identity Domain. Default: OCI-ELZ--IDT
  • Description: The description of Identity Domain. Default: OCI OELZ Identity Domain
  • Domain Type: Premium
  • Domain Admin: Email address for the domain admin
  • Compartment: OCID for the compartment where the domain will be stored. This should be the L4-Security compartment
  • Tags: Optional freeform tags

Identity Domain Configurations

  • Required Arguments/Parameters for Identity Domain:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| nonprod_domain_admin_email | The email address for the non-prod identity domain admin. | string | n/a | yes |
| prod_domain_admin_email | The email address for the prod identity domain admin. | string | n/a | yes |
| break_glass_user_email_list | Unique list of break-glass user email addresses that do not exist in the tenancy. These users are added to the Administrator group. | list(string) | [] | yes |

Groups and Policies

For control over users and user groups, a federate-able Identity Domain is created in the L4-Security Compartment for each environment. The user deploying the OELZ will need to set up federation after the OELZ has been deployed.

The OELZ also creates 6 different User Groups, meant for managing the individual deployed environments (by default 2: prod and non-prod).

  • Network Admin : OCI OELZ Network Administrators Group - manages all network resources
  • SecOps Admin: OCI OELZ Security Administrators Group
  • IAM Admin: OCI OELZ IAM Group
  • Ops Admin: OCI OELZ Ops Admin Group
  • Platform Admin: OCI OELZ Platform Admin Group

When these user groups are created, the user inputs are optional because each group has a default name; however, a customer who wants to set up federation must update the user group names to match the names as they exist in their federated domain.

The OELZ deploys policies that will grant administrative privileges to members of each of those groups over resources in their respective compartments.

Budget and Tagging Module

The budget and tagging modules will give the ability to enable or disable budgets and tags in individual environments during the deployment as well as after the deployment without impacting the operation of LZ. The deployment mode of the modules will be the same for each additional environment the client wants to create.

Budget Module

The budgets module is responsible for deploying the budget component in a single environment. The OELZ should create the following components:

Tagging Module

The tags module is responsible for deploying Tags within the L2 Environment compartment.

The OELZ should create the following components:

  • Tag namespace per environment containing the following defined tags and tag defaults

    • Cost Center
    • Geo Location
    • Environment Prefix
  • Required Arguments/Parameters for Tagging Module:

    1. Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| prod_enable_tagging | Option to enable tagging in the Production environment | bool | false | no |
| prod_cost_center_tagging | Production Cost Center. | string | n/a | yes |
| prod_geo_location_tagging | Production Geo Location. | string | n/a | yes |

    2. Non-Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| nonprod_enable_tagging | Option to enable tagging in the Non-Production environment | bool | false | no |
| nonprod_cost_center_tagging | Non-Production Cost Center. | string | n/a | yes |
| nonprod_geo_location_tagging | Non-Production Geo Location. | string | n/a | yes |

Monitoring Module

The monitoring module enables you to actively and passively monitor resources using the Metrics and Alarms features. By default the monitoring module creates all the components in each environment, but alerts are disabled.

Monitoring Module Known Limitation

  1. The Monitoring Module configures at least 100 Alarms, so make sure the tenancy has the appropriate service limit.

Required Arguments/Parameters for Monitoring Module

Production Environment

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| prod_enable_security_monitoring_alarms | Enable Security Monitoring Alarms | false (bool) | Set to true |
| prod_enable_network_monitoring_alarms | Enable Network Monitoring Alarms | false (bool) | Set to true |
| prod_enable_workload_monitoring_alarms | Enable Workload Monitoring Alarms | false (bool) | Set to true |
| prod_network_topic_endpoints | Enable Network Notifications Topic | empty (list) | Email Address |
| prod_secops_topic_endpoints | Enable Security Ops Notifications Topic | empty (list) | Email Address |
| prod_platform_topic_endpoints | Enable Platform Notifications Topic | empty (list) | Email Address |
| prod_identity_topic_endpoints | Enable Identity Notifications Topic | empty (list) | Email Address |

Non-Production Environment

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| nonprod_enable_security_monitoring_alarms | Enable Security Monitoring Alarms | false (bool) | Set to true |
| nonprod_enable_network_monitoring_alarms | Enable Network Monitoring Alarms | false (bool) | Set to true |
| nonprod_enable_workload_monitoring_alarms | Enable Workload Monitoring Alarms | false (bool) | Set to true |
| nonprod_network_topic_endpoints | Enable Network Notifications Topic | empty (list) | Email Address |
| nonprod_secops_topic_endpoints | Enable Security Ops Notifications Topic | empty (list) | Email Address |
| nonprod_platform_topic_endpoints | Enable Platform Notifications Topic | empty (list) | Email Address |
| nonprod_identity_topic_endpoints | Enable Identity Notifications Topic | empty (list) | Email Address |

Networking Module

The Network Module deploys a Hub and Spoke network topology, plus VPN and FastConnect connectivity, in the LZ environment.

Network Module Known Limitation

  • CIDR ranges which can't be used during the OELZ deployment:
    •– (Used by Exadata X8M/X9M for the interconnect)

Required Arguments/Parameters for Network Module

Production Environment Variable

1. Hub Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| prod_hub_vcn_cidr_block | Hub VCN CIDR Block | "" (string) | Provide CIDR IP |
| prod_enable_internet_gateway_hub | Enable Internet Gateway In Hub | "false" (string) | To enable, set to "true" |
| prod_enable_service_gateway_hub | Enable Service Gateway In Hub | "false" (string) | To enable, set to "true" |
| prod_enable_nat_gateway_hub | Enable NAT Gateway In Hub | "false" (string) | To enable, set to "true" |

2. Spoke Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| prod_spoke_vcn_cidr | Spoke VCN CIDR Block | "" (string) | Provide CIDR IP |
| prod_enable_service_gateway_spoke | Enable Service Gateway In Spoke | "false" (string) | To enable, set to "true" |
| prod_enable_nat_gateway_spoke | Enable NAT Gateway In Spoke | "false" (string) | To enable, set to "true" |
| prod_spoke_subnet_web_cidr_block | Spoke Web CIDR Block | "" (string) | Provide CIDR IP |
| prod_spoke_subnet_app_cidr_block | Spoke App CIDR Block | "" (string) | Provide CIDR IP |
| prod_spoke_subnet_db_cidr_block | Spoke DB CIDR Block | "" (string) | Provide CIDR IP |

3. VPN Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| enable_vpn_or_fastconnect | Enable VPN or FastConnect Service | "VPN \| FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
| prod_enable_vpn | Enable VPN on Environment | false (bool) | Set to true |
| prod_cpe_ip_address | VPN CPE IP Address | "" (string) | CPE Public IP Address |
| prod_cpe_display_name | VPN CPE Display Name | "" (string) | CPE Display Name |
| prod_cpe_vendor | VPN CPE Vendor | 0 (number) | Follow CPE Vendor List |
| prod_ipsec_connection_static_routes | IPsec Static Route | [""] (list) | On-premises IPsec Static Route |
| prod_shared_secret | Shared Key for IPsec Tunnel | "EXAMPLE" (string) | Provide IPsec Tunnel Shared Key |
| prod_ipsec_routing_type | IPsec Routing Type | "STATIC" (string) | Set to "STATIC" or "BGP" |
| prod_customer_bgp_asn | BGP ASN (if BGP selected) | "" (string) | Provide BGP ASN |
| prod_bgp_cust_tunnela_ip | CPE Side Tunnel End IP Address | "" (string) | Provide IP Address |
| prod_customer_bgp_asn | OCI Side Tunnel End IP Address | "" (string) | Provide IP Address |

4. FastConnect Related Variables (by design, FastConnect is deployed only in the Production environment)

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| enable_vpn_or_fastconnect | Enable VPN or FastConnect Service | "VPN \| FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
| fastconnect_provider | FastConnect Provider | "" (string) | Follow FastConnect Provider List |
| virtual_circuit_bandwidth_shape | Provisioned Bandwidth | "1500" (string) | Provide Bandwidth |
| virtual_circuit_display_name | Provisioned VC Name | "" (string) | VC Display Name |
| fastconnect_routing_policy | FastConnect Routing Policy | [""] (list) | Follow FastConnect Routing Policy |
| virtual_circuit_type | VC IP Address Type | "PRIVATE \| PUBLIC" (string) | Provide VC Type |
| customer_primary_bgp_peering_ip | Customer End BGP Peering IPv4 Address | "" (string) | Provide IP Address |
| oracle_primary_bgp_peering_ip | Oracle End BGP Peering IPv4 Address | "" (string) | Provide IP Address |
| virtual_circuit_customer_asn | VC BGP ASN | "" (string) | VC BGP ASN |
| customer_onprem_ip_cidr | On-premises IP CIDR | [""] (list) | On-premises IP CIDR |
| bgp_md5auth_key | Optional: BGP MD5 Authentication Key | "" (string) | Provide Key |
| virtual_circuit_is_bfd_enabled | Optional: Enable BFD on VC | false (bool) | To enable, set to true |

FastConnect Provider List

| FastConnect Provider |
|---|
| Digital Realty |

FastConnect Routing Policy

| FastConnect Routing Policy |
|---|

Non Production Environment Variable

1. Hub Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| nonprod_hub_vcn_cidr_block | Hub VCN CIDR Block | "" (string) | Provide CIDR IP |
| nonprod_enable_internet_gateway_hub | Enable Internet Gateway In Hub | "false" (string) | To enable, set to "true" |
| nonprod_enable_service_gateway_hub | Enable Service Gateway In Hub | "false" (string) | To enable, set to "true" |
| nonprod_enable_nat_gateway_hub | Enable NAT Gateway In Hub | "false" (string) | To enable, set to "true" |

2. Spoke Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| nonprod_spoke_vcn_cidr | Spoke VCN CIDR Block | "" (string) | Provide CIDR IP |
| nonprod_enable_service_gateway_spoke | Enable Service Gateway In Spoke | "false" (string) | To enable, set to "true" |
| nonprod_enable_nat_gateway_spoke | Enable NAT Gateway In Spoke | "false" (string) | To enable, set to "true" |
| nonprod_spoke_subnet_web_cidr_block | Spoke Web CIDR Block | "" (string) | Provide CIDR IP |
| nonprod_spoke_subnet_app_cidr_block | Spoke App CIDR Block | "" (string) | Provide CIDR IP |
| nonprod_spoke_subnet_db_cidr_block | Spoke DB CIDR Block | "" (string) | Provide CIDR IP |

3. VPN Related Variables

| Variable | Description | Default Value | Usage |
|---|---|---|---|
| enable_vpn_or_fastconnect | Enable VPN or FastConnect Service | "VPN \| FASTCONNECT" (string) | Set to "VPN" or "FASTCONNECT" |
| nonprod_enable_vpn | Enable VPN on Environment | false (bool) | Set to true |
| nonprod_cpe_ip_address | VPN CPE IP Address | "" (string) | CPE Public IP Address |
| nonprod_cpe_display_name | VPN CPE Display Name | "" (string) | CPE Display Name |
| nonprod_cpe_vendor | VPN CPE Vendor | 0 (number) | Follow CPE Vendor List |
| nonprod_ipsec_connection_static_routes | IPsec Static Route | [""] (list) | IPsec Static Route |
| nonprod_shared_secret | Shared Key for IPsec Tunnel | "EXAMPLE" (string) | Provide IPsec Tunnel Shared Key |
| nonprod_ipsec_routing_type | IPsec Routing Type | "STATIC" (string) | Set to "STATIC" or "BGP" |
| nonprod_customer_bgp_asn | BGP ASN (if BGP selected) | "" (string) | Provide BGP ASN |
| nonprod_bgp_cust_tunnela_ip | CPE Side Tunnel End IP Address | "" (string) | Provide IP Address |
| nonprod_customer_bgp_asn | OCI Side Tunnel End IP Address | "" (string) | Provide IP Address |

CPE Vendor List

| Number | CPE Vendor |
|---|---|
| 0 | Yamaha-RTX1210 |
| 1 | Other |
| 2 | Cisco-9.7.1-or-later |
| 3 | Yamaha-RTX830 |
| 4 | Libreswan |
| 5 | Fortinet |
| 7 | Cisco-8.5+ |
| 8 | Cisco-IOS |
| 9 | WatchGuard |
| 10 | Juniper-MX |
| 11 | Juniper-SRX |
| 12 | Furukawa |
| 13 | Check_Point |
| 14 | Palo_Alto |
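As an added example (it is not part of this guide or of the OELZ project code), the following Python pre-flight check validates the network variables from the tables above before they go into terraform.tfvars: it uses the variable names, defaults and CPE vendor numbers documented here, and the sample values at the bottom are constructed, not real deployment data.

```python
"""Pre-flight checks for the OELZ network variables documented above.
Constructed example, not OELZ project code: run it over the values you intend
to put in terraform.tfvars before `terraform apply`."""
import ipaddress

# Numbers from the CPE Vendor List table above (6 is not assigned).
CPE_VENDOR_NUMBERS = {0, 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14}


def _net(value):
    """Parse a CIDR string strictly (set host bits are an error)."""
    return ipaddress.ip_network(value, strict=True)


def check_network_vars(tfvars, env="prod"):
    """Return a list of problems; an empty list means the variables are consistent."""
    p = env + "_"
    problems = []

    # Hub and spoke VCNs are joined through the DRG, so they must not overlap,
    # and the web/app/db subnets must sit inside the spoke VCN without overlapping.
    try:
        hub = _net(tfvars[p + "hub_vcn_cidr_block"])
        spoke = _net(tfvars[p + "spoke_vcn_cidr"])
    except (KeyError, ValueError) as exc:
        return [f"{env}: hub/spoke VCN CIDR missing or malformed: {exc}"]
    if hub.overlaps(spoke):
        problems.append(f"{env}: hub {hub} overlaps spoke {spoke}")
    seen = []
    for tier in ("web", "app", "db"):
        key = f"{p}spoke_subnet_{tier}_cidr_block"
        try:
            subnet = _net(tfvars[key])
        except (KeyError, ValueError) as exc:
            problems.append(f"{key} missing or malformed: {exc}")
            continue
        if not subnet.subnet_of(spoke):
            problems.append(f"{key}={subnet} is not inside spoke VCN {spoke}")
        if any(subnet.overlaps(other) for other in seen):
            problems.append(f"{key}={subnet} overlaps another spoke subnet")
        seen.append(subnet)

    # VPN or FastConnect selector; FastConnect is prod-only by design.
    selector = tfvars.get("enable_vpn_or_fastconnect")
    if selector not in ("VPN", "FASTCONNECT"):
        problems.append('enable_vpn_or_fastconnect must be "VPN" or "FASTCONNECT"')
    elif selector == "FASTCONNECT" and env != "prod":
        problems.append("FastConnect is deployed only in the prod environment")
    if not tfvars.get(p + "enable_vpn", False):
        return problems

    # IPsec tunnel: the documented default key "EXAMPLE" must never reach a real
    # tunnel, the CPE vendor must be a listed number, and the routing type must
    # carry the data it needs (a static route, or a customer ASN for BGP).
    if tfvars.get(p + "shared_secret", "EXAMPLE") == "EXAMPLE":
        problems.append(f"{p}shared_secret is still the default; set a real pre-shared key")
    if tfvars.get(p + "cpe_vendor", 0) not in CPE_VENDOR_NUMBERS:
        problems.append(f"{p}cpe_vendor is not a number from the CPE Vendor List")
    routing = tfvars.get(p + "ipsec_routing_type", "STATIC")
    routes = [r for r in tfvars.get(p + "ipsec_connection_static_routes", [""]) if r]
    if routing == "STATIC" and not routes:
        problems.append(f"{p}ipsec_routing_type is STATIC but no on-premises route is given")
    elif routing == "BGP" and not tfvars.get(p + "customer_bgp_asn"):
        problems.append(f"{p}ipsec_routing_type is BGP but {p}customer_bgp_asn is empty")
    elif routing not in ("STATIC", "BGP"):
        problems.append(f'{p}ipsec_routing_type must be "STATIC" or "BGP"')
    return problems


# Constructed sample values (not from the OELZ project) to exercise the checks.
SAMPLE_OK = {
    "enable_vpn_or_fastconnect": "VPN",
    "prod_hub_vcn_cidr_block": "10.0.0.0/16", "prod_spoke_vcn_cidr": "10.1.0.0/16",
    "prod_spoke_subnet_web_cidr_block": "10.1.0.0/24",
    "prod_spoke_subnet_app_cidr_block": "10.1.1.0/24",
    "prod_spoke_subnet_db_cidr_block": "10.1.2.0/24",
    "prod_enable_vpn": True, "prod_cpe_vendor": 5,
    "prod_shared_secret": "replace-with-your-own-psk",
    "prod_ipsec_routing_type": "STATIC",
    "prod_ipsec_connection_static_routes": ["192.168.10.0/24"],
}
# Three deliberate mistakes: DB subnet outside the spoke VCN, default shared
# secret left in place, and an unassigned CPE vendor number.
SAMPLE_BAD = dict(SAMPLE_OK, prod_spoke_subnet_db_cidr_block="10.2.0.0/24",
                  prod_shared_secret="EXAMPLE", prod_cpe_vendor=6)
```

Pass `env="nonprod"` to check the non-production variables with the same rules; the function then also rejects a FASTCONNECT selector, since FastConnect is production-only.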

Hub and Spoke Network

The Hub and Spoke topology allows workloads to interconnect with each other. The hub is deployed in the shared network compartment and the spoke is deployed in the workload compartment.

HUB Module

  1. Naming Convention

| Resource | Deployed Name |
|---|---|
| Hub VCN Name | `OCI-ELZ-VCN-<Environment>-HUB-<Region>` |
| Hub Public Subnet Name | `OCI-ELZ-VCN-<Environment>-HUB-<Region>001` |
| Hub Private Subnet Name | `OCI-ELZ-VCN-<Environment>-HUB-<Region>002` |
| Hub Internet Gateway Name* | `OCI-ELZ-IGW-<Environment>-HUB` |
| Hub Service Gateway Name | `OCI-ELZ-SGW-<Environment>-HUB` |
| Hub NAT Gateway Name | `OCI-ELZ-NGW-<Environment>-HUB` |
| Hub Public Route Table Name | `OCI-ELZ-RTPUB-<Environment>-HUB001` |
| Hub Private Route Table Name | `OCI-ELZ-RTPRV-<Environment>-HUB002` |

  2. Route Rules

    Public Route Table Information

    1. If the Internet Gateway is enabled, it acts as the default gateway.
    2. All spoke subnet destinations are forwarded to the DRG.

    Private Route Table Information

    1. If the NAT Gateway is enabled, it acts as the default gateway.
    2. If the Service Gateway is enabled, all OCI services can access hub resources.
    3. All spoke subnet destinations are forwarded to the DRG.

  3. Security Rules

    1. Ingress rule: allow all ICMP traffic
    2. Egress rule: allow all protocol traffic

Spoke Module

  1. Naming Convention

| Resource | Deployed Name |
|---|---|
| Spoke VCN Name | `OCI-ELZ-VCN-<Environment>-SPK-<Region>` |
| Spoke Web Subnet Name | `OCI-ELZ-VCN-<Environment>-SPK-<Region>001` |
| Spoke App Subnet Name | `OCI-ELZ-VCN-<Environment>-SPK-<Region>002` |
| Spoke DB Subnet Name | `OCI-ELZ-VCN-<Environment>-SPK-<Region>003` |
| Spoke Service Gateway Name | `OCI-ELZ-SGW-<Environment>-SPK` |
| Spoke NAT Gateway Name | `OCI-ELZ-NGW-<Environment>-SPK` |
| Spoke Route Table | `OCI-ELZ-RTPRV-<Environment>-SPK001` |

  2. Route Rules

    Public Route Table Information

    1. If the NAT Gateway is enabled, it acts as the default gateway.
    2. If the Service Gateway is enabled, all OCI services can access spoke resources.
    3. All hub subnet destinations are forwarded to the DRG.
    4. All spoke subnet destinations are forwarded to the DRG.

  3. Security Rules

    1. Ingress rule: allow all ICMP traffic
    2. Egress rule: allow all protocol traffic

VPN Module

The VPN Module is deployed under the Shared Infrastructure Network Compartment. The IPsec connection is deployed using either static or BGP routing.

  1. Naming Convention

| Resource | Deployed Name |
|---|---|
| CPE Name | `OCI-ELZ-CPE-<Environment>-HUB-[REGION]001` |
| IPsec Connection Name | `OCI-ELZ-IPC-<Environment>-HUB-[REGION]001` |

  2. Route Rules

    Route table `OCI-ELZ-RTPUB-<Environment>-HUB001` will be updated:

    1. The on-premises IPsec static route is forwarded to the DRG.

    Route table `OCI-ELZ-RTPRV-<Environment>-HUB001` will be updated:

    1. The on-premises IPsec static route is forwarded to the DRG.

    Route table `OCI-ELZ-RTPRV-<Environment>-SPK001` will be updated:

    1. The on-premises IPsec static route is forwarded to the DRG.

FastConnect Module

  1. Naming Convention

| Resource | Deployed Name |
|---|---|
| FastConnect Circuit Name | `OCI-ELZ-FCN-<Environment>-HUB-[REGION]001` |

  2. Route Rules

    Route table `OCI-ELZ-RTPUB-<Environment>-HUB001` will be updated:

    1. The on-premises IP CIDR route is forwarded to the DRG.

    Route table `OCI-ELZ-RTPRV-<Environment>-HUB001` will be updated:

    1. The on-premises IP CIDR route is forwarded to the DRG.

    Route table `OCI-ELZ-RTPRV-<Environment>-SPK001` will be updated:

    1. The on-premises IP CIDR route is forwarded to the DRG.

  3. RPC Attachment

    On-premises subnet routes must not propagate over the RPC connection to the second Hub and Spoke, and vice versa. To accomplish this, two separate route tables are created on the DRG named "OCI-ELZ-DRG-P-HUB", one for the IPsec/VC attachment and the other for the RPC attachment, each importing only the specific route types it needs.

    Update DRG `OCI-ELZ-DRG-<Environment>-HUB`:

    1. Create an import route distribution for on-premises routes
    2. Create an import route distribution for RPC
    3. Create a route table for on-premises routes
    4. Create a route table for RPC
    5. Apply the new route tables to the attachments

Network Firewall

The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (north-south network traffic) as well as traffic between subnets (east-west network traffic). The Network Firewall can be deployed in the Prod or the Non-Prod environment.

Required Arguments/Parameters For Baseline Deployment on Prod:

| Description | TFVAR Variable | Default Value |
|---|---|---|
| Network Firewall Deployment | enable_network_firewall_prod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_prod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_prod | "public" (string; public or private) |
| Network Firewall Name | nfw_instance_name_prod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_prod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_prod | "" (string) |

Required Arguments/Parameters For Baseline Deployment on Non-Prod:

| Description | TFVAR Variable | Default Value |
|---|---|---|
| Network Firewall Deployment | enable_network_firewall_nonprod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_nonprod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_nonprod | "public" (string; public or private) |
| Network Firewall Name | nfw_instance_name_nonprod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_nonprod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_nonprod | "" (string) |


To provide for a secure environment, the OELZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches.

To provide secure storage and key management, the OELZ deploys a Vault and creates a Master Encryption Key stored in that vault, which can be used to encrypt data in Object Storage.

For secure storage and future analysis of logging data, the OELZ directs all logging data, including general log data, service events, and audit logs, to secure storage. This can be secure object storage buckets created by the OELZ, and encrypted with the Master Encryption Key stored in the central Vault.

For secure access to workload resources, the OELZ deploys a Bastion in the L4 Security Compartment.

Security Services

The OELZ deploys configurations for multiple security services. VSS (Vulnerability Scanning Service) will scan compute instances deployed in the OELZ (i.e. as part of workloads) for open ports, and known security vulnerabilities. OSMS (OS Management Service) works with operating systems on deployed compute instances (such as Oracle Autonomous Linux) to manage patches and updates to ensure a secure environment.

Cloud Guard Sub Module

CloudGuard can monitor for a multitude of security conditions. The OELZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring.

By default, CloudGuard is configured to monitor only the resources deployed in the OELZ Home compartment and the compartments within it. CloudGuard can instead monitor the entire tenancy; this is controlled by the cloud_guard_target_tenancy variable, a Boolean that defaults to false. If it is set to true, CloudGuard is configured to monitor the entire tenancy instead of just the OELZ Home compartment.

Cloud Guard Target will be deployed in base compartment of both L2-Prod and L2-Non-Prod environments along with related IAM policies. All Oracle managed responder recipes will reside in L4 Security compartment of each environment.

The target_detector_recipes which are Oracle managed:

  • OCI Config Detector Recipes
  • OCI Threat Detector Recipes
  • OCI Activity Detector Recipe

The target_responder_recipes: OCI Responder Recipe (enabling CloudGuard events and other responses)

For further details on CloudGuard, see the Cloud Guard documentation.

  • Required Arguments/Parameters Under Cloud Guard Module:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enable_cloud_guard | true if you don't have Cloud Guard enabled, false if you already have Cloud Guard enabled. | bool | true | no |
| cloud_guard_target_tenancy | true if Cloud Guard targets the tenancy, false if Cloud Guard targets the OELZ home compartment. | bool | false | no |

Bastion Sub Module

One Bastion service is created in the L4 Security Compartment within the L2 Prod Compartment and a second one in the L4 Security Compartment within the L2 Non-Prod Compartment, as depicted in the Security Architecture shown above. It allows secure access to compute resources in the respective environments. The CIDR blocks provided give the address ranges of the clients for which the Bastion service can host sessions.

  • Required Arguments/Parameters Under Bastion Module:

    1. Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| prod_enable_bastion | Option to enable the bastion service | bool | n/a | yes |
| prod_bastion_client_cidr_block_allow_list | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | list(string) | n/a | yes |

    2. Non-Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| nonprod_enable_bastion | Option to enable the bastion service | bool | n/a | yes |
| nonprod_bastion_client_cidr_block_allow_list | A list of address ranges in CIDR notation that you want to allow to connect to sessions hosted by this bastion. | list(string) | n/a | yes |

VSS Sub Module

VSS (Vulnerability Scanning Service) is part of many security services deployed under OELZ. It scans compute instances deployed in the OELZ (i.e. as part of workloads) for open ports, and other known security vulnerabilities.

Key Features:

  • VSS recipes are created in the L4-Security Compartment in both the prod and nonprod environments to manage instances and read components and VNICs.
  • Network- and agent-based scanning is enabled by default.
  • Scans are configured with a "Daily" schedule.
  • Qualys integration allows reports to be run on the Qualys dashboard instead of CloudGuard. This feature might be available in a later release, as it is not currently supported by the Terraform code.

No Input Parameters Required for VSS Module

OSMS Sub Module

OSMS (OS Management Service) works with operating systems on deployed compute instances (such as Oracle Autonomous Linux) to manage patches and updates to ensure a secure environment.

Key Features:

  • IAM Policy is created at Tenancy Level for OSMS service to emit metrics for instances in Tenancy
  • Dynamic Group is created, name: ${var.resource_label}-"OCI-ELZ-DG"
  • Matching Rules are created with compartment OCIDs (where instances reside), eg: L4-Security, Logging, Network, Workload and Base Compartment OCIDs
  • IAM Policy for Dynamic Group is created in LZ home compartment

No Input Parameters Required for OSMS Module

Vault and Key Management Sub Module

OCI Vault service is a key management service that stores and manages master encryption keys and secrets for secure access to resources.

Key Features:

  • A Virtual Vault is created for secure storage of cryptographic keys within L4-Security Compartment of both Prod and NonProd Environments

  • A user-manageable Master Encryption Key is also created, stored in the Vault, and is usable for encryption of data in OCI Storage Services

  • Vault does support BYOK scenario and can store all user keys as well

  • IAM Policy for Storage Services to use keys are created in LZ Base Compartment

  • Required Arguments/Parameters for Vault and Key Management Module:

    1. Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| prod_vault_type | The type of vault to create. | string | "DEFAULT" | no |
| prod_vault_replica_region | The region in which to create the vault replica. | string | "" | no |
| prod_enable_vault_replication | Option to enable vault replication | bool | false | no |
| prod_create_master_encryption_key | Option to create the master encryption key | bool | true | no |

    2. Non-Prod Environment

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| nonprod_vault_type | The type of vault to create. | string | "DEFAULT" | no |
| nonprod_vault_replica_region | The region in which to create the vault replica. | string | "" | no |
| nonprod_enable_vault_replication | Option to enable vault replication | bool | false | no |
| nonprod_create_master_encryption_key | Option to create the master encryption key | bool | true | no |


The OELZ sets up secure storage of all log data generated by resources and services in the OELZ. For both environments, in the L2-Prod and L2-NonProd compartments, a logging compartment "L3-Logging Compartment" is created. This compartment hosts the 3 immutable storage buckets listed below:

  • AuditLogs_standard (for audit logs)
  • DefaultLogs_standard (for general logging)
  • ServiceEvents_standard (for service events)

These buckets are encrypted with the Master Encryption Key (MEK) stored in the vault. Retention policies are also applied to these buckets to manage data retention, disallowing deletion or modification of data for a configurable time period.

A default log group (name: Default_Group) is created in the L4-Security compartment, and service logs for all supported services (VCN Flow Logs, Object Storage, etc.) are enabled and stored in the L3-Logging compartment.

All events in the OELZ environment are streamed to standard Object Storage. The Stream Pool is created in the L4-Security compartment and encrypted with the MEK, and the service events are stored in a standard Object Storage bucket in the Logging compartment.

A Service Connector is used to ship all audit logs, service logs and events in the OELZ to these buckets in the Logging compartment. All IAM policies for the Service Connector are created in the L2-level home compartment of each environment.

Workload Expansion

The following variables are used to rerun the baseline stack after deploying the workload expansion stack.

In Non-Prod:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| nonprod_additional_workload_subnets_cidr_blocks | List of 3 subnet CIDR blocks used in workload expansion (do not include the CIDR blocks created in the baseline). | list(string) | | yes |
| nonprod_workload_compartment_names | Workload compartment names (also include the workload name created in the baseline). | list(string) | | yes |

In Prod:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| prod_additional_workload_subnets_cidr_blocks | List of 3 subnet CIDR blocks used in workload expansion (do not include the CIDR blocks created in the baseline). | list(string) | | yes |
| prod_workload_compartment_names | Workload compartment names (also include the workload name created in the baseline). | list(string) | | yes |


Copyright (c) 2022,2023 Oracle and/or its affiliates.

Licensed under the Universal Permissive License (UPL), Version 1.0.

See LICENSE for more details.