From a0831a08bd4cd0078364ba035ebf191784ac8e41 Mon Sep 17 00:00:00 2001 
From: jason-chong Date: Fri, 28 Apr 2023 15:33:09 -0400 Subject: [PATCH] gh-workload expansion merge 4-28-23 --- .gitignore | 2 + .gitlab-ci.yml | 56 +++++++- README.md | 13 +- RELEASE.md | 4 +- templates/README.md | 2 +- .../elz-environment/logging-variables.tf | 5 + templates/elz-environment/logging.tf | 1 + templates/elz-environment/outputs.tf | 11 ++ templates/elz-logging/main.tf | 13 +- templates/elz-logging/variables.tf | 4 + templates/elz-workload/Architecture_Guide.md | 3 - templates/elz-workload/CONFIGURATION.md | 87 ++++++------ templates/elz-workload/IMPLEMENTATION.md | 107 ++++++++++++-- templates/elz-workload/iam.tf | 5 + templates/elz-workload/monitoring.tf | 36 ++--- templates/elz-workload/outputs.tf | 7 + templates/elz-workload/tagging.tf | 40 ++++++ templates/elz-workload/variables.tf | 6 + .../Architecture_Guide.md | 130 ++++++++++++------ .../enterprise-landing-zone/CONFIGURATION.md | 115 +++++++++------- .../enterprise-landing-zone/IMPLEMENTATION.md | 54 ++++---- templates/enterprise-landing-zone/README.md | 4 +- .../enterprise-landing-zone/environment.tf | 6 +- .../enterprise-landing-zone/example.tfvars | 4 +- .../integration.tfvars | 4 +- templates/enterprise-landing-zone/outputs.tf | 6 + .../read_workload_vars.py | 65 +++++++++ templates/enterprise-landing-zone/schema.yaml | 22 ++- .../enterprise-landing-zone/variables.tf | 5 + .../Architecture_Guide.md | 4 +- .../freetrial-landing-zone/IMPLEMENTATION.md | 20 +-- templates/freetrial-landing-zone/README.md | 4 +- .../freetrial-landing-zone/environment.tf | 1 + .../freetrial-landing-zone/livelab.tfvars | 2 +- templates/freetrial-landing-zone/logging.tf | 61 +------- templates/freetrial-landing-zone/schema.yaml | 19 ++- templates/freetrial-landing-zone/variables.tf | 7 +- 37 files changed, 636 insertions(+), 299 deletions(-) delete mode 100644 templates/elz-workload/Architecture_Guide.md create mode 100644 templates/elz-workload/tagging.tf create mode 100644 
templates/enterprise-landing-zone/read_workload_vars.py diff --git a/.gitignore b/.gitignore index 237345fd..f85c43c0 100644 --- a/.gitignore +++ b/.gitignore @@ -24,6 +24,8 @@ terraform.tfstate terraform.tfvars .terraform.tfstate.lock.info +test/terraform/*/provider.tf + .tfcache **/.terraform.lock.hcl **/tf_resources.json diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8c6eb2c2..bafb767a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -7,6 +7,8 @@ stages: # List of stages for jobs, and their order of execution - test-unit - TF-Plan-e2e - TF-Apply-e2e + - TF-Workload-Apply-e2e + - TF-Reapply-e2e - TF-Destroy-e2e @@ -30,7 +32,7 @@ unit-test-job: # This job runs in the test stage. extends: .testing_pipeline stage: test-unit script: - - pytest -m unit --junit-xml=pytest.xml test + - pytest -c test/pytest.ini -m "unit and not expensive" --junit-xml=pytest.xml # # Orahub's artifact upload seems broken. Possibly a config issue... # artifacts: # when: always @@ -39,7 +41,7 @@ unit-test-job: # This job runs in the test stage. # reports: # junit: pytest.xml rules: - - if: $CI_PIPELINE_SOURCE == "schedule" + - if: ($CI_COMMIT_BRANCH != "main") e2e-full-plan-job: # This job runs terraform plan. extends: .testing_pipeline @@ -49,9 +51,13 @@ e2e-full-plan-job: # This job runs terraform plan. - cd templates/enterprise-landing-zone - ./BackEnd.sh - cat backend.tf + - curl $BASE_LAST_OUTPUT > base_output.json + - curl $WE_LAST_OUTPUT > we_output.json + - cp $ENV_TFVARS_FILE_NAME updated-$ENV_TFVARS_FILE_NAME + - python3 read_workload_vars.py -f base_output.json -p we_output.json >> updated-$ENV_TFVARS_FILE_NAME - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT" - terraform validate - - terraform plan -var-file=$ENV_TFVARS_FILE_NAME + - terraform plan -var-file=updated-$ENV_TFVARS_FILE_NAME rules: - if: ($CI_COMMIT_BRANCH == "LANZ-Integration") 
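Review bot: Ignoring `test/terraform/*/provider.tf` suggests the test fixtures write a provider block holding per-user OCI credentials (tenancy/user OCID, fingerprint, key path) into the working tree; if so, a committed `provider.tf.example` and a one-line comment above the entry (`# generated per developer, carries API-key credentials - never commit`) would make the intent clear to the next contributor. Note that `git add -f` still bypasses the ignore, so reading those values from `TF_VAR_*` environment variables or the OCI config file would remove the file from the tree entirely.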
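Review bot: `curl $BASE_LAST_OUTPUT > base_output.json` (and the `we_output.json` line below it) runs without `--fail`, so an HTTP 4xx/5xx body or a redirect page is written to base_output.json with exit status 0 and then handed to read_workload_vars.py as though it were Terraform output. Use `curl -fsSL "$BASE_LAST_OUTPUT" -o base_output.json` so a bad fetch stops the job before `terraform plan`; quoting the variable also keeps a URL with shell metacharacters from being word-split. Appending the script's output to the tfvars copy with `>>` is likely to trigger a Terraform "attribute redefined" error if the script ever emits a variable that `$ENV_TFVARS_FILE_NAME` already sets, so a comment stating that read_workload_vars.py only emits keys absent from the base file would document that contract.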
@@ -63,13 +69,23 @@ e2e-full-deploy-job: # This job runs terraform apply. - cd templates/enterprise-landing-zone - ./BackEnd.sh - cat backend.tf + - curl $BASE_LAST_OUTPUT > base_output.json + - curl $WE_LAST_OUTPUT > we_output.json + - cp $ENV_TFVARS_FILE_NAME updated-$ENV_TFVARS_FILE_NAME + - python3 read_workload_vars.py -f base_output.json -p we_output.json >> updated-$ENV_TFVARS_FILE_NAME - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT" - terraform validate - - terraform apply -var-file=$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understan gitlab artifiacts issue + - terraform apply -var-file=updated-$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understan gitlab artifiacts issue + - terraform output -json > base_output.json + - 'curl -X PUT -H "Content-Type: application/json" -d @base_output.json $BASE_LAST_OUTPUT' rules: - if: ($CI_COMMIT_BRANCH == "LANZ-Integration") retry: 1 +e2e-redeploy-job: + extends: e2e-full-deploy-job + stage: TF-Reapply-e2e + e2e-full-destroy-job: # This job runs terraform destroy. extends: .testing_pipeline stage: TF-Destroy-e2e 
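Review bot: `terraform output -json > base_output.json` followed by the `curl -X PUT ... $BASE_LAST_OUTPUT` line uploads every root output, and `-json` prints outputs marked `sensitive = true` in plaintext rather than redacting them, so anything sensitive the root module exports lands wherever `$BASE_LAST_OUTPUT` points. The PUT shows no authentication header and has no `--fail`, so the job also reports success when the upload is rejected and the next stage then consumes stale data from its own `curl $BASE_LAST_OUTPUT` fetch. I would write `curl -fsS -X PUT -H "Content-Type: application/json" -d @base_output.json "$BASE_LAST_OUTPUT"` and either confirm that endpoint is access-controlled or filter the JSON down to the non-sensitive keys read_workload_vars.py actually reads. The same script lines are inherited by the new `e2e-redeploy-job` through `extends`, so the fix applies there too.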
@@ -79,8 +95,36 @@ e2e-full-destroy-job: # This job runs terraform destroy. - cd templates/enterprise-landing-zone - ./BackEnd.sh - cat backend.tf + - curl $BASE_LAST_OUTPUT > base_output.json + - curl $WE_LAST_OUTPUT > we_output.json + - cp $ENV_TFVARS_FILE_NAME updated-$ENV_TFVARS_FILE_NAME + - python3 read_workload_vars.py -f base_output.json -p we_output.json >> updated-$ENV_TFVARS_FILE_NAME - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT" - terraform validate - - terraform destroy -var-file=$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understand gitlab artifiacts issue + - terraform destroy -var-file=updated-$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understand gitlab artifiacts issue + - terraform output -json > base_output.json + - 'curl -X PUT -H "Content-Type: application/json" -d @base_output.json $BASE_LAST_OUTPUT' rules: - - if: ($CI_COMMIT_BRANCH == "LANZ-Integration") \ No newline at end of file + - if: ($CI_COMMIT_BRANCH == "LANZ-Integration") + +e2e-workload-deploy-job: # This job runs terraform apply on Workload Expansion. 
+ extends: .testing_pipeline
+ stage: TF-Workload-Apply-e2e
+ when: on_success
+ script:
+ - cd templates
+ - elz-workload/add_workload.sh TestWE P
+ - cd elz-workload-P-TestWE
+ - ./BackEnd.sh
+ - cat backend.tf
+ - curl $BASE_LAST_OUTPUT > base_output.json
+ - curl $WE_LAST_OUTPUT > we_output.json
+ - python3 read_base_vars.py -e P -f base_output.json >> $ENV_TFVARS_FILE_NAME
+ - terraform init -backend-config="address=$WE_REMOTE_STATE_BACKEND" -backend-config="update_method=PUT"
+ - terraform validate
+ - terraform apply -var-file=$ENV_TFVARS_FILE_NAME -auto-approve #need to look at pasing a plan file but have to understan gitlab artifiacts issue
+ - terraform output -json > we_output.json
+ - 'curl -X PUT -H "Content-Type: application/json" -d @we_output.json $WE_LAST_OUTPUT'
+ rules:
+ - if: ($CI_COMMIT_BRANCH == "LANZ-Integration")
+ retry: 1
\ No newline at end of file
diff --git a/README.md b/README.md
index 5b37b275..5e319c45 100644
--- a/README.md
+++ b/README.md
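Review bot: Nothing in the pipeline tears down the workload stack that `e2e-workload-deploy-job` applies into `$WE_REMOTE_STATE_BACKEND`: the stage list adds `TF-Workload-Apply-e2e` but no workload destroy stage, and `e2e-full-destroy-job` only runs `terraform destroy` inside templates/enterprise-landing-zone. The TestWE compartment, VCN and policies created under the P environment are therefore left in the test tenancy on every run, and since OCI refuses to delete a compartment that still contains resources the base destroy is likely to fail or leave the parent compartment behind; a `TF-Workload-Destroy-e2e` job that runs `terraform destroy -var-file=$ENV_TFVARS_FILE_NAME -auto-approve` in `elz-workload-P-TestWE` ahead of the base destroy is needed. Within this job, `cat backend.tf` prints whatever `./BackEnd.sh` generated into the job log — if that includes the remote-state address or credentials, drop the `cat` — and `curl $WE_LAST_OUTPUT > we_output.json` is fetched without `--fail` and is never consumed by the `read_base_vars.py -e P -f base_output.json` call that follows it.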
@@ -2,18 +2,25 @@ This repository contains different types of Landing Zones to deploy to the Oracle Cloud Infrastructure platform. The landing zones are assembled from modules and templates that users can use in their default configuration or fork this repo and customize for your own scenarios. -## Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0) +## Oracle Enterprise Landing Zone v2 (OELZ v2) -The Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0) deploys a typical architecture used by enterprise customers. The root template for this landing zone is located at [templates/enterprise-landing-zone](./templates/enterprise-landing-zone). Users can use the guides below to get strated with the Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0). +The Oracle Enterprise Landing Zone v2 (OELZ v2) deploys a typical architecture used by enterprise customers. The root template for this landing zone is located at [templates/enterprise-landing-zone](./templates/enterprise-landing-zone). Users can use the guides below to get started with the Oracle Enterprise Landing Zone v2 (OELZ v2). - [Architecture Guide](./templates/enterprise-landing-zone/Architecture_Guide.md) - [Implementation Guide](./templates/enterprise-landing-zone/IMPLEMENTATION.md) - [Configuration Guide](./templates/enterprise-landing-zone/CONFIGURATION.md) +### Workload Expansion +The Oracle Enterprise Landing Zone v2 (OELZ v2) deploys a workload in each environment (Prod and Non-Prod) by default. +The user can use the workload expansion stack to deploy additional customized workload. The template for the workload expansion is located +at [templates/elz-workload](./templates/elz-workload). Users can use the guides below to get started with Workload Expansion. +- [Implementation Guide](./templates/elz-workload/IMPLEMENTATION.md) +- [Configuration Guide](./templates/elz-workload/CONFIGURATION.md) + ## Deploy Using Oracle Resource Manager 1. 
Click to deploy the stack -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/archive/refs/tags/v2.0.0.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/oci-landing-zones/archive/refs/tags/v2.zip) If you aren't already signed in, when prompted, enter the tenancy and user credentials. Review and accept the terms and conditions. diff --git a/RELEASE.md b/RELEASE.md index 1f41eaa4..bd7f30c5 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -3,11 +3,11 @@ ---- ## v2.0.0 - 2023-02-28 - Initial Release of new version 2 codebase with Hub and Spoke Networking, Multi-Environment support and more modular architecture. see the [Architecture Guide](./templates/enterprise-landing-zone/Architecture_Guide.md) for details. -- CIS Security Benchmark Compliance: Enterprise Scale Baseline Landing Zone v2 was designed to include a foundational set of security controls from the Center for Internet Security (CIS). We are happy to share that this release of Landing Zones will support the recommended CIS 1.2 Level 1 controls. The security controls implemented by this Landing Zone are prescriptive and practical in nature with the primary focus to help provide best practices for security hardening of the technologies that are deployed in our customers' tenancies. +- CIS Security Benchmark Compliance: Oracle Enterprise Landing Zone v2 was designed to include a foundational set of security controls from the Center for Internet Security (CIS). We are happy to share that this release of Landing Zones will support the recommended CIS 1.2 Level 1 controls. The security controls implemented by this Landing Zone are prescriptive and practical in nature with the primary focus to help provide best practices for security hardening of the technologies that are deployed in our customers' tenancies. While many of the CIS Level 1 recommendations are included in the Landing Zone deployment, however, there are some that require administrators to configure manually. Please be advised that for recommendations # 1.5 - 1.13, 2.6 - 2.8 and 3.16, it will be the customer administrators' responsibility to implement and enforce. For recommendation #1.7, we recommend that Multi-Factor Authentication (MFA) be fully tested before restricting access only to MFA-verified users. Please note each user must enable MFA for themselves and an administrator cannot enable MFA for another user. 
For more information, please see [OCI Managing Multi-Factor Authentication documentation][v2.0.0-1]. For more information on the CIS Security Benchmark, please visit the official [Oracle Cloud CIS Benchmark site][v2.0.0-2]. -- Certain CIDR ranges should not be used when deploying ESBLZv2, as the can conflict with IP addresses reserved for special use. These are: +- Certain CIDR ranges should not be used when deploying OELZv2, as the can conflict with IP addresses reserved for special use. These are: * 169.254.10.0-169.254.19.255 * 169.254.100.0-169.254.109.255 * 169.254.192.0-169.254.201.255 diff --git a/templates/README.md b/templates/README.md index 5ccd7a7c..cb9ef500 100644 --- a/templates/README.md +++ b/templates/README.md @@ -4,4 +4,4 @@ This templates directory holds the base composition modules(templates) for our Enterprise Landing Zone. These templates consist of individual definitions of our intended OELZ configuration. As they are individual entries they can be combined or iterated over to allow for creation of multiple infrastructure pieces. The [enterprise-landing-zone](./enterprise-landing-zone/) directory -contains the template for Oracle Enterprise Scale Baseline Landing Zone v2.0. +contains the template for Oracle Enterprise Landing Zone v2. diff --git a/templates/elz-environment/logging-variables.tf b/templates/elz-environment/logging-variables.tf index 2a3b467e..f97e5397 100644 --- a/templates/elz-environment/logging-variables.tf +++ b/templates/elz-environment/logging-variables.tf @@ -7,3 +7,8 @@ variable "retention_policy_duration_time_unit" { type = string description = "The unit that should be used to interpret timeAmount." } + +variable "is_service_connector_limit" { + type = bool + description = "Restrict Number of Service Connector Deployment" +} \ No newline at end of file diff --git a/templates/elz-environment/logging.tf b/templates/elz-environment/logging.tf index 3dfc11ff..cd9a38f2 100644 --- a/templates/elz-environment/logging.tf 
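Review bot: `variable "is_service_connector_limit"` is declared with no `default`, which turns a new optional feature into a mandatory input for every caller of the elz-environment template, including forks or wrappers outside this repository that pass the previous variable set. Adding `default = false` keeps the current behaviour (all buckets and service connectors created) unless a caller opts in. The description "Restrict Number of Service Connector Deployment" also hides what is skipped; based on the elz-logging changes in this commit I'd write `description = "When true, skip the audit-log and default-log buckets and their service connectors, keeping only the service-event path (presumably for tenancies with a low Service Connector Hub limit)."`.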
+++ b/templates/elz-environment/logging.tf @@ -5,6 +5,7 @@ module "logging" { tenancy_ocid = var.tenancy_ocid home_compartment_id = var.home_compartment_id home_compartment_name = var.home_compartment_name + is_service_connector_limit = var.is_service_connector_limit security_compartment_id = module.compartment.compartments.security.id master_encryption_key = module.security.key_id logging_compartment_id = module.compartment.compartments.logging.id diff --git a/templates/elz-environment/outputs.tf b/templates/elz-environment/outputs.tf index d5741c46..03a0ae8f 100644 --- a/templates/elz-environment/outputs.tf +++ b/templates/elz-environment/outputs.tf @@ -31,6 +31,17 @@ output "workload_compartment_id" { value = module.workload.compartment_id } +output "workload_compartment_name" { + value = module.workload.compartment_name +} + +output "workload_subnet_cidr_blocks" { + value = [var.private_spoke_subnet_app_cidr_block, + var.private_spoke_subnet_db_cidr_block, + var.private_spoke_subnet_web_cidr_block, + ] +} + output "stream_id" { value = module.logging.stream_id } diff --git a/templates/elz-logging/main.tf b/templates/elz-logging/main.tf index 963b1f9a..b842b07c 100644 --- a/templates/elz-logging/main.tf +++ b/templates/elz-logging/main.tf @@ -70,6 +70,9 @@ locals { AUDIT: "${var.resource_label}_${var.environment_prefix}_auditLogs_standard", SERVICE_EVENT: "${var.resource_label}_${var.environment_prefix}_serviceEvents_standard" } + buckets_map_service_conector_limit = { + SERVICE_EVENT: "${var.resource_label}_${var.environment_prefix}_serviceEvents_standard" + } os_read_log = { log_display_name = "${var.resource_label}-OCI-ELZ-OS-READ-LOG-${var.environment_prefix}" @@ -139,6 +142,7 @@ module "service_event_stream" { } module "audit_log_bucket" { + count = var.is_service_connector_limit ? 0 : 1 source = "../../modules/bucket" tenancy_ocid = var.tenancy_ocid compartment_id = var.logging_compartment_id 
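Review bot: Adding `count = var.is_service_connector_limit ? 0 : 1` to `module "audit_log_bucket"` (and to the three sibling modules in the following hunks) changes the address from `module.audit_log_bucket` to `module.audit_log_bucket[0]`, so an existing deployment that upgrades will plan to destroy and recreate the audit-log bucket and its service connector even with the variable left false. Pair each `count` with `moved { from = module.audit_log_bucket  to = module.audit_log_bucket[0] }` (Terraform 1.1+, which the implementation guide's ">1.0.0" minimum would need to reflect) or document the one-time recreate in the release notes. Note too that when the flag is true the audit log is no longer archived to Object Storage at all, a security-relevant trade-off against the CIS posture the release notes advertise, which belongs in the variable description and the configuration guide rather than only in the count expressions.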
@@ -152,6 +156,7 @@ module "audit_log_bucket" { } module "default_log_bucket" { + count = var.is_service_connector_limit ? 0 : 1 source = "../../modules/bucket" tenancy_ocid = var.tenancy_ocid compartment_id = var.logging_compartment_id @@ -178,6 +183,7 @@ module "service_event_log_bucket" { } module "audit_log_service_connector" { + count = var.is_service_connector_limit ? 0 : 1 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid compartment_id = var.security_compartment_id @@ -192,6 +198,7 @@ module "audit_log_service_connector" { } module "default_log_service_connector" { + count = var.is_service_connector_limit ? 0 : 1 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid compartment_id = var.security_compartment_id @@ -229,7 +236,8 @@ resource "time_sleep" "first_log_delay" { module "os_read_log" { source = "../../modules/service-log" - service_log_map = local.buckets_map + #service_log_map = local.buckets_map + service_log_map = var.is_service_connector_limit == true ? local.buckets_map_service_conector_limit : local.buckets_map log_display_name = local.os_read_log.log_display_name log_type = local.os_read_log.log_type log_group_id = module.default_log_group.log_group_id @@ -243,7 +251,8 @@ module "os_read_log" { module "os_write_log" { source = "../../modules/service-log" - service_log_map = local.buckets_map + #service_log_map = local.buckets_map + service_log_map = var.is_service_connector_limit == true ? local.buckets_map_service_conector_limit : local.buckets_map log_display_name = local.os_write_log.log_display_name log_type = local.os_write_log.log_type log_group_id = module.default_log_group.log_group_id diff --git a/templates/elz-logging/variables.tf b/templates/elz-logging/variables.tf index 9de4e7be..eb5aba93 100644 --- a/templates/elz-logging/variables.tf +++ b/templates/elz-logging/variables.tf 
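Review bot: `service_log_map = var.is_service_connector_limit == true ? ... : local.buckets_map` compares a bool against `true`; `var.is_service_connector_limit ? local.buckets_map_service_conector_limit : local.buckets_map` is the idiomatic form, and the commented-out `#service_log_map = local.buckets_map` line above it is dead text that git history already preserves. The selected local also carries a typo (`conector`) in its name, declared in the `locals` hunk earlier in this file; renaming it `buckets_map_service_connector_limit` at both use sites is cheap now and harder once other modules reference it. The same pair of lines is duplicated in `os_read_log` in the preceding hunk.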
@@ -57,3 +57,7 @@ variable "subnets_map" {
 type = map(string)
 description = ""
 }
+variable "is_service_connector_limit" {
+ type = bool
+ description = "Restrict Number of Service Connector Deployment"
+}
\ No newline at end of file
diff --git a/templates/elz-workload/Architecture_Guide.md b/templates/elz-workload/Architecture_Guide.md
deleted file mode 100644
index 5ac21cd3..00000000
--- a/templates/elz-workload/Architecture_Guide.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Architectural Guide
-
-# **Intro**
diff --git a/templates/elz-workload/CONFIGURATION.md b/templates/elz-workload/CONFIGURATION.md
index d1168f85..66122079 100644
--- a/templates/elz-workload/CONFIGURATION.md
+++ b/templates/elz-workload/CONFIGURATION.md
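Review bot: The description `"Restrict Number of Service Connector Deployment"` does not tell a module consumer what is actually omitted; the main.tf hunks in this commit drop the audit-log and default-log buckets and their two service connectors when the flag is true, leaving only the service-event path. I'd write `description = "When true, create only the service-event bucket and connector and skip the audit-log and default-log buckets and their service connectors (intended for tenancies with a low Service Connector Hub limit)."` and add `default = false` so the module keeps its previous behaviour for callers that do not set it.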
@@ -1,62 +1,60 @@ -## Enterprise Scale Baseline Landing Zone Workload Extension Configuration Guide +## Oracle Enterprise Landing Zone Workload Extension Configuration Guide -This configuration guide will detail the required and available configurations needed to deploy an Enterprise Scale Baseline Landing Zone(ESBLZ) 2.0 Workload Expansion on Oracle Cloud Infrastructure. +This configuration guide will detail the required and available configurations needed to deploy an Oracle Enterprise Landing Zone(OELZ) 2.0 Workload Expansion on Oracle Cloud Infrastructure. ## Prerequisites -Enterprise Scale Baseline Landing Zone(ESBLZ) stack will be fully deployed on the OCI Tenanacy. +Oracle Enterprise Landing Zone(OELZ) stack will be fully deployed on the OCI Tenanacy. ## Minimum Required Configuration -Deployment of the ESBLZ is controlled by several Terraform [input variables](README.md#inputs), however most of these have sensible default values. Here are the minimum required configurations to deploy a ESBLZ Workload Expansion: +Deployment of the OELZ is controlled by several Terraform [input variables](README.md#inputs), however most of these have sensible default values. Here are the minimum required configurations to deploy a OELZ Workload Expansion: ### Basic Terraform Connection Information -The required provider variables for the ESBLZ: +The required provider variables for the OELZ: | Name | Description | Type | Default | Required | -| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- | ------- | :------: | -| [current\_user\_ocid](#input\_current\_user\_ocid) | The ID of user to deploy the ESBLZ. | `string` | `""` | no | -| [api\_fingerprint](#input\_api\_fingerprint) | The API fingerprint which can be retrieved from the console. 
| `string` | `""` | no | -| [api\_private\_key](#input\_api\_private\_key) | The API private key | `string` | `""` | yes | -| [api\_private\_key\_path](#input\_api\_private\_key\_path) | The local path to the API private key | `string` | `""` | no | +| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- | ------- |:--------:| +| [current\_user\_ocid](#input\_current\_user\_ocid) | The ID of user to deploy the OELZ. | `string` | `""` | yes | +| [api\_fingerprint](#input\_api\_fingerprint) | The API fingerprint which can be retrieved from the console. | `string` | `""` | yes | +| [api\_private\_key\_path](#input\_api\_private\_key\_path) | The local path to the API private key | `string` | `""` | yes | | [tenancy\_ocid](#input\_tenancy\_ocid) | The ID of tenancy | `string` | n/a | yes | -| [region](#input\_region) | The OCI region to deploy the ESBLZ resources to. | `string` | n/a | yes | +| [region](#input\_region) | The OCI region to deploy the OELZ resources to. | `string` | n/a | yes | ## Compartment Module This architecture diagram illustrates the compartments for Enterprise LZ deploys Workload Expansion. -![Architecture](<../images/LZ-v2.0.png> "Architecture") +![](../../images/lz-v2.0.png) -The ESBLZ Workload Expansion will create L3 workload compartment on the user defined Parent Compartment OCID . +The OELZ Workload Expansion will create L3 workload compartment on the user defined Parent Compartment OCID . 
-The required arguments for ESBLZ Workload Compartment: -* **compartment_parent_id**: the OCID of compartment/tenancy that you create the ESBLZ Workload Compartment -* **compartment_name**: the name of ESBLZ Workload Compartment -* **compartment_description**: the description of ESBLZ Workload Compartment -* **enable_compartment_delete**: unless enable_delete is explicitly set to true, Terraform will not delete compartments on destroy +The required arguments for OELZ Workload Compartment: + +| Name | Description | Type | Default | Required | +|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------| -------- |-----------------------------------| :------: | +| [enable\_compartment\_delete](#input\_enable\_compartment\_delete) | Set to true to allow the compartments to delete on terraform destroy. | `bool` | `true` | yes | +| [workload\_compartment\_name](#input\_home\_compartment\_name) | The name of the workload compartment under which all Workload resources will be deployed. | `string` | `"OCI-ELZ-Workload1-[Region]-01"` | yes | +| [environment\_compartment\_id](#input\_home\_compartment\_name) | The name of parent compartment where workload compartment will be created | `string` | `"OCID Value"` | yes | +| [workload\_expansion\_flag](#input\_home\_compartment\_name) | Flag to enable workload expansion | `bool` | `true` | yes | +| [environment\_prefix](#input\_home\_compartment\_name) | The unique prefix for environment created in baseline stack (e.g. 
N, P) | `string` | | yes | -| Name | Description | Type | Default | Required | -| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | -| [enable\_compartment\_delete](#input\_enable\_compartment\_delete) | Set to true to allow the compartments to delete on terraform destroy. | `bool` | `true` | yes | -| [workload\_compartment\_name](#input\_home\_compartment\_name) | The name of the workload compartment under which all Workload resources will be deployed. | `string` | `"OCI-ELZ-Workload1-[Region]-01"` | yes | -| [environment\_compartment\_id](#input\_home\_compartment\_name) | The name of parent compartment where workload compartment will be created | `string` | `"OCID Value"` | yes | ## Network Module -The required arguments for ESBLZ Workload Network: -* **ESBLZ Workload Spoke VCN Related Variables** +The required arguments for OELZ Workload Network: +* **OELZ Workload Spoke VCN Related Variables** -| Name | Description | Type | Default | Required | -| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | -| [workload\_prefix](#workload\_prefix) | Workload Prefix. | `string` | `"WRK1"` | yes | +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------- | :------: | +| [workload\_prefix](#workload\_prefix) | Workload Prefix. | `string` | `"WRK1"` | yes | | [vcn\_display\_name](#vcn\_display\_name) | Workload Spoke VCN Display Name. 
| `string` | `"OCI-ELZ-${var.workload_prefix}-EXP-SPK-VCN-${local.region_key[0]}"`| no | -| [workload\_spoke\_vcn\_cidr](#workload\_spoke\_vcn\_cidr) | Workload Spoke VCN IPv4 CIDR Block. | `list(string)` | `[" "]` | yes | +| [workload\_spoke\_vcn\_cidr](#workload\_spoke\_vcn\_cidr) | Workload Spoke VCN IPv4 CIDR Block. | `string` | | yes | | [vcn\_dns\_label](#vcn\_dns\_label) | Workload Spoke VCN DNS Label. | `string` | `"wrkspokevcn"` | yes | -* **ESBLZ Workload Spoke VCN Subnet Related Variables** +* **OELZ Workload Spoke VCN Subnet Related Variables** | Name | Description | Type | Default | Required | | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | @@ -70,7 +68,7 @@ The required arguments for ESBLZ Workload Network: | [workload\_private\_spoke\_subnet\_app\_dns\_label](#workload\_private\_spoke\_subnet\_app\_dns\_label) | Workload Spoke VCN App Subnet DNS Label | `string` | `"wrkapplabel"` | yes | | [workload\_private\_spoke\_subnet\_db\_dns\_label](#workload\_private\_spoke\_subnet\_db\_dns\_label) | Workload Spoke VCN Db Subnet DNS Label | `string` | `"wrkdblabel"` | yes | -* **ESBLZ Workload Spoke VCN Gateway Related Variables** +* **OELZ Workload Spoke VCN Gateway Related Variables** | Name | Description | Type | Default | Required | | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | 
@@ -79,15 +77,12 @@ The required arguments for ESBLZ Workload Network: | [enable\_service\_gateway\_spoke](#enable\_service\_gateway\_spoke) | Workload Spoke VCN Enable Service Gateway | `bool` | `false` | yes | | [service\_gateway\_display\_name](#service\_gateway\_display\_name) | Workload Spoke VCN Service Gateway Display Name | `string` | `"OCI-ELZ-${var.workload_prefix}-EXP-SPK-SGW-${local.region_key[0]}"` | no | -* **ESBLZ Workload Spoke VCN Route Table and Security List Related Variables** +* **OELZ Workload Spoke VCN Route Table and Security List Related Variables** | Name | Description | Type | Default | Required | | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | | [hub\_public\_subnet\_cidr\_block](#hub\_public\_subnet\_cidr\_block) | Provide Hub Public Subnet IPv4 CIDR Block. | `string` | `""(Valid IPv4 CIDR Block)` | yes | | [hub\_private\_subnet\_cidr\_block](#hub\_private\_subnet\_cidr\_block) | Provide Hub Private Subnet IPv4 CIDR Block. | `string` | `""(Valid IPv4 CIDR Block)` | yes | -| [hub\_vcn\_parent\_compartment\_id](#hub\_vcn\_parent\_compartment\_id) | Provide Hub VCN Parent Compartment OCID. | `string` | `""(Valid Compartment OCID)` | yes | -| [hub\_vcn\_id](#hub\_vcn\_id]) | Provide Hub VCN OCID. | `string` | `""(Valid VCN OCID)` | yes | - ## IAM 
@@ -103,17 +98,21 @@ The required arguments Workload Expansion IAM: The required arguments Workload Expansion Policy: -| Name | Description | Type | Default | Required | -| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | -| [security\_compartment\_name](#security\_compartment\_name) | Provide Security Compartment Name. | `string` | `""` | yes | -| [security\_compartment\_ocid](#security\_compartment\_ocid) | Provide Security Compartment OCID. | `string` | `""` | yes | -| [security\_admin\_group\_name](#security\_admin\_group\_name) | Provide Security Admin Group Name. | `string` | `""` | yes | -| [network\_admin\_group\_name](#network\_admin\_group\_name) | Provide Network Admin Group Name. | `string` | `""` | yes | +| Name | Description | Type | Default | Required | +|------------------------------------------------------------------------------------------------------|------------------------------------| -------- | -------------------- | :------: | +| [security\_compartment\_name](#security\_compartment\_name) | Provide Security Compartment Name. | `string` | `""` | yes | +| [security\_compartment\_ocid](#security\_compartment\_ocid) | Provide Security Compartment OCID. | `string` | `""` | yes | +| [identity\_domain\_name](#security\_compartment\_name) | Identity Domain Name. | `string` | `""` | yes | +| [identity\_domain\_ocid](#security\_compartment\_ocid) | Identity Domain OCID. | `string` | `""` | yes | ## Monitoring These are the configuration options for Workload Monitoring: -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [workload\_topic\_endpoints](#input\_workload\_topic\_endpoints) | List of email addresses for Workload notifications. 
| `list(string)` | `[]` | no | +| Name | Description | Type | Default | Required | +|----------------------------------------------------------------------------------------------------------------|-----------------------------------------------------|----------------|---------|:--------:| +| [workload\_topic\_endpoints](#input\_workload\_topic\_endpoints) | List of email addresses for Workload notifications. | `list(string)` | `[]` | no | +| [workload\_name](#input\_workload\_name) | Prefix to avoid name conflicts in Topic | `string` | `W` | no | +| [enable_network_monitoring_alarms](#input\_workload\_name) | Enable network alarm in workload expansion | `bool` | `false` | no | +| [enable_security_monitoring_alarms](#input\_workload\_name) | Enable security alarm in workload expansion | `bool` | `false` | no | +| [enable_enable_workload_monitoring_alarms](#input\_workload\_name) | Enable workload alarm in workload expansion | `bool` | `false` | no | \ No newline at end of file diff --git a/templates/elz-workload/IMPLEMENTATION.md b/templates/elz-workload/IMPLEMENTATION.md index f4372c48..9d3a68ea 100644 --- a/templates/elz-workload/IMPLEMENTATION.md +++ b/templates/elz-workload/IMPLEMENTATION.md 
@@ -1,17 +1,101 @@ -# Enterprise Scale Baseline Landing Zone Workload Extension +# Oracle Enterprise Landing Zone Workload Extension ## Prerequisites -1) To deploy the Enterprise Scale Baseline Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites. +1) To deploy the Oracle Enterprise Landing Zone Workload Expansion from the terraform cli you will need the following prerequisites. - [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads) - [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later - [oci - cli](https://github.com/oracle/oci-cli) -2) Enterprise Scale Baseline Landing Zone is deployed. +2) **Oracle Enterprise Landing Zone is deployed.** +3) If users need to deploy multiple workloads, they need to copy and paste elz-worload folder to deploy each workload separately. +## Deployment + +### Terraform CLI + +1. Have Terraform installed on the system you will deploy from. The Oracle Enterprise Landing Zone should work with any version of Terraform greater than 1.0.0, including the latest version (currently 1.3.9). If you do not have Terraform already installed, the [Terraform Download page](https://developer.hashicorp.com/terraform/downloads) will have links for the proper package for your system, and installation instructions. + +2. Set up API keys to work with your OCI account. Follow the instructions [here](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm). + +3. Visit the [GitHub page](https://github.com/oracle-quickstart/oci-landing-zones) to clone the Terraform template. + +4. In the repository, cd to the `templates/elz-workload/` directory. This is the main template for the Workload Expansion. + +5. 
**Create a terraform.tfvars file in the directory and populate it with the required variables or override existing variables.** + **For reference on the configuration variable values read the [Configuration Guide](CONFIGURATION.md). For a full list of all available configuration variables see the [Input Variables Reference in the README](README.md#inputs)** + + **Note: An example tfvars file (workload_extension.tfvars) included for reference. Using this file is the preferred way to run the stack from the CLI, because of the large number of variables to manage.** + +6. From the root of the module run the following commands to deploy the terraform. + * `terraform init` + * `terraform plan` + * `terraform apply` + +7. Terraform will provision your resources and provide outputs once it completes. + +### Resource Manager +1. From the console home page, navigate to `Developer Services -> Resource Manager -> Stacks` +2. Select the compartment you want to create the stack in and select `Create stack`. +3. Select `Source code control system` for the Terraform source. +4. In the `Stack Configuration` box, under `Source Code Management Type`, select `GitHub`. +5. Under `Configuration source provider`, if you have a provider set up for public GitHub, you can select it, then skip to step 9. Otherwise select `Create configuration source provider`. +6. If you do not already have a Personal Access Token for your GitHub account, log in to GitHub and create one. The option can be found under `Settings -> Developer settings -> Personal access tokens -> Tokens (classic)` on the [GitHub site](https://github.com). The token must have the `repo` scope. +7. 
To create the configuration provider for GitHub in OCI, fill in the "Create configuration source provider" form as follows: + * Name: GitHub + * Description: (optional) Public Github Repositories + * Select the `Public Endpoint` option + * Type: GitHub + * Server URL: https://github.com/ + * Personal Access Token: #Your Personal Access Token# +8. Click `Create` to create the config provider +9. For Repository select `oci-landing-zones` +10. For Branch select `main` +11. for Working directory, select `templates/elz-workload` + +12. For Name, give the stack a name or accept the default. +13. For the Create in Compartment dropdown, select the compartment to store the Stack. +14. For Terraform Version dropdown, make sure to select 1.0.x at least. Lower Terraform versions are not supported. + +After completing the Stack Creation Wizard, the subsequent step prompts for variables values. **For reference on the configuration variable values read the [Configuration Guide](CONFIGURATION.md). For a full list of all available configuration variables see the [Input Variables Reference in the README](README.md#inputs)** + +After filling in the required input variables, click next to review the stack values and create the stack. + +In the Stack page use the appropriate buttons to plan/apply/destroy your stack. + +### After Deploying Workload Expansion +Users need to go back to the baseline stack `enterprise-landing-zone` to re-run terraform apply to update baseline configuration. + +#### Terraform CLI +1. Navigate to the baseline stack `enterprise-landing-zone`. +2. 
Add two variables into your tfvars file + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------- |---------------------------------------------------------------------------------------------------------------|----------------| --------------- | :------: | +| [nonprod_additional_workload_subnets_cidr_blocks](#workload\_admin\_group\_name) | List of 3 subnets CIDR Block used in workload expansion. (Do not include the cidr blocks created in baseline) | `list(string)` | | yes | +| [nonprod_workload_compartment_names](#application\_admin\_group\_name) | Workload compartment name. (Also include the workload name created in baseline) | `list(string)` | | yes | + +or your workload expansion was deployed in Prod: + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------- |----------------------------------------------------------------------------------|----------------| --------------- | :------: | +| [prod_additional_workload_subnets_cidr_blocks](#workload\_admin\_group\_name) | List of 3 subnets CIDR Block used in workload expansion.(Do not include the cidr blocks created in baseline) | `list(string)` | | yes | +| [prod_workload_compartment_names](#application\_admin\_group\_name) | Workload compartment name. (Also include the workload name created in baseline) | `list(string)` | | yes | + +3. From the root of the module run the following commands to deploy the terraform. + * `terraform init` + * `terraform plan` + * `terraform apply` +4. The subnet CIDR blocks are used to update the route table in Hub. +5. The workload name is used to update the related policy in the environment. + +#### Resource Manager +1. Navigate to the baseline stack in Resource Manager. +2. 
Go to Variables section of the baseline stack, add the value of `nonprod_additional_workload_subnets_cidr_blocks` and `nonprod_workload_compartment_names` or `prod_additional_workload_subnets_cidr_blocks` and `prod_workload_compartment_names`. +3. Click "Terraform Apply" to update the stack ## User -The Enterprise Scale Baseline Landing Zone Workload Expansion should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. +The Oracle Enterprise Landing Zone Workload Expansion should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. ```text [DEFAULT] @@ -23,17 +107,14 @@ key_file= # TODO ``` ## Region +The Oracle Enterprise Landing Zone Workload will be deployed as L3 on user defined Parent Compartment OCID. -The Enterprise Scale Baseline Landing Zone Workload will be deployed as L3 on user defined Parent Compartment OCID. - -### Resource Limits -TBD ### Compartment Structure -For the Enterprise Scale Baseline Landing Zone, we have the below compartment architecture: +For the Oracle Enterprise Landing Zone, we have the below compartment architecture: -* Enterprise Scale Baseline Landing Zone Workload Compartment will be deployed on user defined Parent Compartment OCID. So there are two deployment scenario. +* Oracle Enterprise Landing Zone Workload Compartment will be deployed on user defined Parent Compartment OCID. So there are two deployment scenario. 1) First Case : Workload Expansion will be deployed On Prod Environment. * Prod 
@@ -57,10 +138,10 @@ For the Enterprise Scale Baseline Landing Zone, we have the below compartment ar ### Workload Expansion : Network -ESBLZ Workload Expansion Stack will deploy one Spoke VCN on user defined Compartment. It will deploy VCN Gateway like Nat Gateway and Service Gateway, Security Rules and Route Tables as per the User prefence and will attach the VCN to configured DRG. There will be three Subnets for Web ,App and DB Application Resources. +OELZ Workload Expansion Stack will deploy one Spoke VCN on user defined Compartment. It will deploy VCN Gateway like Nat Gateway and Service Gateway, Security Rules and Route Tables as per the User prefence and will attach the VCN to configured DRG. There will be three Subnets for Web ,App and DB Application Resources. -Logging for the Enterprise Scale Baseline Landing Zone is configured at the Environment level, with logs for all Workloads within a given Environment being sent to object storage buckets set up per-environment, as well as an archive bucket for all Environments, with a long term retention policy. No logging configuration per Workload is necessary. +Logging for the Oracle Enterprise Landing Zone is configured at the Environment level, with logs for all Workloads within a given Environment being sent to object storage buckets set up per-environment, as well as an archive bucket for all Environments, with a long term retention policy. No logging configuration per Workload is necessary. ### Workload Expansion : Policy 
@@ -68,4 +149,4 @@ As part of Workload Expansion three user groups will be created Workload Admin, ### Workload Expansion : Monitoring -The Workload Expansion will create a series of monitoring alarms (11 Critical alarms, and 6 Warning alarms) for each Workload it creates. Notifications created by these alarms being triggered will be delivered by email to a list of email addresses (The workload_topic_endpoints) specified for that Workload. \ No newline at end of file +The Workload Expansion will create a series of monitoring alarms (11 Critical alarms, and 6 Warning alarms) for each Workload it creates. Notifications created by these alarms being triggered will be delivered by email to a list of email addresses (The workload_topic_endpoints) specified for that Workload. diff --git a/templates/elz-workload/iam.tf b/templates/elz-workload/iam.tf index 8e52f279..25d254e3 100644 --- a/templates/elz-workload/iam.tf +++ b/templates/elz-workload/iam.tf @@ -13,6 +13,10 @@ locals { database_admin_group_name : var.database_admin_group_name != "" ? var.database_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-DB-ADMIN", } + base_group_names = { + network_admin_group_name : var.network_admin_group_name != "" ? var.network_admin_group_name : "OCI-ELZ-UGP-${var.environment_prefix}-NET-ADMIN", + } + workload_expansion_policy = { name = "OCI-ELZ-WRK-EXP-${var.workload_prefix}-POLICY" description = "OCI Workload Expansion Policy" 
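Review bot: The new `base_group_names` local falls back to a conventional name, `OCI-ELZ-UGP-${var.environment_prefix}-NET-ADMIN`, for a group this stack does not create (the workload stack only creates the workload, application and database admin groups; the network admin group belongs to the baseline environment), and the statement added in the following hunk (`Allow group ${var.identity_domain_name}/${local.base_group_names["network_admin_group_name"]} to read metrics ...`) depends on that name existing in the identity domain; if the baseline was deployed with a custom group name and the same value is not passed here, the policy presumably fails at apply time, so this coupling should be stated. At the same time the CONFIGURATION.md hunk in this commit removes the `network_admin_group_name` row from the Workload Expansion Policy table, so the variable the code now relies on is no longer documented; the row should be kept there. I would add above the local: `# Groups owned by the baseline environment (not created by this stack). The fallback name must match the value used when the environment was deployed.` The enclosing `locals` block starts before this hunk.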
@@ -35,6 +39,7 @@ locals { "Allow group ${var.identity_domain_name}/${local.group_names["database_admin_group_name"]} to read autonomous-database-family in compartment ${module.workload_compartment.compartment_name}", "Allow group ${var.identity_domain_name}/${local.group_names["database_admin_group_name"]} to read database-family in compartment ${module.workload_compartment.compartment_name}", + "Allow group ${var.identity_domain_name}/${local.base_group_names["network_admin_group_name"]} to read metrics in compartment ${module.workload_compartment.compartment_name}", ] } diff --git a/templates/elz-workload/monitoring.tf b/templates/elz-workload/monitoring.tf index ecbd0c43..cda9f5f0 100644 --- a/templates/elz-workload/monitoring.tf +++ b/templates/elz-workload/monitoring.tf @@ -13,25 +13,25 @@ locals { topic_description = "OCI Landing Zone Warning Workload Topic" subscription_protocol = "EMAIL" } - alarm_policy = { - name = "${var.environment_prefix}-Policy" - description = "OCI Alarm Policy" + # alarm_policy = { + # name = "${var.environment_prefix}-Policy" + # description = "OCI Alarm Policy" - statements = [ - <**" compartment (for **PROD** and **NO-PROD** ). Also, the Network Extension Module will be an optional module and it will only be allowed to be deployed in the production environment. As a result, it will be shared between the two environments prod and non-prod. +By default, the OELZ v2.0 will deploy the H&P module within the " **L2 - OCI-ELZ-\**" compartment (for **PROD** and **NO-PROD** ). Also, the Network Extension Module will be an optional module and it will only be allowed to be deployed in the production environment. As a result, it will be shared between the two environments prod and non-prod. The main components that the Hub module will have been as follows: 
@@ -345,7 +345,7 @@ The main components that the Spoke module will have are as follows: - A **NAT Gateways** [Optional] which enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections, deployed in the **L3 - Workload compartment** - A **Service gateway** [Optional] which provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet, deployed in the **L3 - Workload compartment.** -**NOTE :** In a scenario in which the customer wishes to publish its Web Servers using the ESBLZ v2.0, an Public Load Balancer must be deployed within the public subnet in the HUB ( **L4 - Network Compartment** ), which will have as endpoints the Web Servers present in the subnet that will be part of the **L3 - Workload compartment.** Since connectivity is already configured via the Hub & Spoke architecture, all that needs to be done is to change the Security Lists associated with the subnets to enable traffic between the Load Balancer and the endpoints. +**NOTE :** In a scenario in which the customer wishes to publish its Web Servers using the OELZ v2.0, an Public Load Balancer must be deployed within the public subnet in the HUB ( **L4 - Network Compartment** ), which will have as endpoints the Web Servers present in the subnet that will be part of the **L3 - Workload compartment.** Since connectivity is already configured via the Hub & Spoke architecture, all that needs to be done is to change the Security Lists associated with the subnets to enable traffic between the Load Balancer and the endpoints. The Network extension module consists of two sub-modules that will allow the customer to decide whether to deploy a Site-to-Site VPN in each environment rather than share Fast Connect between environments. 
@@ -366,7 +366,7 @@ Using this module, you can decide during deployment to create a Site-to-Site VPN The main components that the Fast Connect module will have been as follows: - A **Fast Connect circuit** dedicated, private connection between your data center and Oracle Cloud Infrastructure, using your choice of Oracle partners deployed in the **L4 - Network compartment ** -- A **Remote Peering Connections (RPC) attachment** which will peer the DRGs of the two environments created during the ESBLZ v2.0 deployment. +- A **Remote Peering Connections (RPC) attachment** which will peer the DRGs of the two environments created during the OELZ v2.0 deployment. Using this module, the customer can decide whether or not to deploy a Fast Connect circuit by sharing it between environments. This decision was made because the Fast Connect service is generally more expensive than a Site-to-Site VPN. 
@@ -374,20 +374,20 @@ After deployment, if it is necessary to have other Fast Connect circuits, the cu . While enabling this module, environments will continue to be segregated as traffic will be allowed or denied by the security lists applied to each subnet. -The security lists implemented during the ESBLZ v2.0 deployment are CIS 1.2.0 compliant, so all incoming traffic will be blocked except the ICMP protocol. For more information please refer to the CIS Benchmark 1.2.0 for Oracle Cloud Infrastructure: [CIS Oracle Cloud Infrastructure Benchmarks (cisecurity.org)](https://www.cisecurity.org/benchmark/oracle_cloud) +The security lists implemented during the OELZ v2.0 deployment are CIS 1.2.0 compliant, so all incoming traffic will be blocked except the ICMP protocol. For more information please refer to the CIS Benchmark 1.2.0 for Oracle Cloud Infrastructure: [CIS Oracle Cloud Infrastructure Benchmarks (cisecurity.org)](https://www.cisecurity.org/benchmark/oracle_cloud) ## **_Security Module_** Oracle Cloud Infrastructure (OCI) is a Security-first Cloud Service that helps organizations reduce the risk of security threats for cloud workloads by putting our customers' Data Security and Privacy first. This is achieved via the automation of security operations with simple, prescriptive, and integrated cloud-native security capabilities built into the OCI platform. Oracle helps customers easily adopt OIC services and secure their cloud infrastructure, data, and applications. 
-The ESBLZv2 further supports Oracle's Security-First Cloud strategy tenets: +The OELZv2 further supports Oracle's Security-First Cloud strategy tenets: - Security should be simple—easy to use, deploy, and operate - Security tools should offer guidance to help customers achieve strong security more easily - Security should be integrated and automated, reducing manual security tasks and human errors - Cloud security should be economically attractive, improving the cost of securing cloud workloads -The following OCI cloud-native services will be implemented by ESBLZv2 to help your organization meet your Security Policy and Compliance requirements. +The following OCI cloud-native services will be implemented by OELZv2 to help your organization meet your Security Policy and Compliance requirements. - Cloud Guard - Vulnerability Scanning Service (VSS) 
@@ -396,7 +396,7 @@ The following OCI cloud-native services will be implemented by ESBLZv2 to help y **Cloud Guard** -Cloud Guard is the OCI native security service that helps our customers monitor, identify threats/configuration issues, achieve a strong security posture and maintain compliance with their security policies. When issues are detected, Cloud Guard can recommend, assist or execute corrective actions based on how you configure Cloud Guard to respond. The ESBLZv2 will enable Cloud Guard services by default, and it will use your organization's tenancy home region as its reporting region. Cloud Guard is used in conjunction with VSS detector recipes. The following default Oracle Managed Detector Recipes will be enabled to provide a strong secure baseline for your organization's OCI environment: +Cloud Guard is the OCI native security service that helps our customers monitor, identify threats/configuration issues, achieve a strong security posture and maintain compliance with their security policies. When issues are detected, Cloud Guard can recommend, assist or execute corrective actions based on how you configure Cloud Guard to respond. The OELZv2 will enable Cloud Guard services by default, and it will use your organization's tenancy home region as its reporting region. Cloud Guard is used in conjunction with VSS detector recipes. The following default Oracle Managed Detector Recipes will be enabled to provide a strong secure baseline for your organization's OCI environment: - Configuration Detector Recipe - Set of rules designed specifically to detect resource configuration settings that could pose a security problem. - Threat Detector Recipe - Set of rules designed to specifically to detect rogue user activity and high-risk activity based on our Threat Intelligence Service. 
@@ -422,7 +422,7 @@ For additional detail, please refer to our [Vulnerability Scanning Service (VSS) **Vault (Key Management)** -OCI Vault is our cloud-native encryption management service that will be used in this Landing Zone to store and manage Master Encryption Keys and Secrets that are used to secure your OCI resources and will be used to encrypt your logs. This ESBLZv2 landing zone will default to VIRTUAL. A Master Encryption Key (MEK) AES 256 will be generated by default as part of your Landing Zone deployment. This MEK will be used to encrypt your log object storage buckets. Customers can choose to "bring your own key" (BYOK) and import key material from your on-premises or 3rd-party cloud environments. In addition, OCI can provide a Hardware Security Module (HSM) dedicated vault service as an option. +OCI Vault is our cloud-native encryption management service that will be used in this Landing Zone to store and manage Master Encryption Keys and Secrets that are used to secure your OCI resources and will be used to encrypt your logs. This OELZv2 landing zone will default to VIRTUAL. A Master Encryption Key (MEK) AES 256 will be generated by default as part of your Landing Zone deployment. This MEK will be used to encrypt your log object storage buckets. Customers can choose to "bring your own key" (BYOK) and import key material from your on-premises or 3rd-party cloud environments. In addition, OCI can provide a Hardware Security Module (HSM) dedicated vault service as an option. Please refer to [Vault (Key Management)](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Concepts/keyoverview.htm) for more details. 
@@ -430,4 +430,48 @@ Please refer to [Vault (Key Management)](https://docs.oracle.com/en-us/iaas/Cont OCI Bastions provides restricted and time-limited access to target resources that don't have public endpoints, letting authorized users connect from specific IP addresses to target resources using Secure Shell (SSH) sessions. This Landing Zone deployment will also include the OCI Bastion service which allows privileged users to connect from specified IP Addresses to target resources over Secure Shell (SSH). When connected via Bastion, users can interact with the target OCI resource by using any software or protocol supported by SSH. For example, you can use the Remote Desktop Protocol (RDP) to connect to a Windows host or use Oracle Net Services to connect to a database. The Bastion Service is associated with a single VCN and there is a limit of 5 Bastions per region. -For more information, please see [OCI Bastion](https://docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm). \ No newline at end of file +For more information, please see [OCI Bastion](https://docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm). + +## **_Workload Module_** +The workload expansion module is responsible for deploying the resources for an empty workload. It will deploy following resources: +* Compartment +* Network (Spoke) +* Logging +* Monitoring +* Policies and workload group + +**Compartment** + +One workload compartment would be created in the L3 - Workload compartment. + +**Network (Spoke)** + +The main components that the Spoke module will have are as follows: + +- A **VCN** which will host the different subnets of the Spoke deployed in the **L3 - Workload compartment** +- Three **private subnets** to host all components of your application using different tier such as Web, App and DB. +- A **VCN Attachments** which will be connected to the DRG of the HUB. 
+- A **NAT Gateways** [Optional] which enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections, deployed in the **L3 - Workload compartment** +- A **Service gateway** [Optional] which provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet, deployed in the **L3 - Workload compartment.** + +**Logging** + +The Logging service would be applied in the Landing Zone Home compartment level. Therefore, all the logs from +Workload Expansion would also be captured. + +**Monitoring** + +Same as the default workload, the monitoring structure contains following elements: + +- Monitor Alert Channels - Create Notification Topics (Workload-Critical, Workload-Warning) and subscription (i.e. email) +- Monitor OCI service incidents and action required from OCI maintenance by subscribing to Console Announcements +- Monitor Cloud Guard status (e.g. problemthresholdreached) by subscribing Cloud Guard events +- Monitor VSS and Cloud Guard detected problem by subscribing Cloud Guard events +- Enable metrics-based monitoring of Network, Security, Logging and Workload compartments by creating sample alarm rules for the deployed service metrics namespaces + +**Policies and workload group** + +Three admin groups are created in the workload expansion: +- workload admin group: User group that have access to the workload related resources inside your environment +- application admin group: User group that have access to the application (volume family, object, file, instance, etc) resources inside your environment +- database admin group: User group that have access to the database resources inside your environment \ No newline at end of file 
diff --git a/templates/enterprise-landing-zone/CONFIGURATION.md b/templates/enterprise-landing-zone/CONFIGURATION.md index 77ae3612..f9d3051b 100644 --- a/templates/enterprise-landing-zone/CONFIGURATION.md +++ b/templates/enterprise-landing-zone/CONFIGURATION.md 
@@ -1,27 +1,27 @@ -## Enterprise Scale Baseline Landing Zone Configuration Guide +## Oracle Enterprise Landing Zone Configuration Guide -This configuration guide will detail the required and available configurations needed to deploy an Enterprise Scale Baseline Landing Zone(ESBLZ) on Oracle Cloud Infrastructure. +This configuration guide will detail the required and available configurations needed to deploy an Oracle Enterprise Landing Zone(OELZ) on Oracle Cloud Infrastructure. ## Prerequisites -The Enterprise Scale Baseline Landing Zone is designed to be deployed to a tenancy owned by the individual Tenancy Administrator. The user deploying the ESBLZ must be a member of the Administrators group for the tenancy. The tenancy must have the required Resource Limits and have the Logging Analytics feature turned on. Detailed information on these prerequisites, and how to check that your tenancy meets them, and enable needed features can be found in the [Implementation Document](Implementation.md) +The Oracle Enterprise Landing Zone is designed to be deployed to a tenancy owned by the individual Tenancy Administrator. The user deploying the OELZ must be a member of the Administrators group for the tenancy. The tenancy must have the required Resource Limits and have the Logging Analytics feature turned on. Detailed information on these prerequisites, and how to check that your tenancy meets them, and enable needed features can be found in the [Implementation Document](Implementation.md) ## Minimum Required Configuration -Deployment of the ESBLZ is controlled by several Terraform [input variables](README.md#inputs), however most of these have sensible default values. Here are the minimum required configurations to deploy a ESBLZ: +Deployment of the OELZ is controlled by several Terraform [input variables](README.md#inputs), however most of these have sensible default values. 
Here are the minimum required configurations to deploy a OELZ: ### Basic Terraform Connection Information -The required provider variables for the ESBLZ: +The required provider variables for the OELZ: | Name | Description | Type | Default | Required | | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------- | ------- | :------: | -| [current\_user\_ocid](#input\_current\_user\_ocid) | The ID of user to deploy the ESBLZ. | `string` | `""` | no | +| [current\_user\_ocid](#input\_current\_user\_ocid) | The ID of user to deploy the OELZ. | `string` | `""` | no | | [api\_fingerprint](#input\_api\_fingerprint) | The API fingerprint which can be retrieved from the console. | `string` | `""` | no | | [api\_private\_key](#input\_api\_private\_key) | The API private key | `string` | `""` | no | | [api\_private\_key\_path](#input\_api\_private\_key\_path) | The local path to the API private key | `string` | `""` | no | | [tenancy\_ocid](#input\_tenancy\_ocid) | The ID of tenancy | `string` | n/a | yes | -| [region](#input\_region) | The OCI region to deploy the ESBLZ resources to. | `string` | n/a | yes | +| [region](#input\_region) | The OCI region to deploy the OELZ resources to. | `string` | n/a | yes | | [resource\_label](#input\_resource\_label) | The prefix used to avoid naming conflict | `string` | n/a | no | 
@@ -31,13 +31,13 @@ This architecture diagram illustrates the compartments Enterprise LZ deploys. ![Architecture](<../../images/LZ-v2.0.png> "Architecture") -The ESBLZ Home Compartment would be created in enterprise-landing-zone. The other +The OELZ Home Compartment would be created in enterprise-landing-zone. The other compartments would be created in elz-environment and in elz-workload. -The required arguments for ESBLZ Home Compartment: -* **compartment_parent_id**: the OCID of compartment/tenancy that you create the ESBLZ in -* **compartment_name**: the name of ESBLZ home compartment -* **compartment_description**: the description of ESBLZ home compartment +The required arguments for OELZ Home Compartment: +* **compartment_parent_id**: the OCID of compartment/tenancy that you create the OELZ in +* **compartment_name**: the name of OELZ home compartment +* **compartment_description**: the description of OELZ home compartment * **enable_compartment_delete**: unless enable_delete is explicitly set to true, Terraform will not delete compartments on destroy To configure the compartment the required user inputs are: 
@@ -45,15 +45,15 @@ To configure the compartment the required user inputs are: | Name | Description | Type | Default | Required | | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -------- | -------------------- | :------: | | [enable\_compartment\_delete](#input\_enable\_compartment\_delete) | Set to true to allow the compartments to delete on terraform destroy. | `bool` | `true` | no | -| [home\_compartment\_name](#input\_home\_compartment\_name) | The name of the home compartment under which all ESBLZ resources will be deployed. | `string` | `"OCI-ELZ-CMP-HOME"` | no | +| [home\_compartment\_name](#input\_home\_compartment\_name) | The name of the home compartment under which all OELZ resources will be deployed. | `string` | `"OCI-ELZ-CMP-HOME"` | no | ## Identity Module Each environment will have its own identity domain. The identity domain applies to all resources under the environment compartment. -ESBLZ will only support the new identity domains in OCI(Henosis) and not the old IDCS domains. +OELZ will only support the new identity domains in OCI(Henosis) and not the old IDCS domains. Required attributes: * Display Name: The display name of Identity Domain. Default: OCI-ELZ--IDT -* Description: The description of Identity Domain. Default: OCI ESBLZ Identity Domain +* Description: The description of Identity Domain. Default: OCI OELZ Identity Domain * Domain Type: Premium * Domain Admin: Email address for the domain admin * Compartment: OCID for the compartment where the domain will be stored. This should be the L4-Security compartment 
@@ -73,15 +73,15 @@ Required attributes: ## Groups and Policies For control over users and user groups, a federate-able Identity Domain is created in the L4-Security Compartment for each environment. -To do so, the user deploying the ESBLZ will need set up federation after the ESBLZ has been deployed. +To do so, the user deploying the OELZ will need set up federation after the OELZ has been deployed. -The ESBLZ also will create 6 different User Groups, meant for managing individual deployed environments(by default 2, prod and non-prod). +The OELZ also will create 6 different User Groups, meant for managing individual deployed environments(by default 2, prod and non-prod). -* **Network Admin** : OCI ESBLZ Network Administrators Group - manages all network resources -* **SecOps Admin**: OCI ESBLZ Security Administrators Group -* **IAM Admin**: OCI ESBLZ IAM Group -* **Ops Admin**: OCI ESBLZ Ops Admin Group -* **Platform Admin**: OCI ESBLZ Platform Admin Group +* **Network Admin** : OCI OELZ Network Administrators Group - manages all network resources +* **SecOps Admin**: OCI OELZ Security Administrators Group +* **IAM Admin**: OCI OELZ IAM Group +* **Ops Admin**: OCI OELZ Ops Admin Group +* **Platform Admin**: OCI OELZ Platform Admin Group While creating these user-groups the user inputs will be optional as there will be default value with group name, however if customer who want to setup federation, they will need to update the user-groups with the names as how those exist in their federated domain. 
@@ -91,23 +91,23 @@ While creating these user-groups the user inputs will be optional as there will | Name | Description | Type | Default | Required | | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | -------- | ------------------------------- | :------: | - | [prod\_network\_admin\_group\_name](#input\_prod\_network\_admin\_group\_name) | The group name for the OCI ESBLZ Network Administrators Group | `string` | `"OCI-ELZ-UGP--NET-ADMIN"` | no | - | [prod\_ops\_admin\_group\_name](#input\_prod\_ops\_admin\_group\_name) | The group name for the OCI ESBLZ Ops Administrators Group | `string` | `"OCI-ELZ-UGP--OPS-ADMIN"` | no | - | [prod\_iam\_admin\_group\_name](#input\_prod\_iam\_admin\_group\_name) | The group name for the OCI ESBLZ IAM Administrators Group | `string` | `"OCI-ELZ-UGP--IAM-ADMIN"` | no | - | [prod\_security\_admin\_group\_name](#input\_prod\_security\_admin\_group\_name) | The group name for the OCI ESBLZ Security Administrators Group | `string` | `"OCI-ELZ-UGP--SEC-ADMIN"` | no | - | [prod\_platform\_admin\_group\_name](#input\_prod\_platform\_admin\_group\_name) | The group name for the OCI ESBLZ Platform Administrators Group | `string` | `"OCI-ELZ-UGP--PLT-ADMIN"` | no | + | [prod\_network\_admin\_group\_name](#input\_prod\_network\_admin\_group\_name) | The group name for the OCI OELZ Network Administrators Group | `string` | `"OCI-ELZ-UGP--NET-ADMIN"` | no | + | [prod\_ops\_admin\_group\_name](#input\_prod\_ops\_admin\_group\_name) | The group name for the OCI OELZ Ops Administrators Group | `string` | `"OCI-ELZ-UGP--OPS-ADMIN"` | no | + | [prod\_iam\_admin\_group\_name](#input\_prod\_iam\_admin\_group\_name) | The group name for the OCI OELZ IAM Administrators Group | `string` | `"OCI-ELZ-UGP--IAM-ADMIN"` | no | + | 
[prod\_security\_admin\_group\_name](#input\_prod\_security\_admin\_group\_name) | The group name for the OCI OELZ Security Administrators Group | `string` | `"OCI-ELZ-UGP--SEC-ADMIN"` | no | + | [prod\_platform\_admin\_group\_name](#input\_prod\_platform\_admin\_group\_name) | The group name for the OCI OELZ Platform Administrators Group | `string` | `"OCI-ELZ-UGP--PLT-ADMIN"` | no | 2. NonProd Environment | Name | Description | Type | Default | Required | | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | -------- | ------------------------------- | :------: | - | [nonprod\_network\_admin\_group\_name](#input\_nonprod\_network\_admin\_group\_name) | The group name for the OCI ESBLZ Network Administrators Group | `string` | `"OCI-ELZ-UGP--NET-ADMIN"` | no | - | [nonprod\_ops\_admin\_group\_name](#input\_nonprod\_ops\_admin\_group\_name) | The group name for the OCI ESBLZ Ops Administrators Group | `string` | `"OCI-ELZ-UGP--OPS-ADMIN"` | no | - | [nonprod\_iam\_admin\_group\_name](#input\_nonprod\_iam\_admin\_group\_name) | The group name for the OCI ESBLZ IAM Administrators Group | `string` | `"OCI-ELZ-UGP--IAM-ADMIN"` | no | - | [nonprod\_security\_admin\_group\_name](#input\_nonprod\_security\_admin\_group\_name) | The group name for the OCI ESBLZ Security Administrators Group | `string` | `"OCI-ELZ-UGP--SEC-ADMIN"` | no | - | [nonprod\_platform\_admin\_group\_name](#input\_nonprod\_platform\_admin\_group\_name) | The group name for the OCI ESBLZ Platform Administrators Group | `string` | `"OCI-ELZ-UGP--PLT-ADMIN"` | no | + | [nonprod\_network\_admin\_group\_name](#input\_nonprod\_network\_admin\_group\_name) | The group name for the OCI OELZ Network Administrators Group | `string` | `"OCI-ELZ-UGP--NET-ADMIN"` | no | + | [nonprod\_ops\_admin\_group\_name](#input\_nonprod\_ops\_admin\_group\_name) | 
The group name for the OCI OELZ Ops Administrators Group | `string` | `"OCI-ELZ-UGP--OPS-ADMIN"` | no | + | [nonprod\_iam\_admin\_group\_name](#input\_nonprod\_iam\_admin\_group\_name) | The group name for the OCI OELZ IAM Administrators Group | `string` | `"OCI-ELZ-UGP--IAM-ADMIN"` | no | + | [nonprod\_security\_admin\_group\_name](#input\_nonprod\_security\_admin\_group\_name) | The group name for the OCI OELZ Security Administrators Group | `string` | `"OCI-ELZ-UGP--SEC-ADMIN"` | no | + | [nonprod\_platform\_admin\_group\_name](#input\_nonprod\_platform\_admin\_group\_name) | The group name for the OCI OELZ Platform Administrators Group | `string` | `"OCI-ELZ-UGP--PLT-ADMIN"` | no | -The ESBLZ deploys policies that will grant administrative privileges to members of each of those groups over resources in their respective compartments. +The OELZ deploys policies that will grant administrative privileges to members of each of those groups over resources in their respective compartments. ## Budget and Tagging Module @@ -117,7 +117,7 @@ The deployment mode of the modules will be the same for each additional environm ## Budget Module The budgets module is responsible for deploying the budget component in a single environment. -The ESBLZ should create following components: +The OELZ should create following components: * 1 Budget per environment * **Budget scope**: Environment (Prod/Non-Prod) @@ -157,7 +157,7 @@ The ESBLZ should create following components: The tags module is responsible for deploying Tags within the L2 Environment compartment. -The ESBLZ should create following components: +The OELZ should create following components: * Tag namespace per environment containing the following defined tags and tag defaults 
@@ -223,7 +223,7 @@ The monitoring module will enable you to actively and passively monitor resource Network Module will deploy Hub and Spoke distribution paradigm, VPN and Fastconnect on the LZ Environment. ## Network Module Known Limitation -* CIDR ranges which can't be used during the ESBLZ deployment: +* CIDR ranges which can't be used during the OELZ deployment: * 169.254.10.0-169.254.19.255 * 169.254.100.0-169.254.109.255 * 169.254.192.0-169.254.201.255 
@@ -494,24 +494,24 @@ On Premise Subnet route will not propagate over the RPC connection to the second ## Security -To provide for a secure environment, the ESBLZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches. +To provide for a secure environment, the OELZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches. -To provide secure storage and key management, the ESBLZ deploys a Vault and a creates a Master Encryption Key stored in that vault, which can be used to encrypt data in Object Storage. +To provide secure storage and key management, the OELZ deploys a Vault and a creates a Master Encryption Key stored in that vault, which can be used to encrypt data in Object Storage. -For secure storage and future analysis of logging data, the ESBLZ directs all logging data, including general log data, service events, and audit logs, to secure storage. This can be secure object storage buckets created by the ESBLZ, and encrypted with the Master Encryption Key stored in the central Vault. +For secure storage and future analysis of logging data, the OELZ directs all logging data, including general log data, service events, and audit logs, to secure storage. This can be secure object storage buckets created by the OELZ, and encrypted with the Master Encryption Key stored in the central Vault. -For secure access to workload resources, the ESBLZ deploys a Bastion in the L4 Security Compartment. +For secure access to workload resources, the OELZ deploys a Bastion in the L4 Security Compartment. 
### Security Services -The ESBLZ deploys configurations for multiple security services. VSS (Vulnerability Scanning Service) will scan compute instances deployed in the ESBLZ (i.e. as part of workloads) for open ports, and known security vulnerabilities. OSMS (OS Management Service) works with operating systems on deployed compute instances (such as Oracle Autonomous Linux) to manage patches and updates to ensure a secure environment. +The OELZ deploys configurations for multiple security services. VSS (Vulnerability Scanning Service) will scan compute instances deployed in the OELZ (i.e. as part of workloads) for open ports, and known security vulnerabilities. OSMS (OS Management Service) works with operating systems on deployed compute instances (such as Oracle Autonomous Linux) to manage patches and updates to ensure a secure environment. ### Cloud Guard Sub Module -CloudGuard can monitor for a multitude of security conditions. The ESBLZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring. +CloudGuard can monitor for a multitude of security conditions. The OELZ configures CloudGuard with several Oracle-managed security recipes for up-to-date best practice security monitoring. -By default, CloudGuard is configured to monitor just the resources deployed in the ESBLZ Home compartment, and compartments within that. An option is for CloudGuard to monitor the entire tenancy is there and it is controlled by the [cloud_guard_target_tenancy](cloud_guard_target_tenancy) variable. This is a Boolean variable that defaults to `false`. If it is set to `true` CloudGuard will be configured to monitor the entire tenancy, instead of just the ESBLZ Home compartment. +By default, CloudGuard is configured to monitor just the resources deployed in the OELZ Home compartment, and compartments within that. 
An option is for CloudGuard to monitor the entire tenancy is there and it is controlled by the [cloud_guard_target_tenancy](cloud_guard_target_tenancy) variable. This is a Boolean variable that defaults to `false`. If it is set to `true` CloudGuard will be configured to monitor the entire tenancy, instead of just the OELZ Home compartment. Cloud Guard Target will be deployed in base compartment of both L2-Prod and L2-Non-Prod environments along with related IAM policies. All Oracle managed responder recipes will reside in L4 Security compartment of each environment. @@ -530,7 +530,7 @@ For further details on CloudGuard, see the [Cloud Guard documentation](https://d | Name | Description | Type | Default | Required | | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------ | ------- | :------: | | [enable\_cloud\_guard](#input\_enable\_cloud\_guard) | true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. | `bool` | `true` | no | - | [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to ESBLZ home compartment | `bool` | `false` | no | + | [cloud\_guard\_target\_tenancy](#input\_cloud\_guard\_target\_tenancy) | true if cloud guard targets to tenancy, false if cloud guard targets to OELZ home compartment | `bool` | `false` | no | ### Bastion Sub Module 
@@ -554,7 +554,7 @@ Bastion service is created in the L4 Security Compartment within the L2 prod Com ### VSS Sub Module -VSS (Vulnerability Scanning Service) is part of many security services deployed under ESBLZ. It scans compute instances deployed in the ESBLZ (i.e. as part of workloads) for open ports, and other known security vulnerabilities. +VSS (Vulnerability Scanning Service) is part of many security services deployed under OELZ. It scans compute instances deployed in the OELZ (i.e. as part of workloads) for open ports, and other known security vulnerabilities. **Key Features**: @@ -613,7 +613,7 @@ OCI Vault service is a key management service that stores and manages master enc ### Logging -The ESBLZ sets up secure storage of all log data generated by resources and services in the ESBLZ. For both environments in L2-Prod and L2-NonProd compartment a logging compartment **“L3-Logging Compartment”** is created. This compartment hosts the below listed 3 immutable storage buckets: +The OELZ sets up secure storage of all log data generated by resources and services in the OELZ. For both environments in L2-Prod and L2-NonProd compartment a logging compartment **“L3-Logging Compartment”** is created. This compartment hosts the below listed 3 immutable storage buckets: * **AuditLogs_standard** (for audit logs) * **DefaultLogs_standard** (for general logging) 
@@ -623,9 +623,9 @@ These buckets are encrypted with the Master Encryption Key(MEK) stored in the va Default Log group (Name: Default_Group) is created is L4-Security compartment and service logs for all supported services (VCN Flow logs, Object Storage etc.) are enabled and stored in L3-Logging compartment. -All the events in ESBLZ environment are streamed to standard object storage. The Stream Pool is created in L4-Security compartment and encrypted with MEK and the service evens are stored in standard Object storage bucket in Logging compartment. +All the events in OELZ environment are streamed to standard object storage. The Stream Pool is created in L4-Security compartment and encrypted with MEK and the service evens are stored in standard Object storage bucket in Logging compartment. -Service connector is used to ship all the audit, service logs and events in ESBLZ to these buckets in logging compartment. All IAM Policies for Service Connector are created in the L2 level Home compartment of each environment. +Service connector is used to ship all the audit, service logs and events in OELZ to these buckets in logging compartment. All IAM Policies for Service Connector are created in the L2 level Home compartment of each environment. * **Required Arguments/Parameters for Bucket Retention Policies**: 
@@ -649,3 +649,22 @@ Service connector is used to ship all the audit, service logs and events in ESBL | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | :------: | | [archive\_log\_retention\_policy\_duration\_amount](#input\_archive\_log\_retention\_policy\_duration\_amount) | The timeAmount is interpreted in units defined by the timeUnit parameter, and is calculated in relation to each object's Last-Modified timestamp. | `string` | `"1"` | no | | [archive\_log\_retention\_policy\_duration\_time\_unit](#input\_archive\_log\_retention\_policy\_duration\_time\_unit) | The unit that should be used to interpret timeAmount. | `string` | `"DAYS"` | no | + +## Workload Expansion + +The variables used for rerun the baseline stack after deploying workload expansion stack. + +In Non-Prod: + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------- |---------------------------------------------------------------------------------------------------------------|----------------| --------------- | :------: | +| [nonprod_additional_workload_subnets_cidr_blocks](#workload\_admin\_group\_name) | List of 3 subnets CIDR Block used in workload expansion. (Do not include the cidr blocks created in baseline) | `list(string)` | | yes | +| [nonprod_workload_compartment_names](#application\_admin\_group\_name) | Workload compartment name. 
(Also include the workload name created in baseline) | `list(string)` | | yes | + +In Prod: + + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------- |----------------------------------------------------------------------------------|----------------| --------------- | :------: | +| [prod_additional_workload_subnets_cidr_blocks](#workload\_admin\_group\_name) | List of 3 subnets CIDR Block used in workload expansion.(Do not include the cidr blocks created in baseline) | `list(string)` | | yes | +| [prod_workload_compartment_names](#application\_admin\_group\_name) | Workload compartment name. (Also include the workload name created in baseline) | `list(string)` | | yes | diff --git a/templates/enterprise-landing-zone/IMPLEMENTATION.md b/templates/enterprise-landing-zone/IMPLEMENTATION.md index 4ab06a03..19c9e6bc 100644 --- a/templates/enterprise-landing-zone/IMPLEMENTATION.md +++ b/templates/enterprise-landing-zone/IMPLEMENTATION.md 
@@ -1,15 +1,15 @@ -# Enterprise Scale Baseline Landing Zone +# Oracle Enterprise Landing Zone ## Prerequisites -To deploy the Enterprise Scale Baseline Landing Zone from the terraform cli you will need the following prerequisites. +To deploy the Oracle Enterprise Landing Zone from the terraform cli you will need the following prerequisites. - [Latest Version of Terrafom](https://developer.hashicorp.com/terraform/downloads) - [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs) v4.109.0 or later - [oci - cli](https://github.com/oracle/oci-cli) ## User -The Enterprise Scale Baseline Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. +The Oracle Enterprise Landing Zone should be deployed by a user who is a member of the Administrators group for the tenancy. This user need to have an api key entry defined as decribed [here](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformproviderconfiguration.htm). Once the user and API Key are defined your oci-cli config should resemble. ```text [DEFAULT] 
@@ -22,23 +22,23 @@ key_file= # TODO ## Region -The Enterprise Scale Baseline Landing Zone should be deployed to the tenancy's Home Region. +The Oracle Enterprise Landing Zone should be deployed to the tenancy's Home Region. ## Tenancy -The tenancy you intend to deploy the Enterprise Scale Baseline Landing Zone to. +The tenancy you intend to deploy the Oracle Enterprise Landing Zone to. ### Logging Analytics The Logging Analytics service should be enabled for the tenancy. To check the current status of Logging Analytics for a tenancy, visit the [Logging Analytics home page][1]. -There will be a dark grey box at the top of the page. On the right hand side of that box, if Logging analytics has *not* been enabled, there will be a notice that Logging Analytics has not been enabled for the tenancy, and a blue button to enable it. To enable it, click the blue button, and wait for the 3 onboarding steps to complete. No further action will be required, as the Enterprise Scale Baseline Landing Zone will configure the needed datasources. +There will be a dark grey box at the top of the page. On the right hand side of that box, if Logging analytics has *not* been enabled, there will be a notice that Logging Analytics has not been enabled for the tenancy, and a blue button to enable it. To enable it, click the blue button, and wait for the 3 onboarding steps to complete. No further action will be required, as the Oracle Enterprise Landing Zone will configure the needed datasources. ### Resource Limits -Most of the initial resource limits a new tenancy comes with should be sufficient to deploy 1 Enterprise Scale Baseline Landing Zone, with 2 environments and 1 workload each. +Most of the initial resource limits a new tenancy comes with should be sufficient to deploy 1 Oracle Enterprise Landing Zone, with 2 environments and 1 workload each. -However, there are some resource limits that will need to be increased in order to deploy the Enterprise Scale Baseline Landing Zone. 
Below is a table listing the Terraform OCI resource names and numbers deployed please ensure your tenancy has sufficient limts before deploying the Enterprise Scale Baseline Landing Zone: +However, there are some resource limits that will need to be increased in order to deploy the Oracle Enterprise Landing Zone. Below is a table listing the Terraform OCI resource names and numbers deployed please ensure your tenancy has sufficient limts before deploying the Oracle Enterprise Landing Zone: |OCI Terraform Resource Name | Count | | ---------------------------- | ------- | |oci_announcements_service_announcement_subscription| 2| @@ -105,7 +105,7 @@ Requests to raise these limits can be done through the [request a service limit [1]: https://cloud.oracle.com/loganalytics/home "Logging Analytics Home page." [2]: https://cloud.oracle.com/support/create?type=limit "Request a service Limit Increase." -## Enterprise Scale Baseline Landing Zone Compartment Architecture +## Oracle Enterprise Landing Zone Compartment Architecture --- ![Architecture](<../../images/LZ-v2.0.png> "Architecture") @@ -114,9 +114,9 @@ This architecture diagram illustrates the compartments Enterprise LZ deployments ### Compartment Structure -For the Enterprise Scale Baseline Landing Zone, we have the below compartment architecture: +For the Oracle Enterprise Landing Zone, we have the below compartment architecture: -* Enterprise Scale Baseline Landing Zone Home Compartment +* Oracle Enterprise Landing Zone Home Compartment * Prod * Shared Infrastructure * Network 
@@ -139,9 +139,9 @@ Environments are each full infrastructure deployments with their own hub-and-spo They are designed to ensure isolation between each environment. They can each contain multiple Workloads. -The Enterprise Scale Baseline Landing Zone will initially set up two Environments: `Prod` and `Nonprod`. Infrastructure resources within each Environment will have a single letter abbreviation (such as `N` or `P`) to indicate which environment they are part of. +The Oracle Enterprise Landing Zone will initially set up two Environments: `Prod` and `Nonprod`. Infrastructure resources within each Environment will have a single letter abbreviation (such as `N` or `P`) to indicate which environment they are part of. -In the future, the `elz-environment` template will allow you to easily add new Environments to an existing Enterprise Scale Baseline Landing Zone. +In the future, the `elz-environment` template will allow you to easily add new Environments to an existing Oracle Enterprise Landing Zone. ## Workloads @@ -150,7 +150,7 @@ Workloads are the "shell" for you to deploy an application or service into. They Workloads exist within Environments. -The Enterprise Scale Baseline Landing Zone will set up one initial workload configuration in each Environment. In the future, the `elz-workload` template will allow you to easily add additional workloads to a deployed Environment within the Enterprise Scale Baseline Landing Zone. +The Oracle Enterprise Landing Zone will set up one initial workload configuration in each Environment. In the future, the `elz-workload` template will allow you to easily add additional workloads to a deployed Environment within the Oracle Enterprise Landing Zone. Note that Workload compartments and networks all contain a user provided *workload_name* suffix in their names. This allows multiple workloads, each with their own separate compartment and networks, to be deployed. 
@@ -158,7 +158,7 @@ Note that Workload compartments and networks all contain a user provided *worklo --- Each environment will have its own identity domain. This lives in the Security compartment of each environment. The identity domain applies to all resources under the environment compartment. -Enterprise Scale Baseline Landing Zone will only support the new identity domains in OCI(Henosis) and not the old IDCS domains. +Oracle Enterprise Landing Zone will only support the new identity domains in OCI(Henosis) and not the old IDCS domains. Each domain has it's own users and groups, and can be federated and configured separately. 
@@ -173,28 +173,28 @@ For *each* workload deployed in an environment, there will be one Spoke network. The `elz-network-extension` template can add VPN or FastConnect links between an environment's DRG and an on-prem network. -## Deployment of The Enterprise Scale Baseline Landing Zone +## Deployment of The Oracle Enterprise Landing Zone ## For customers who already have Infrastructure in OCI -If you already have infrastructure deployed in OCI and are looking to explore a best-practices infrastructure architecture with Enterprise Scale Baseline Landing Zone, you may want to create a new [Child Tenancy](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) to deploy the Enterprise Scale Baseline Landing Zone in. This will guarantee there are no conflicts with existing infrastructure. +If you already have infrastructure deployed in OCI and are looking to explore a best-practices infrastructure architecture with Oracle Enterprise Landing Zone, you may want to create a new [Child Tenancy](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) to deploy the Oracle Enterprise Landing Zone in. This will guarantee there are no conflicts with existing infrastructure. -Note that child tenancies have their own [resource limits](#resource-limits), which should be checked to confirm the Enterprise Scale Baseline Landing Zone can be deployed. +Note that child tenancies have their own [resource limits](#resource-limits), which should be checked to confirm the Oracle Enterprise Landing Zone can be deployed. ## How to Deploy --- -The Enterprise Scale Baseline Landing Zone can be launched through Oracle Resource Manager or from the Terraform CLI. +The Oracle Enterprise Landing Zone can be launched through Oracle Resource Manager or from the Terraform CLI. ## Terraform CLI -1. Have Terraform installed on the system you will deploy from. 
The Enterprise Scale Baseline Landing Zone should work with any version of Terraform greater than 1.0.0, including the latest version (currently 1.3.9). If you do not have Terraform already installed, the [Terraform Download page](https://developer.hashicorp.com/terraform/downloads) will have links for the proper package for your system, and installation instructions. +1. Have Terraform installed on the system you will deploy from. The Oracle Enterprise Landing Zone should work with any version of Terraform greater than 1.0.0, including the latest version (currently 1.3.9). If you do not have Terraform already installed, the [Terraform Download page](https://developer.hashicorp.com/terraform/downloads) will have links for the proper package for your system, and installation instructions. 2. Set up API keys to work with your OCI account. Follow the instructions [here](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm). 3. Visit the [GitHub page](https://github.com/oracle-quickstart/oci-landing-zones) to clone the Terraform template. -4. In the repository, cd to the `templates/enterprise-landing-zone/` directory. This is the main template for the Enterprise Scale Baseline Landing Zone. (the other templates will allow you to deploy other components, such as additional Environments or Workloads, or to deploy pieces of the Enterprise Scale Baseline Landing Zone architecture for use in your own custom infrastructure designs.) +4. In the repository, cd to the `templates/enterprise-landing-zone/` directory. This is the main template for the Oracle Enterprise Landing Zone. (the other templates will allow you to deploy other components, such as additional Environments or Workloads, or to deploy pieces of the Oracle Enterprise Landing Zone architecture for use in your own custom infrastructure designs.) 5. Create a terraform.tfvars file in the directory and populate it with the required variables or override existing variables. 
**For reference on the configuration variable values read the [Configuration Guide](CONFIGURATION.md). For a full list of all available configuration variables see the [Input Variables Reference in the README](README.md#inputs)** @@ -253,9 +253,9 @@ In the Stack page use the appropriate buttons to plan/apply/destroy your stack. - [Resource Manager Overview](https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm) -## Teardown and destroy of an Enterprise Scale Baseline Landing Zone stack +## Teardown and destroy of an Oracle Enterprise Landing Zone stack -If you wish to delete an entire Enterprise Scale Baseline Landing Zone stack, there are a few resources that will require some manual intervention due to dependancies or conditions that are outside of Terraform's knowledge. +If you wish to delete an entire Oracle Enterprise Landing Zone stack, there are a few resources that will require some manual intervention due to dependancies or conditions that are outside of Terraform's knowledge. The steps to clean up these resources is as follows: 
@@ -274,15 +274,15 @@ The steps to clean up these resources is as follows: 3. Vault/Key (For each Environment) * The vault cannot be deleted right away. Vaults have a minimum 7-Day waiting period before deletion. This is because once the Vault is deleted, all data encrypted with keys in that Vault becomes unreadable. - * You can move the vault and the Master Encryption Key to another compartment outside the Enterprise Scale Baseline Landing Zone home before deleting it in order to delete the landing zone. - * Or you can schedule a deletion for the key and the vault, and then wait to delete the Enterprise Scale Baseline Landing Zone when the Vault and key have been deleted. + * You can move the vault and the Master Encryption Key to another compartment outside the Oracle Enterprise Landing Zone home before deleting it in order to delete the landing zone. + * Or you can schedule a deletion for the key and the vault, and then wait to delete the Oracle Enterprise Landing Zone when the Vault and key have been deleted. 4. Logging Analytics * Purge the log: navigate to the Administration page of Logging Analytics → click the storage under the Resources section → Purge Logs * (Optional) Delete the Logging Analytics group. -Once these resources have been removed, you will be able to use Terraform to delete the rest of the Enterprise Scale Baseline Landing Zone. If using terraform CLI: run `terraform destroy` to remove other resources. If using ORM: navigate to the corresponding stack created and click `Destroy`. +Once these resources have been removed, you will be able to use Terraform to delete the rest of the Oracle Enterprise Landing Zone. If using terraform CLI: run `terraform destroy` to remove other resources. If using ORM: navigate to the corresponding stack created and click `Destroy`. #### Cleanup Script A clean up script is provided to assist in cleaning up lingering resources that block terraform destroy. 
@@ -317,7 +317,7 @@ python destroy_lz.py --help ## Known Issues --- -These are some known temporary issues that can occur while deploying the Enterprise Scale Baseline Landing Zone. +These are some known temporary issues that can occur while deploying the Oracle Enterprise Landing Zone. * 400-InvalidParameter Error in CreateServiceConnector operation: This can occasionally happen due to logs taking longer than normal to create while setting up the logging infrastructure. This will correct itself when the logs finish creating. Later Apply jobs in ORM or invocations of `terraform apply` should succeed. * 429-TooManyRequests Error: A tenancy making a large number of OCI API requests in rapid succession may be throttled by the API. The solution is to wait some period of time (a few minutes) and retry the terraform operation again. This is rarely seen on `apply` but may occasionally be seen on `destroy` runs, as the delete operations are much faster than create, and Terraform makes many API calls. \ No newline at end of file diff --git a/templates/enterprise-landing-zone/README.md b/templates/enterprise-landing-zone/README.md index 0ef2f29a..d6e20604 100644 --- a/templates/enterprise-landing-zone/README.md +++ b/templates/enterprise-landing-zone/README.md @@ -1,6 +1,6 @@ -# Enterprise Scale Baseline Landing Zone +# Oracle Enterprise Landing Zone -Version 2 of Enterprise Scale Baseline Landing Zone +Version 2 of Oracle Enterprise Landing Zone ## Requirements diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index c0afcd29..b345f589 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf 
@@ -39,8 +39,9 @@ module "prod_environment" {
 budget_alert_rule_recipients = var.prod_budget_alert_rule_recipients
 enable_cloud_guard = var.enable_cloud_guard
 cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
- is_create_alarms = var.is_create_alarms
- domain_license_type = var.domain_license_type
+ is_create_alarms = var.is_create_alarms
+ is_service_connector_limit = var.is_service_connector_limit
+ domain_license_type = var.domain_license_type
 home_compartment_name = var.home_compartment_name
 enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect
@@ -174,6 +175,7 @@ module "nonprod_environment" {
 budget_alert_rule_message = var.nonprod_budget_alert_rule_message
 budget_alert_rule_recipients = var.nonprod_budget_alert_rule_recipients
 is_create_alarms = var.is_create_alarms
+ is_service_connector_limit = var.is_service_connector_limit
 domain_license_type = var.domain_license_type
 enable_cloud_guard = var.enable_cloud_guard
 cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars
index af8a6599..a7382700 100644
--- a/templates/enterprise-landing-zone/example.tfvars
+++ b/templates/enterprise-landing-zone/example.tfvars
@@ -94,4 +94,6 @@ nonprod_workload_topic_endpoints = []
 # Workload Expansion
 prod_additional_workload_subnets_cidr_blocks = []
-nonprod_additional_workload_subnets_cidr_blocks = []
\ No newline at end of file
+nonprod_additional_workload_subnets_cidr_blocks = []
+prod_workload_compartment_names = []
+nonprod_workload_compartment_names = []
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/integration.tfvars b/templates/enterprise-landing-zone/integration.tfvars
index 28303ecb..346e3016 100644
--- a/templates/enterprise-landing-zone/integration.tfvars
+++ b/templates/enterprise-landing-zone/integration.tfvars
@@ -74,5 +74,5 @@ nonprod_enable_tagging = true
 onboard_log_analytics = false
 # Workload Expansion
-prod_additional_workload_subnets_cidr_blocks = []
-nonprod_additional_workload_subnets_cidr_blocks = []
\ No newline at end of file
+# prod_additional_workload_subnets_cidr_blocks = []
+# nonprod_additional_workload_subnets_cidr_blocks = []
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/outputs.tf b/templates/enterprise-landing-zone/outputs.tf
index 9bc54a48..85f15e62 100644
--- a/templates/enterprise-landing-zone/outputs.tf
+++ b/templates/enterprise-landing-zone/outputs.tf
@@ -25,6 +25,9 @@ output "prod_environment" {
 hub_private_subnet_cidr = module.prod_environment.hub_private_subnet_cidr
 drg_id = module.prod_environment.drg_id
 identity_domain = module.prod_environment.identity_domain
+ workload_compartment_name = module.prod_environment.workload_compartment_name
+ workload_compartment_id = module.prod_environment.workload_compartment_id
+ workload_subnet_cidr_blocks = module.prod_environment.workload_subnet_cidr_blocks
 }
 }
@@ -38,5 +41,8 @@ output "nonprod_environment" {
 hub_private_subnet_cidr = module.nonprod_environment.hub_private_subnet_cidr
 drg_id = module.nonprod_environment.drg_id
 identity_domain = module.nonprod_environment.identity_domain
+ workload_compartment_name = module.nonprod_environment.workload_compartment_name
+ workload_compartment_id = module.nonprod_environment.workload_compartment_id
+ workload_subnet_cidr_blocks = module.nonprod_environment.workload_subnet_cidr_blocks
 }
 }
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/read_workload_vars.py b/templates/enterprise-landing-zone/read_workload_vars.py
new file mode 100644
index 00000000..737e4c3e
--- /dev/null
+++ b/templates/enterprise-landing-zone/read_workload_vars.py
@@ -0,0 +1,65 @@
+import json
+import argparse
+
+
+def get_workload_vars(json_file):
+ with open(json_file, 'r') as f:
+ wrk_output = json.load(f)
+
+ cmp_name = wrk_output.get("compartment_name", {}).get("value")
+ subnets = wrk_output.get("subnet_cidr_blocks", {}).get("value", [])
+
+ return cmp_name, subnets
+
+def get_from_env(base_output, env_name):
+ env_output = base_output.get(env_name, {}).get("value", {})
+ cmp_name = env_output.get("workload_compartment_name")
+ return cmp_name
+
+def hcltuple(items):
+ # HCL is picky about quotes, and we'd rather not add the HCL lib dependency...
+ return "[" + ", ".join([f"\"{i}\"" for i in items]) + "]"
+
+def read_workload_vars(env, base_json_file, we_json_files=None):
+ if not we_json_files:
+ we_json_files = []
+ compartment_names = []
+ subnets = []
+ env_name = f"{env}_environment"
+
+ with open(base_json_file, 'r') as f:
+ terr_out = json.load(f)
+ cname = get_from_env(terr_out, env_name)
+ if cname:
+ compartment_names.append(cname)
+
+ for wfile in we_json_files:
+ cname, subs = get_workload_vars(wfile)
+ if cname:
+ compartment_names.append(cname)
+ for sn in subs:
+ subnets.append(sn)
+
+ print(f"{env}_additional_workload_subnets_cidr_blocks = {hcltuple(subnets)}")
+ print(f"{env}_workload_compartment_names = {hcltuple(compartment_names)}")
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Script to read workload-related outputs from base and workload expansion(s)")
+
+ parser.add_argument('-f', '--base-output-file',
+ required=True,
+ help="File containing output of `terraform output -json` in base landing zone")
+
+ parser.add_argument('-p', '--prod-workload-output',
+ action='append',
+ help="File containing output of `terraform output -json` in workload expansion")
+
+ parser.add_argument('-n', '--nonprod-workload-output',
+ action='append',
+ help="File containing output of `terraform output -json` in workload expansion")
+
+
+ args = parser.parse_args()
+ read_workload_vars("prod", args.base_output_file, args.prod_workload_output)
+ read_workload_vars("nonprod", args.base_output_file, args.nonprod_workload_output)
diff --git a/templates/enterprise-landing-zone/schema.yaml b/templates/enterprise-landing-zone/schema.yaml
index d0d082a0..e89980ad 100644
--- a/templates/enterprise-landing-zone/schema.yaml
+++ b/templates/enterprise-landing-zone/schema.yaml
@@ -1,5 +1,5 @@
-title: Enterprise Scale Baseline Landing Zone 2.0
-description: Enterprise Scale Baseline Landing Zone 2.0 developed by OCI
+title: Oracle Enterprise Landing Zone 2.0
+description: Oracle Enterprise Landing Zone 2.0 developed by OCI
 schemaVersion: 1.0.0
 version: "1.0.0"
 locale: en
@@ -41,6 +41,8 @@ variableGroups:
 - nonprod_workload_admin_group_name
 - nonprod_application_admin_group_name
 - nonprod_database_admin_group_name
+ - prod_workload_compartment_names
+ - nonprod_workload_compartment_names
 - title: Security Variables
 visible: true
 variables:
@@ -1197,4 +1199,18 @@ variables:
 required: false
 default: [ ]
 visible: show_fastconnect_variables
- title: Customer Onprem IP CIDR
\ No newline at end of file
+ title: Customer Onprem IP CIDR
+ prod_workload_compartment_names:
+ type: array
+ items:
+ type: string
+ required: false
+ title: Workload Compartment Name from Workload Expansion in Prod
+ description: "A list of workload compartment name from Workload Expansion in Prod"
+ nonprod_workload_compartment_names:
+ type: array
+ items:
+ type: string
+ required: false
+ title: Workload Compartment Name from Workload Expansion in Non-Prod
+ description: "A list of workload compartment name from Workload Expansion in Non-Prod"
\ No newline at end of file
diff --git a/templates/enterprise-landing-zone/variables.tf b/templates/enterprise-landing-zone/variables.tf
index ba4485c1..5ad82211 100644
--- a/templates/enterprise-landing-zone/variables.tf
+++ b/templates/enterprise-landing-zone/variables.tf
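Review bot: `hcltuple` wraps each item in double quotes without escaping, so a compartment name or CIDR containing `"` or `\` would produce broken or altered HCL in the generated tfvars; since every value already came out of `json.load`, `return json.dumps(list(items))` yields the same `["a", "b"]` shape with proper escaping and removes the hand-rolled quoting. HCL still treats `${` inside a quoted string as interpolation, so if such names are possible a note that they need `$${` would belong next to the function. Separately, the `-p` and `-n` help strings are identical; name the environment each feeds (`"... in prod workload expansion"` / `"... in nonprod workload expansion"`), and `for sn in subs: subnets.append(sn)` reads more directly as `subnets.extend(subs)`.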
@@ -643,6 +643,11 @@ variable "is_create_alarms" {
 default = true
 description = "Enable Alarms Creation in all Compartment"
 }
+variable "is_service_connector_limit" {
+ type = bool
+ default = false
+ description = "Restrict Number of Service Connector Deployment in Tenancy if limit is two"
+}
 variable "prod_enable_security_monitoring_alarms" {
 type = bool
 default = false
diff --git a/templates/freetrial-landing-zone/Architecture_Guide.md b/templates/freetrial-landing-zone/Architecture_Guide.md
index 16524283..44b17b2d 100644
--- a/templates/freetrial-landing-zone/Architecture_Guide.md
+++ b/templates/freetrial-landing-zone/Architecture_Guide.md
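Review bot: The description of the new `is_service_connector_limit` variable states a condition rather than an effect, so a reader cannot tell which resources are skipped when it is true. In the freetrial template the flag sets `count = 0` on the archive audit-log and default-log service connectors; if the elz-environment module behaves the same way, say so: `description = "Set to true in tenancies whose Service Connector limit is 2 (e.g. Free Trial); the optional archive service connectors are then not created."`. The same wording applies to the copy of this variable added in templates/freetrial-landing-zone/variables.tf.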
@@ -4,7 +4,7 @@ The Oracle Enterprise Landing Zone "OELZ" provides the baseline architectural framework for your organization to deploy new projects and workloads on OCI. The landing zone consists of Terraform modules, the architectural documentation, and an implementation guide. The landing zone helps you quickly and securely create a foundation for your cloud deployment based on Oracle recommendations, customer experience, and industry-standard best practices. -OELZ is a set of Terraform modules that are designed to make it easy to set up a secure and compliant multi-account infrastructure on OCI. Some common use cases for OCI Enterprise Scale Baseline Landing Zone include: +OELZ is a set of Terraform modules that are designed to make it easy to set up a secure and compliant multi-account infrastructure on OCI. Some common use cases for OCI Oracle Enterprise Landing Zone include: - Governance and compliance: The OELZ provides a set of pre-built policies and guardrails that help ensure that your OCI environment is compliant with industry standards, such as ISO27001 and PCI DSS (these and other compliance standards will be part of ongoing releases). - Automation and scalability: The Landing Zone can be used to automate the creation of new accounts, users, and resources on OCI, making it easy to scale your infrastructure as your organization grows. @@ -31,7 +31,7 @@ Resiliency depends on the nature, architecture, and implementation of the worklo ## **_Security_** -The Enterprise Scale Baseline Landing Zone follows best practices for security design principles. +The Oracle Enterprise Landing Zone follows best practices for security design principles. - Design for attackers - Limit permissions based on requirements diff --git a/templates/freetrial-landing-zone/IMPLEMENTATION.md b/templates/freetrial-landing-zone/IMPLEMENTATION.md index 41dc624a..4abede03 100644 --- a/templates/freetrial-landing-zone/IMPLEMENTATION.md 
+++ b/templates/freetrial-landing-zone/IMPLEMENTATION.md 
@@ -32,13 +32,13 @@ The tenancy you intend to deploy the OELZ to. The Logging Analytics service should be enabled for the tenancy. To check the current status of Logging Analytics for a tenancy, visit the [Logging Analytics home page][1]. -There will be a dark grey box at the top of the page. On the right hand side of that box, if Logging analytics has *not* been enabled, there will be a notice that Logging Analytics has not been enabled for the tenancy, and a blue button to enable it. To enable it, click the blue button, and wait for the 3 onboarding steps to complete. No further action will be required, as the Enterprise Scale Baseline Landing Zone will configure the needed datasources. +There will be a dark grey box at the top of the page. On the right hand side of that box, if Logging analytics has *not* been enabled, there will be a notice that Logging Analytics has not been enabled for the tenancy, and a blue button to enable it. To enable it, click the blue button, and wait for the 3 onboarding steps to complete. No further action will be required, as the Oracle Enterprise Landing Zone will configure the needed datasources. ### Resource Limits Most of the initial resource limits a new tenancy comes with should be sufficient to deploy 1 OELZ, with 1 environments and 1 workload each. -However, there are some resource limits that will need to be increased in order to deploy the Enterprise Scale Baseline Landing Zone. Below is a table listing the Terraform OCI resource names and numbers deployed please ensure your tenancy has sufficient limts before deploying the Enterprise Scale Baseline Landing Zone: +However, there are some resource limits that will need to be increased in order to deploy the Oracle Enterprise Landing Zone. 
Below is a table listing the Terraform OCI resource names and numbers deployed please ensure your tenancy has sufficient limts before deploying the Oracle Enterprise Landing Zone: https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm @@ -47,7 +47,7 @@ Requests to raise these limits can be done through the [request a service limit [1]: https://cloud.oracle.com/loganalytics/home "Logging Analytics Home page." [2]: https://cloud.oracle.com/support/create?type=limit "Request a service Limit Increase." -## Enterprise Scale Baseline Landing Zone Compartment Architecture +## Oracle Enterprise Landing Zone Compartment Architecture --- ![Architecture](<../../images/LZ-v2.0.png> "Architecture") @@ -56,9 +56,9 @@ This architecture diagram illustrates the compartments Enterprise LZ deployments ### Compartment Structure -For the Enterprise Scale Baseline Landing Zone, we have the below compartment architecture: +For the Oracle Enterprise Landing Zone, we have the below compartment architecture: -* Enterprise Scale Baseline Landing Zone Home Compartment +* Oracle Enterprise Landing Zone Home Compartment * Prod * Shared Infrastructure * Network 
@@ -89,18 +89,18 @@ Environment will have its own identity domain with free tier identity domain. Th --- Each environment will have it's own independent network configuration. The network architecture is a "Hub and Spoke" design. It is built around OCI's Dynamic Routing Gateway (DRG), which acts as central router. It can connect together multiple virtual networks like hub and spoke vcn. -## Deployment of The Enterprise Scale Baseline Landing Zone +## Deployment of The Oracle Enterprise Landing Zone ## For customers who already have Infrastructure in OCI -If you already have infrastructure deployed in OCI and are looking to explore a best-practices infrastructure architecture with Enterprise Scale Baseline Landing Zone, you may want to create a new [Child Tenancy](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) to deploy the Enterprise Scale Baseline Landing Zone in. This will guarantee there are no conflicts with existing infrastructure. +If you already have infrastructure deployed in OCI and are looking to explore a best-practices infrastructure architecture with Oracle Enterprise Landing Zone, you may want to create a new [Child Tenancy](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) to deploy the Oracle Enterprise Landing Zone in. This will guarantee there are no conflicts with existing infrastructure. -Note that child tenancies have their own [resource limits](#resource-limits), which should be checked to confirm the Enterprise Scale Baseline Landing Zone can be deployed. +Note that child tenancies have their own [resource limits](#resource-limits), which should be checked to confirm the Oracle Enterprise Landing Zone can be deployed. ## How to Deploy --- -The Enterprise Scale Baseline Landing Zone can be launched through Oracle Resource Manager or from the Terraform CLI. 
+The Oracle Enterprise Landing Zone can be launched through Oracle Resource Manager or from the Terraform CLI. ## Terraform CLI @@ -206,7 +206,7 @@ python destroy_lz.py --help ## Known Issues --- -These are some known temporary issues that can occur while deploying the Enterprise Scale Baseline Landing Zone. +These are some known temporary issues that can occur while deploying the Oracle Enterprise Landing Zone. * 400-InvalidParameter Error in CreateServiceConnector operation: This can occasionally happen due to logs taking longer than normal to create while setting up the logging infrastructure. This will correct itself when the logs finish creating. Later Apply jobs in ORM or invocations of `terraform apply` should succeed. * 429-TooManyRequests Error: A tenancy making a large number of OCI API requests in rapid succession may be throttled by the API. The solution is to wait some period of time (a few minutes) and retry the terraform operation again. This is rarely seen on `apply` but may occasionally be seen on `destroy` runs, as the delete operations are much faster than create, and Terraform makes many API calls. \ No newline at end of file diff --git a/templates/freetrial-landing-zone/README.md b/templates/freetrial-landing-zone/README.md index 7e242c79..d158a204 100644 --- a/templates/freetrial-landing-zone/README.md +++ b/templates/freetrial-landing-zone/README.md @@ -1,6 +1,6 @@ -# Enterprise Scale Baseline Landing Zone +# Oracle Enterprise Landing Zone -Version 2 of Enterprise Scale Baseline Landing Zone +Version 2 of Oracle Enterprise Landing Zone ## Requirements diff --git a/templates/freetrial-landing-zone/environment.tf b/templates/freetrial-landing-zone/environment.tf index eb460e08..61106682 100644 --- a/templates/freetrial-landing-zone/environment.tf +++ b/templates/freetrial-landing-zone/environment.tf 
@@ -38,6 +38,7 @@ module "prod_environment" {
 budget_alert_rule_recipients = var.prod_budget_alert_rule_recipients
 enable_cloud_guard = var.enable_cloud_guard
 is_create_alarms = var.is_create_alarms
+ is_service_connector_limit = var.is_service_connector_limit
 domain_license_type = var.domain_license_type
 cloud_guard_target_tenancy = var.cloud_guard_target_tenancy
diff --git a/templates/freetrial-landing-zone/livelab.tfvars b/templates/freetrial-landing-zone/livelab.tfvars
index 26ed04a2..4d8ba62d 100644
--- a/templates/freetrial-landing-zone/livelab.tfvars
+++ b/templates/freetrial-landing-zone/livelab.tfvars
@@ -8,7 +8,6 @@ #api_fingerprint = "" #api_private_key_path = ""
-
 # iam
 resource_label = "LIVELAB"
 enable_compartment_delete = false
@@ -16,6 +15,7 @@ prod_domain_admin_email = ""
 # security
 enable_cloud_guard = false
 cloud_guard_target_tenancy = false
+is_service_connector_limit = true
 prod_enable_bastion = true
 prod_bastion_client_cidr_block_allow_list = ["0.0.0.0/0"]
diff --git a/templates/freetrial-landing-zone/logging.tf b/templates/freetrial-landing-zone/logging.tf
index cff6481d..4e9b84cf 100644
--- a/templates/freetrial-landing-zone/logging.tf
+++ b/templates/freetrial-landing-zone/logging.tf
@@ -87,7 +87,6 @@ locals {
 ]
 }
 }
-
 module "service_connector_policy" {
 source = "../../modules/policies"
 compartment_ocid = module.home_compartment.compartment_id
@@ -146,6 +145,8 @@ module "archive_bucket" {
 }
 module "prod_archive_audit_log_service_connector" {
+ count = var.is_service_connector_limit ? 0 : 1
+
 source = "../../modules/service-connector"
 tenancy_ocid = var.tenancy_ocid
 compartment_id = module.prod_environment.compartment.security.id
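Review bot: Adding `count` to `module "prod_archive_audit_log_service_connector"` turns it into a list-valued module, so any reference to its outputs elsewhere in the template now needs `[0]` and a guard for the empty case; none is visible in this hunk, so please confirm with `terraform validate`. The same applies to `prod_archive_default_log_service_connector` in the next hunk, while `prod_archive_service_events_service_connector` keeps no `count`, so with the flag set this file still creates one connector — whether the total, including any the environment module creates, fits the two-connector limit the variable description refers to is not visible here. A short comment above each `count` line would help the next reader: `# Skipped when the tenancy's Service Connector limit is 2 (var.is_service_connector_limit).`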
@@ -158,23 +159,10 @@ module "prod_archive_audit_log_service_connector" {
 depends_on = [module.archive_bucket, module.service_connector_archive_policy]
 }
-/*
-module "nonprod_archive_audit_log_service_connector" {
- source = "../../modules/service-connector"
- tenancy_ocid = var.tenancy_ocid
- compartment_id = module.nonprod_environment.compartment.security.id
- source_compartment_id = module.home_compartment.compartment_id
- display_name = local.nonprod_archive_audit_log_service_connector.display_name
- source_kind = local.nonprod_archive_audit_log_service_connector.source_kind
- target_kind = local.nonprod_archive_audit_log_service_connector.target_kind
- log_group_id = local.nonprod_archive_audit_log_service_connector.log_group_id
- target_bucket = local.nonprod_archive_audit_log_service_connector.target_bucket
-
- depends_on = [module.archive_bucket, module.service_connector_archive_policy]
-}
-*/
 module "prod_archive_default_log_service_connector" {
+ count = var.is_service_connector_limit ? 0 : 1
 source = "../../modules/service-connector"
+ tenancy_ocid = var.tenancy_ocid
 compartment_id = module.prod_environment.compartment.security.id
 source_compartment_id = module.prod_environment.compartment.security.id
@@ -186,21 +174,6 @@ module "prod_archive_default_log_service_connector" {
 depends_on = [module.archive_bucket, module.service_connector_archive_policy]
 }
-/*
-module "nonprod_archive_default_log_service_connector" {
- source = "../../modules/service-connector"
- tenancy_ocid = var.tenancy_ocid
- compartment_id = module.nonprod_environment.compartment.security.id
- source_compartment_id = module.nonprod_environment.compartment.security.id
- display_name = local.nonprod_archive_default_log_service_connector.display_name
- source_kind = local.nonprod_archive_default_log_service_connector.source_kind
- target_kind = local.nonprod_archive_default_log_service_connector.target_kind
- log_group_id = module.nonprod_environment.default_group_id
- target_bucket = local.nonprod_archive_default_log_service_connector.target_bucket
-
- depends_on = [module.archive_bucket, module.service_connector_archive_policy]
-}
-*/
 module "prod_archive_service_events_service_connector" {
 source = "../../modules/service-connector"
 tenancy_ocid = var.tenancy_ocid
@@ -215,22 +188,6 @@ module "prod_archive_service_events_service_connector" {
 depends_on = [module.archive_bucket, module.service_connector_archive_policy]
 }
-/*
-module "nonprod_archive_service_events_service_connector" {
- source = "../../modules/service-connector"
- tenancy_ocid = var.tenancy_ocid
- compartment_id = module.nonprod_environment.compartment.security.id
- source_compartment_id = module.nonprod_environment.compartment.security.id
- display_name = local.nonprod_archive_service_events_service_connector.display_name
- source_kind = local.nonprod_archive_service_events_service_connector.source_kind
- target_kind = local.nonprod_archive_service_events_service_connector.target_kind
- stream_id = module.nonprod_environment.stream_id
- cursor_kind = local.nonprod_archive_service_events_service_connector.cursor_kind
- target_bucket = local.nonprod_archive_service_events_service_connector.target_bucket
-
- depends_on = [module.archive_bucket, module.service_connector_archive_policy]
-}
-*/
 module "prod_platform_admin_policy" {
 source = "../../modules/policies"
 compartment_ocid = module.home_compartment.compartment_id
@@ -240,14 +197,4 @@ module "prod_platform_admin_policy" {
 depends_on = [module.home_compartment]
 }
-/*
-module "nonprod_platform_admin_policy" {
- source = "../../modules/policies"
- compartment_ocid = module.home_compartment.compartment_id
- policy_name = local.nonprod_platform_admin_policy.name
- description = local.nonprod_platform_admin_policy.description
- statements = local.nonprod_platform_admin_policy.statements
- depends_on = [module.home_compartment]
-}
-*/
diff --git a/templates/freetrial-landing-zone/schema.yaml b/templates/freetrial-landing-zone/schema.yaml
index 2462837a..b691dc24 100644
--- a/templates/freetrial-landing-zone/schema.yaml
+++ b/templates/freetrial-landing-zone/schema.yaml
@@ -27,6 +27,9 @@ variableGroups:
 - title: Security Variables
 visible: true
 variables:
+ - enable_cloud_guard
+ - cloud_guard_target_tenancy
+ - is_service_connector_limit
 - prod_enable_bastion
 - prod_bastion_client_cidr_block_allow_list
 - title: Budget Variables
@@ -127,8 +130,6 @@ variableGroups:
 - virtual_circuit_customer_asn
 - virtual_circuit_display_name
 - virtual_circuit_type
- - cloud_guard_target_tenancy
- - enable_cloud_guard
 - prod_application_admin_group_name
 - prod_network_admin_group_name
 - prod_security_admin_group_name
@@ -293,16 +294,22 @@ variables:
 # Security Variables
 enable_cloud_guard:
 type: boolean
- description: "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
+ description: "False for Free-Trial OCI Account"
 default: false
- required: false
+ required: true
 title: Enable Cloud Guard
 cloud_guard_target_tenancy:
 type: boolean
- description: "true if cloud guard targets to tenancy, false if cloud guard targets to Landing Zone home compartment."
+ description: "False for Free-Trial OCI Account"
 default: false
- required: false
+ required: true
 title: Cloud Guard Target Tenancy
+ is_service_connector_limit:
+ type: boolean
+ description: "True for Free-Trial OCI Account: As Service Connector Limit is 2"
+ default: true
+ required: true
+ title: Service Connector Limit
 prod_enable_bastion:
 type: boolean
 description: "Option to enable bastion service in prod"
diff --git a/templates/freetrial-landing-zone/variables.tf b/templates/freetrial-landing-zone/variables.tf
index e2687d1c..85966d20 100644
--- a/templates/freetrial-landing-zone/variables.tf
+++ b/templates/freetrial-landing-zone/variables.tf
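Review bot: The new `enable_cloud_guard` and `cloud_guard_target_tenancy` descriptions (`"False for Free-Trial OCI Account"`) drop the explanation of what each flag does, and they now disagree with variables.tf, which keeps the original wording for `enable_cloud_guard`. Keep both parts: `description: "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. Leave false for a Free-Trial OCI account."` and the equivalent sentence for the target-tenancy flag. The `is_service_connector_limit` description would likewise read better as an effect, e.g. `"True for a Free-Trial OCI account, whose Service Connector limit is 2: optional archive service connectors are then not created"`.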
@@ -231,7 +231,7 @@ variable "nonprod_budget_alert_rule_recipients" {
 # -----------------------------------------------------------------------------
 variable "enable_cloud_guard" {
 type = bool
- default = true
+ default = false
 description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled."
 }
@@ -455,6 +455,11 @@ variable "is_create_alarms" {
 default = false
 description = "Enable Alarms Creation in all Compartment"
 }
+variable "is_service_connector_limit" {
+ type = bool
+ default = true
+ description = "Restrict Number of Service Connector Deployment in Tenancy if limit is two"
+}
 variable "prod_enable_security_monitoring_alarms" {
 type = bool
 default = false
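Review bot: `enable_cloud_guard` now defaults to `false`, which — going by its own description — means a freetrial deployment that does not set the variable presumably ends up without the Cloud Guard configuration the template would otherwise create, yet the description is unchanged and gives no hint of the new default or its reason. Carry the rationale stated in schema.yaml into the variable: `description = "true if you don't have cloud guard enabled, false if you've already have cloud guard enabled. Defaults to false in the Free-Trial template."`. If the real reason is that Cloud Guard is unavailable on trial accounts, state that instead so operators know whether to turn it back on.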