This template shows how to deploy a CIS-compliant landing zone using OCI Core Landing Zone configured with a Hub & Spoke networking topology, including a Jump Host with the Bastion service enabled. It deploys a Jump Host running Oracle Linux 8 in the Jump Host subnet of the Hub VCN, a Bastion service targeting the Jump Host, a Three-Tier VCN, and an Exadata VCN, which are peered through the DRG. The DRG is configured to route traffic across all VCNs.
Please see other templates available for CIS compliant landing zones with custom configurations.
This template has the following parameters set:
Variable Name | Description | Value |
---|---|---|
service_label | A unique identifier to prefix the resources | ocibastion |
define_net | Check to define networking resources. By default, the Landing Zone does NOT deploy any networks. | true |
hub_deployment_option | The hub deployment option. In this case, a DRG is deployed to act as the hub in the Hub/Spoke topology. | "VCN or on-premises connectivity routing through DMZ VCN with Network Virtual Appliance (DRG and DMZ VCN will be created)" |
hub_vcn_cidrs | Hub VCN list of CIDR Blocks | ["192.168.0.0/24"] |
deploy_bastion_jump_host | The option to deploy the bastion jump host. | true |
deploy_bastion_service | The option to deploy the bastion service. | true |
bastion_service_allowed_cidrs | List of the bastion service allowed cidrs. | ["x.x.x.x"] |
add_tt_vcn1 | When true, deploys three-tier VCN 1 with three subnets: web (public by default), application (private) and database (private). An optional subnet (private by default) for bastion deployment is also available. | true |
tt_vcn1_cidrs | Three-tier VCN 1 CIDR blocks. | ["10.0.0.0/20"] |
tt_vcn1_attach_to_drg | When true, attaches three-tier VCN 1 to the DRG. | true |
add_exa_vcn1 | When true, deploys a VCN configured for Exadata Cloud Service deployment. | true |
exa_vcn1_cidrs | Exa VCN 1 CIDR blocks. | ["172.16.0.0/20"] |
exa_vcn1_attach_to_drg | When true, the VCN is attached to the DRG, enabling cross-VCN traffic routing. | true |
network_admin_email_endpoints | List of email addresses that receive notifications for networking related events. | ["[email protected]"] |
security_admin_email_endpoints | List of email addresses that receive notifications for security related events. | ["[email protected]"] |
enable_cloud_guard | When true, the OCI Cloud Guard service is enabled. Set to false if it has already been enabled through other means. | false |
For a detailed description of all variables that can be used, see the Variables documentation.
This template can be deployed using OCI Resource Manager Service (RMS) or Terraform CLI:
By clicking the button below, you are redirected to an OCI RMS Stack with variables pre-assigned for deployment.
You are required to review/adjust the following variable settings:
- Make sure to pick an OCI region for deployment.
- Provide real email addresses in the Network Admin Email Endpoints and Security Admin Email Endpoints fields.
- Provide the real CIDR block(s) used to access the Bastion service in the bastion_service_allowed_cidrs field.
- Uncheck the Enable Cloud Guard Service option if it is already enabled in your tenancy.
With the stack created, perform a Plan, followed by an Apply, using the RMS UI.
- Rename file main.tf.template to main.tf.
- Provide/review the variable assignments in main.tf.
- In this folder, execute the typical Terraform workflow:
  - `terraform init`
  - `terraform plan`
  - `terraform apply`
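The bastion allowed CIDRs and the admin email endpoints are the settings most often left at their placeholder values before a plan is run. The following pre-apply check is an added example, not part of the template or of OCI Core Landing Zone: it reads a `terraform.tfvars.json` file (a variable-file format Terraform accepts natively) and reports bastion_service_allowed_cidrs entries that are placeholders, overly wide, or open to every source, plus email endpoints that still point at example domains. The `MIN_BASTION_PREFIX` threshold and the sample values are assumptions.

```python
import ipaddress
import json
import re

# Added pre-apply check (not part of the template): flags the settings this template requires you to adjust.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PLACEHOLDER_DOMAINS = {"example.com", "example.org", "example.net"}
MIN_BASTION_PREFIX = 16  # widest prefix tolerated for bastion access (assumed policy, adjust to taste)

def check_cidrs(cidrs):
    """Findings for bastion_service_allowed_cidrs: placeholders, malformed entries, or too wide."""
    findings = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # the template's "x.x.x.x" raises here
        except ValueError:
            findings.append(f"bastion CIDR {cidr!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            findings.append(f"bastion CIDR {cidr} allows every source address")
        elif net.prefixlen < MIN_BASTION_PREFIX:
            findings.append(f"bastion CIDR {cidr} is wider than /{MIN_BASTION_PREFIX}")
    return findings

def check_emails(name, addresses):
    """Findings for an *_email_endpoints list: malformed or example-domain addresses."""
    findings = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        if not EMAIL_RE.match(addr) or domain in PLACEHOLDER_DOMAINS:
            findings.append(f"{name} contains placeholder address {addr!r}")
    return findings

def check_tfvars(text):
    """Return all findings for a terraform.tfvars.json document (empty list means OK to plan)."""
    tfvars = json.loads(text)
    findings = []
    if tfvars.get("deploy_bastion_service"):  # CIDRs only matter when the service is deployed
        findings += check_cidrs(tfvars.get("bastion_service_allowed_cidrs", []))
    for key in ("network_admin_email_endpoints", "security_admin_email_endpoints"):
        findings += check_emails(key, tfvars.get(key, []))
    return findings

# Constructed sample mirroring the template's placeholder defaults (not a real tenancy's values).
TEMPLATE_DEFAULTS = json.dumps({
    "deploy_bastion_service": True, "bastion_service_allowed_cidrs": ["x.x.x.x"],
    "network_admin_email_endpoints": ["netadmin@example.com"],
    "security_admin_email_endpoints": ["secadmin@example.com"],
})
```

Run `check_tfvars` on your own variable file before `terraform plan`; three findings come back for the template defaults above, and an empty list means the placeholders have been replaced.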