
Repository Details

Quickstart Terraform configuration for tenancy setup according to CIS OCI Foundations Benchmark.

Deploy_To_OCI

If you are logged into your OCI tenancy, the button takes you directly to OCI Resource Manager, where you can proceed to deploy. If you are not logged in, the button takes you to the Oracle Cloud initial page, where you must enter your tenancy name and log in to OCI.

Check our Live Lab for key use cases and hands-on deployment experience!

CIS OCI Landing Zone Quick Start Template

Table of Contents

  1. Overview
  2. Deliverables
  3. Architecture
    1. IAM
    2. Network
    3. Diagram
  4. Deployment Guide
  5. Executing Instructions
    1. Terraform Configuration
    2. Compliance Checking
  6. Blog Posts
  7. CIS OCI Foundations Benchmark Modules Collection
  8. Feedback
  9. Known Issues
  10. Contribute
  11. Frequently Asked Questions

Overview

This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the CIS OCI Foundations Benchmark v1.2.

The template uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:

  • IAM (Identity & Access Management)
  • Networking
  • Keys
  • Cloud Guard
  • Logging
  • Vulnerability Scanning
  • Bastion
  • Events
  • Alarms
  • Notifications
  • Object Storage
  • Budgets
  • Security Zone

Deliverables

This repository contains two deliverables:

  • A reference implementation written in Terraform HCL (HashiCorp Configuration Language) that provisions fully functional resources in an OCI tenancy.
  • A Python script that performs compliance checks for most of the CIS OCI Foundations Benchmark recommendations. The script is completely independent of the Terraform code and can be used against any existing tenancy.

Architecture

IAM

The Landing Zone template creates a few compartments in the tenancy root compartment or under an enclosing compartment:

  • Network compartment: for all networking resources.
  • Security compartment: for all logging, key management, scanning, and notifications resources.
  • Application Development compartment: for application development related services, including Compute, Storage, Functions, Streams, Kubernetes, API Gateway, etc.
  • Database compartment: for all database resources.
  • Exadata infrastructure compartment: this is an optional compartment. When preparing to deploy Exadata Cloud Service, customers can choose between creating a specific compartment or using the Database compartment.
  • Enclosing compartment: a compartment at any level in the compartment hierarchy to hold the above compartments.

The compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically split among networking, security, application development and database admin teams. Each compartment is assigned an admin group, with enough permissions to perform its duties. The provided permissions lists are not exhaustive and are expected to be appended with new statements as new resources are brought into the Terraform template.
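The compartment, admin-group and compartment-scoped policy pattern described above, as an added Terraform example (not the Landing Zone's own code). All names (the "acme-lz-*" prefix) and the single resource family chosen per tier are assumed placeholders; the real Landing Zone policies carry many more statements.

```hcl
# Added example (not the Landing Zone's own code): the compartment, admin-group
# and compartment-scoped policy pattern described in the IAM section. All names
# ("acme-lz-*") and the per-tier resource families are assumed placeholders.

variable "tenancy_ocid" {
  description = "OCID of the tenancy (root compartment)"
  type        = string
}

# Enclosing compartment that holds the functional compartments
resource "oci_identity_compartment" "enclosing" {
  compartment_id = var.tenancy_ocid
  name           = "acme-lz-top-cmp"
  description    = "Enclosing compartment for the Landing Zone"
  enable_delete  = false # compartments survive terraform destroy, as on the page
}

locals {
  # Functional compartments and one IAM resource family each admin group manages.
  # The real Landing Zone policies contain many more statements.
  tiers = {
    network  = "virtual-network-family"
    security = "vaults"
    appdev   = "instance-family"
    database = "database-family"
  }
}

resource "oci_identity_compartment" "tier" {
  for_each       = local.tiers
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "acme-lz-${each.key}-cmp"
  description    = "Landing Zone ${each.key} compartment"
  enable_delete  = false
}

# One admin group per compartment; groups always live in the tenancy root
resource "oci_identity_group" "admin" {
  for_each       = local.tiers
  compartment_id = var.tenancy_ocid
  name           = "acme-lz-${each.key}-admin-group"
  description    = "Administrators of the ${each.key} compartment"
}

# Policies are attached to the enclosing compartment and scoped to one child
# compartment, so each group can only manage its own tier's resources.
resource "oci_identity_policy" "admin" {
  for_each       = local.tiers
  compartment_id = oci_identity_compartment.enclosing.id
  name           = "acme-lz-${each.key}-admin-policy"
  description    = "Policy for the ${each.key} admin group"
  statements = [
    "Allow group ${oci_identity_group.admin[each.key].name} to manage ${each.value} in compartment ${oci_identity_compartment.tier[each.key].name}",
    "Allow group ${oci_identity_group.admin[each.key].name} to read all-resources in compartment ${oci_identity_compartment.tier[each.key].name}",
  ]
}
```

Because each policy names only its own child compartment, a member of the network admin group gets no rights in the database compartment, which is the segregation by job function the section describes.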

Networking

The Terraform code provisions a standard three-tier network architecture within one or more Virtual Cloud Networks (VCNs). The three tiers are divided into:

  • One public subnet for load balancers and bastion servers;
  • Two private subnets: one for the application tier and one for the database tier.

Optionally, the Terraform code can provision one or more VCNs configured for Exadata deployments. These VCNs consist of:

  • One private client subnet;
  • One private backup subnet.

The VCNs are either stand-alone networks or part of one of the Hub and Spoke architectures below:

  • Access to multiple VCNs in the same region: This scenario enables communication between an on-premises network and multiple VCNs in the same region over a single FastConnect private virtual circuit or Site-to-Site VPN and uses a DRG as the hub.
  • Access between multiple networks through a single DRG with a firewall between networks: This scenario connects several VCNs to a single DRG, with all routing configured to send packets through a firewall in a hub VCN before they can be sent to another network.

The above can be deployed without the creation of Internet Gateways and NAT Gateways to provide a more isolated network.

Diagram

The diagram below shows services and resources that are deployed in a single VCN deployment:

Architecture_Single_VCN

Get the diagram in SVG format.

The diagram below shows services and resources that are deployed in a Hub & Spoke VCN deployment:

Architecture_HS_VCN

Get the diagram in SVG format.

The greyed out icons in the AppDev and Database compartments indicate services not provisioned by the template.

Executing Instructions

Documentation

CIS OCI Foundations Benchmark Modules

This repository uses a broader collection of repositories containing modules that help customers align their OCI implementations with the CIS OCI Foundations Benchmark recommendations.

The modules in this collection are designed for flexibility, are straightforward to use, and enforce CIS OCI Foundations Benchmark recommendations when possible.

Using these modules does not require users to have extensive knowledge of Terraform or of OCI resource types. Users declare a JSON object describing the OCI resources according to each module's specification, plus minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.

Feedback

We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.

Known Issues

  • Terraform Apply Failure 404-NotAuthorizedOrNotFound

    • Terraform CLI or Resource Manager fails to apply with a message similar to this:
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO]
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error: 404-NotAuthorizedOrNotFound
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Provider version: 4.33.0, released on 2021-06-30.  
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Service: Identity Policy
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error Message: Authorization failed or requested resource not found
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] OPC request ID: f14a700dc5d00272933a327c8feb2871/5053FB2DA16689F6421821A1B178D450/D3F2FE52F3BF8FB2C769AEFF7754A9B0
        2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Suggestion: Either the resource has been deleted or service Identity Policy need policy to access this resource. Policy reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm
    

    This is due to eventual consistency, where resources need to be propagated to all regions before becoming fully available. We have dealt with this type of issue in code by introducing artificial delays. However, such errors may still arise because the consistency is eventual. If you face errors like this, simply re-plan and re-apply the Terraform configuration (you do not need to destroy and start all over). The errors should go away in the subsequent run. If they still persist, the problem is of a different nature.

    If your plan continues to fail, please ensure the OCI service is available in your realm. All the OCI services in the CIS OCI Landing Zone are available in the commercial (OC1) realm but may not be in others.

  • OCI Tags

    • By design, the CIS OCI Landing Zone Quick Start sets a freeform tag as an indicator for resources created by its Terraform scripts.
    • The OCI Tag Defaults may not be applied to OCI Keys during creation. This issue is currently under investigation.
    • Creating and using Defined Tags requires a two step process:
      1. Create the tag namespace and the tags.
      2. Assign the defined_tags.
    • Assigning an empty map ({}) to defined_tags or freeform_tags deletes all previously set values and also prevents tag defaults from being applied.
    • Tag defaults are applied when a null value is provided (defined_tags = null).
  • OCI Compartment Deletion

    • By design, OCI compartments are not deleted upon Terraform destroy by default. Deletion can be enabled in the Landing Zone by setting the enable_cmp_delete variable to true in the locals.tf file. However, compartments may take a long time to delete. Not deleting compartments is fine if you plan on reusing them. For more information about deleting compartments in OCI via Terraform, check the OCI Terraform provider documentation.
  • OCI Vault Deletion

    • By design, OCI vaults and keys are not deleted immediately upon Terraform destroy, but scheduled for deletion. Both have a default 30 day grace period. To shorten that period, use the OCI Console to first cancel the scheduled deletion and then set the earliest possible deletion date (7 days from the current date) when deleting.
  • Enabling no internet access on an existing deployment

    • Enabling no_internet_access on a currently deployed stack fails to apply due to a timeout. This is because the OCI Terraform provider is not able to remove Internet Gateway(s) and NAT Gateway(s) while there are route table rules referencing them. To enable no_internet_access on a deployed stack, you have to first manually remove the rules from the route tables that reference the gateways.
  • Resource Manager does not allow elements with same value in array type

    • This impacts the ability to deploy custom subnets with the same size, as subnets_sizes is an array of strings. If you need custom subnet sizes, do not use the Resource Manager UI. Deploy with either the Terraform CLI or the Resource Manager APIs.

    ORM Array Issue

  • Support for free tier tenancies

    • Deploying in a free tier tenancy is not supported at this time, as some services are not available. If you want to try the Landing Zone, please upgrade your account to pay-as-you-go.
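The two-step defined-tag flow and the {} versus null behaviour from the OCI Tags issue above, as an added Terraform example (not part of the Landing Zone code). The namespace, tag and compartment names, and the freeform tag key used as the "created by Landing Zone" marker, are assumed placeholders.

```hcl
# Added example (not part of the Landing Zone code): the two-step defined-tag
# flow from the Known Issues section. Namespace, tag, compartment names and the
# freeform marker key are assumed placeholders.

variable "tenancy_ocid" {
  description = "OCID of the tenancy (root compartment)"
  type        = string
}

# Step 1: create the tag namespace and the tag definition.
resource "oci_identity_tag_namespace" "lz" {
  compartment_id = var.tenancy_ocid
  name           = "acme-lz"
  description    = "Landing Zone tag namespace"
}

resource "oci_identity_tag" "created_by" {
  tag_namespace_id = oci_identity_tag_namespace.lz.id
  name             = "CreatedBy"
  description      = "Who or what created the resource"
}

# Step 2: assign defined_tags, only after step 1 has been applied.
resource "oci_identity_compartment" "network" {
  compartment_id = var.tenancy_ocid
  name           = "acme-lz-network-cmp"
  description    = "Network compartment"

  # Key format is "<namespace>.<tag>". Building the key from the tag resources
  # makes Terraform create the namespace and tag before this compartment.
  defined_tags = {
    "${oci_identity_tag_namespace.lz.name}.${oci_identity_tag.created_by.name}" = "terraform"
  }

  # Freeform marker for resources created by the Landing Zone (key assumed).
  freeform_tags = { "cis-landing-zone" = "true" }
}

# Contrast: a resource that should receive tenancy tag defaults passes null,
# not {}. An empty map clears existing tags and blocks tag defaults.
resource "oci_identity_compartment" "security" {
  compartment_id = var.tenancy_ocid
  name           = "acme-lz-security-cmp"
  description    = "Security compartment"
  defined_tags   = null
  freeform_tags  = { "cis-landing-zone" = "true" }
}
```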
