If you are logged into your OCI tenancy, the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.
- Overview
- Deliverables
- Architecture
- Executing Instructions
- Blog Posts
- Acknowledgements
- The Team
- Feedback
- Known Issues
- Contribute
- Frequently Asked Questions
- Deployment Guide
This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the CIS OCI Foundations Benchmark v1.2.
The template uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:
- IAM (Identity & Access Management)
- Networking
- Keys
- Cloud Guard
- Logging
- Vulnerability Scanning
- Bastion
- Events
- Alarms
- Notifications
- Object Storage
- Budgets
- Security Zone
This repository encloses two deliverables:
- A reference implementation written in Terraform HCL (Hashicorp Language) that provisions fully functional resources in an OCI tenancy.
- A Python script that performs compliance checks for most of the CIS OCI Foundations Benchmark recommendations. The script is completely independent of the Terraform code and can be used against any existing tenancy.
The Landing Zone template creates a few compartments in the tenancy root compartment or under an enclosing compartment:
- Network compartment: for all networking resources.
- Security compartment: for all logging, key management, scanning, and notifications resources.
- Application Development compartment: for application development related services, including Compute, Storage, Functions, Streams, Kubernetes, API Gateway, etc.
- Database compartment: for all database resources.
- Exadata infrastructure compartment: this is an optional compartment. While preparing for deploying Exadata Cloud Service, customers can choose between creating a specific compartment or using the Database compartment.
- Enclosing compartment: a compartment at any level in the compartment hierarchy to hold the above compartments.
The compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically split among networking, security, application development and database admin teams. Each compartment is assigned an admin group, with enough permissions to perform its duties. The provided permissions lists are not exhaustive and are expected to be appended with new statements as new resources are brought into the Terraform template.
The Terraform code provisions a standard three-tier network architecture within one or more Virtual Cloud Network (VCN)s. The three tiers are divided into:
- One public subnet for load balancers and bastion servers;
- Two private subnets: one for the application tier and one for the database tier.
Optionally, the Terraform code can provision one or more VCNs configured for Exadata deployments. These VCNs are comprised of:
- One private client subnet;
- One private backup subnet.
The VCNs are either stand alone networks or in one of the below Hub and Spoke architectures:
- Access to multiple VCNs in the same region: This scenario enables communication between an on-premises network and multiple VCNs in the same region over a single FastConnect private virtual circuit or Site-to-Site VPN and uses a DRG as the hub.
- Access between multiple networks through a single DRG with a firewall between networks: This scenario connects several VCNs to a single DRG, with all routing configured to send packets through a firewall in a hub VCN before they can be sent to another network.
The above can be deployed without the creation of Internet Gateways and NAT Gateways to provide a more isolated network.
The diagram below shows services and resources that are deployed in a single VCN deployment:
Get the diagram in SVG format.
The diagram below shows services and resources that are deployed in a Hub & Spoke VCN deployment:
Get the diagram in SVG format.
The greyed out icons in the AppDev and Database compartments indicate services not provisioned by the template.
- Deploy a Secure Landing Zone that Meets the CIS Foundations Benchmark for Oracle Cloud
- CIS OCI Landing Zone Quick Start Template Version 2
- Deployment Modes for CIS OCI Landing Zone
- Tenancy Pre Configuration For Deploying CIS OCI Landing Zone as a non-Administrator
- Strong Security Posture Monitoring with Cloud Guard
- Logging Consolidation with Service Connector Hub
- Vulnerability Scanning in CIS OCI Landing Zone
- How to Deploy OCI Secure Landing Zone for Exadata Cloud Service
- Operational Monitoring and Alerting in the CIS Landing Zone
- How to Deploy Landing Zone for a Security Partner Network Appliance
- Adding Our Security Partners to a CIS OCI Landing Zone
- Advanced Configuration using Terraform Overrides
- Creating a Secure Multi-Region Landing Zone
- The Center for Internet Security Oracle Cloud Infrastructure Foundations Benchmark 1.2 Release update
- Parts of the Terraform code reuses and adapts from Oracle Terraform Modules.
- The Compliance Checking script builds on Adi Zohar's showoci OCI Reporting tool.
- Owners: Andre Correa, Josh Hammer.
- Contributors: Chad Russell, Johannes Murmman, KC Flynn, Logan Kleier, Olaf Heimburger, Pulkit Sharma.
We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.
-
Terraform Apply Failure 404-NotAuthorizedorNotFound
- Terraform CLI or Resource Manager fails to apply with a message similar as this:
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error: 404-NotAuthorizedOrNotFound 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Provider version: 4.33.0, released on 2021-06-30. 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Service: Identity Policy 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error Message: Authorization failed or requested resource not found 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] OPC request ID: f14a700dc5d00272933a327c8feb2871/5053FB2DA16689F6421821A1B178D450/D3F2FE52F3BF8FB2C769AEFF7754A9B0 2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Suggestion: Either the resource has been deleted or service Identity Policy need policy to access this resource. Policy reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm
This is due to eventual consistency, where resources need to be propagated to all regions before becoming fully available. We have dealt with these type of issues in code by introducing artificial delays. However, they may still arise as the consistency is eventual. If you face errors like this, simply re-plan and re-apply the Terraform configuration (you do not need to destroy and start all over). The errors should go away in the subsequent run. If they still persist, the problem is of a different nature.
If your plan continues to fail, please ensure the OCI service is available in your realm. All the OCI services in the CIS OCI Landing Zone are available in the commercial (OC1) realm but may not be in others.
-
OCI Tags
- By design, the CIS OCI Landing Zone Quick Start sets a freeform tag as an indicator for resources created by its Terraform scripts.
- The OCI Tag Defaults may not be applied to OCI Keys during creation. This issue is currently under investigation.
- Creating and using Defined Tags requires a two step process:
- Create the tag namespace and the tags.
- Assign the
defined_tags
.
- Assigning an empty map (
{}
) todefined_tags
orfreeform_tags
deletes all prevouisly set values and also prevents tag defaults to be applied. - Tag defaults are applied when providing a
null
valuedefined_tags = null
.
-
OCI Compartment Deletion
- By design, OCI compartments are not deleted upon Terraform destroy by default. Deletion can be enabled in Landing Zone by setting enable_cmp_delete variable to true in locals.tf file. However, compartments may take a long time to delete. Not deleting compartments is ok if you plan on reusing them. For more information about deleting compartments in OCI via Terraform, check OCI Terraform provider documentation.
-
OCI Vault Deletion
- By design, OCI vaults and keys are not deleted immediately upon Terraform destroy, but scheduled for deletion. Both have a default 30 day grace period. For shortening that period, use OCI Console to first cancel the scheduled deletion and then set the earliest possible deletion date (7 days from current date) when deleting.
-
Enabling no internet access on an existing deployment
- Enabling no_internet_access on currently deployed stack fails to apply due to timeout. This is due to OCI Terraform provider not being able remove Internet Gateway(s) and and NAT Gateway(s) when there are route table rules referencing them. For enabling no_internet_access on a deployed stack, you have to first manually remove the rules from the route tables that reference the gateways.
-
Resource Manager does not allow elements with same value in array type
- This impacts the ability to deploy custom subnets with the same size, as subnets_sizes is an array of strings. If you need custom subnets sizes, do not use Resource Manager UI. Deploy with either Terraform CLI or Resource Manager APIs.
-
Support for free tier tenancies*
- Deploying in a free tier tenancy is not supported at this time as there are some services that are not available. If you want to try the Landing Zone please upgrade your account to a pay-go.