This template shows how to deploy a CIS-compliant landing zone using the OCI Core Landing Zone configuration.
In this template, a single custom three-tier VCN is deployed. The following VCN parameters are customized:
- VCN name, CIDR blocks and DNS name.
- All subnet names, CIDR blocks and DNS names.
- A public Bastion subnet is deployed, with a custom name, CIDR block and DNS name.
- The list of CIDR blocks allowed to SSH into jump hosts that may later be deployed in the Bastion subnet.
Additionally, the following services are enabled:
- Connector Hub (Service Connector), for log consolidation. Collected logs are sent to an OCI stream.
- A Security Zone is created for the deployment. The Security Zone target is the landing zone top (enclosing) compartment.
- Vulnerability Scanning Service is configured to scan Compute instances that may later be deployed in the landing zone.
- A basic Budget is created.
Please see other templates available for CIS compliant landing zones with custom configurations.
This template has the following parameters set:
Variable Name | Description | Value |
---|---|---|
service_label | A unique identifier to prefix the resources | custvcn |
define_net | Check to define networking resources. By default, the Landing Zone does NOT deploy any networks. | true |
add_tt_vcn1 | Check to add a three-tier VCN, with three subnets: web (public by default), application (private) and database (private). An optional subnet (private by default) for bastion deployment is also available. | true |
tt_vcn1_name | Enter the VCN name; if left empty, a default name is provided. Use this VCN's label in the 'Routable VCNs' field of other VCNs to constrain network traffic in a Hub/Spoke topology. | my-vcn-1 |
tt_vcn1_cidrs | Enter the list of CIDR blocks for the VCN. | 192.168.0.0/20 |
customize_tt_vcn1_subnets | Check to customize default subnets settings. | true |
tt_vcn1_web_subnet_name | Enter the Web subnet name. | frontend-subnet |
tt_vcn1_web_subnet_cidr | Enter the Web subnet CIDR block. It must be within the VCN CIDR blocks. | 192.168.0.0/24 |
tt_vcn1_web_subnet_is_private | Check to make the Web subnet private. It is public by default. | true |
tt_vcn1_app_subnet_name | Enter the Application subnet name. | middle-subnet |
tt_vcn1_app_subnet_cidr | Enter the Application subnet CIDR block. It must be within the VCN CIDR blocks. | 192.168.1.0/24 |
tt_vcn1_db_subnet_name | Enter the Database subnet name. | backend-subnet |
tt_vcn1_db_subnet_cidr | Enter the Database subnet CIDR block. It must be within the VCN CIDR blocks. | 192.168.2.0/24 |
deploy_tt_vcn1_bastion_subnet | Check to deploy a subnet where you can further deploy the OCI Bastion service or a jump host. | true |
tt_vcn1_bastion_subnet_name | Enter the Bastion subnet name. | bastion-subnet |
tt_vcn1_bastion_subnet_cidr | Enter the Bastion subnet CIDR block. A /29 block is usually enough, unless you plan on deploying a large number of jump hosts. It must be within the VCN CIDR blocks. | 192.168.3.0/29 |
tt_vcn1_bastion_is_access_via_public_endpoint | If checked, the Bastion subnet is made public, so that you can later deploy and manage your own jump hosts in it. By default, the Bastion subnet is private, where the OCI Bastion service is expected to be deployed. | true |
tt_vcn1_bastion_subnet_allowed_cidrs | These CIDRs are allowed to SSH into the jump host that may later be deployed in the public Bastion subnet. Leave it empty for no access. | REPLACE_WITH_CIDR_BLOCKS_ALLOWED_FOR_SSH_ACCESS |
network_admin_email_endpoints | List of email addresses that receive notifications for networking related events. | ["[email protected]"] |
security_admin_email_endpoints | List of email addresses that receive notifications for security related events. | ["[email protected]"] |
enable_cloud_guard | When true, OCI Cloud Guard Service is enabled. Set to false if it's been already enabled through other means. | true |
enable_service_connector | Whether Service Connector should be enabled. If true, a single Service Connector is managed for all service log sources and the designated target specified in 'Service Connector Target Kind'. The Service Connector resource is created in INACTIVE state. To activate, check 'Activate Service Connector?' (costs may be incurred). | true |
activate_service_connector | Whether Service Connector should be activated. If true, costs may be incurred due to usage of an Object Storage bucket, Streaming or Functions. | true |
service_connector_target_kind | Service Connector Hub target resource. Valid values are 'objectstorage', 'streaming', 'functions' or 'logginganalytics'. In case of 'objectstorage', a new bucket is created. In case of 'streaming', you can provide an existing stream OCID in 'existing_service_connector_target_stream_id' and that stream is used; if no OCID is provided, a new stream is created. In case of 'functions', you must provide the existing function OCID in 'existing_service_connector_target_function_id'. In case of 'logginganalytics', a log group for the Logging Analytics service is created and the service is enabled if it is not already. | streaming |
enable_security_zones | Determines if Security Zones are enabled in Landing Zone compartments. When set to true, the Security Zone is enabled for the enclosing compartment. If no enclosing compartment is used, then the Security Zone is not enabled. | true |
create_budget | If checked, a budget will be created at the root or enclosing compartment and based on forecast spend. | true |
For a detailed description of all variables that can be used, see the Variables documentation.
This template can be deployed using OCI Resource Manager Service (RMS) or Terraform CLI:
For OCI RMS: by clicking the button below, you are redirected to an OCI RMS Stack with the variables pre-assigned for deployment.
You are required to review/adjust the following variable settings:
- Make sure to pick an OCI region for deployment.
- Replace REPLACE_WITH_CIDR_BLOCKS_ALLOWED_FOR_SSH_ACCESS with one or more CIDR blocks in the 'List of CIDR blocks allowed to SSH into jump hosts eventually deployed in Bastion subnet' field. 0.0.0.0/0 is not allowed; restrict the list to the address ranges your operators actually connect from.
- Provide real email addresses for the 'Network Admin Email Endpoints' and 'Security Admin Email Endpoints' fields.
- Uncheck the 'Enable Cloud Guard Service' option if Cloud Guard is already enabled in your tenancy.
With the stack created, perform a Plan, followed by an Apply using RMS UI.
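The variable table states three constraints that are easy to get wrong when editing values by hand: every subnet CIDR must lie within the VCN CIDR blocks, the subnets must not overlap each other, and the SSH source list must be a set of real CIDR blocks rather than 0.0.0.0/0 or the untouched placeholder. The script below is an added example, not code from the OCI Core Landing Zone project: it takes the values from the table (with the SSH placeholder replaced by a constructed documentation range, 203.0.113.0/24) and reports violations before you create the stack or run a plan. The dictionary layout and the function names are this example's own assumptions; only the variable names and values come from the table.

```python
"""Pre-flight check for this template's network variables.

Added example, not code from the OCI Core Landing Zone project. The variable
names and values are the ones in the table above; TEMPLATE_VARS, SUBNET_VARS,
usable_hosts() and check_variables() are this example's own constructs.
"""
import ipaddress
from typing import Dict, List

# Constructed input: the values this template assigns in main.tf, with the
# REPLACE_WITH_... placeholder swapped for an example operator range (IPv4 only).
TEMPLATE_VARS: Dict[str, object] = {
    "tt_vcn1_cidrs": ["192.168.0.0/20"],
    "tt_vcn1_web_subnet_cidr": "192.168.0.0/24",
    "tt_vcn1_app_subnet_cidr": "192.168.1.0/24",
    "tt_vcn1_db_subnet_cidr": "192.168.2.0/24",
    "tt_vcn1_bastion_subnet_cidr": "192.168.3.0/29",
    "tt_vcn1_bastion_subnet_allowed_cidrs": ["203.0.113.0/24"],
}

SUBNET_VARS = [
    "tt_vcn1_web_subnet_cidr",
    "tt_vcn1_app_subnet_cidr",
    "tt_vcn1_db_subnet_cidr",
    "tt_vcn1_bastion_subnet_cidr",
]


def parse_network(value: str) -> ipaddress.IPv4Network:
    """Parse a CIDR strictly: a value with host bits set (192.168.1.5/24)
    is rejected, since a subnet CIDR has to be a network address."""
    return ipaddress.IPv4Network(value, strict=True)


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses an OCI subnet can hand out: the Networking service reserves
    the first two and the last address of every subnet CIDR."""
    return max(subnet.num_addresses - 3, 0)


def check_variables(variables: Dict[str, object]) -> List[str]:
    """Return findings for inconsistent values; an empty list means all checks passed."""
    findings: List[str] = []

    try:
        vcn_blocks = [parse_network(str(c)) for c in variables["tt_vcn1_cidrs"]]
    except ValueError as exc:
        return [f"tt_vcn1_cidrs: invalid CIDR ({exc})"]

    subnets: Dict[str, ipaddress.IPv4Network] = {}
    for name in SUBNET_VARS:
        try:
            subnets[name] = parse_network(str(variables[name]))
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR ({exc})")

    # "It must be within the VCN CIDR blocks" for every subnet.
    for name, subnet in subnets.items():
        if not any(subnet.subnet_of(block) for block in vcn_blocks):
            findings.append(f"{name}: {subnet} is not within the VCN CIDR blocks")

    # Subnets of one VCN must not overlap each other.
    names = list(subnets)
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            if subnets[left].overlaps(subnets[right]):
                findings.append(f"{left} and {right} overlap ({subnets[left]}, {subnets[right]})")

    # A /29 leaves 5 assignable addresses for jump hosts; flag a block with none.
    bastion = subnets.get("tt_vcn1_bastion_subnet_cidr")
    if bastion is not None and usable_hosts(bastion) < 1:
        findings.append(f"tt_vcn1_bastion_subnet_cidr: {bastion} has no assignable addresses")

    # SSH sources: placeholder must be replaced, entries must parse, 0.0.0.0/0 is rejected.
    allowed = variables.get("tt_vcn1_bastion_subnet_allowed_cidrs") or []
    for entry in allowed:
        text = str(entry)
        if text.startswith("REPLACE_WITH"):
            findings.append("tt_vcn1_bastion_subnet_allowed_cidrs: placeholder was not replaced")
            continue
        try:
            source = ipaddress.IPv4Network(text, strict=False)
        except ValueError as exc:
            findings.append(f"tt_vcn1_bastion_subnet_allowed_cidrs: invalid CIDR {text!r} ({exc})")
            continue
        if source.prefixlen == 0:
            findings.append("tt_vcn1_bastion_subnet_allowed_cidrs: 0.0.0.0/0 is not allowed")

    return findings


if __name__ == "__main__":
    for line in check_variables(TEMPLATE_VARS) or ["OK: network variables are consistent"]:
        print(line)
```

Run it against the values you intend to put in main.tf (or paste into the RMS form); an empty result means the CIDR layout is consistent with the table's rules, and any line it prints is a change to make before planning.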
For Terraform CLI deployment:
- Rename file main.tf.template to main.tf.
- Provide/review the variable assignments in main.tf.
- In this folder, execute the typical Terraform workflow:

```
$ terraform init
$ terraform plan
$ terraform apply
```