If you are logged into your OCI tenancy in the Commercial Realm (OC1), the button will take you directly to OCI Resource Manager where you can proceed to deploy. If you are not logged, the button takes you to Oracle Cloud initial page where you must enter your tenancy name and login to OCI.
Check [CIS Landing Zone course](https://mylearn.oracle.com/ou/course/oci-landing-zone/123962/193003) in Oracle University for a comprehensive introduction.
Also check our [Live Lab](https://apexapps.oracle.com/pls/apex/r/dbpm/livelabs/view-workshop?wid=3662) for key use cases and hands on deployment experience.
CIS OCI Landing Zone Quick Start Template
Table of Contents
- Overview
- Deliverables
- Architecture
- Deployment Guide
- Executing Instructions
- Blog Posts
- CIS OCI Foundations Benchmark Modules Collection
- Feedback
- Known Issues
- Contribute
- Frequently Asked Questions
Overview
This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the CIS OCI Foundations Benchmark v1.2.
The template uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:
- IAM (Identity & Access Management)
- Networking
- Keys
- Cloud Guard
- Logging
- Vulnerability Scanning
- Bastion
- Events
- Alarms
- Notifications
- Object Storage
- Budgets
- Security Zone
Deliverables
This repository encloses two deliverables:
- A reference implementation written in Terraform HCL (Hashicorp Language) that provisions fully functional resources in an OCI tenancy.
- A Python script that performs compliance checks for most of the CIS OCI Foundations Benchmark recommendations. The script is completely independent of the Terraform code and can be used against any existing tenancy.
Architecture
IAM
The Landing Zone template creates a few compartments in the tenancy root compartment or under an enclosing compartment:
- Network compartment: for all networking resources.
- Security compartment: for all logging, key management, scanning, and notifications resources.
- Application Development compartment: for application development related services, including Compute, Storage, Functions, Streams, Kubernetes, API Gateway, etc.
- Database compartment: for all database resources.
- Exadata infrastructure compartment: this is an optional compartment. While preparing for deploying Exadata Cloud Service, customers can choose between creating a specific compartment or using the Database compartment.
- Enclosing compartment: a compartment at any level in the compartment hierarchy to hold the above compartments.
The compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically split among networking, security, application development and database admin teams. Each compartment is assigned an admin group, with enough permissions to perform its duties. The provided permissions lists are not exhaustive and are expected to be appended with new statements as new resources are brought into the Terraform template.
Networking
The Terraform code provisions a standard three-tier network architecture within one or more Virtual Cloud Network (VCN)s. The three tiers are divided into:
- One public subnet for load balancers and bastion servers;
- Two private subnets: one for the application tier and one for the database tier.
Optionally, the Terraform code can provision one or more VCNs configured for Exadata deployments. These VCNs are comprised of:
- One private client subnet;
- One private backup subnet.
The VCNs are either stand alone networks or in one of the below Hub and Spoke architectures:
- Access to multiple VCNs in the same region: This scenario enables communication between an on-premises network and multiple VCNs in the same region over a single FastConnect private virtual circuit or Site-to-Site VPN and uses a DRG as the hub.
- Access between multiple networks through a single DRG with a firewall between networks: This scenario connects several VCNs to a single DRG, with all routing configured to send packets through a firewall in a hub VCN before they can be sent to another network.
The above can be deployed without the creation of Internet Gateways and NAT Gateways to provide a more isolated network.
Diagram
The diagram below shows services and resources that are deployed in a single VCN deployment:
Get the diagram in SVG format.
The diagram below shows services and resources that are deployed in a Hub & Spoke VCN deployment:
Get the diagram in SVG format.
The greyed out icons in the AppDev and Database compartments indicate services not provisioned by the template.
Executing Instructions
Documentation
- Deploy a Secure Landing Zone that Meets the CIS Foundations Benchmark for Oracle Cloud
- CIS OCI Landing Zone Quick Start Template Version 2
- Deployment Modes for CIS OCI Landing Zone
- Tenancy Pre Configuration For Deploying CIS OCI Landing Zone as a non-Administrator
- Strong Security Posture Monitoring with Cloud Guard
- Logging Consolidation with Service Connector Hub
- Vulnerability Scanning in CIS OCI Landing Zone
- How to Deploy OCI Secure Landing Zone for Exadata Cloud Service
- Operational Monitoring and Alerting in the CIS Landing Zone
- How to Deploy Landing Zone for a Security Partner Network Appliance
- Adding Our Security Partners to a CIS OCI Landing Zone
- Advanced Configuration using Terraform Overrides
- Creating a Secure Multi-Region Landing Zone
- The Center for Internet Security Oracle Cloud Infrastructure Foundations Benchmark 1.2 Release update
CIS OCI Foundations Benchmark Modules Collection
This repository uses a broader collection of repositories containing modules that help customers align their OCI implementations with the CIS OCI Foundations Benchmark recommendations:
The modules in this collection are designed for flexibility, are straightforward to use, and enforce CIS OCI Foundations Benchmark recommendations when possible.
Using these modules does not require a user extensive knowledge of Terraform or OCI resource types usage. Users declare a JSON object describing the OCI resources according to each module’s specification and minimal Terraform code to invoke the modules. The modules generate outputs that can be consumed by other modules as inputs, allowing for the creation of independently managed operational stacks to automate your entire OCI infrastructure.
Feedback
We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.
Known Issues
- Terraform CLI or Resource Manager fails to apply with a message similar as this:
- By design, the CIS OCI Landing Zone Quick Start sets a freeform tag as an indicator for resources created by its Terraform scripts.
- The OCI Tag Defaults may not be applied to OCI Keys during creation. This issue is currently under investigation.
- Creating and using Defined Tags requires a two step process:
- Create the tag namespace and the tags.
- Assign the
defined_tags
. - Assigning an empty map (
{}
) todefined_tags
orfreeform_tags
deletes all prevouisly set values and also prevents tag defaults to be applied. - Tag defaults are applied when providing a
null
valuedefined_tags = null
. - By design, OCI compartments are not deleted upon terraform destroy by default. Deletion can be enabled in Landing Zone by setting enable_cmp_delete variable to true in locals.tf file. However, compartments may take a long time to delete. Not deleting compartments is ok if you plan on reusing them. For more information about deleting compartments in OCI via Terraform, check OCI Terraform provider documentation.
- By design, OCI vaults and keys are not deleted immediately upon terraform destroy, but scheduled for deletion. Both have a default 30 day grace period. For shortening that period, use OCI Console to first cancel the scheduled deletion and then set the earliest possible deletion date (7 days from current date) when deleting.
- Enabling no_internet_access on a currently deployed stack fails to apply due to timeout. This is due to OCI Terraform provider not being able remove Internet Gateway(s) and NAT Gateway(s) when there are route table rules referencing them. For enabling no_internet_access on a deployed stack, you have to first manually remove the rules from the route tables that reference the gateways.
- This impacts the ability to deploy custom subnets with the same size, as subnets_sizes is an array of strings. If you need custom subnets sizes, do not use Resource Manager UI. Deploy with either Terraform CLI or Resource Manager APIs.
- Deploying in a free tier tenancy is not supported at this time as there are some services that are not available. If you want to try the Landing Zone please upgrade your account to a pay-go.
Terraform Apply Failure 404-NotAuthorizedorNotFound
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO]
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error: 404-NotAuthorizedOrNotFound
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Provider version: 4.33.0, released on 2021-06-30.
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Service: Identity Policy
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Error Message: Authorization failed or requested resource not found
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] OPC request ID: f14a700dc5d00272933a327c8feb2871/5053FB2DA16689F6421821A1B178D450/D3F2FE52F3BF8FB2C769AEFF7754A9B0
2021/07/01 23:53:25[TERRAFORM_CONSOLE] [INFO] Suggestion: Either the resource has been deleted or service Identity Policy need policy to access this resource. Policy reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm
This is due to eventual consistency, where resources need to be propagated to all regions before becoming fully available. We have dealt with these type of issues in code by introducing artificial delays. However, they may still arise as the consistency is eventual. If you face errors like this, simply re-plan and re-apply the Terraform configuration (you do not need to destroy and start all over). The errors should go away in the subsequent run. If they still persist, the problem is of a different nature.
If your plan continues to fail, please ensure the OCI service is available in your realm. All the OCI services in the CIS OCI Landing Zone are available in the commercial (OC1) realm but may not be in others.
OCI Tags
OCI Compartment Deletion
OCI Vault Deletion
Enabling no internet access on an existing deployment
Resource Manager does not allow elements with same value in array type
Support for free tier tenancies