This Landing Zone template deploys a standardized environment in an Oracle Cloud Infrastructure (OCI) tenancy that helps organizations to comply with the CIS OCI Foundations Benchmark v1.1.

The template uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:

• IAM (Identity & Access Management)
• Networking
• Keys
• Cloud Guard
• Logging
• Events
• Notifications
• Object Storage

This Landing Zone fork includes Aviatrix providing encrypted Multi-Cloud connectivity with centralized visibility and control. An Aviatrix Controller is required, the controller can be launched from marketplace of your preferred CSP. Please review the Getting Started guide here.

This repository encloses two deliverables:

• A reference implementation written in Terraform HCL (Hashicorp Language) that provisions fully functional resources in an OCI tenancy.
• A Python script that performs compliance checks for most of the CIS OCI Foundations Benchmark recommendations. The script is completely independent of the Terraform code and can be used against any existing tenancy.

• Support for 2 OCI regions (oci_region_1 and oci_region_2)
• Deployment of Aviatrix Transit VCN and High-Availability Gateway
• Remote state in OCI Object Storage delineation between the two regions (Setup secret keys and bucket as a pre-req)
• Deployment of Aviatrix Spoke
• Details, Aviatrix pre-requisites, and instructions can be found in oci_region_1

The Terraform code deploys a standard three-tier network architecture within a single Virtual Cloud Network (VCN). The three tiers are divided into:

• One public subnet for load balancers and bastion servers;
• Two private subnets: one for the application tier and one for the database tier.

The Landing Zone template also creates four compartments in the tenancy:

• A network compartment: for all networking resources.
• A security compartment: for all logging, key management, and notifications resources.
• An application development compartment: for application development related services, including compute, storage, functions, streams, Kubernetes, API Gateway, etc.
• A database compartment: for all database resources.

The compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically split among networking, security, application development and database admin teams. Each compartment is assigned an admin group, with enough permissions to perform its duties. The provided permissions lists are not exhaustive and are expected to be appended with new statements as new resources are brought into the Terraform template.

The diagram below shows services and resources that are deployed:

The greyed out icons in the AppDev and Database compartments indicate services not provisioned by the template.

The resources are provisioned using a single user account with broad tenancy administration privileges.

• Terraform Instructions
• Compliance Checking

• Parts of the Terraform code reuses and adapts from Oracle Terraform Modules.
• The Compliance Checking script builds on Adi Zohar's showoci OCI Reporting tool.
• Aviatrix OCI Transit Terraform module is used in this fork.
• Aviatrix Terraform provider is used to create Transit and Spokes enabling Multi-Cloud connectivity.

• Owners: Andre Correa, Josh Hammer
• Contributors: Logan Kleier, KC Flynn, Ryan Cronk Travis Mitchell

We welcome your feedback. To post feedback, submit feature ideas or report bugs, please use the Issues section on this repository.