Best Practices from Oracle Development's A‑Team

CIS OCI Landing Zone Quick Start Template

Andre Correa Neto
Cloud Solutions Architect

Introduction

Customers often ask us how they can automate the process of creating a secure Oracle Cloud Infrastructure (OCI) tenancy. In response to this, we created a Center for Internet Security (CIS) Landing Zone Quick Start template. This template enables OCI customers to quickly implement the CIS OCI Foundations Benchmark and overall OCI best practices within their tenancy. CIS recently released version 1.1 of the OCI Foundations Benchmark and the template provides a reference implementation for those recommendations.

To obtain the CIS OCI Benchmark document, navigate to https://www.cisecurity.org/cis-benchmarks/, expand the Oracle Cloud Infrastructure section and click the Download link next to the version number, as shown in the screenshot below.

Obtaining CIS OCI benchmark document

The Landing Zone uses multiple compartments, groups, and IAM policies to segregate access to resources based on job function. The resources within the template are configured to meet the CIS OCI Foundations Benchmark settings related to:

  • IAM (Identity & Access Management)
  • Networking
  • Keys
  • Cloud Guard
  • Logging
  • Events
  • Notifications
  • Object Storage

Deliverables

The template comprises two deliverables:

  • An extensible reference implementation written in Terraform HCL (HashiCorp Configuration Language) that provisions fully functional resources in an OCI tenancy.
  • An extensible Python script that performs compliance checks for most of the CIS OCI Foundations Benchmark recommendations.

The code is available at https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart. It is provided as sample code that has not undergone extensive testing; use it as is, adapt it, or simply treat it as inspiration for your own projects.

Architecture

The Terraform code deploys a standard three-tier network architecture within a single Virtual Cloud Network (VCN). The three tiers are divided into:

  • One public subnet for load balancers and bastion servers;
  • Two private subnets: one for the application tier and one for the database tier.

The tenancy resources are spread across four compartments:

  • A network compartment: for all networking resources.
  • A security compartment: for all logging, key management, and notifications resources and services.
  • An application development compartment: for application development related services, including compute, storage, functions, streams, Kubernetes, API Gateway, etc.
  • A database compartment: for database resources.

The compartment design reflects a basic functional structure observed across different organizations, where IT responsibilities are typically split among networking, security, application development and database admin teams. Each compartment is assigned an admin group with enough permissions to perform its duties. The provided permission lists are not exhaustive and are expected to be extended with new policy statements as new resources are brought into the Terraform template.

The diagram below shows the services and resources that are deployed:

Landing Zone Architecture

The diagram does not show the database compartment, because no resources are initially provisioned into that compartment. The greyed out icons in the AppDev compartment indicate services not provisioned by the template.

Deployment

Detailed instructions for Terraform deployment and how to run the compliance checking script are available in the repository's README.

Customizing the Terraform Configuration

The Terraform code has a single configuration root module and a few modules that actually perform the provisioning. We encourage any customization to follow this pattern as it enables consistent code reuse.

To bring new resources into the Terraform configuration, such as compartments or VCNs, reuse the existing modules and add module calls in the root module similar to the existing ones. Most modules accept a map of resource objects, usually keyed by the resource name. For instance, to add subnets to the existing VCN, add the extra subnet objects to the existing subnets map.
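The following is an added example of the map-keyed module pattern described above; it is not code from the quickstart repository, and the module path, variable names, output names (`module.vcn.*`) and CIDR blocks are assumptions chosen for illustration. The module iterates over a `subnets` map with `for_each`, and the root module adds a fourth, private subnet by adding one more key to that map:

```hcl
# modules/subnets/variables.tf  (hypothetical module; names are assumptions,
# not the quickstart's own interface)
variable "compartment_id" { type = string }
variable "vcn_id"         { type = string }

variable "subnets" {
  description = "Subnets to create, keyed by subnet name."
  type = map(object({
    cidr              = string
    dns_label         = string
    private           = bool         # true => VNICs in this subnet cannot get public IPs
    route_table_id    = string
    security_list_ids = list(string)
  }))
}

# modules/subnets/main.tf
resource "oci_core_subnet" "this" {
  for_each = var.subnets            # one subnet per map key

  compartment_id             = var.compartment_id
  vcn_id                     = var.vcn_id
  display_name               = each.key
  cidr_block                 = each.value.cidr
  dns_label                  = each.value.dns_label
  prohibit_public_ip_on_vnic = each.value.private
  route_table_id             = each.value.route_table_id
  security_list_ids          = each.value.security_list_ids
}

output "subnet_ids" {
  value = { for name, s in oci_core_subnet.this : name => s.id }
}

# Root module: the three original tiers plus one extra private subnet.
# Adding the "mgmt-subnet" key is the only change; Terraform plans exactly
# one new oci_core_subnet and leaves the existing three untouched.
module "subnets" {
  source         = "./modules/subnets"
  compartment_id = var.network_compartment_id   # assumption: defined elsewhere in the root module
  vcn_id         = module.vcn.vcn_id            # assumption: output name of the VCN module

  subnets = {
    "public-subnet" = {
      cidr              = "10.0.1.0/24"
      dns_label         = "public"
      private           = false
      route_table_id    = module.vcn.public_route_table_id
      security_list_ids = [module.vcn.public_security_list_id]
    }
    "app-subnet" = {
      cidr              = "10.0.2.0/24"
      dns_label         = "app"
      private           = true
      route_table_id    = module.vcn.private_route_table_id
      security_list_ids = [module.vcn.app_security_list_id]
    }
    "db-subnet" = {
      cidr              = "10.0.3.0/24"
      dns_label         = "db"
      private           = true
      route_table_id    = module.vcn.private_route_table_id
      security_list_ids = [module.vcn.db_security_list_id]
    }
    # Added entry: a private management subnet.
    "mgmt-subnet" = {
      cidr              = "10.0.4.0/24"
      dns_label         = "mgmt"
      private           = true
      route_table_id    = module.vcn.private_route_table_id
      security_list_ids = [module.vcn.app_security_list_id]
    }
  }
}
```

Keying the map by name matters operationally: the key becomes the resource address in state (`module.subnets.oci_core_subnet.this["mgmt-subnet"]`), so adding or removing one entry only affects that subnet. With a list indexed by position, inserting an element would re-address every later subnet and Terraform would plan to destroy and recreate them. Keep `private = true` on any new application or database tier subnet so the public/private split the template establishes is preserved.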

For more details, see the repository's README.

Cost

As of the publishing time of this post, provisioning the resources in the template incurs no cost.

Feedback

To post feedback, submit feature ideas or report bugs, please use the Issues section of the GitHub repository.

Credits

This template has been jointly created by myself, Josh Hammer and Logan Kleier.
