From 97a30a155980572f22f9f53ac7c3be7a8d9eefd2 Mon Sep 17 00:00:00 2001 
From: Pablo Alonso Date: Mon, 28 Oct 2024 14:06:48 +0100 Subject: [PATCH] One-OE config files for CIS Level 1 & 2 --- .../oci_open_lz_one-oe_iam.auto.tfvars.json | 907 +++++++++---- ...ci_open_lz_one-oe_network.auto.tfvars.json | 1163 ++++++++--------- ...ne-oe_observability_cisl1.auto.tfvars.json | 710 ++++++++++ ...lity_cisl1_addon_flowlogs.auto.tfvars.json | 758 +++++++++++ ...e-oe_observability_cisl2.auto.tfvars.json} | 625 +++++---- ...ity_cisl2_addon_flowlogs.auto.tfvars.json} | 657 ++++++---- ..._lz_one-oe_security_cisl1.auto.tfvars.json | 146 +++ ...curity_cisl1_addon_sz345.auto.tfvars.json} | 0 ...lz_one-oe_security_cisl2.auto.tfvars.json} | 0 ...ecurity_cisl2_addon_sz345.auto.tfvars.json | 181 +++ blueprints/one-oe/runtime/one-stack/readme.md | 14 +- 11 files changed, 3815 insertions(+), 1346 deletions(-) create mode 100644 blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json create mode 100644 blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json rename blueprints/one-oe/runtime/one-stack/{oci_open_lz_one-oe_observability.auto.tfvars.json => oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json} (65%) rename blueprints/one-oe/runtime/one-stack/{oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json => oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json} (66%) create mode 100644 blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json rename blueprints/one-oe/runtime/one-stack/{oci_open_lz_one-oe_security_addon_sz345.auto.tfvars.json => oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json} (100%) rename blueprints/one-oe/runtime/one-stack/{oci_open_lz_one-oe_security.auto.tfvars.json => oci_open_lz_one-oe_security_cisl2.auto.tfvars.json} (100%) create mode 100644 blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json 
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json
index 6cbf1844..3dcc153b 100644
--- a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json
+++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json
@@ -4,35 +4,35 @@
 "compartments": {
 "CMP-LANDINGZONE-P-KEY": {
 "name": "cmp-landingzone-p",
- "description": "One-OE Enclosing Production Landing Zone Compartment",
+ "description": "Enclosing Production Landing Zone Compartment",
 "children": {
 "CMP-LZP-NETWORK-KEY": {
 "name": "cmp-lzp-network",
- "description": "One-OE Shared Network Compartment"
+ "description": "Shared Network Compartment"
 },
 "CMP-LZP-SECURITY-KEY": {
 "name": "cmp-lzp-security",
- "description": "One-OE Shared Security Compartment"
+ "description": "Shared Security Compartment"
 },
 "CMP-LZP-PLATFORM-KEY": {
 "name": "cmp-lzp-platform",
- "description": "One-OE Shared Platform Compartment"
+ "description": "Shared Platform Compartment"
 },
 "CMP-LZP-PROD-KEY": {
 "name": "cmp-lzp-prod",
- "description": "One-OE Prod Environment Compartment",
+ "description": "Prod Environment Compartment",
 "children": {
 "CMP-LZP-P-NETWORK-KEY": {
 "name": "cmp-lzp-p-network",
- "description": "One-OE Prod Workload Environment, Common Network Compartment"
+ "description": "Prod Workload Environment, Common Network Compartment"
 },
 "CMP-LZP-P-SECURITY-KEY": {
 "name": "cmp-lzp-p-security",
- "description": "One-OE Prod Workload Environment, Common Security Compartment"
+ "description": "Prod Workload Environment, Common Security Compartment"
 },
 "CMP-LZP-P-PLATFORM-KEY": {
 "name": "cmp-lzp-p-platform",
- "description": "One-OE Prod Workload Environment, Common Platform Compartment"
+ "description": "Prod Workload Environment, Common Platform Compartment"
 },
 "CMP-LZP-P-PROJECTS-KEY": {
 "name": "cmp-lzp-p-projects",
@@ -40,19 +40,19 @@
 "children": {
 "CMP-LZP-P-PROJ1-KEY": {
 "name": "cmp-lzp-p-proj1",
- "description": "oci-mtlz-customer Production environment, Project 1 compartment",
+ "description": "Production environment, Project 1 compartment",
 "children": {
 "CMP-LZP-P-PROJ1-APP-KEY": {
 "name": "cmp-lzp-p-proj1-app",
- "description": "oci-mtlz-customer Production environment, Project 1, Application layer"
+ "description": "Production environment, Project 1, Application layer"
 },
 "CMP-LZP-P-PROJ1-DB-KEY": {
 "name": "cmp-lzp-p-proj1-db",
- "description": "oci-mtlz-customer Production environment, Project 1, DB layer"
+ "description": "Production environment, Project 1, DB layer"
 },
 "CMP-LZP-P-PROJ1-INFRA-KEY": {
 "name": "cmp-lzp-p-proj1-infra",
- "description": "oci-mtlz-customer Production environment, Project 1, Infra layer"
+ "description": "Production environment, Project 1, Infra layer"
 }
 }
 }
@@ -60,47 +60,45 @@ } } }, - "CMP-LZP-UAT-KEY": { - "name": "cmp-lzp-uat", - "description": "One-OE UAT Environment Compartment", + "CMP-LZP-PREPROD-KEY": { + "name": "cmp-lzp-preprod", + "description": "Preprod Environment Compartment", "children": { - "CMP-LZP-U-NETWORK-KEY": { - "name": "cmp-lzp-uat-network", - "description": "One-OE UAT Workload Environment, Common Network Compartment" + "CMP-LZP-PP-NETWORK-KEY": { + "name": "cmp-lzp-pp-network", + "description": "Preprod Workload Environment, Common Network Compartment" }, - "CMP-LZP-U-SECURITY-KEY": { - "name": "cmp-lzp-uat-security", - "description": "One-OE UAT Workload Environment, Common Security Compartment" + "CMP-LZP-PP-SECURITY-KEY": { + "name": "cmp-lzp-pp-security", + "description": "Preprod Workload Environment, Common Security Compartment" }, - "CMP-LZP-U-PLATFORM-KEY": { - "name": "cmp-lzp-uat-platform", - "description": "One-OE UAT Workload Environment, Common Platform Compartment" + "CMP-LZP-PP-PLATFORM-KEY": { + "name": "cmp-lzp-pp-platform", + "description": "Preprod Workload Environment, Common Platform Compartment" }, - "CMP-LZP-U-PROJECTS-KEY": { - "name": "cmp-lzp-uat-projects", - "description": "One-OE UAT Workload Environment, Common Projects Compartment" - } - } - }, - "CMP-LZP-DEV-KEY": { - "name": "cmp-lzp-dev", - "description": "One-OE Dev Environment Compartment", - "children": { - "CMP-LZP-D-NETWORK-KEY": { - "name": "cmp-lzp-dev-network", - "description": "One-OE DEV Workload Environment, Common Network Compartment" - }, - "CMP-LZP-D-SECURITY-KEY": { - "name": "cmp-lzp-dev-security", - "description": "One-OE DEV Workload Environment, Common Security Compartment" - }, - "CMP-LZP-D-PLATFORM-KEY": { - "name": "cmp-lzp-dev-platform", - "description": "One-OE DEV Workload Environment, Common Platform Compartment" - }, - "CMP-LZP-D-PROJECTS-KEY": { - "name": "cmp-lzp-dev-projects", - "description": "One-OE DEV Workload Environment, Common Projects Compartment" + 
"CMP-LZP-PP-PROJECTS-KEY": { + "name": "cmp-lzp-pp-projects", + "description": "One-OE Preprod Workload Environment, Common Projects Compartment", + "children": { + "CMP-LZP-PP-PROJ1-KEY": { + "name": "cmp-lzp-pp-proj1", + "description": "Preproduction environment, Project 1 compartment", + "children": { + "CMP-LZP-PP-PROJ1-APP-KEY": { + "name": "cmp-lzp-pp-proj1-app", + "description": "Preproduction environment, Project 1, Application layer" + }, + "CMP-LZP-PP-PROJ1-DB-KEY": { + "name": "cmp-lzp-pp-proj1-db", + "description": "Preproduction environment, Project 1, DB layer" + }, + "CMP-LZP-PP-PROJ1-INFRA-KEY": { + "name": "cmp-lzp-pp-proj1-infra", + "description": "Preproduction environment, Project 1, Infra layer" + } + } + } + } } } } 
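Review bot: The new `CMP-LZP-PP-PROJECTS-KEY` entry still carries the `One-OE ` prefix that every other description in this commit drops (`"description": "One-OE Preprod Workload Environment, Common Projects Compartment"`); for consistency it should read `"description": "Preprod Workload Environment, Common Projects Compartment"`. Separately, the UAT and DEV subtrees are not renamed in place but replaced under new map keys (`CMP-LZP-UAT-KEY`/`CMP-LZP-DEV-KEY` → `CMP-LZP-PREPROD-KEY`), so on a tenancy that already applied the previous config the plan will presumably destroy the uat/dev compartments and create the preprod ones — worth stating in the commit message or readme, since compartment deletion fails while they still contain resources. The enclosing `compartments` map starts before this hunk.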
@@ -110,52 +108,100 @@ }, "groups_configuration": { "groups": { - "GRP-OE-IAM-ADMINS": { + "GRP-IAM-ADMINS": { "name": "grp-iam-admins", - "description": "GRP.01 Tenancy global Identity and access management administrator." + "description": "Tenancy global Identity and access management administrator group." }, - "GRP-OE-CREDENTIAL-ADMINS": { + "GRP-CREDENTIAL-ADMINS": { "name": "grp-credential-admins", - "description": "GRP.02 Tenancy global credential administrator." + "description": "Tenancy global credential administrator group." }, - "GRP-OE-ANNOUNCEMENT-READERS": { + "GRP-ANNOUNCEMENT-READERS": { "name": "grp-announcement-readers", - "description": "GRP.03 Tenancy global readers of OCI monitoring information." + "description": "Tenancy global readers of OCI monitoring information group." }, - "GRP-OE-BUDGET-ADMINS": { - "name": "grp-budget-admins", - "description": "GRP.04 Tenancy global budget control." + "GRP-COST-ADMINS": { + "name": "grp-cost-admins", + "description": "Tenancy global cost control group." }, - "GRP-OE-AUDITORS": { + "GRP-AUDITORS": { "name": "grp-auditors", - "description": "GRP.05 Tenancy global read access (for security auditing or health checks)." + "description": "Tenancy global read access group(for security auditing or health checks)." }, - "GRP-OE-NETWORK-ADMINS": { - "name": "grp-network-admins", - "description": "GRP.06 Tenancy global and shared network administration group, including common OE network elements." - }, - "GRP-OE-SECURITY-ADMINS": { + "GRP-SECURITY-ADMINS": { "name": "grp-security-admins", - "description": "GRP.07 Tenancy global and shared security administration group." + "description": "Tenancy Security Administrators for global resources as Cloud Guard." + }, + "GRP-LZP-IAM-ADMINS": { + "name": "grp-lzp-iam-admins", + "description": "Production Landing Zone Environment Identity and access management administrator group." 
}, - "GRP-LZP-P-PROJ1-APP-ADMINS": { - "name": "grp-lzp-p-proj1-app-admins", - "description": "GRP.OE.08 Group responsible for administrating PROD/PROJ1/APP related applications." + "GRP-LZP-NETWORK-ADMINS": { + "name": "grp-lzp-network-admins", + "description": "Production Landing Zone Environment shared network administration group, including common OE network elements." + }, + "GRP-LZP-SECURITY-ADMINS": { + "name": "grp-lzp-security-admins", + "description": "Production Landing Zone Environment shared security administration group, including common OE network elements." }, - "GRP-LZP-P-PROJ1-DB-ADMINS": { - "name": "grp-lzp-p-proj1-db-admins", - "description": "GRP.OE.09 Group responsible for administrating PROD/PROJ1/DB related databases." + "GRP-LZP-PLATFORM-ADMINS": { + "name": "grp-lzp-platform-admins", + "description": "Production Landing Zone Environment shared platform administration group, including common OE network elements." }, - "GRP-LZP-P-PROJ1-INFRA-ADMINS": { - "name": "grp-lzp-p-proj1-infra-admins", - "description": "GRP.OE.10 Group responsible for administrating PROD/PROJ1/INFRA related infrastructure." + "GRP-LZP-PROD-IAM-ADMINS": { + "name": "grp-lzp-prod-iam-admins", + "description": "Production Landing Zone Environment Production environment IAM administrator." + }, + "GRP-LZP-PROD-NETWORK-ADMINS": { + "name": "grp-lzp-prod-network-admins", + "description": "Production Landing Zone Environment, Production environment, network administration group." + }, + "GRP-LZP-PROD-SECURITY-ADMINS": { + "name": "grp-lzp-prod-security-admins", + "description": "Production Landing Zone Environment, Production environment, security administration group." + }, + "GRP-LZP-PREPROD-IAM-ADMINS": { + "name": "grp-lzp-preprod-iam-admins", + "description": "Production Landing Zone Environment Pre-production environment IAM administrator." 
+ }, + "GRP-LZP-PREPROD-NETWORK-ADMINS": { + "name": "grp-lzp-preprod-network-admins", + "description": "Production Landing Zone Environment, Pre-production environment, network administration group." + }, + "GRP-LZP-PREPROD-SECURITY-ADMINS": { + "name": "grp-lzp-preprod-security-admins", + "description": "Production Landing Zone Environment, Pre-production environment, security administration group." + }, + "GRP-LZP-PROD-PROJ1-APP-ADMINS": { + "name": "grp-lzp-prod-proj1-app-admins", + "description": "Production Landing Zone Environment, Production environment, Project 1, Application Administrators." + }, + "GRP-LZP-PROD-PROJ1-DB-ADMINS": { + "name": "grp-lzp-prod-proj1-db-admins", + "description": "Production Landing Zone Environment, Production environment, Project 1, Database Administrators." + }, + "GRP-LZP-PROD-PROJ1-INFRA-ADMINS": { + "name": "grp-lzp-prod-proj1-infra-admins", + "description": "Production Landing Zone Environment, Production environment, Project 1, Infra Administrators." + }, + "GRP-LZP-PREPROD-PROJ1-APP-ADMINS": { + "name": "grp-lzp-preprod-proj1-app-admins", + "description": "Production Landing Zone Environment, Pre-production environment, Project 1, Application Administrators." + }, + "GRP-LZP-PREPROD-PROJ1-DB-ADMINS": { + "name": "grp-lzp-preprod-proj1-db-admins", + "description": "Production Landing Zone Environment, Pre-production environment, Project 1, Database Administrators." + }, + "GRP-LZP-PREPROD-PROJ1-INFRA-ADMINS": { + "name": "grp-lzp-preprod-proj1-infra-admins", + "description": "Production Landing Zone Environment, Pre-production environment, Project 1, Infra Administrators." } } }, "policies_configuration": { "enable_cis_benchmark_checks": "false", "supplied_policies": { - "PCY-OE-SERVICES": { + "PCY-SERVICES": { "name": "pcy-services", "description": "POL.00 Open LZ policy for all supported resources in the tenancy.", "compartment_id": "TENANCY-ROOT", 
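Review bot: The descriptions of `GRP-LZP-SECURITY-ADMINS` and `GRP-LZP-PLATFORM-ADMINS` both end in `including common OE network elements.`, which looks copied from the network-admins entry and misstates what those groups administer; suggest `"description": "Production Landing Zone Environment shared security administration group."` and the platform equivalent. Two smaller wording slips in the same hunk: `GRP-SECURITY-ADMINS` reads `for global resources as Cloud Guard` (likely `such as Cloud Guard`), and `GRP-AUDITORS` is missing a space in `group(for`. The hunk also drops the tenancy-level `GRP-OE-NETWORK-ADMINS` group, which is consistent with the removal of `PCY-OE-NETWORK-ADMINISTRATION` later in this file, but the policies binding the many new `grp-lzp-*` groups are outside the visible part of the diff, so I could not confirm each new group is referenced by at least one statement. Group descriptions are what an IAM review reads first, so they are worth getting right here.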
@@ -164,12 +210,12 @@
 "allow service cloudguard to read tenancies in tenancy",
 "allow service cloudguard to read all-resources in tenancy",
 "allow service cloudguard to use network-security-groups in tenancy",
- "Allow any-user to { WLP_BOM_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
- "Allow any-user to { WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
- "Endorse any-user to { WLP_LOG_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
- "Endorse any-user to { WLP_METRICS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
- "Endorse any-user to { WLP_ADHOC_QUERY_READ } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
- "Endorse any-user to { WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "allow any-user to { WLP_BOM_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "allow any-user to { WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "endorse any-user to { WLP_LOG_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "endorse any-user to { WLP_METRICS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "endorse any-user to { WLP_ADHOC_QUERY_READ } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "endorse any-user to { WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
 "allow service vulnerability-scanning-service to manage instances in tenancy",
 "allow service vulnerability-scanning-service to read compartments in tenancy",
 "allow service vulnerability-scanning-service to read repos in tenancy",
@@ -179,15 +225,15 @@
 "allow service blockstorage, oke, streaming, Fssoc1Prod, objectstorage-eu-frankfurt-1 to use keys in tenancy"
 ]
 },
- "PCY-OE-IAM-ADMINISTRATION": {
+ "PCY-IAM-ADMINISTRATION": {
 "name": "pcy-iam-administration",
- "description": "POL.01 Open LZ allows grp-iam-admins group users to manage IAM resoures in the tenancy.",
+ "description": "Policy to allow grp-iam-admins group users to manage IAM resoures in the tenancy.",
 "compartment_id": "TENANCY-ROOT",
 "statements": [
 "allow group grp-iam-admins to inspect users in tenancy",
 "allow group grp-iam-admins to manage users in tenancy where all {request.operation != 'ListApiKeys',request.operation != 'ListAuthTokens',request.operation != 'ListCustomerSecretKeys',request.operation != 'UploadApiKey',request.operation != 'DeleteApiKey',request.operation != 'UpdateAuthToken',request.operation != 'CreateAuthToken',request.operation != 'DeleteAuthToken',request.operation != 'CreateSecretKey',request.operation != 'UpdateCustomerSecretKey',request.operation != 'DeleteCustomerSecretKey'}",
 "allow group grp-iam-admins to inspect groups in tenancy",
- "allow group grp-iam-admins to read policies in tenancy",
+ "allow group grp-iam-admins to manage policies in tenancy",
 "allow group grp-iam-admins to manage groups in tenancy where all {target.group.name != 'Administrators',target.group.name != 'grp-credential-admins'}",
 "allow group grp-iam-admins to inspect identity-providers in tenancy",
 "allow group grp-iam-admins to manage identity-providers in tenancy where any {request.operation = 'AddIdpGroupMapping', request.operation = 'DeleteIdpGroupMapping'}",
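Review bot: Changing `read policies` to `"allow group grp-iam-admins to manage policies in tenancy"` makes grp-iam-admins effectively a tenancy administrator: a member can author a policy that grants themselves or any group `manage all-resources in tenancy`, which undoes the `target.group.name != 'Administrators'` and credential-admin carve-outs that the neighbouring statements are careful to keep. If the intent is only to let IAM admins maintain landing-zone policies, scope the verb to the enclosing compartment, e.g. `"allow group grp-iam-admins to manage policies in compartment cmp-landingzone-p"`, and keep `read policies in tenancy` for visibility; if tenancy-wide policy management is really wanted, say so in the description and the readme, since it is the most privileged grant in this file. The description also keeps the pre-existing typo `resoures` (should be `resources`). The statements array continues past the end of this hunk.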
@@ -202,9 +248,9 @@
 "allow group grp-iam-admins to manage orm-config-source-providers in tenancy"
 ]
 },
- "PCY-OE-CREDENTIAL-ADMINISTRATION": {
+ "PCY-CREDENTIAL-ADMINISTRATION": {
 "name": "pcy-credential-administration",
- "description": "POL.02 Open LZ policy which allows grp-credential-admins group users to manage user credentials of local users in the tenancy .",
+ "description": "Policy which allows grp-credential-admins group users to manage user credentials of local users in the tenancy.",
 "compartment_id": "TENANCY-ROOT",
 "statements": [
 "allow group grp-credential-admins to inspect users in tenancy",
@@ -213,29 +259,29 @@
 "allow group grp-credential-admins to use cloud-shell in tenancy"
 ]
 },
- "PCY-OE-ANNOUNCEMENT-READERS": {
+ "PCY-ANNOUNCEMENT-READERS": {
 "name": "pcy-announcement-readers",
- "description": "POL.03 Open LZ policy which allows grp-announcement-readers group users to read OCI announcements in the tenancy.",
+ "description": "Policy which allows grp-announcement-readers group users to read OCI announcements in the tenancy.",
 "compartment_id": "TENANCY-ROOT",
 "statements": [
 "allow group grp-announcement-readers to read announcements in tenancy",
 "allow group grp-announcement-readers to use cloud-shell in tenancy"
 ]
 },
- "PCY-OE-BUDGET-ADMINISTRATION": {
- "name": "pcy-budget-administration",
- "description": "POL.04 Open LZ policy which allows grp-budget-admins group users to manage all budget resources in the tenancy.",
+ "PCY-COST-ADMINISTRATION": {
+ "name": "pcy-cost-administration",
+ "description": "Policy which allows grp-cost-admins group users to manage all budget resources in the tenancy.",
 "compartment_id": "TENANCY-ROOT",
 "statements": [
 "define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq",
- "endorse group grp-budget-admins to read objects in tenancy usage-report",
- "allow group grp-budget-admins to manage usage-report in tenancy",
- "allow group grp-budget-admins to manage usage-budgets in tenancy"
+ "endorse group grp-cost-admins to read objects in tenancy usage-report",
+ "allow group grp-cost-admins to manage usage-report in tenancy",
+ "allow group grp-cost-admins to manage usage-budgets in tenancy"
 ]
 },
- "PCY-OE-AUDITING": {
+ "PCY-AUDITING": {
 "name": "pcy-auditing",
- "description": "POL.05 Open LZ policy which allows grp-auditors group users to read all the resources in the tenancy.",
+ "description": "Policy which allows grp-auditors group users to read all the resources in the tenancy.",
 "compartment_id": "TENANCY-ROOT",
 "statements": [
 "allow group grp-auditors to inspect all-resources in tenancy",
@@ -254,33 +300,18 @@ "allow group grp-auditors to read vss-family in tenancy", "allow group grp-auditors to read usage-budgets in tenancy", "allow group grp-auditors to read usage-reports in tenancy", - "allow group grp-auditors to read data-safe-family in tenancy" + "allow group grp-auditors to read data-safe-family in tenancy", + "allow group grp-auditors to read vaults in tenancy", + "allow group grp-auditors to read keys in tenancy", + "allow group grp-auditors to read tag-namespaces in tenancy", + "allow group grp-auditors to read serviceconnectors in tenancy", + "allow group grp-auditors to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}" + ] }, - "PCY-OE-NETWORK-ADMINISTRATION": { - "name": "pcy-network-administration", - "description": "POL.06 Open LZ policy which allows grp-network-admins group users to manage all network resources in the compartment.", - "compartment_id": "TENANCY-ROOT", - "statements": [ - "allow group grp-network-admins to use cloud-shell in tenancy", - "allow group grp-network-admins to read usage-budgets in tenancy", - "allow group grp-network-admins to read usage-reports in tenancy", - "allow group grp-network-admins to read objectstorage-namespaces in tenancy", - "allow group grp-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage load-balancers in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to 
manage ons-family in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-network", - "allow group grp-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-network" - ] - }, - "PCY-OE-SECURITY-ADMINISTRATION": { + "PCY-SECURITY-ADMINISTRATION": { "name": "pcy-security-administration", - "description": "POL.07 Open LZ policy which allows grp-security-admins group users to manage all security resources in the security compartment.", + "description": "Policy which allows grp-security-admins group users to manage all security resources in the security compartment.", "compartment_id": "TENANCY-ROOT", "statements": [ "allow group grp-security-admins to use cloud-shell in tenancy", 
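Review bot: The new auditor statement `use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}` does not exclude the write operations it names: with `any`, an `UpdateTopic` request still satisfies `request.operation!=/Create*/` and so the condition passes. The conjunction is what is meant, `where all {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}`, which is also the form the iam-administration policy in this file uses for its operation carve-outs. The other additions (`read vaults`, `read keys`, `read tag-namespaces`, `read serviceconnectors`) are read-only and fit an auditor role. The removal of `PCY-OE-NETWORK-ADMINISTRATION` matches the deleted `GRP-OE-NETWORK-ADMINS` group earlier in this file; the `pcy-security-administration` statements continue past the end of this hunk.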
@@ -290,126 +321,538 @@
 "allow group grp-security-admins to manage cloudevents-rules in tenancy",
 "allow group grp-security-admins to manage cloud-guard-family in tenancy",
 "allow group grp-security-admins to read tenancies in tenancy",
- "allow group grp-security-admins to manage tag-namespaces in tenancy",
- "allow group grp-security-admins to manage tag-defaults in tenancy",
- "allow group grp-security-admins to manage repos in tenancy",
- "allow group grp-security-admins to read audit-events in tenancy",
- "allow group grp-security-admins to read app-catalog-listing in tenancy",
- "allow group grp-security-admins to read instance-images in tenancy",
- "allow group grp-security-admins to inspect buckets in tenancy",
- "allow group grp-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
- "allow group grp-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
- "allow group grp-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
- "allow group grp-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-security",
- "allow group grp-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-security"
+ "allow group grp-security-admins to read objectstorage-namespaces in tenancy"
+ ]
+ },
+ "PCY-LZP-IAM-ADMINISTRATION": {
+ "name": "pcy-lzp-iam-administration",
+ "description": "Policy to allow grp-lzp-iam-admins group users to manage IAM resoures in the Landing Zone Production environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-iam-admins to manage policies in compartment cmp-landingzone-p",
+ "allow group grp-iam-admins to manage compartments in compartment cmp-landingzone-p"
+ ]
+ },
+ "PCY-LZP-NETWORK-ADMINISTRATION": {
+ "name": "pcy-lzp-network-administration",
+ "description": "Policy which allows grp-lzp-network-admins group users to manage all network resources in the compartment cmp-landingzone-p:cmp-lzp-network.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-network-admins to use cloud-shell in tenancy",
+ "allow group grp-lzp-network-admins to read usage-budgets in tenancy",
+ "allow group grp-lzp-network-admins to read usage-reports in tenancy",
+ "allow group grp-lzp-network-admins to read objectstorage-namespaces in tenancy",
+ "allow group grp-lzp-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage load-balancers in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to read ons-topics in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-network-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-network-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-network where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-network-admins to manage bastion-session in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to read vss-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-network-admins to use bastion in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-network-admins to use bastion-session in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-network-admins to use vaults in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-network-admins to read logging-family in compartment cmp-landingzone-p:cmp-lzp-security"
+ ]
+ },
+ "PCY-LZP-SECURITY-ADMINISTRATION": {
+ "name": "pcy-lzp-security-administration",
+ "description": "Policy which allows grp-security-admins group users to manage all security resources in the Landing Zone Production Environment, shared Security compartment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-security-admins to manage tag-namespaces in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage tag-defaults in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read app-catalog-listing in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read instance-images in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to inspect buckets in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-network",
+ "allow group grp-lzp-security-admins to manage operator-control-family in compartment cmp-landingzone-p:cmp-lzp-security"
+ ]
+ },
+ "PCY-LZP-PROD-IAM-ADMINISTRATION": {
+ "name": "pcy-lzp-prod-iam-administration",
+ "description": "Policy to allow grp-lzp-prod-iam-admins group users to manage IAM resoures in the Landing Zone Production environment, Prod Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-prod-iam-admins to manage policies in compartment cmp-landingzone-p:cmp-lzp-prod",
+ "allow group grp-lzp-prod-iam-admins to manage compartments in compartment cmp-landingzone-p:cmp-lzp-prod"
+ ]
+ },
+ "PCY-LZP-PREPROD-IAM-ADMINISTRATION": {
+ "name": "pcy-lzp-preprod-iam-administration",
+ "description": "Policy to allow grp-lzp-preprod-iam-admins group users to manage IAM resoures in the Landing Zone Production environment, Preprod Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-preprod-iam-admins to manage policies in compartment cmp-landingzone-p:cmp-lzp-preprod",
+ "allow group grp-lzp-preprod-iam-admins to manage compartments in compartment cmp-landingzone-p:cmp-lzp-preprod"
+ ]
+ },
+ "PCY-LZP-PROD-NETWORK-ADMINISTRATION": {
+ "name": "pcy-lzp-prod-network-administration",
+ "description": "Policy which allows grp-lzp-prod-network-admins group users to manage all network resources in the Landing Zone Production Environment, Shared network compartment of Production Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-prod-network-admins to use cloud-shell in tenancy",
+ "allow group grp-lzp-prod-network-admins to read usage-budgets in tenancy",
+ "allow group grp-lzp-prod-network-admins to read usage-reports in tenancy",
+ "allow group grp-lzp-prod-network-admins to read objectstorage-namespaces in tenancy",
+ "allow group grp-lzp-prod-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to read ons-topics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-prod-network-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-prod-network-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-prod-network-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to read vss-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-network",
+ "allow group grp-lzp-prod-network-admins to use bastion in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-network-admins to use bastion-session in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-network-admins to use vaults in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-network-admins to read logging-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security"
+ ]
+ },
+ "PCY-LZP-PROD-SECURITY-ADMINISTRATION": {
+ "name": "pcy-lzp-prod-security-administration",
+ "description": "Policy which allows grp-lzp-prod-security-admins group users to manage all security resources in the Landing Zone Production Environment, Shared network compartment of Production Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-prod-security-admins to manage tag-namespaces in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage tag-defaults in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read app-catalog-listing in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read instance-images in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to inspect buckets in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-prod-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-prod-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-prod-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security",
+ "allow group grp-lzp-prod-security-admins to manage operator-control-family in compartment cmp-landingzone-p:cmp-lzp-prod:cmp-lzp-p-security"
+ ]
+ },
+ "PCY-LZP-PREPROD-NETWORK-ADMINISTRATION": {
+ "name": "pcy-lzp-preprod-network-administration",
+ "description": "Policy which allows grp-lzp-preprod-network-admins group users to manage all network resources in the Landing Zone Production Environment, Shared network compartment of Preprod Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-preprod-network-admins to use cloud-shell in tenancy",
+ "allow group grp-lzp-preprod-network-admins to read usage-budgets in tenancy",
+ "allow group grp-lzp-preprod-network-admins to read usage-reports in tenancy",
+ "allow group grp-lzp-preprod-network-admins to read objectstorage-namespaces in tenancy",
+ "allow group grp-lzp-preprod-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to read ons-topics in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-preprod-network-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-preprod-network-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-preprod-network-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to read vss-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-network",
+ "allow group grp-lzp-preprod-network-admins to use bastion in compartment cmp-landingzone-p:cmp-lzp-security",
+ "allow group grp-lzp-preprod-network-admins to use bastion-session in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-network-admins to use vaults in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-network-admins to read logging-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security"
+ ]
+ },
+ "PCY-LZP-PREPROD-SECURITY-ADMINISTRATION": {
+ "name": "pcy-lzp-preprod-security-administration",
+ "description": "Policy which allows grp-lzp-preprod-security-admins group users to manage all security resources in the Landing Zone Production Environment, Shared network compartment of Preprod Environment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-lzp-preprod-security-admins to manage tag-namespaces in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage tag-defaults in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage repos in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read audit-events in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read app-catalog-listing in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read instance-images in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to inspect buckets in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-lzp-preprod-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-lzp-preprod-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-lzp-preprod-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security",
+ "allow group grp-lzp-preprod-security-admins to 
manage operator-control-family in compartment cmp-landingzone-p:cmp-lzp-preprod:cmp-lzp-pp-security" + ] + }, + "PCY-LZP-PROD-PROJ1-APP-ADMINISTRATION": { + "name": "pcy-lzp-prod-proj1-app-administration", + "description": "Policy which allows grp-lzp-prod-proj1-app-admins groups to manage the resources in the Landing Zone Production Environment, Production environment, Project 1, application compartment.", + "compartment_id": "CMP-LZP-PROD-KEY", + "statements": [ + "allow group grp-lzp-prod-proj1-app-admins to read all-resources in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-app-admins to use network-security-groups in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage api-gateway-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage streams in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage cluster-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage alarms in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage metrics in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage logging-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage instance-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage volume-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", 
+ "allow group grp-lzp-prod-proj1-app-admins to manage object-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", + "allow group grp-lzp-prod-proj1-app-admins to manage file-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", + "allow group grp-lzp-prod-proj1-app-admins to manage repos in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage orm-stacks in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage orm-config-source-providers in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to read audit-events in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to read work-requests in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage bastion-session in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage cloudevents-rules in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to read instance-agent-plugins in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage keys in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to use key-delegate in compartment 
cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to manage secret-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to use subnets in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-app-admins to use virtual-network-family in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-app-admins to use vnics in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-app-admins to manage private-ips in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-app-admins to use load-balancers in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", + "allow group grp-lzp-prod-proj1-app-admins to read ons-topics in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to use vaults in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to manage instance-images in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to use vss-family in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to use bastion in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to read logging-family in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-app-admins to read autonomous-database-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-app-admins to read database-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db" + ] + }, + "PCY-LZP-PROD-PROJ1-DB-ADMINISTRATION": { + "name": "pcy-lzp-prod-proj1-db-administration", + "description": "Policy which allows grp-lzp-prod-proj1-db-admins groups to manage the resources in the Landing Zone Production Environment, Production environment, Project 1, database compartment.", + "compartment_id": "CMP-LZP-PROD-KEY", + "statements": [ + "allow 
group grp-lzp-prod-proj1-db-admins to read all-resources in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-db-admins to use network-security-groups in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage database-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage autonomous-database-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage alarms in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage metrics in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage cloudevents-rules in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage logging-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage instance-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage volume-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", + "allow group grp-lzp-prod-proj1-db-admins to manage object-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", + "allow group grp-lzp-prod-proj1-db-admins to manage file-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', 
request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", + "allow group grp-lzp-prod-proj1-db-admins to manage orm-stacks in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage orm-jobs in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage orm-config-source-providers in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to read audit-events in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to read work-requests in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage bastion-session in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage data-safe-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to read instance-agent-plugins in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to use vnics in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage keys in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to use key-delegate in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage secret-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to manage repos in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", + "allow group grp-lzp-prod-proj1-db-admins to use subnets in 
compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-db-admins to read virtual-network-family in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-db-admins to use vnics in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-db-admins to manage private-ips in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-db-admins to read ons-topics in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-db-admins to use vaults in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-db-admins to use vss-family in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-db-admins to use bastion in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-db-admins to manage bastion-session in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-db-admins to read logging-family in compartment cmp-lzp-p-security" + ] + }, + "PCY-LZP-PROD-PROJ1-INFRA-ADMINISTRATION": { + "name": "pcy-lzp-prod-proj1-infra-administration", + "description": "Policy which allows grp-lzp-prod-proj1-infra-admins groups to manage the resources in the Landing Zone Production Environment, Production environment, Project 1 compartments.", + "compartment_id": "CMP-LZP-PROD-KEY", + "statements": [ + "allow group grp-lzp-prod-proj1-infra-admins to read all-resources in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to read bucket in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to inspect object in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to manage object-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to manage volume-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to manage file-family in compartment 
cmp-lzp-p-projects:cmp-lzp-p-proj1", + "allow group grp-lzp-prod-proj1-infra-admins to use network-security-groups in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage cluster-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage alarms in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage metrics in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage logging-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage instance-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage repos in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage orm-stacks in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage orm-config-source-providers in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to read audit-events in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to read work-requests in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage bastion-session in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage cloudevents-rules in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to read 
instance-agent-plugins in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage keys in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to use key-delegate in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to manage secret-family in compartment cmp-lzp-p-projects:cmp-lzp-p-proj1:cmp-lzp-p-proj1-infra", + "allow group grp-lzp-prod-proj1-infra-admins to use subnets in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-infra-admins to use virtual-network-family in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-infra-admins to use vnics in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-infra-admins to manage private-ips in compartment cmp-lzp-p-network", + "allow group grp-lzp-prod-proj1-infra-admins to read ons-topics in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-infra-admins to use vaults in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-infra-admins to manage instance-images in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-infra-admins to use vss-family in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-infra-admins to use bastion in compartment cmp-lzp-p-security", + "allow group grp-lzp-prod-proj1-infra-admins to read logging-family in compartment cmp-lzp-p-security" ] }, - "PCY-LZP-PROJECTS-COMMON-NETWORK": { - "name": "pcy-lzp-p-projects-common-network", - "description": "Open LZ policy which allows the different production projects groups to access common networking resources in the Prod. 
Network.", - "compartment_id": "CMP-LANDINGZONE-P-KEY", + "PCY-LZP-PREPROD-PROJ1-APP-ADMINISTRATION": { + "name": "pcy-lzp-preprod-proj1-app-administration", + "description": "Policy which allows grp-lzp-preprod-proj1-app-admins groups to manage the resources in the Landing Zone Production Environment, Pre-production environment, Project 1, application compartment.", + "compartment_id": "CMP-LZP-PREPROD-KEY", "statements": [ - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to read virtual-network-family in compartment cmp-lzp-prod:cmp-lzp-p-network", - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to use subnets in compartment cmp-lzp-prod:cmp-lzp-p-network", - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to use network-security-groups in compartment cmp-lzp-prod:cmp-lzp-p-network", - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to use vnics in compartment cmp-lzp-prod:cmp-lzp-p-network", - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to manage private-ips in compartment cmp-lzp-prod:cmp-lzp-p-network", - "allow group grp-lzp-p-proj1-app-admins,grp-lzp-p-proj1-db-admins to use load-balancers in compartment cmp-lzp-prod:cmp-lzp-p-network" + "allow group grp-lzp-preprod-proj1-app-admins to read all-resources in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-app-admins to use network-security-groups in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage api-gateway-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage streams in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage cluster-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group 
grp-lzp-preprod-proj1-app-admins to manage alarms in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage metrics in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage logging-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage instance-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage volume-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", + "allow group grp-lzp-preprod-proj1-app-admins to manage object-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", + "allow group grp-lzp-preprod-proj1-app-admins to manage file-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", + "allow group grp-lzp-preprod-proj1-app-admins to manage repos in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage orm-stacks in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage orm-config-source-providers in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to read audit-events in 
compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to read work-requests in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage bastion-session in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage cloudevents-rules in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to read instance-agent-plugins in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage keys in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to use key-delegate in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to manage secret-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to use subnets in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-app-admins to use virtual-network-family in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-app-admins to use vnics in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-app-admins to manage private-ips in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-app-admins to use load-balancers in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-app", + "allow group grp-lzp-preprod-proj1-app-admins to read ons-topics in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-app-admins to use vaults in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-app-admins to manage instance-images in compartment cmp-lzp-pp-security", + "allow group 
grp-lzp-preprod-proj1-app-admins to use vss-family in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-app-admins to use bastion in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-app-admins to read logging-family in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-app-admins to read autonomous-database-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-app-admins to read database-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db" ] }, - "PCY-LZP-P-PROJ1-APP-ADMINISTRATORS-POLICY": { - "name": "pcy-lzp-p-proj1-app-administration", - "description": "Open LZ policy which allows the grp-lzp-p-proj1-app-admins group users to manage applications in the PROD/PROJ1/APP application compartment.", - "compartment_id": "CMP-LZP-P-PROJECTS-KEY", + "PCY-LZP-PREPROD-PROJ1-DB-ADMINISTRATION": { + "name": "pcy-lzp-preprod-proj1-db-administration", + "description": "Policy which allows grp-lzp-prod-proj1-db-admins groups to manage the resources in the Landing Zone Production Environment, Pre-production environment, Project 1, database compartment.", + "compartment_id": "CMP-LZP-PREPROD-KEY", "statements": [ - "allow group grp-lzp-p-proj1-app-admins to use cloud-shell in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to read all-resources in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to use network-security-groups in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage functions-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage api-gateway-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage ons-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow 
group grp-lzp-p-proj1-app-admins to manage streams in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage cluster-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage alarms in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage metrics in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage logging-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage instance-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage volume-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", - "allow group grp-lzp-p-proj1-app-admins to manage object-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", - "allow group grp-lzp-p-proj1-app-admins to manage file-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", - "allow group grp-lzp-p-proj1-app-admins to manage repos in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage orm-stacks in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage orm-jobs in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage orm-config-source-providers in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", 
- "allow group grp-lzp-p-proj1-app-admins to read audit-events in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to read work-requests in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage bastion-session in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage cloudevents-rules in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to read instance-agent-plugins in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage keys in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to use key-delegate in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to manage secret-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app", - "allow group grp-lzp-p-proj1-app-admins to read repos in compartment cmp-lzp-p-proj1" + "allow group grp-lzp-preprod-proj1-db-admins to read all-resources in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-db-admins to use network-security-groups in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage database-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage autonomous-database-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage alarms in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage metrics in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage cloudevents-rules in compartment 
cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage logging-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage instance-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage volume-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", + "allow group grp-lzp-preprod-proj1-db-admins to manage object-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", + "allow group grp-lzp-preprod-proj1-db-admins to manage file-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", + "allow group grp-lzp-preprod-proj1-db-admins to manage orm-stacks in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage orm-jobs in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage orm-config-source-providers in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to read audit-events in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to read work-requests in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + 
"allow group grp-lzp-preprod-proj1-db-admins to manage bastion-session in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage data-safe-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to read instance-agent-plugins in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to use vnics in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage keys in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to use key-delegate in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage secret-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to manage repos in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-db", + "allow group grp-lzp-preprod-proj1-db-admins to use subnets in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-db-admins to read virtual-network-family in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-db-admins to use vnics in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-db-admins to manage private-ips in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-db-admins to read ons-topics in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-db-admins to use vaults in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-db-admins to use vss-family in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-db-admins to use bastion in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-db-admins 
to manage bastion-session in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-db-admins to read logging-family in compartment cmp-lzp-pp-security" ] }, - "PCY-LZP-P-PROJ1-DB-ADMINISTRATORS-POLICY": { - "name": "pcy-lzp-p-proj1-db-administration", - "description": "Open LZ policy which allows the grp-lzp-p-proj1-db-admins group users to manage databases in the OE1/PROD/DEPTA/PROJ1 database compartment.", - "compartment_id": "CMP-LZP-P-PROJECTS-KEY", + "PCY-LZP-PREPROD-PROJ1-INFRA-ADMINISTRATION": { + "name": "pcy-lzp-preprod-proj1-infra-administration", + "description": "Policy which allows grp-lzp-prod-proj1-infra-admins groups to manage the resources in the Landing Zone Production Environment, Pre-production environment, Project 1 compartments.", + "compartment_id": "CMP-LZP-PREPROD-KEY", "statements": [ - "allow group grp-lzp-p-proj1-db-admins to use cloud-shell in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to read all-resources in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to use network-security-groups in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage database-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage autonomous-database-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage ons-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage alarms in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage metrics in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage logging-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage instance-family in compartment 
cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage volume-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}", - "allow group grp-lzp-p-proj1-db-admins to manage object-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}", - "allow group grp-lzp-p-proj1-db-admins to manage file-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}", - "allow group grp-lzp-p-proj1-db-admins to manage orm-stacks in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage orm-jobs in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage orm-config-source-providers in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to read audit-events in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to read work-requests in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage bastion-session in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage data-safe-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage cloudevents-rules in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to read instance-agent-plugins in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to use vnics in 
compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage keys in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to use key-delegate in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db", - "allow group grp-lzp-p-proj1-db-admins to manage secret-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db" + "allow group grp-lzp-preprod-proj1-infra-admins to read all-resources in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to read bucket in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to inspect object in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to manage object-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to manage volume-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to manage file-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1", + "allow group grp-lzp-preprod-proj1-infra-admins to use network-security-groups in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage cluster-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage alarms in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage metrics in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage logging-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage instance-family in compartment 
cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage repos in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage orm-stacks in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage orm-config-source-providers in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to read audit-events in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to read work-requests in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage bastion-session in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage cloudevents-rules in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to read instance-agent-plugins in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage keys in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to use key-delegate in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to manage secret-family in compartment cmp-lzp-pp-projects:cmp-lzp-pp-proj1:cmp-lzp-pp-proj1-infra", + "allow group grp-lzp-preprod-proj1-infra-admins to use subnets in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-infra-admins to use virtual-network-family in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-infra-admins to use 
vnics in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-infra-admins to manage private-ips in compartment cmp-lzp-pp-network", + "allow group grp-lzp-preprod-proj1-infra-admins to read ons-topics in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-infra-admins to use vaults in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-infra-admins to manage instance-images in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-infra-admins to use vss-family in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-infra-admins to use bastion in compartment cmp-lzp-pp-security", + "allow group grp-lzp-preprod-proj1-infra-admins to read logging-family in compartment cmp-lzp-pp-security" ] } } diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json index 476e9fa3..9f46236c 100644 --- a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json +++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json @@ -31,7 +31,7 @@ }, "ingress_rules": { "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", + "description": "ingress from 10.0.2.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", @@ -54,7 +54,7 @@ }, "ingress_rules": { "http_80": { - "description": "ingress from 0.0.0.0/0 over HTTP8080", + "description": "ingress from 0.0.0.0/0 over HTTP 80", "dst_port_max": 80, "dst_port_min": 80, "protocol": "TCP", @@ -63,7 +63,7 @@ "stateless": false }, "https_443": { - "description": "ingress from 0.0.0.0/0 over HTTPs443", + "description": "ingress from 0.0.0.0/0 over HTTPs 443", "dst_port_max": 443, "dst_port_min": 443, "protocol": "TCP", 
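Review bot: The `ssh_22` description in @@ -31 now names 10.0.2.0/24, but the rule's `src` line is outside the hunk, so it is not visible that the actual source was narrowed to match; the same description-only edit appears in @@ -72, @@ -104 and @@ -389. In the new hub layout (subnets hunk) 10.0.2.0/24 is the FW-INT subnet and the management subnet moved to 10.0.3.0/24, which is the `src` the security-list hunks (@@ -181, @@ -577, @@ -607) and NSG-02 (@@ -420) use for SSH. If SSH is meant to come from the management subnet, these four rules should read `"description": "ingress from 10.0.3.0/24 over TCP 22"` with a matching `"src": "10.0.3.0/24"`; otherwise the descriptions should say which subnet 10.0.2.0/24 is so the next reader does not assume it is the management network.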
@@ -72,7 +72,7 @@
 "stateless": false
 },
 "ssh_22": {
- "description": "ingress from 0.0.0.0/0 over TCP22",
+ "description": "ingress from 10.0.2.0/24 over TCP 22",
 "dst_port_max": 22,
 "dst_port_min": 22,
 "protocol": "TCP",
@@ -95,7 +95,7 @@
 },
 "ingress_rules": {
 "http_8080": {
- "description": "ingress from 0.0.0.0/0 over HTTP8080",
+ "description": "ingress from 0.0.0.0/0 over HTTP 80",
 "dst_port_max": 80,
 "dst_port_min": 80,
 "protocol": "TCP",
@@ -104,7 +104,7 @@
 "stateless": false
 },
 "ssh_22": {
- "description": "ingress from 0.0.0.0/0 over TCP22",
+ "description": "ingress from 10.0.2.0/24 over TCP 22",
 "dst_port_max": 22,
 "dst_port_min": 22,
 "protocol": "TCP",
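Review bot: The rule key in @@ -95 is still `http_8080` while its ports are 80 and the description was just changed to "HTTP 80"; the sibling rule in @@ -54 already uses `http_80`, and @@ -411 carries the same `http_8080` key for port 80. Renaming the key to `"http_80": {` keeps the name honest, with the caveat that a map-key rename in tfvars likely makes Terraform replace the rule rather than update it in place, so it is best done while this VCN is being rebuilt anyway. For the spoke rule in @@ -411 the source presumably remains 0.0.0.0/0 (the `src` line is not in that hunk); it could be narrowed to the hub LB subnet 10.0.1.0/24, as the security-list hunk @@ -577 does for the same port.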
@@ -116,30 +116,89 @@ } }, "route_tables": { - "RT-00-LZP-HUB-VCN-INGRESS-KEY": { - "display_name": "rt-00-lzp-hub-vcn-ingress", + "RT-00-FRA-LZP-HUB-VCN-INGRESS-KEY": { + "display_name": "rt-fra-lzp-hub-ingress", "route_rules": {} }, - "RT-01-LZP-HUB-VCN-LB-KEY": { - "display_name": "rt-01-lzp-hub-vcn-lb", - "route_rules": {} + "RT-01-FRA-LZP-HUB-VCN-LB-KEY": { + "display_name": "rt-fra-lzp-hub-lb", + "route_rules": { + "rt-vcn-fra-p-projects": { + "description": "Route to VCN Prod Projects through DRG", + "destination": "10.0.8.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + }, + "rt-vcn-fra-pp-projects": { + "description": "Route to VCN Preprod Projects through DRG", + "destination": "10.0.16.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + } + } + }, + "RT-02-FRA-LZP-HUB-VCN-FWDMZ-KEY": { + "display_name": "rt-fra-lzp-hub-dmz", + "route_rules": { + "rt-igw": { + "description": "Route to Internet through DMZ FW", + "destination": "0.0.0.0/0", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "IGW-FRA-LZP-HUB-KEY" + } + } + }, + "RT-03-FRA-LZP-HUB-VCN-FWINT-KEY": { + "display_name": "rt-fra-lzp-hub-internal", + "route_rules": { + "rt-natgw": { + "description": "Route to Internet through Private FW", + "destination": "0.0.0.0/0", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "NGW-FRA-LZP-HUB-KEY" + }, + "rt-vcn-fra-p-projects": { + "description": "Route to VCN Prod Projects through DRG", + "destination": "10.0.8.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + }, + "rt-vcn-fra-pp-projects": { + "description": "Route to VCN Preprod Projects through DRG", + "destination": "10.0.16.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + } + } }, - "RT-02-LZP-HUB-VCN-NFW-KEY": { - "display_name": "rt-02-lzp-hub-vcn-nfw", + "RT-04-FRA-LZP-HUB-VCN-NATGW-KEY": { + "display_name": 
"rt-fra-lzp-hub-natgw", "route_rules": {} }, - "RT-03-LZP-HUB-VCN-NATGW-KEY": { - "display_name": "rt-03-lzp-hub-vcn-natgw", + "RT-05-FRA-LZP-HUB-VCN-IGW-KEY": { + "display_name": "rt-fra-lzp-hub-igw", "route_rules": {} }, - "RT-04-LZP-HUB-VCN-OSN-KEY": { - "display_name": "rt-04-lzp-hub-vcn-osn", + "RT-06-LZP-HUB-VCN-MGMT-KEY": { + "display_name": "rt-fra-lzp-hub-mgmt", "route_rules": { - "sgw_route": { + "rt-vcn-fra-p-projects": { + "description": "Route to VCN Prod Projects through DRG", + "destination": "10.0.8.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + }, + "rt-vcn-fra-pp-projects": { + "description": "Route to VCN Preprod Projects through DRG", + "destination": "10.0.16.0/21", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + }, + "rt-sgw": { "description": "Route for sgw", "destination": "all-services", "destination_type": "SERVICE_CIDR_BLOCK", - "network_entity_key": "SG-FRA-LZP-HUB-KEY" + "network_entity_key": "SGW-FRA-LZP-HUB-KEY" } } } 
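Review bot: The route descriptions in @@ -116 claim firewall transit that the rules do not perform: `rt-igw` in RT-02 says "Route to Internet through DMZ FW" but its `network_entity_key` is `IGW-FRA-LZP-HUB-KEY`, and `rt-natgw` in RT-03 says "through Private FW" but points at `NGW-FRA-LZP-HUB-KEY`; no firewall or private-IP next hop appears anywhere in the hunk. Either the next hops should be the firewall's forwarding IP, as the `fw-dmz`/`fw-int` subnet names suggest the design intends, or the descriptions should read `"description": "Route to Internet via IGW"` and `"description": "Route to Internet via NAT gateway"` so nobody reads inspection into these tables. Separately, `RT-06-LZP-HUB-VCN-MGMT-KEY` is the only route-table key without the `FRA` segment used by RT-00 through RT-05.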
@@ -181,34 +240,34 @@
 ],
 "ingress_rules": [
 {
- "description": "ingress from 0.0.0.0/0 over TCP22",
+ "description": "ingress from anywhere to port TCP80",
+ "dst_port_max": 80,
+ "dst_port_min": 80,
+ "protocol": "TCP",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ },
+ {
+ "description": "ingress from 10.0.3.0/24 over TCP22",
 "dst_port_max": 22,
 "dst_port_min": 22,
 "protocol": "TCP",
- "src": "10.0.2.0/24",
+ "src": "10.0.3.0/24",
 "src_type": "CIDR_BLOCK",
 "stateless": false
- }
- ]
- },
- "SL-02-LZP-HUB-VCN-KEY": {
- "display_name": "sl-02-hub-vcn",
- "egress_rules": [
+ },
 {
- "description": "egress to 0.0.0.0/0 over TCP",
- "dst": "0.0.0.0/0",
- "dst_type": "CIDR_BLOCK",
- "protocol": "ALL",
+ "description": "ingress from 10.0.8.0/21 over all protocols",
+ "protocol": "TCP",
+ "src": "10.0.8.0/21",
+ "src_type": "CIDR_BLOCK",
 "stateless": false
- }
- ],
- "ingress_rules": [
+ },
 {
- "description": "ingress from 0.0.0.0/0 over TCP22",
- "dst_port_max": 22,
- "dst_port_min": 22,
+ "description": "ingress from 10.0.16.0/21 over all protocols",
 "protocol": "TCP",
- "src": "10.0.2.0/24",
+ "src": "10.0.16.0/21",
 "src_type": "CIDR_BLOCK",
 "stateless": false
 }
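Review bot: The two rules added at the end of @@ -181 are described as "over all protocols" but carry `"protocol": "TCP"` with no port range, so they admit every TCP port from 10.0.8.0/21 and 10.0.16.0/21 and nothing else; either set `"protocol": "ALL"` to match the description or change it to `"description": "ingress from 10.0.8.0/21 over all TCP ports"` (and likewise for 10.0.16.0/21). Because SL-02 is deleted here and, per the subnets hunk, SL-01 is now attached to the FW-INT, MGMT, LOGS and DNS subnets as well, the new 0.0.0.0/0 TCP 80 rule and the all-TCP rules from both spoke VCNs also reach the management, log and DNS subnets, which previously accepted only SSH from the management subnet. A separate, narrower list for those three subnets (SSH from 10.0.3.0/24 plus the specific DNS and log-collection ports they serve) would keep the firewall-facing rules from widening the management plane.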
@@ -216,85 +275,94 @@ } }, "subnets": { - "SN-FRA-LZP-HUB-LB-KEY": { - "availability_domain": null, + "SN-FRA-LZP-HUB-FW-DMZ-KEY": { "cidr_block": "10.0.0.0/24", "dhcp_options_key": "default_dhcp_options", - "display_name": "sn-fra-lzp-hub-lb", - "dns_label": "snfralzphublb", + "display_name": "sn-fra-lzp-hub-fw-dmz", + "dns_label": "snfrahubfwdmz", "prohibit_internet_ingress": false, "prohibit_public_ip_on_vnic": false, - "route_table_key": "RT-01-LZP-HUB-VCN-LB-KEY", + "route_table_key": "RT-02-FRA-LZP-HUB-VCN-FWDMZ-KEY", "security_list_keys": [ "SL-01-LZP-HUB-VCN-KEY" ] - }, - "SN-FRA-LZP-HUB-FW-KEY": { + }, + "SN-FRA-LZP-HUB-LB-KEY": { + "availability_domain": null, "cidr_block": "10.0.1.0/24", "dhcp_options_key": "default_dhcp_options", - "display_name": "sn-fra-lzp-hub-fw", - "dns_label": "snfralzphubfw", + "display_name": "sn-fra-lzp-hub-lb", + "dns_label": "snfrahublb", + "prohibit_internet_ingress": false, + "prohibit_public_ip_on_vnic": false, + "route_table_key": "RT-01-FRA-LZP-HUB-VCN-LB-KEY", + "security_list_keys": [] + }, + "SN-FRA-LZP-HUB-FW-INT-KEY": { + "cidr_block": "10.0.2.0/24", + "dhcp_options_key": "default_dhcp_options", + "display_name": "sn-fra-lzp-hub-fw-int", + "dns_label": "snfrahubfwint", "prohibit_internet_ingress": true, "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-02-LZP-HUB-VCN-NFW-KEY", + "route_table_key": "RT-03-FRA-LZP-HUB-VCN-FWINT-KEY", "security_list_keys": [ - "SL-02-LZP-HUB-VCN-KEY" + "SL-01-LZP-HUB-VCN-KEY" ] }, "SN-FRA-LZP-HUB-MGMT-KEY": { - "cidr_block": "10.0.2.0/24", + "cidr_block": "10.0.3.0/24", "dhcp_options_key": "default_dhcp_options", "display_name": "sn-fra-lzp-hub-mgmt", - "dns_label": "snfralzphubmgmt", + "dns_label": "snfrahubmgmt", "prohibit_internet_ingress": true, "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-04-LZP-HUB-VCN-OSN-KEY", + "route_table_key": "RT-06-LZP-HUB-VCN-MGMT-KEY", "security_list_keys": [ - "SL-02-LZP-HUB-VCN-KEY" + "SL-01-LZP-HUB-VCN-KEY" ] }, 
"SN-FRA-LZP-HUB-LOGS-KEY": { - "cidr_block": "10.0.3.0/24", + "cidr_block": "10.0.4.0/24", "dhcp_options_key": "default_dhcp_options", "display_name": "sn-fra-lzp-hub-logs", - "dns_label": "snfralzphublogs", + "dns_label": "snfrahublogs", "prohibit_internet_ingress": true, "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-04-LZP-HUB-VCN-OSN-KEY", + "route_table_key": "RT-06-LZP-HUB-VCN-MGMT-KEY", "security_list_keys": [ - "SL-02-LZP-HUB-VCN-KEY" + "SL-01-LZP-HUB-VCN-KEY" ] }, "SN-FRA-LZP-HUB-DNS": { - "cidr_block": "10.0.4.0/24", + "cidr_block": "10.0.5.0/24", "dhcp_options_key": "default_dhcp_options", "display_name": "sn-fra-lzp-hub-dns", - "dns_label": "snfralzphubdns", + "dns_label": "snfrahubdns", "prohibit_internet_ingress": true, "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-04-LZP-HUB-VCN-OSN-KEY", + "route_table_key": "RT-06-LZP-HUB-VCN-MGMT-KEY", "security_list_keys": [ - "SL-02-LZP-HUB-VCN-KEY" + "SL-01-LZP-HUB-VCN-KEY" ] } }, "vcn_specific_gateways": { "internet_gateways": { - "IG-FRA-LZP-HUB-KEY": { - "display_name": "ig-fra-lzp-hub", - "enabled": false + "IGW-FRA-LZP-HUB-KEY": { + "display_name": "igw-fra-lzp-hub", + "route_table_key": "RT-05-FRA-LZP-HUB-VCN-IGW-KEY" } }, "nat_gateways": { - "NG-FRA-LZP-HUB-KEY": { - "display_name": "ng-fra-lzp-hub", - "enabled": false, - "route_table_key": "RT-03-LZP-HUB-VCN-NATGW-KEY" + "NGW-FRA-LZP-HUB-KEY": { + "display_name": "ngw-fra-lzp-hub", + "route_table_key": "RT-04-FRA-LZP-HUB-VCN-NATGW-KEY" } }, "service_gateways": { - "SG-FRA-LZP-HUB-KEY": { - "display_name": "sg-fra-lzp-hub", + "SGW-FRA-LZP-HUB-KEY": { + "display_name": "sgw-fra-lzp-hub", "services": "all-services" } } 
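Review bot: The internet and NAT gateway entries in @@ -216 drop `"enabled": false`, which previously kept both gateways off; unless the module defaults to disabled, this hunk turns them on, and with `SN-FRA-LZP-HUB-FW-DMZ-KEY` permitting public IPs and internet ingress and RT-02 defaulting 0.0.0.0/0 to the IGW, anything placed in 10.0.0.0/24 becomes directly internet-reachable under SL-01's 0.0.0.0/0 TCP 80 rule. If that is intended, an explicit `"enabled": true` on both gateways would document the decision; if not, the flag should be restored. `SN-FRA-LZP-HUB-LB-KEY` also has `"security_list_keys": []`, so the load-balancer subnet relies on the VCN default security list plus the load balancer's NSG alone, which is worth confirming as deliberate.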
@@ -304,45 +372,64 @@ "non_vcn_specific_gateways": { "dynamic_routing_gateways": { "DRG-FRA-LZP-HUB-KEY": { - "display_name": "drg-fra-lzp-hub", + "display_name": "drg-fra-hub", "drg_attachments": { - "DRGATT-VCN-FRA-LZP-HUB-KEY": { - "display_name": "drgatt-vcn-fra-lzp-hub", - "drg_route_table_key": "DRGRT-VCN-FRA-LZP-HUB-KEY", + "DRGATT-FRA-LZP-HUB-VCN-KEY": { + "display_name": "drtatt-fra-lzp-hub-vcn", + "drg_route_table_key": "DRGRT-FRA-LZP-HUB-KEY", "network_details": { "attached_resource_key": "VCN-FRA-LZP-HUB-KEY", "type": "VCN", - "route_table_key": "RT-00-LZP-HUB-VCN-INGRESS-KEY" + "route_table_key": "RT-00-FRA-LZP-HUB-VCN-INGRESS-KEY" } }, - "DRGATT-VCN-FRA-LZP-P-PROJECTS-KEY": { - "display_name": "drgatt-vcn-fra-lzp-p-projects", + "DRGATT-FRA-LZP-P-PROJECTS-VCN-KEY": { + "display_name": "drgatt-fra-lzp-p-projects-vcn", "drg_route_table_key": "DRGRT-FRA-LZP-SPOKES-KEY", "network_details": { "attached_resource_key": "VCN-FRA-LZP-P-PROJECTS-KEY", "type": "VCN" } }, - "DRGATT-VCN-FRA-LZP-U-PROJECTS-KEY": { - "display_name": "drgatt-vcn-fra-lzp-u-projects", - "drg_route_table_key": "DRGRT-FRA-LZP-SPOKES-KEY", - "network_details": { - "attached_resource_key": "VCN-FRA-LZP-U-PROJECTS-KEY", - "type": "VCN" - } - }, - "DRGATT-VCN-FRA-LZP-D-PROJECTS-KEY": { - "display_name": "drgatt-vcn-fra-lzp-d-projects", + "DRGATT-FRA-LZP-PP-PROJECTS-VCN-KEY": { + "display_name": "drgatt-fra-lzp-pp-projects-vcn", "drg_route_table_key": "DRGRT-FRA-LZP-SPOKES-KEY", "network_details": { - "attached_resource_key": "VCN-FRA-LZP-D-PROJECTS-KEY", + "attached_resource_key": "VCN-FRA-LZP-PP-PROJECTS-KEY", "type": "VCN" } } }, + "drg_route_distributions": { + "IRTD-FRA-LZP-HUB-KEY": { + "display_name": "irtd-fra-lzp-hub", + "distribution_type": "IMPORT", + "statements": { + "ROUTE-TO-VCN-PROD-KEY": { + "priority": 10, + "action": "ACCEPT", + "match_criteria": { + "match_type": "DRG_ATTACHMENT_ID", + "attachment_type": "VCN", + "drg_attachment_key": "DRGATT-FRA-LZP-P-PROJECTS-VCN-KEY" + } 
+ }, + "ROUTE-TO-VCN-PREPROD-KEY": { + "priority": 20, + "action": "ACCEPT", + "match_criteria": { + "match_type": "DRG_ATTACHMENT_ID", + "attachment_type": "VCN", + "drg_attachment_key": "DRGATT-FRA-LZP-PP-PROJECTS-VCN-KEY" + } + } + } + } + }, "drg_route_tables": { - "DRGRT-VCN-FRA-LZP-HUB-KEY": { - "display_name": "drgrt-vcn-fra-lzp-hub", + "DRGRT-FRA-LZP-HUB-KEY": { + "display_name": "drgrt-fra-lzp-hub", + "import_drg_route_distribution_key": "IRTD-FRA-LZP-HUB-KEY", "is_ecmp_enabled": false, "route_rules": {} }, 
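Review bot: `"display_name": "drtatt-fra-lzp-hub-vcn"` in @@ -304 looks like a typo for `drgatt-fra-lzp-hub-vcn`, the prefix the two sibling attachments renamed in the same hunk use. The DRG's own display name is reduced to `drg-fra-hub`, the only hub resource in this file without the `lzp` segment; `"display_name": "drg-fra-lzp-hub"` would keep the naming scheme intact.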
@@ -353,12 +440,127 @@ "DRGRT-FRA-LZP-SPOKES-STATIC-ROUTE": { "destination": "0.0.0.0/0", "destination_type": "CIDR_BLOCK", - "next_hop_drg_attachment_key": "DRGATT-VCN-FRA-LZP-HUB-KEY" + "next_hop_drg_attachment_key": "DRGATT-FRA-LZP-HUB-VCN-KEY" } } } } } + }, + "l7_load_balancers": { + "LB-FRA-LZP-HUB-01-KEY": { + "backend_sets": { + "LBBKST-FRA-LZP-HUB-00-KEY": { + "health_checker": { + "interval_ms": 10000, + "is_force_plain_text": true, + "port": 80, + "protocol": "HTTP", + "retries": 3, + "return_code": 200, + "timeout_in_millis": 3000, + "url_path": "/" + }, + "name": "lbbkst-fra-lzp-hub-01-00", + "policy": "LEAST_CONNECTIONS" + }, + "LBBKST-FRA-LZP-HUB-01-01-KEY": { + "backends": { + "LBBE-FRA-LZP-HUB-01-01-KEY": { + "ip_address": "10.0.8.10", + "port": 80 + } + }, + "health_checker": { + "interval_ms": 10000, + "is_force_plain_text": true, + "port": 80, + "protocol": "HTTP", + "retries": 3, + "return_code": 200, + "timeout_in_millis": 3000, + "url_path": "/testapp1/" + }, + "name": "lbbkst-fra-lzp-hub-01-01-app1", + "policy": "LEAST_CONNECTIONS" + }, + "LBBKST-FRA-LZP-HUB-01-02-KEY": { + "backends": { + "LBBE-FRA-LZP-HUB-01-02-KEY": { + "ip_address": "10.0.16.10", + "port": 80 + } + }, + "health_checker": { + "interval_ms": 10000, + "is_force_plain_text": true, + "port": 80, + "protocol": "HTTP", + "retries": 3, + "return_code": 200, + "timeout_in_millis": 3000, + "url_path": "/testapp2/" + }, + "name": "lbbkst-fra-lzp-hub-01-02-app2", + "policy": "LEAST_CONNECTIONS" + } + }, + "display_name": "lb-fra-lzp-hub-01", + "ip_mode": "IPV4", + "is_private": false, + "listeners": { + "LBLSNR-FRA-LZP-HUB-011-80-KEY": { + "connection_configuration": { + "idle_timeout_in_seconds": 1200 + }, + "default_backend_set_key": "LBBKST-FRA-LZP-HUB-00-KEY", + "name": "lblsnr-fra-lzp-hub-01-80", + "port": "80", + "protocol": "HTTP", + "routing_policy_key": "LBRT-FRA-LZP-HUB-01-KEY" + } + }, + "network_security_group_keys": [ + "NSG-02-HUB-VCN-KEY" + ], + "routing_policies": { 
+ "LBRT-FRA-LZP-HUB-01-KEY": { + "name": "lbrt-fra-lzp-hub-01", + "condition_language_version": "V1", + "rules": { + "lbrouterule_testapp1": { + "actions": { + "action-1": { + "backend_set_key": "LBBKST-FRA-LZP-HUB-01-01-KEY", + "name": "FORWARD_TO_BACKENDSET" + } + }, + "condition": "all(http.request.url.path sw (i '/testapp1/'))", + "name": "testapp1" + }, + "lbrouterule_testapp2": { + "actions": { + "action-2": { + "backend_set_key": "LBBKST-FRA-LZP-HUB-01-02-KEY", + "name": "FORWARD_TO_BACKENDSET" + } + }, + "condition": "all(http.request.url.path sw (i '/testapp2/'))", + "name": "testapp2" + } + } + } + }, + "shape": "flexible", + "shape_details": { + "maximum_bandwidth_in_mbps": 10, + "minimum_bandwidth_in_mbps": 10 + }, + "subnet_ids": [], + "subnet_keys": [ + "SN-FRA-LZP-HUB-LB-KEY" + ] + } } } }, @@ -371,13 +573,14 @@ "10.0.8.0/21" ], "display_name": "vcn-fra-lzp-p-projects", - "dns_label": "fralzppprojs", + "dns_label": "vcnfralzppprojs", "is_attach_drg": false, "is_create_igw": false, "is_ipv6enabled": false, "is_oracle_gua_allocation_enabled": false, "network_security_groups": { "NSG-01-LZP-P-PROJECTS-KEY": { + "display_name": "nsg-01-lzp-p-projects", "egress_rules": { "anywhere": { "description": "egress to 0.0.0.0/0 over TCP", @@ -389,7 +592,7 @@ }, "ingress_rules": { "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP 22", + "description": "ingress from 10.0.2.0/24 over TCP 22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", @@ -400,6 +603,7 @@ } }, "NSG-02-LZP-P-PROJECTS-APPS-KEY": { + "display_name": "nsg-02-lzp-p-projects-apps", "egress_rules": { "anywhere": { "description": "egress to 0.0.0.0/0 over TCP", @@ -411,7 +615,7 @@ }, "ingress_rules": { "http_8080": { - "description": "ingress from 0.0.0.0/0 over HTTP8080", + "description": "ingress from 0.0.0.0/0 over HTTP 80", "dst_port_max": 80, "dst_port_min": 80, "protocol": "TCP", 
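Review bot: `"port": "80"` on the listener in @@ -353 is a string while every other port in the same block (backends, health checkers) is a number; `"port": 80` keeps the type consistent instead of relying on provider coercion. The listener key `LBLSNR-FRA-LZP-HUB-011-80-KEY` also does not match its name `lblsnr-fra-lzp-hub-01-80` (011 versus 01). Functionally, `lb-fra-lzp-hub-01` is a public load balancer (`"is_private": false`) that exposes only a plaintext HTTP listener and forwards to hard-coded backends in both the prod (10.0.8.10) and preprod (10.0.16.10) spokes; a single public entry point shared across environments and the absence of an HTTPS listener are worth stating in the readme if this is meant as a demonstration layout rather than a hardened one. The `l7_load_balancers` object closes within the hunk, but the enclosing hub VCN definition starts outside it.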
@@ -420,114 +624,15 @@ "stateless": false }, "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", + "description": "ingress from 10.0.3.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", - "src": "10.0.2.0/24", + "src": "10.0.3.0/24", "src_type": "CIDR_BLOCK", "stateless": false } } - }, - "NSG-VCN-LZP-P-PROJECTS-PROJ1-APP-KEY": { - "compartment_id": "CMP-LZP-P-PROJ1-APP-KEY", - "display_name": "nsg-vcn-lzp-p-projects-proj1-apps", - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "http_80": { - "description": "ingress from 0.0.0.0/0 over HTTP 80", - "dst_port_max": 80, - "dst_port_min": 80, - "protocol": "TCP", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "stateless": false - }, - "http_443": { - "description": "ingress from 0.0.0.0/0 over HTTP 443", - "dst_port_max": 443, - "dst_port_min": 443, - "protocol": "TCP", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "stateless": false - }, - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - } - }, - "NSG-VCN-LZP-P-PROJECTS-PROJ1-DB-KEY": { - "compartment_id": "CMP-LZP-P-PROJ1-DB-KEY", - "display_name": "nsg-vcn-lzp-p-projects-proj1-db", - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "db_1521": { - "description": "ingress from proj1 apps layer 172.168.7.0/25 over DB listener on 1521", - "dst_port_max": 1521, - "dst_port_min": 1521, - "protocol": "TCP", - "src": "172.168.7.0/25", - "src_type": "CIDR_BLOCK", - "stateless": false - }, - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", 
- "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - } - }, - "NSG-VCN-LZP-P-PROJECTS-PROJ1-INFRA-KEY": { - "compartment_id": "CMP-LZP-P-PROJ1-INFRA-KEY", - "display_name": "nsg-vcn-lzp-p-projects-proj1-db", - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - } } }, "route_tables": { @@ -577,14 +682,24 @@ ], "ingress_rules": [ { - "description": "ingress from 0.0.0.0/0 over TCP22", + "description": "ingress from 10.0.3.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", - "src": "10.0.2.0/24", + "src": "10.0.3.0/24", + "src_type": "CIDR_BLOCK", + "stateless": false + }, + { + "description": "ingress from 10.0.1.0/24 over TCP80", + "dst_port_max": 80, + "dst_port_min": 80, + "protocol": "TCP", + "src": "10.0.1.0/24", "src_type": "CIDR_BLOCK", "stateless": false } + ] }, "SL-02-LZP-P-PROJECTS-VCN-KEY": { @@ -607,11 +722,11 @@ ], "ingress_rules": [ { - "description": "ingress from 0.0.0.0/0 over TCP22", + "description": "ingress from 10.0.3.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", - "src": "10.0.2.0/24", + "src": "10.0.3.0/24", "src_type": "CIDR_BLOCK", "stateless": false } 
@@ -619,11 +734,11 @@
 }
 },
 "subnets": {
- "SSN-FRA-LZP-P-LB-KEY": {
+ "SSN-FRA-LZP-P-WEB-KEY": {
 "cidr_block": "10.0.8.0/24",
 "dhcp_options_key": "default_dhcp_options",
- "display_name": "ssn-fra-lzp-p-lb",
- "dns_label": "ssnfralzpplb",
+ "display_name": "ssn-fra-lzp-p-web",
+ "dns_label": "ssnfralzppweb",
 "prohibit_internet_ingress": true,
 "prohibit_public_ip_on_vnic": true,
 "route_table_key": "RT-01-LZP-P-PROJECTS-VCN-GEN-KEY",
@@ -679,443 +794,235 @@ } } }, - "uat": { - "category_compartment_id": "CMP-LZP-U-NETWORK-KEY", - "vcns": { - "VCN-FRA-LZP-U-PROJECTS-KEY": { - "block_nat_traffic": false, - "cidr_blocks": [ - "10.0.16.0/21" - ], - "display_name": "vcn-fra-lzp-u-projects", - "dns_label": "fralzpuprojs", - "is_attach_drg": false, - "is_create_igw": false, - "is_ipv6enabled": false, - "is_oracle_gua_allocation_enabled": false, - "network_security_groups": { - "NSG-01-LZP-U-PROJECTS-KEY": { - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP 22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - } - }, - "NSG-02-LZP-U-PROJECTS-APPS-KEY": { - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "http_8080": { - "description": "ingress from 0.0.0.0/0 over HTTP8080", - "dst_port_max": 80, - "dst_port_min": 80, - "protocol": "TCP", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "stateless": false - }, - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - } - } - }, - "route_tables": { - "RT-01-LZP-U-PROJECTS-VCN-GEN-KEY": { - "display_name": "rt-01-lzp-u-projects-vcn-gen", - "route_rules": { - "sgw_route": { - "description": "Route for sgw", - "destination": "all-services", - "destination_type": "SERVICE_CIDR_BLOCK", - "network_entity_key": "SG-FRA-LZP-U-PROJECTS-KEY" - }, - "drg_route": { - "description": "Route to DRG", - "destination": "0.0.0.0/0", - 
"destination_type": "CIDR_BLOCK", - "network_entity_key": "DRG-FRA-LZP-HUB-KEY" - } - } - } - }, - "default_security_list": { - "egress_rules": [], - "ingress_rules": [ - { - "stateless": false, - "protocol": "ICMP", - "description": "ICMP type 3 code 4", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "icmp_type": 3, - "icmp_code": 4 - } - ] - }, - "security_lists": { - "SL-01-LZP-U-PROJECTS-VCN-KEY": { - "display_name": "sl-01-lzp-u-projects-vcn", - "egress_rules": [ - { - "description": "egress to 0.0.0.0/0 over ALL protocols", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - } - ], - "ingress_rules": [ - { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - ] - }, - "SL-02-LZP-U-PROJECTS-VCN-KEY": { - "display_name": "sl-02-lzp-u-projects-vcn", - "egress_rules": [ - { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - }, - { - "description": "egress rule for OSN", - "dst": "all-services", - "dst_type": "SERVICE_CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - } - ], - "ingress_rules": [ - { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", + "preprod": { + "category_compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "vcns": { + "VCN-FRA-LZP-PP-PROJECTS-KEY": { + "block_nat_traffic": false, + "cidr_blocks": [ + "10.0.16.0/21" + ], + "display_name": "vcn-fra-lzp-pp-projects", + "dns_label": "vcnfralzpppproj", + "is_attach_drg": false, + "is_create_igw": false, + "is_ipv6enabled": false, + "is_oracle_gua_allocation_enabled": false, + "network_security_groups": { + "NSG-01-LZP-PP-PROJECTS-KEY": { + "display_name": "nsg-01-lzp-pp-projects", + "egress_rules": { + "anywhere": { + 
"description": "egress to 0.0.0.0/0 over TCP", + "dst": "0.0.0.0/0", + "dst_type": "CIDR_BLOCK", + "protocol": "TCP", + "stateless": false + } + }, + "ingress_rules": { + "ssh_22": { + "description": "ingress from 10.0.3.0/24 over TCP 22", + "dst_port_max": 22, + "dst_port_min": 22, + "protocol": "TCP", + "src": "10.0.3.0/24", + "src_type": "CIDR_BLOCK", + "stateless": false + } + } + }, + "NSG-02-LZP-PP-PROJECTS-APPS-KEY": { + "display_name": "nsg-02-lzp-pp-projects-apps", + "egress_rules": { + "anywhere": { + "description": "egress to 0.0.0.0/0 over TCP", + "dst": "0.0.0.0/0", + "dst_type": "CIDR_BLOCK", + "protocol": "TCP", + "stateless": false + } + }, + "ingress_rules": { + "http_8080": { + "description": "ingress from 0.0.0.0/0 over HTTP 80", + "dst_port_max": 80, + "dst_port_min": 80, + "protocol": "TCP", + "src": "0.0.0.0/0", + "src_type": "CIDR_BLOCK", + "stateless": false + }, + "ssh_22": { + "description": "ingress from 10.0.3.0/24 over TCP 22", + "dst_port_max": 22, + "dst_port_min": 22, + "protocol": "TCP", + "src": "10.0.3.0/24", + "src_type": "CIDR_BLOCK", + "stateless": false + } + } + } + }, + "route_tables": { + "RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY": { + "display_name": "rt-01-lzp-p-projects-vcn-gen", + "route_rules": { + "sgw_route": { + "description": "Route for sgw", + "destination": "all-services", + "destination_type": "SERVICE_CIDR_BLOCK", + "network_entity_key": "SG-FRA-LZP-PP-PROJECTS-KEY" + }, + "drg_route": { + "description": "Route to DRG", + "destination": "0.0.0.0/0", + "destination_type": "CIDR_BLOCK", + "network_entity_key": "DRG-FRA-LZP-HUB-KEY" + } + } + } + }, + "default_security_list": { + "egress_rules": [], + "ingress_rules": [ + { + "stateless": false, + "protocol": "ICMP", + "description": "ICMP type 3 code 4", + "src": "0.0.0.0/0", "src_type": "CIDR_BLOCK", - "stateless": false - } - ] - } - }, - "subnets": { - "SSN-FRA-LZP-U-LB-KEY": { - "cidr_block": "10.0.16.0/24", - "dhcp_options_key": "default_dhcp_options", - 
"display_name": "ssn-fra-lzp-u-lb", - "dns_label": "ssnfralzpulb", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-U-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-U-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-U-APP-KEY": { - "cidr_block": "10.0.17.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-u-app", - "dns_label": "ssnfralzpuapp", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-U-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-U-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-U-DB-KEY": { - "cidr_block": "10.0.18.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-u-db", - "dns_label": "ssnfralzpudb", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-U-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-U-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-U-INFRA": { - "cidr_block": "10.0.19.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-u-infra", - "dns_label": "ssnfralzpuinfra", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-U-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-U-PROJECTS-VCN-KEY" - ] - } - }, - "vcn_specific_gateways": { - "service_gateways": { - "SG-FRA-LZP-U-PROJECTS-KEY": { - "display_name": "sg-fra-lzp-u-projects", - "services": "all-services" - } - } - } - } - } - }, - "dev": { - "category_compartment_id": "CMP-LZP-D-NETWORK-KEY", - "vcns": { - "VCN-FRA-LZP-D-PROJECTS-KEY": { - "block_nat_traffic": false, - "cidr_blocks": [ - "10.0.24.0/21" - ], - "display_name": "vcn-fra-lzp-d-projects", - "dns_label": "fralzpdprojs", - "is_attach_drg": false, - "is_create_igw": false, - "is_ipv6enabled": false, - "is_oracle_gua_allocation_enabled": false, - "network_security_groups": { 
- "NSG-01-LZP-D-PROJECTS-KEY": { - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP 22", + "icmp_type": 3, + "icmp_code": 4 + } + ] + }, + "security_lists": { + "SL-01-LZP-PP-PROJECTS-VCN-KEY": { + "display_name": "sl-01-lzp-pp-projects-vcn", + "egress_rules": [ + { + "description": "egress to 0.0.0.0/0 over ALL protocols", + "dst": "0.0.0.0/0", + "dst_type": "CIDR_BLOCK", + "protocol": "ALL", + "stateless": false + } + ], + "ingress_rules": [ + { + "description": "ingress from 10.0.3.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", - "src": "10.0.2.0/24", + "src": "10.0.3.0/24", "src_type": "CIDR_BLOCK", "stateless": false - } - } - }, - "NSG-02-LZP-D-PROJECTS-APPS-KEY": { - "egress_rules": { - "anywhere": { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "TCP", - "stateless": false - } - }, - "ingress_rules": { - "http_8080": { - "description": "ingress from 0.0.0.0/0 over HTTP8080", - "dst_port_max": 80, - "dst_port_min": 80, - "protocol": "TCP", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "stateless": false - }, - "ssh_22": { - "description": "ingress from 0.0.0.0/0 over TCP22", + }, + { + "description": "ingress from 10.0.1.0/24 over TCP80", + "dst_port_max": 80, + "dst_port_min": 80, + "protocol": "TCP", + "src": "10.0.1.0/24", + "src_type": "CIDR_BLOCK", + "stateless": false + } + ] + }, + "SL-02-LZP-PP-PROJECTS-VCN-KEY": { + "display_name": "sl-02-lzp-pp-projects-vcn", + "egress_rules": [ + { + "description": "egress to 0.0.0.0/0 over TCP", + "dst": "0.0.0.0/0", + "dst_type": "CIDR_BLOCK", + "protocol": "ALL", + "stateless": false + }, + { + "description": "egress rule for OSN", + "dst": "all-services", + "dst_type": "SERVICE_CIDR_BLOCK", + 
"protocol": "ALL", + "stateless": false + } + ], + "ingress_rules": [ + { + "description": "ingress from 10.0.3.0/24 over TCP22", "dst_port_max": 22, "dst_port_min": 22, "protocol": "TCP", - "src": "10.0.2.0/24", + "src": "10.0.3.0/24", "src_type": "CIDR_BLOCK", "stateless": false - } - } - } - }, - "route_tables": { - "RT-01-LZP-D-PROJECTS-VCN-GEN-KEY": { - "display_name": "rt-01-lzp-d-projects-vcn-gen", - "route_rules": { - "sgw_route": { - "description": "Route for sgw", - "destination": "all-services", - "destination_type": "SERVICE_CIDR_BLOCK", - "network_entity_key": "SG-FRA-LZP-D-PROJECTS-KEY" - }, - "drg_route": { - "description": "Route to DRG", - "destination": "0.0.0.0/0", - "destination_type": "CIDR_BLOCK", - "network_entity_key": "DRG-FRA-LZP-HUB-KEY" - } - } - } - }, - "default_security_list": { - "egress_rules": [], - "ingress_rules": [ - { - "stateless": false, - "protocol": "ICMP", - "description": "ICMP type 3 code 4", - "src": "0.0.0.0/0", - "src_type": "CIDR_BLOCK", - "icmp_type": 3, - "icmp_code": 4 - } - ] - }, - "security_lists": { - "SL-01-LZP-D-PROJECTS-VCN-KEY": { - "display_name": "sl-01-lzp-d-projects-vcn", - "egress_rules": [ - { - "description": "egress to 0.0.0.0/0 over ALL protocols", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - } - ], - "ingress_rules": [ - { - "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - ] - }, - "SL-02-LZP-D-PROJECTS-VCN-KEY": { - "display_name": "sl-02-lzp-d-projects-vcn", - "egress_rules": [ - { - "description": "egress to 0.0.0.0/0 over TCP", - "dst": "0.0.0.0/0", - "dst_type": "CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - }, - { - "description": "egress rule for OSN", - "dst": "all-services", - "dst_type": "SERVICE_CIDR_BLOCK", - "protocol": "ALL", - "stateless": false - } - ], - "ingress_rules": [ - { 
- "description": "ingress from 0.0.0.0/0 over TCP22", - "dst_port_max": 22, - "dst_port_min": 22, - "protocol": "TCP", - "src": "10.0.2.0/24", - "src_type": "CIDR_BLOCK", - "stateless": false - } - ] - } - }, - "subnets": { - "SSN-FRA-LZP-D-LB-KEY": { - "cidr_block": "10.0.24.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-d-lb", - "dns_label": "ssnfralzpdlb", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-D-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-D-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-D-APP-KEY": { - "cidr_block": "10.0.25.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-d-app", - "dns_label": "ssnfralzpdapp", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-D-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-D-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-D-DB-KEY": { - "cidr_block": "10.0.26.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-d-db", - "dns_label": "ssnfralzpddb", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-D-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-D-PROJECTS-VCN-KEY" - ] - }, - "SSN-FRA-LZP-D-INFRA": { - "cidr_block": "10.0.27.0/24", - "dhcp_options_key": "default_dhcp_options", - "display_name": "ssn-fra-lzp-d-infra", - "dns_label": "ssnfralzpdinfra", - "prohibit_internet_ingress": true, - "prohibit_public_ip_on_vnic": true, - "route_table_key": "RT-01-LZP-D-PROJECTS-VCN-GEN-KEY", - "security_list_keys": [ - "SL-01-LZP-D-PROJECTS-VCN-KEY" - ] - } - }, - "vcn_specific_gateways": { - "service_gateways": { - "SG-FRA-LZP-D-PROJECTS-KEY": { - "display_name": "sg-fra-lzp-d-projects", - "services": "all-services" - } - } - } - } - } + } + ] + } + }, + "subnets": { + "SSN-FRA-LZP-PP-WEB-KEY": { + "cidr_block": 
"10.0.16.0/24", + "dhcp_options_key": "default_dhcp_options", + "display_name": "ssn-fra-lzp-pp-web", + "dns_label": "ssnfralzpppweb", + "prohibit_internet_ingress": true, + "prohibit_public_ip_on_vnic": true, + "route_table_key": "RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY", + "security_list_keys": [ + "SL-01-LZP-PP-PROJECTS-VCN-KEY" + ] + }, + "SSN-FRA-LZP-PP-APP-KEY": { + "cidr_block": "10.0.17.0/24", + "dhcp_options_key": "default_dhcp_options", + "display_name": "ssn-fra-lzp-pp-app", + "dns_label": "ssnfralzpppapp", + "prohibit_internet_ingress": true, + "prohibit_public_ip_on_vnic": true, + "route_table_key": "RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY", + "security_list_keys": [ + "SL-01-LZP-PP-PROJECTS-VCN-KEY" + ] + }, + "SSN-FRA-LZP-PP-DB-KEY": { + "cidr_block": "10.0.18.0/24", + "dhcp_options_key": "default_dhcp_options", + "display_name": "ssn-fra-lzp-pp-db", + "dns_label": "ssnfralzpppdb", + "prohibit_internet_ingress": true, + "prohibit_public_ip_on_vnic": true, + "route_table_key": "RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY", + "security_list_keys": [ + "SL-01-LZP-PP-PROJECTS-VCN-KEY" + ] + }, + "SSN-FRA-LZP-PP-INFRA": { + "cidr_block": "10.0.19.0/24", + "dhcp_options_key": "default_dhcp_options", + "display_name": "ssn-fra-lzp-pp-infra", + "dns_label": "ssnfralzpppinfr", + "prohibit_internet_ingress": true, + "prohibit_public_ip_on_vnic": true, + "route_table_key": "RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY", + "security_list_keys": [ + "SL-01-LZP-PP-PROJECTS-VCN-KEY" + ] + } + }, + "vcn_specific_gateways": { + "service_gateways": { + "SG-FRA-LZP-PP-PROJECTS-KEY": { + "display_name": "sg-fra-lzp-pp-projects", + "services": "all-services" + } + } + } + } + } } } } - } - \ No newline at end of file +} \ No newline at end of file diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json new file mode 100644 index 00000000..b5879c29 --- /dev/null 
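Review bot: `RT-01-LZP-PP-PROJECTS-VCN-GEN-KEY` carries a `drg_route` for `0.0.0.0/0` to `DRG-FRA-LZP-HUB-KEY` while the same VCN sets `"is_attach_drg": false`; unless the DRG attachment is created elsewhere in the stack, that route rule targets a gateway this VCN is not attached to, so either the flag should be `true` or the rule dropped. The same route table's `display_name` is `rt-01-lzp-p-projects-vcn-gen`, the production name copied into the preprod block; it should read `"display_name": "rt-01-lzp-pp-projects-vcn-gen"`. In `NSG-02-LZP-PP-PROJECTS-APPS-KEY` the `http_8080` rule still admits port 80 from `"src": "0.0.0.0/0"` (and its key does not match the port), whereas every other ingress rule in this hunk was narrowed to a specific CIDR; with no internet gateway and `prohibit_internet_ingress` on all subnets, a source limited to the CIDR that actually fronts the app tier (for example the web subnet `10.0.16.0/24`) would state the intended exposure instead of relying on the VCN having no public path. Minor: the first egress rule of `SL-02-LZP-PP-PROJECTS-VCN-KEY` is described as "over TCP" but its `protocol` is `ALL`.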
+++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json 
@@ -0,0 +1,710 @@ +{ + "notifications_configuration": { + "default_compartment_id": "CMP-LZP-SECURITY-KEY", + "topics": { + "NOTT-LZP-IAM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for IAM related notifications.", + "name": "nott-lzp-iam", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-CLOUDGUARD-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-cloudguard", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-VSS-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-vss", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for firewall related alarms.", + "name": "nott-lzp-firewall", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for notifications.", + "name": "nott-lzp-notifications", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] 
+ }, + "NOTT-LZP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for shared platform notifications.", + "name": "nott-lzp-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "description": "Topic for LZP shared network related alarms.", + "name": "nott-lzp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-p-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-p-prod-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-p-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-p-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-p-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + 
"email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-p-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-pp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-pp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-pp-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-pp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-pp-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-pp-platform", + 
"subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + } + } + }, + "events_configuration" : { + "default_compartment_id": "CMP-LZP-NETWORK-KEY", + "event_rules": { + "RUL-LZP-BUDGET-NETWORK-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], + "event_display_name": "rul-lzp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], + "event_display_name": "rul-lzp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-SECURITY-KEY"], + "event_display_name": "rul-lzp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-NOTIFICATION-NETWORK-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], + "event_display_name": "rul-lzp-notify-on-notifications-net-changes", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + 
"com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + 
"com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], + "event_display_name": "rul-lzp-notify-on-firewall-changes", + "supplied_events": [ + "com.oraclecloud.networkfirewallservice.createnetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.createnetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.changenetworkfirewallcompartment", + "com.oraclecloud.networkfirewallservice.createnetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.changenetworkfirewallpolicycompartment" + ] + }, + "RUL-LZP-P-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-P-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + 
"com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-P-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-P-SECURITY-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-P-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + 
"com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-P-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-PLATFORM-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + "RUL-LZP-P-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + 
"RUL-LZP-PP-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-PP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-PP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-SECURITY-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-PP-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + 
"com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + 
"com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-PP-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-PLATFORM-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + "RUL-LZP-PP-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + } + } + }, + "home_region_events_configuration" : { + "default_compartment_id": "CMP-LANDINGZONE-P-KEY", + "event_rules": { + "RUL-LZP-IAM-KEY": { + "destination_topic_ids": ["NOTT-LZP-IAM-KEY"], + "event_display_name": "rul-lzp-notify-on-iam-changes", + "supplied_events": [ + "com.oraclecloud.identitycontrolplane.createidentityprovider", + "com.oraclecloud.identitycontrolplane.deleteidentityprovider", + "com.oraclecloud.identitycontrolplane.updateidentityprovider", + "com.oraclecloud.identitycontrolplane.createidpgroupmapping", + "com.oraclecloud.identitycontrolplane.deleteidpgroupmapping", + "com.oraclecloud.identitycontrolplane.updateidpgroupmapping", + "com.oraclecloud.identitycontrolplane.addusertogroup", + "com.oraclecloud.identitycontrolplane.creategroup", + "com.oraclecloud.identitycontrolplane.deletegroup", + "com.oraclecloud.identitycontrolplane.removeuserfromgroup", + "com.oraclecloud.identitycontrolplane.updategroup", + "com.oraclecloud.identitycontrolplane.createpolicy", + "com.oraclecloud.identitycontrolplane.deletepolicy", + "com.oraclecloud.identitycontrolplane.updatepolicy", + "com.oraclecloud.identitycontrolplane.createuser", + "com.oraclecloud.identitycontrolplane.deleteuser", + "com.oraclecloud.identitycontrolplane.updateuser", + "com.oraclecloud.identitycontrolplane.updateusercapabilities", + "com.oraclecloud.identitycontrolplane.updateuserstate", + 
"com.oraclecloud.identityControlPlane.UpdateSwiftPassword", + "com.oraclecloud.identityControlPlane.CreateOrResetPassword" + ] + }, + "RUL-LZP-CLOUDGUARD-KEY": { + "destination_topic_ids": ["NOTT-LZP-CLOUDGUARD-KEY"], + "event_display_name": "rul-lzp-notify-on-cloudguard-changes", + "supplied_events": [ + "com.oraclecloud.cloudguard.problemdetected", + "com.oraclecloud.cloudguard.problemdismissed", + "com.oraclecloud.cloudguard.problemremediated", + "com.oraclecloud.cloudguard.announcements", + "com.oraclecloud.cloudguard.status", + "com.oraclecloud.cloudguard.problemthresholdreached" + ] + }, + "RUL-LZP-VSS-KEY": { + "destination_topic_ids": ["NOTT-LZP-VSS-KEY"], + "event_display_name": "rul-lzp-notify-on-vss-changes", + "supplied_events": [ + "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe.end", + "com.oraclecloud.vulnerabilityScanning.GetHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.ListHostScanRecipes", + "com.oraclecloud.vulnerabilityScanning.UpdateHostScanRecipe.begin", + "com.oraclecloud.vulnerabilityScanning.UpdateHostScanRecipe.end", + "com.oraclecloud.vulnerabilityScanning.DeleteHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.ChangeHostScanRecipeCompartment" + ] + } + } + }, + "alarms_configuration" : { + "default_compartment_id" : "CMP-LZP-NETWORK-KEY", + "alarms" :{ + "AL-LZP-NETWORK-LB-KEY": { + "is_enabled": "false", + "display_name": "al-lzp-lb-unhealthy-backend", + "supplied_alarm": { + "namespace": "oci_lbaas", + "query": "UnHealthyBackendServers[1m].mean() >= 0", + "message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-NETWORK-ALARMS-KEY"] + }, + "AL-LZP-P-NETWORK-VNIC-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "is_enabled": "false", + "display_name": "al-lzp-p-vnic-drops-alarm", + "supplied_alarm": { + "namespace": "oci_vcn", + "query": "VnicEgressDropsSecurityList[1m].mean() >= 0", + 
"message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-ALARMS-KEY"] + }, + "AL-LZP-PP-NETWORK-VNIC-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "is_enabled": "false", + "display_name": "al-lzp-pp-vnic-drops-alarm", + "supplied_alarm": { + "namespace": "oci_vcn", + "query": "VnicEgressDropsSecurityList[1m].mean() >= 0", + "message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-ALARMS-KEY"] + } + } + }, + "service_connectors_configuration" : { + "default_compartment_id" : "CMP-LZP-SECURITY-KEY", + "service_connectors" : { + "SCH-LZP-MON" : { + "display_name" : "sch-lzp-mon", + "source" : { + "kind" : "logging" , + "audit_logs" : [{"cmp_id" : "ALL"}] + }, + "target" : { + "kind" : "objectstorage" , + "bucket_object_name_prefix" : "sch", + "bucket_name" : "bkt-lzp-audit" + }, + "policy" : { + "name" : "service-connector-audit-policy", + "description" : "IAM policy for letting Service Connector to push data to target resource.", + "compartment_id" : "CMP-LZP-SECURITY-KEY" + } + } + }, + "buckets":{ + "BKT-LZP-SERVICE-CONNECTOR" : + { + "name" : "bkt-lzp-audit", + "compartment_id" : "CMP-LZP-SECURITY-KEY", + "cis_level": "1" + } + } + } +} \ No newline at end of file diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json new file mode 100644 index 00000000..c9aea185 --- /dev/null +++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json 
@@ -0,0 +1,758 @@ +{ + "notifications_configuration": { + "default_compartment_id": "CMP-LZP-SECURITY-KEY", + "topics": { + "NOTT-LZP-IAM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for IAM related notifications.", + "name": "nott-lzp-iam", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-CLOUDGUARD-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-cloudguard", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-VSS-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-vss", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for firewall related alarms.", + "name": "nott-lzp-firewall", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for notifications.", + "name": "nott-lzp-notifications", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] 
+ }, + "NOTT-LZP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for shared platform notifications.", + "name": "nott-lzp-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "description": "Topic for LZP shared network related alarms.", + "name": "nott-lzp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-p-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-p-prod-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-p-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-p-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-p-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + 
"email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-p-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-pp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-pp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-pp-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-pp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-pp-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-pp-platform", + 
"subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + } + } + }, + "events_configuration" : { + "default_compartment_id": "CMP-LZP-NETWORK-KEY", + "event_rules": { + "RUL-LZP-BUDGET-NETWORK-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], + "event_display_name": "rul-lzp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], + "event_display_name": "rul-lzp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-SECURITY-KEY"], + "event_display_name": "rul-lzp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-NOTIFICATION-NETWORK-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], + "event_display_name": "rul-lzp-notify-on-notifications-net-changes", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + 
"com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + 
"com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], + "event_display_name": "rul-lzp-notify-on-firewall-changes", + "supplied_events": [ + "com.oraclecloud.networkfirewallservice.createnetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.createnetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewall.begin", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewall.end", + "com.oraclecloud.networkfirewallservice.changenetworkfirewallcompartment", + "com.oraclecloud.networkfirewallservice.createnetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.updatenetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.deletenetworkfirewallpolicy", + "com.oraclecloud.networkfirewallservice.changenetworkfirewallpolicycompartment" + ] + }, + "RUL-LZP-P-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-P-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + 
"com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-P-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-P-SECURITY-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-P-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + 
"com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-P-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-PLATFORM-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + "RUL-LZP-P-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + 
"RUL-LZP-PP-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-PP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" + ] + }, + "RUL-LZP-PP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-SECURITY-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" + ] + }, + "RUL-LZP-PP-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + 
"com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + "com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + 
"com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" + ] + }, + "RUL-LZP-PP-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-PLATFORM-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + }, + "RUL-LZP-PP-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" + ] + } + } + }, + "home_region_events_configuration" : { + "default_compartment_id": "CMP-LANDINGZONE-P-KEY", + "event_rules": { + "RUL-LZP-IAM-KEY": { + "destination_topic_ids": ["NOTT-LZP-IAM-KEY"], + "event_display_name": "rul-lzp-notify-on-iam-changes", + "supplied_events": [ + "com.oraclecloud.identitycontrolplane.createidentityprovider", + "com.oraclecloud.identitycontrolplane.deleteidentityprovider", + "com.oraclecloud.identitycontrolplane.updateidentityprovider", + "com.oraclecloud.identitycontrolplane.createidpgroupmapping", + "com.oraclecloud.identitycontrolplane.deleteidpgroupmapping", + "com.oraclecloud.identitycontrolplane.updateidpgroupmapping", + "com.oraclecloud.identitycontrolplane.addusertogroup", + "com.oraclecloud.identitycontrolplane.creategroup", + "com.oraclecloud.identitycontrolplane.deletegroup", + "com.oraclecloud.identitycontrolplane.removeuserfromgroup", + "com.oraclecloud.identitycontrolplane.updategroup", + "com.oraclecloud.identitycontrolplane.createpolicy", + "com.oraclecloud.identitycontrolplane.deletepolicy", + "com.oraclecloud.identitycontrolplane.updatepolicy", + "com.oraclecloud.identitycontrolplane.createuser", + "com.oraclecloud.identitycontrolplane.deleteuser", + "com.oraclecloud.identitycontrolplane.updateuser", + "com.oraclecloud.identitycontrolplane.updateusercapabilities", + "com.oraclecloud.identitycontrolplane.updateuserstate", + 
"com.oraclecloud.identityControlPlane.UpdateSwiftPassword", + "com.oraclecloud.identityControlPlane.CreateOrResetPassword" + ] + }, + "RUL-LZP-CLOUDGUARD-KEY": { + "destination_topic_ids": ["NOTT-LZP-CLOUDGUARD-KEY"], + "event_display_name": "rul-lzp-notify-on-cloudguard-changes", + "supplied_events": [ + "com.oraclecloud.cloudguard.problemdetected", + "com.oraclecloud.cloudguard.problemdismissed", + "com.oraclecloud.cloudguard.problemremediated", + "com.oraclecloud.cloudguard.announcements", + "com.oraclecloud.cloudguard.status", + "com.oraclecloud.cloudguard.problemthresholdreached" + ] + }, + "RUL-LZP-VSS-KEY": { + "destination_topic_ids": ["NOTT-LZP-VSS-KEY"], + "event_display_name": "rul-lzp-notify-on-vss-changes", + "supplied_events": [ + "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe.end", + "com.oraclecloud.vulnerabilityScanning.GetHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.ListHostScanRecipes", + "com.oraclecloud.vulnerabilityScanning.UpdateHostScanRecipe.begin", + "com.oraclecloud.vulnerabilityScanning.UpdateHostScanRecipe.end", + "com.oraclecloud.vulnerabilityScanning.DeleteHostScanRecipe", + "com.oraclecloud.vulnerabilityScanning.ChangeHostScanRecipeCompartment" + ] + } + } + }, + "alarms_configuration" : { + "default_compartment_id" : "CMP-LZP-NETWORK-KEY", + "alarms" :{ + "AL-LZP-NETWORK-LB-KEY": { + "is_enabled": "false", + "display_name": "al-lzp-lb-unhealthy-backend", + "supplied_alarm": { + "namespace": "oci_lbaas", + "query": "UnHealthyBackendServers[1m].mean() >= 0", + "message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-NETWORK-ALARMS-KEY"] + }, + "AL-LZP-P-NETWORK-VNIC-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "is_enabled": "false", + "display_name": "al-lzp-p-vnic-drops-alarm", + "supplied_alarm": { + "namespace": "oci_vcn", + "query": "VnicEgressDropsSecurityList[1m].mean() >= 0", + 
"message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-ALARMS-KEY"] + }, + "AL-LZP-PP-NETWORK-VNIC-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "is_enabled": "false", + "display_name": "al-lzp-pp-vnic-drops-alarm", + "supplied_alarm": { + "namespace": "oci_vcn", + "query": "VnicEgressDropsSecurityList[1m].mean() >= 0", + "message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-ALARMS-KEY"] + } + } + }, + "logging_configuration" : { + "default_compartment_id" : "CMP-LZP-SECURITY-KEY", + "log_groups" : { + "LGRP-LZP-VCN-FLOW-KEY" : { + "name" : "lgrp-lzp-vcn-flow" + }, + "LGRP-LZP-P-VCN-FLOW-KEY" : { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "name": "lgrp-lzp-p-vcn-flow" + }, + "LGRP-LZP-PP-VCN-FLOW-KEY" : { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "name": "lgrp-lzp-pp-vcn-flow" + } + }, + "flow_logs" : { + "LOG-LZP-SUBNET-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-NETWORK-KEY"], + "target_resource_type" : "subnet" + }, + "LOG-LZP-VCN-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-NETWORK-KEY"], + "target_resource_type" : "vcn" + }, + "LOG-LZP-P-SUBNET-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-P-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-P-NETWORK-KEY"], + "target_resource_type" : "subnet" + }, + "LOG-LZP-P-VCN-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-P-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-P-NETWORK-KEY"], + "target_resource_type" : "vcn" + }, + "LOG-LZP-PP-SUBNET-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-PP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-PP-NETWORK-KEY"], + "target_resource_type" : "subnet" + }, + "LOG-LZP-PP-VCN-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-PP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-PP-NETWORK-KEY"], + "target_resource_type" : "vcn" + } + } 
+ },
+ "service_connectors_configuration" : {
+ "default_compartment_id" : "CMP-LZP-SECURITY-KEY",
+ "service_connectors" : {
+ "SCH-LZP-MON" : {
+ "display_name" : "sch-lzp-mon",
+ "source" : {
+ "kind" : "logging" ,
+ "audit_logs" : [{"cmp_id" : "ALL"}]
+ },
+ "target" : {
+ "kind" : "objectstorage" ,
+ "bucket_object_name_prefix" : "sch",
+ "bucket_name" : "bkt-lzp-audit"
+ },
+ "policy" : {
+ "name" : "service-connector-audit-policy",
+ "description" : "IAM policy for letting Service Connector to push data to target resource.",
+ "compartment_id" : "CMP-LZP-SECURITY-KEY"
+ }
+ }
+ },
+ "buckets":{
+ "BKT-LZP-SERVICE-CONNECTOR" :
+ {
+ "name" : "bkt-lzp-audit",
+ "compartment_id" : "CMP-LZP-SECURITY-KEY",
+ "cis_level": "1"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json
similarity index 65%
rename from blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability.auto.tfvars.json
rename to blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json
index 5151fecd..b3a1dfa0 100644
--- a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability.auto.tfvars.json
+++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json
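Review bot: In `events_configuration`, `RUL-LZP-FIREWALL-KEY` sends its network-firewall events to `NOTT-LZP-NETWORK-KEY`, so the `NOTT-LZP-FIREWALL-KEY` topic (`nott-lzp-firewall`) declared under `notifications_configuration` is never the destination of any rule or alarm in this file and whoever subscribes to it receives nothing; either route the firewall rule there, `"destination_topic_ids": ["NOTT-LZP-FIREWALL-KEY"],`, or drop the topic. The `NOTT-LZP-VSS-KEY` entry still carries the copy-pasted `"description": "Topic for Cloud Guard related notifications.",` and should read `"description": "Topic for Vulnerability Scanning related notifications.",`; the `PP` topics (`NOTT-LZP-PP-NETWORK-ALARMS-KEY`, `NOTT-LZP-PP-WORKLOADS-KEY`, `NOTT-LZP-PP-PLATFORM-KEY`) reuse the `P` descriptions word for word ("Production ..."), and `nott-lzp-p-prod-network` breaks the `nott-lzp-<env>-<purpose>` naming used by every other topic, so these labels look unreviewed. All three entries under `alarms` ship with `"is_enabled": "false"` and a `>= 0` query, which is a reasonable placeholder but means this profile raises no metric alarm until an operator sets real thresholds and enables them; the stack readme should say so. Apart from `logging_configuration`, the file repeats the notification, event, alarm and service-connector blocks of the preceding hunk (presumably the base cisl1 file) verbatim, so any later fix has to be applied in both places.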
@@ -1,12 +1,288 @@ { + "notifications_configuration": { + "default_compartment_id": "CMP-LZP-SECURITY-KEY", + "topics": { + "NOTT-LZP-IAM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for IAM related notifications.", + "name": "nott-lzp-iam", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-CLOUDGUARD-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-cloudguard", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-VSS-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-vss", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for firewall related alarms.", + "name": "nott-lzp-firewall", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for notifications.", + "name": "nott-lzp-notifications", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] 
+ }, + "NOTT-LZP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for shared platform notifications.", + "name": "nott-lzp-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "description": "Topic for LZP shared network related alarms.", + "name": "nott-lzp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-p-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-p-prod-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-p-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-p-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-p-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + 
"email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-p-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-pp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-pp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-pp-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-pp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-pp-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-pp-platform", + 
"subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + } + } + }, "events_configuration" : { "default_compartment_id": "CMP-LZP-NETWORK-KEY", "event_rules": { "RUL-LZP-BUDGET-NETWORK-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-BUDGET-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], "event_display_name": "rul-lzp-notify-on-budget-net-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", @@ -17,9 +293,7 @@ }, "RUL-LZP-BUDGET-SECURITY-KEY": { "compartment_id": "CMP-LZP-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-BUDGET-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], "event_display_name": "rul-lzp-notify-on-budget-sec-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", @@ -30,9 +304,7 @@ }, "RUL-LZP-NOTIFICATION-SECURITY-KEY": { "compartment_id": "CMP-LZP-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-SECURITY-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-SECURITY-KEY"], "event_display_name": "rul-lzp-notify-on-notifications-sec-changes", "supplied_events": [ "com.oraclecloud.notification.createsubscription", @@ -45,9 +317,7 @@ }, "RUL-LZP-NOTIFICATION-NETWORK-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-NETWORK-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], "event_display_name": "rul-lzp-notify-on-notifications-net-changes", "supplied_events": [ "com.oraclecloud.virtualnetwork.createvcn", @@ -97,9 +367,7 @@ }, "RUL-LZP-FIREWALL-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-NETWORK-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], "event_display_name": "rul-lzp-notify-on-firewall-changes", "supplied_events": [ "com.oraclecloud.networkfirewallservice.createnetworkfirewall.begin", 
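Review bot: The `NOTT-LZP-VSS-KEY` topic is described as "Topic for Cloud Guard related notifications." and the `NOTT-LZP-PP-NETWORK-ALARMS-KEY`, `NOTT-LZP-PP-WORKLOADS-KEY` and `NOTT-LZP-PP-PLATFORM-KEY` descriptions say Production, so an operator reading the topic list cannot tell which signal a subscription feeds; `"description": "Topic for Vulnerability Scanning related notifications.",` for VSS and a Pre-Production wording for the PP topics (presuming that is what the PP prefix denotes) would fix this. `NOTT-LZP-P-NETWORK-KEY` also keeps `"name": "nott-lzp-p-prod-network"`, the only name in the block that still carries the `prod` infix this commit strips from every other P/PP identifier. Every subscription targets the placeholder `email.address@example.com`; an OCI email subscription stays pending until the recipient confirms it, so a deployment that keeps the placeholder silently drops the IAM, Cloud Guard, VSS and budget notifications the event rules below route here, which is worth one line in the readme this commit touches. The same block is repeated verbatim as the first hunk of `oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json` and needs the same fixes.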
@@ -116,10 +384,8 @@ ] }, "RUL-LZP-P-BUDGET-NETWORK-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-BUDGET-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-budget-prod-net-cmp-changes", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-net-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", "com.oraclecloud.budgets.deletealertrule", @@ -129,10 +395,8 @@ }, "RUL-LZP-P-BUDGET-SECURITY-KEY": { "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-P-BUDGET-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-budget-prod-sec-cmp-changes", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-sec-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", "com.oraclecloud.budgets.deletealertrule", @@ -142,10 +406,8 @@ }, "RUL-LZP-P-NOTIFICATION-SECURITY-KEY": { "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-P-SECURITY-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-sec-changes", + "destination_topic_ids": ["NOTT-LZP-P-SECURITY-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-sec-changes", "supplied_events": [ "com.oraclecloud.notification.createsubscription", "com.oraclecloud.notification.deletesubscription", @@ -156,10 +418,8 @@ ] }, "RUL-LZP-P-NOTIFICATION-NETWORK-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-NETWORK-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-net-changes-rule", + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-net-changes-rule", "supplied_events": [ "com.oraclecloud.virtualnetwork.createvcn", "com.oraclecloud.virtualnetwork.deletevcn", 
@@ -206,141 +466,115 @@ "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" ] }, - "RUL-LZP-P-NOTIFICATION-PROD-PLATFORM-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-PROD-PLATFORM-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-platform-changes-rule", + "RUL-LZP-P-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-PLATFORM-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-platform-changes-rule", "supplied_events": [ "com.oraclecloud.computeapi.instancefailed" ] }, - "RUL-LZP-P-NOTIFICATION-PROD-PROJECTS-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-PROD-WORKLOADS-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-projects-changes-rule", + "RUL-LZP-P-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-projects-changes-rule", "supplied_events": [ "com.oraclecloud.computeapi.instancefailed" ] - } - }, - "topics": { - "NOTT-LZP-BUDGET-KEY": { - "compartment_id" : "CMP-LZP-SECURITY-KEY", - "description": "Topic for budget related notifications.", - "name": "nott-lzp-budget", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-NETWORK-KEY": { - "compartment_id": "CMP-LZP-NETWORK-KEY", - "description": "Topic for network related notifications.", - "name": "nott-lzp-network", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-FIREWALL-KEY": { - "compartment_id": "CMP-LZP-NETWORK-KEY", - "description": "Topic for firewall related alarms.", - "name": "nott-lzp-firewall", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] }, - "NOTT-LZP-SECURITY-KEY": { - "compartment_id": "CMP-LZP-SECURITY-KEY", - "description": "Topic for notifications.", - "name": "nott-lzp-notifications", - 
"subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" ] }, - "NOTT-LZP-P-BUDGET-TOPIC-KEY": { - "compartment_id" : "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for budget related notifications.", - "name": "nott-lzp-p-budget", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" ] }, - "NOTT-LZP-P-NETWORK-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for network related notifications.", - "name": "nott-lzpoe-p-prod-network", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-SECURITY-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" 
] }, - "NOTT-LZP-P-SECURITY-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for security related notifications.", - "name": "nott-lzp-p-security", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + 
"com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" ] }, - "NOTT-LZP-P-PROD-WORKLOADS-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for Production Workloads related notifications.", - "name": "nott-lzp-p-prod-workloads", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-PLATFORM-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" ] }, - "NOTT-LZP-P-PROD-PLATFORM-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for Production Platform related notifications.", - "name": "nott-lzp-p-prod-platform", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-WORKLOADS-KEY"], + "event_display_name": 
"rul-lzp-pp-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" ] } } @@ -349,9 +583,7 @@ "default_compartment_id": "CMP-LANDINGZONE-P-KEY", "event_rules": { "RUL-LZP-IAM-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-IAM-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-IAM-KEY"], "event_display_name": "rul-lzp-notify-on-iam-changes", "supplied_events": [ "com.oraclecloud.identitycontrolplane.createidentityprovider", @@ -378,9 +610,7 @@ ] }, "RUL-LZP-CLOUDGUARD-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-CLOUDGUARD-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-CLOUDGUARD-KEY"], "event_display_name": "rul-lzp-notify-on-cloudguard-changes", "supplied_events": [ "com.oraclecloud.cloudguard.problemdetected", @@ -392,9 +622,7 @@ ] }, "RUL-LZP-VSS-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-VSS-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-VSS-KEY"], "event_display_name": "rul-lzp-notify-on-vss-changes", "supplied_events": [ "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe", 
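Review bot: The new `RUL-LZP-PP-BUDGET-NETWORK-KEY` and `RUL-LZP-PP-NOTIFICATION-NETWORK-KEY` rules carry no `compartment_id`, so they appear to inherit the `events_configuration` default `CMP-LZP-NETWORK-KEY` (the shared network compartment) rather than the PP network compartment `CMP-LZP-PP-NETWORK-KEY` that the alarms later in this file use. As far as I recall OCI Events rules only match events emitted in the compartment they are created in, so if the default is inherited that way, VCN, security-list and NSG changes in the PP network compartment raise no notification at all while the rule duplicates the shared `RUL-LZP-NOTIFICATION-NETWORK-KEY` on the same compartment; adding `"compartment_id": "CMP-LZP-PP-NETWORK-KEY",` to both PP rules closes the gap (the pre-existing P network rules look like they have the same omission). The `event_rules` object this hunk edits starts outside the hunk.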
@@ -407,47 +635,6 @@
 "com.oraclecloud.vulnerabilityScanning.ChangeHostScanRecipeCompartment"
 ]
 }
- },
- "topics": {
- "NOTT-LZP-IAM-KEY": {
- "compartment_id": "CMP-LANDINGZONE-P-KEY",
- "description": "Topic for IAM related notifications.",
- "name": "nott-lzp-iam",
- "subscriptions": [
- {
- "protocol": "EMAIL",
- "values": [
- "email.address@example.com"
- ]
- }
- ]
- },
- "NOTT-LZP-CLOUDGUARD-KEY": {
- "compartment_id": "CMP-LANDINGZONE-P-KEY",
- "description": "Topic for Cloud Guard related notifications.",
- "name": "nott-lzp-cloudguard",
- "subscriptions": [
- {
- "protocol": "EMAIL",
- "values": [
- "email.address@example.com"
- ]
- }
- ]
- },
- "NOTT-LZP-VSS-KEY": {
- "compartment_id": "CMP-LANDINGZONE-P-KEY",
- "description": "Topic for Cloud Guard related notifications.",
- "name": "nott-lzp-vss",
- "subscriptions": [
- {
- "protocol": "EMAIL",
- "values": [
- "email.address@example.com"
- ]
- }
- ]
- }
 }
 },
 "alarms_configuration" : {
@@ -474,37 +661,19 @@
 "message_format": "PRETTY_JSON",
 "pending_duration": "PT5M"
 },
- "destination_topic_ids": [
- "NOTT-LZP-P-NETWORK-ALARMS-TOPIC-KEY"
- ]
- }
- },
- "topics": {
- "NOTT-LZP-NETWORK-ALARMS-KEY": {
- "compartment_id": "CMP-LZP-NETWORK-KEY",
- "description": "Topic for network related alarms.",
- "name": "nott-lzp-network-alarms",
- "subscriptions": [
- {
- "protocol": "EMAIL",
- "values": [
- "email.address@example.com"
- ]
- }
- ]
+ "destination_topic_ids": ["NOTT-LZP-P-NETWORK-ALARMS-KEY"]
 },
- "NOTT-LZP-P-NETWORK-ALARMS-TOPIC-KEY": {
- "compartment_id": "CMP-LZP-P-NETWORK-KEY",
- "description": "Topic for network related alarms.",
- "name": "nott-lzp-p-network-alarms",
- "subscriptions": [
- {
- "protocol": "EMAIL",
- "values": [
- "email.address@example.com"
- ]
- }
- ]
+ "AL-LZP-PP-NETWORK-VNIC-KEY": {
+ "compartment_id": "CMP-LZP-PP-NETWORK-KEY",
+ "is_enabled": "false",
+ "display_name": "al-lzp-pp-vnic-drops-alarm",
+ "supplied_alarm": {
+ "namespace": "oci_vcn",
+ "query": "VnicEgressDropsSecurityList[1m].mean() >= 0",
+ "message_format": "PRETTY_JSON",
+ "pending_duration": "PT5M"
+ },
+ "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-ALARMS-KEY"]
 }
 }
 },
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json
similarity index 66%
rename from blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json
rename to blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json
index 16d84f33..16e9ed05 100644
--- a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json
+++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json
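Review bot: The new alarm `AL-LZP-PP-NETWORK-VNIC-KEY` evaluates `VnicEgressDropsSecurityList[1m].mean() >= 0`, which holds for every sample of a non-negative drop counter, so the moment someone flips it on the `NOTT-LZP-PP-NETWORK-ALARMS-KEY` subscribers are paged on every evaluation; presumably this is a placeholder, but a CIS L2 baseline should ship with a real threshold, at minimum `"query": "VnicEgressDropsSecurityList[1m].mean() > 0",`, and ideally a value tuned to the environment's normal drop rate. `"is_enabled": "false"` is also a string where a boolean is meant; the module may coerce it, but `"is_enabled": false,` leaves no room for a truthy-string surprise. The same alarm definition appears verbatim in the `cisl1_addon_flowlogs` file earlier in this patch and should be fixed there too.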
@@ -1,12 +1,288 @@ { + "notifications_configuration": { + "default_compartment_id": "CMP-LZP-SECURITY-KEY", + "topics": { + "NOTT-LZP-IAM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for IAM related notifications.", + "name": "nott-lzp-iam", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-CLOUDGUARD-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-cloudguard", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-VSS-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for Cloud Guard related notifications.", + "name": "nott-lzp-vss", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-FIREWALL-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for firewall related alarms.", + "name": "nott-lzp-firewall", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for notifications.", + "name": "nott-lzp-notifications", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] 
+ }, + "NOTT-LZP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-SECURITY-KEY", + "description": "Topic for shared platform notifications.", + "name": "nott-lzp-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-NETWORK-KEY", + "description": "Topic for LZP shared network related alarms.", + "name": "nott-lzp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-p-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-p-prod-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-SECURITY-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-p-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-P-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-p-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-p-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + 
"email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-P-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-P-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-p-platform", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-BUDGET-KEY": { + "compartment_id" : "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for budget related notifications.", + "name": "nott-lzp-pp-budget", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for network related notifications.", + "name": "nott-lzp-pp-network", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for security related notifications.", + "name": "nott-lzp-pp-security", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-NETWORK-ALARMS-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "description": "Topic for LZP, Production environment, shared network related alarms.", + "name": "nott-lzp-pp-network-alarms", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-WORKLOADS-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Workloads related notifications.", + "name": "nott-lzp-pp-workloads", + "subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + }, + "NOTT-LZP-PP-PLATFORM-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "description": "Topic for Production Platform related notifications.", + "name": "nott-lzp-pp-platform", + 
"subscriptions": [ + { + "protocol": "EMAIL", + "values": [ + "email.address@example.com" + ] + } + ] + } + } + }, "events_configuration" : { "default_compartment_id": "CMP-LZP-NETWORK-KEY", "event_rules": { "RUL-LZP-BUDGET-NETWORK-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-BUDGET-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], "event_display_name": "rul-lzp-notify-on-budget-net-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", @@ -17,9 +293,7 @@ }, "RUL-LZP-BUDGET-SECURITY-KEY": { "compartment_id": "CMP-LZP-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-BUDGET-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-BUDGET-KEY"], "event_display_name": "rul-lzp-notify-on-budget-sec-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", @@ -30,9 +304,7 @@ }, "RUL-LZP-NOTIFICATION-SECURITY-KEY": { "compartment_id": "CMP-LZP-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-SECURITY-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-SECURITY-KEY"], "event_display_name": "rul-lzp-notify-on-notifications-sec-changes", "supplied_events": [ "com.oraclecloud.notification.createsubscription", @@ -45,9 +317,7 @@ }, "RUL-LZP-NOTIFICATION-NETWORK-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-NETWORK-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], "event_display_name": "rul-lzp-notify-on-notifications-net-changes", "supplied_events": [ "com.oraclecloud.virtualnetwork.createvcn", @@ -97,9 +367,7 @@ }, "RUL-LZP-FIREWALL-KEY": { "compartment_id": "CMP-LZP-NETWORK-KEY", - "destination_topic_ids": [ - "NOTT-LZP-NETWORK-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-NETWORK-KEY"], "event_display_name": "rul-lzp-notify-on-firewall-changes", "supplied_events": [ "com.oraclecloud.networkfirewallservice.createnetworkfirewall.begin", 
@@ -116,10 +384,8 @@ ] }, "RUL-LZP-P-BUDGET-NETWORK-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-BUDGET-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-budget-prod-net-cmp-changes", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-net-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", "com.oraclecloud.budgets.deletealertrule", @@ -129,10 +395,8 @@ }, "RUL-LZP-P-BUDGET-SECURITY-KEY": { "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-P-BUDGET-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-budget-prod-sec-cmp-changes", + "destination_topic_ids": ["NOTT-LZP-P-BUDGET-KEY"], + "event_display_name": "rul-lzp-p-notify-on-budget-sec-cmp-changes", "supplied_events": [ "com.oraclecloud.budgets.updatealertrule", "com.oraclecloud.budgets.deletealertrule", @@ -142,10 +406,8 @@ }, "RUL-LZP-P-NOTIFICATION-SECURITY-KEY": { "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "destination_topic_ids": [ - "NOTT-LZP-P-SECURITY-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-sec-changes", + "destination_topic_ids": ["NOTT-LZP-P-SECURITY-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-sec-changes", "supplied_events": [ "com.oraclecloud.notification.createsubscription", "com.oraclecloud.notification.deletesubscription", @@ -156,10 +418,8 @@ ] }, "RUL-LZP-P-NOTIFICATION-NETWORK-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-NETWORK-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-net-changes-rule", + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-net-changes-rule", "supplied_events": [ "com.oraclecloud.virtualnetwork.createvcn", "com.oraclecloud.virtualnetwork.deletevcn", 
@@ -206,141 +466,115 @@ "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" ] }, - "RUL-LZP-P-NOTIFICATION-PROD-PLATFORM-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-PROD-PLATFORM-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-platform-changes-rule", + "RUL-LZP-P-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-PLATFORM-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-platform-changes-rule", "supplied_events": [ "com.oraclecloud.computeapi.instancefailed" ] }, - "RUL-LZP-P-NOTIFICATION-PROD-PROJECTS-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-P-PROD-WORKLOADS-TOPIC-KEY" - ], - "event_display_name": "rul-lzp-p-notify-on-notifications-prod-projects-changes-rule", + "RUL-LZP-P-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-P-WORKLOADS-KEY"], + "event_display_name": "rul-lzp-p-notify-on-notifications-projects-changes-rule", "supplied_events": [ "com.oraclecloud.computeapi.instancefailed" ] - } - }, - "topics": { - "NOTT-LZP-BUDGET-KEY": { - "compartment_id" : "CMP-LZP-SECURITY-KEY", - "description": "Topic for budget related notifications.", - "name": "nott-lzp-budget", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] }, - "NOTT-LZP-NETWORK-KEY": { - "compartment_id": "CMP-LZP-NETWORK-KEY", - "description": "Topic for network related notifications.", - "name": "nott-lzp-network", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-FIREWALL-KEY": { - "compartment_id": "CMP-LZP-NETWORK-KEY", - "description": "Topic for firewall related alarms.", - "name": "nott-lzp-firewall", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-SECURITY-KEY": { - "compartment_id": "CMP-LZP-SECURITY-KEY", - "description": "Topic for notifications.", - "name": "nott-lzp-notifications", - 
"subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-BUDGET-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-net-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" ] }, - "NOTT-LZP-P-BUDGET-TOPIC-KEY": { - "compartment_id" : "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for budget related notifications.", - "name": "nott-lzp-p-budget", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-BUDGET-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-BUDGET-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-budget-sec-cmp-changes", + "supplied_events": [ + "com.oraclecloud.budgets.updatealertrule", + "com.oraclecloud.budgets.deletealertrule", + "com.oraclecloud.budgets.updatebudget", + "com.oraclecloud.budgets.deletebudget" ] }, - "NOTT-LZP-P-NETWORK-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for network related notifications.", - "name": "nott-lzpoe-p-prod-network", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-SECURITY-KEY": { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "destination_topic_ids": ["NOTT-LZP-PP-SECURITY-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-sec-changes", + "supplied_events": [ + "com.oraclecloud.notification.createsubscription", + "com.oraclecloud.notification.deletesubscription", + "com.oraclecloud.notification.getunsubscription", + "com.oraclecloud.notification.movesubscription", + "com.oraclecloud.notification.resendsubscriptionconfirmation", + "com.oraclecloud.notification.updatesubscription" 
] }, - "NOTT-LZP-P-SECURITY-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for security related notifications.", - "name": "nott-lzp-p-security", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-NETWORK-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-net-changes-rule", + "supplied_events": [ + "com.oraclecloud.virtualnetwork.createvcn", + "com.oraclecloud.virtualnetwork.deletevcn", + "com.oraclecloud.virtualnetwork.updatevcn", + "com.oraclecloud.virtualnetwork.createroutetable", + "com.oraclecloud.virtualnetwork.deleteroutetable", + "com.oraclecloud.virtualnetwork.updateroutetable", + "com.oraclecloud.virtualnetwork.changeroutetablecompartment", + "com.oraclecloud.virtualnetwork.createsecuritylist", + "com.oraclecloud.virtualnetwork.deletesecuritylist", + "com.oraclecloud.virtualnetwork.updatesecuritylist", + "com.oraclecloud.virtualnetwork.changesecuritylistcompartment", + "com.oraclecloud.virtualnetwork.createnetworksecuritygroup", + "com.oraclecloud.virtualnetwork.deletenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroup", + "com.oraclecloud.virtualnetwork.updatenetworksecuritygroupsecurityrules", + "com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment", + "com.oraclecloud.virtualnetwork.createdrg", + "com.oraclecloud.virtualnetwork.deletedrg", + "com.oraclecloud.virtualnetwork.updatedrg", + "com.oraclecloud.virtualnetwork.createdrgattachment", + "com.oraclecloud.virtualnetwork.deletedrgattachment", + "com.oraclecloud.virtualnetwork.updatedrgattachment", + "com.oraclecloud.virtualnetwork.createinternetgateway", + "com.oraclecloud.virtualnetwork.deleteinternetgateway", + "com.oraclecloud.virtualnetwork.updateinternetgateway", + "com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment", + 
"com.oraclecloud.virtualnetwork.createlocalpeeringgateway", + "com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end", + "com.oraclecloud.virtualnetwork.updatelocalpeeringgateway", + "com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment", + "com.oraclecloud.natgateway.createnatgateway", + "com.oraclecloud.natgateway.deletenatgateway", + "com.oraclecloud.natgateway.updatenatgateway", + "com.oraclecloud.natgateway.changenatgatewaycompartment", + "com.oraclecloud.servicegateway.createservicegateway", + "com.oraclecloud.servicegateway.deleteservicegateway.end", + "com.oraclecloud.servicegateway.attachserviceid", + "com.oraclecloud.servicegateway.detachserviceid", + "com.oraclecloud.servicegateway.updateservicegateway", + "com.oraclecloud.servicegateway.changeservicegatewaycompartment", + "com.oraclecloud.virtualnetwork.changepublicipcompartment", + "com.oraclecloud.virtualnetwork.createpublicip", + "com.oraclecloud.virtualnetwork.changedhcpoptionscompartment" ] }, - "NOTT-LZP-P-PROD-WORKLOADS-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for Production Workloads related notifications.", - "name": "nott-lzp-p-prod-workloads", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-PLATFORM-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-PLATFORM-KEY"], + "event_display_name": "rul-lzp-pp-notify-on-notifications-platform-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" ] }, - "NOTT-LZP-P-PROD-PLATFORM-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-SECURITY-KEY", - "description": "Topic for Production Platform related notifications.", - "name": "nott-lzp-p-prod-platform", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } + "RUL-LZP-PP-NOTIFICATION-PROJECTS-KEY": { + "destination_topic_ids": ["NOTT-LZP-PP-WORKLOADS-KEY"], + "event_display_name": 
"rul-lzp-pp-notify-on-notifications-projects-changes-rule", + "supplied_events": [ + "com.oraclecloud.computeapi.instancefailed" ] } } @@ -349,9 +583,7 @@ "default_compartment_id": "CMP-LANDINGZONE-P-KEY", "event_rules": { "RUL-LZP-IAM-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-IAM-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-IAM-KEY"], "event_display_name": "rul-lzp-notify-on-iam-changes", "supplied_events": [ "com.oraclecloud.identitycontrolplane.createidentityprovider", @@ -378,9 +610,7 @@ ] }, "RUL-LZP-CLOUDGUARD-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-CLOUDGUARD-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-CLOUDGUARD-KEY"], "event_display_name": "rul-lzp-notify-on-cloudguard-changes", "supplied_events": [ "com.oraclecloud.cloudguard.problemdetected", @@ -392,9 +622,7 @@ ] }, "RUL-LZP-VSS-KEY": { - "destination_topic_ids": [ - "NOTT-LZP-VSS-KEY" - ], + "destination_topic_ids": ["NOTT-LZP-VSS-KEY"], "event_display_name": "rul-lzp-notify-on-vss-changes", "supplied_events": [ "com.oraclecloud.vulnerabilityScanning.CreateHostScanRecipe", 
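Review bot: The new `RUL-LZP-PP-*` rules point `destination_topic_ids` at `NOTT-LZP-PP-BUDGET-KEY`, `NOTT-LZP-PP-SECURITY-KEY`, `NOTT-LZP-PP-NETWORK-KEY`, `NOTT-LZP-PP-PLATFORM-KEY` and `NOTT-LZP-PP-WORKLOADS-KEY`, yet the `topics` block that used to declare topic keys in this file is deleted in the same hunk, so these keys can only resolve against topics declared in a companion configuration (presumably the base observability file) and that dependency is stated nowhere on the page. Since tfvars JSON cannot carry a comment, the readme should say that this add-on requires the base file's `topics` to be loaded in the same stack; the renamed references in the `-116` to `-156` hunks above (`NOTT-LZP-P-*-TOPIC-KEY` to `NOTT-LZP-P-*-KEY`) rely on the same thing. A smaller style point: `event_display_name` values are inconsistent about the `-rule` suffix (`rul-lzp-pp-notify-on-budget-net-cmp-changes` versus `rul-lzp-pp-notify-on-notifications-net-changes-rule`), so pick one form. The `event_rules` map this hunk edits opens before the hunk.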
@@ -407,47 +635,6 @@ "com.oraclecloud.vulnerabilityScanning.ChangeHostScanRecipeCompartment" ] } - }, - "topics": { - "NOTT-LZP-IAM-KEY": { - "compartment_id": "CMP-LANDINGZONE-P-KEY", - "description": "Topic for IAM related notifications.", - "name": "nott-lzp-iam", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-CLOUDGUARD-KEY": { - "compartment_id": "CMP-LANDINGZONE-P-KEY", - "description": "Topic for Cloud Guard related notifications.", - "name": "nott-lzp-cloudguard", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - }, - "NOTT-LZP-VSS-KEY": { - "compartment_id": "CMP-LANDINGZONE-P-KEY", - "description": "Topic for Cloud Guard related notifications.", - "name": "nott-lzp-vss", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] - } } }, "alarms_configuration" : { 
@@ -474,37 +661,19 @@ "message_format": "PRETTY_JSON", "pending_duration": "PT5M" }, - "destination_topic_ids": [ - "NOTT-LZP-P-NETWORK-ALARMS-TOPIC-KEY" - ] - } - }, - "topics": { - "NOTT-LZP-NETWORK-ALARMS-KEY": { - "compartment_id": "CMP-LZP-NETWORK-KEY", - "description": "Topic for network related alarms.", - "name": "nott-lzp-network-alarms", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] + "destination_topic_ids": ["NOTT-LZP-P-NETWORK-ALARMS-KEY"] }, - "NOTT-LZP-P-NETWORK-ALARMS-TOPIC-KEY": { - "compartment_id": "CMP-LZP-P-NETWORK-KEY", - "description": "Topic for network related alarms.", - "name": "nott-lzp-p-network-alarms", - "subscriptions": [ - { - "protocol": "EMAIL", - "values": [ - "email.address@example.com" - ] - } - ] + "AL-LZP-PP-NETWORK-VNIC-KEY": { + "compartment_id": "CMP-LZP-PP-NETWORK-KEY", + "is_enabled": "false", + "display_name": "al-lzp-pp-vnic-drops-alarm", + "supplied_alarm": { + "namespace": "oci_vcn", + "query": "VnicEgressDropsSecurityList[1m].mean() >= 0", + "message_format": "PRETTY_JSON", + "pending_duration": "PT5M" + }, + "destination_topic_ids": ["NOTT-LZP-PP-NETWORK-ALARMS-KEY"] } } }, @@ -518,13 +687,9 @@ "compartment_id": "CMP-LZP-P-SECURITY-KEY", "name": "lgrp-lzp-p-vcn-flow" }, - "LGRP-LZP-U-VCN-FLOW-KEY" : { - "compartment_id": "CMP-LZP-U-SECURITY-KEY", - "name": "lgrp-lzp-u-vcn-flow" - }, - "LGRP-LZP-D-VCN-FLOW-KEY" : { - "compartment_id": "CMP-LZP-D-SECURITY-KEY", - "name": "lgrp-lzp-d-vcn-flow" + "LGRP-LZP-PP-VCN-FLOW-KEY" : { + "compartment_id": "CMP-LZP-PP-SECURITY-KEY", + "name": "lgrp-lzp-pp-vcn-flow" } }, "flow_logs" : { 
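Review bot: The query of the new `AL-LZP-PP-NETWORK-VNIC-KEY` alarm, `VnicEgressDropsSecurityList[1m].mean() >= 0`, is satisfied by every sample, so as soon as the alarm is switched on (it ships with `"is_enabled": "false"`) it will sit permanently in firing state and the `NOTT-LZP-PP-NETWORK-ALARMS-KEY` topic receives a constant alert instead of a signal that drops occurred. If the intent is to alert when security-list drops are observed, a positive threshold is needed, e.g. `"query": "VnicEgressDropsSecurityList[1m].mean() > 0"`; the sibling `P` alarm's query lies above the hunk, so I could not check whether it carries the same comparison. It would also help to document in the readme's post-deployment section why the alarm is created disabled, since a disabled drop alarm gives no detection coverage until someone enables it. The `alarms` map starts before this hunk.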
@@ -548,24 +713,14 @@ "target_compartment_ids" : ["CMP-LZP-P-NETWORK-KEY"], "target_resource_type" : "vcn" }, - "LOG-LZP-U-SUBNET-FLOW-KEY" : { - "log_group_id" : "LGRP-LZP-U-VCN-FLOW-KEY", - "target_compartment_ids" : ["CMP-LZP-U-NETWORK-KEY"], - "target_resource_type" : "subnet" - }, - "LOG-LZP-U-VCN-FLOW-KEY" : { - "log_group_id" : "LGRP-LZP-U-VCN-FLOW-KEY", - "target_compartment_ids" : ["CMP-LZP-U-NETWORK-KEY"], - "target_resource_type" : "vcn" - }, - "LOG-LZP-D-SUBNET-FLOW-KEY" : { - "log_group_id" : "LGRP-LZP-D-VCN-FLOW-KEY", - "target_compartment_ids" : ["CMP-LZP-D-NETWORK-KEY"], + "LOG-LZP-PP-SUBNET-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-PP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-PP-NETWORK-KEY"], "target_resource_type" : "subnet" }, - "LOG-LZP-D-VCN-FLOW-KEY" : { - "log_group_id" : "LGRP-LZP-D-VCN-FLOW-KEY", - "target_compartment_ids" : ["CMP-LZP-D-NETWORK-KEY"], + "LOG-LZP-PP-VCN-FLOW-KEY" : { + "log_group_id" : "LGRP-LZP-PP-VCN-FLOW-KEY", + "target_compartment_ids" : ["CMP-LZP-PP-NETWORK-KEY"], "target_resource_type" : "vcn" } } diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json new file mode 100644 index 00000000..b5860521 --- /dev/null +++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json 
@@ -0,0 +1,146 @@
+{
+ "cloud_guard_configuration": {
+ "enable_cloud_guard": "true",
+ "tenancy_id": "TENANCY-ROOT",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_id": "TENANCY-ROOT",
+ "name_prefix": null,
+ "self_manage_resources": "false",
+ "target_resource_name": null,
+ "target_resource_type": "COMPARTMENT",
+ "enable_cloned_recipes": "false",
+ "configuration_detector_recipe_name": null,
+ "activity_detector_recipe_name": null,
+ "threat_detector_recipe_name": null,
+ "responder_recipe_name": null,
+ "targets": {
+ "CG-TGT-ROOT-KEY": {
+ "name": "cg-tgt-root",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_type": "COMPARTMENT",
+ "resource_id": "TENANCY-ROOT",
+ "use_cloned_recipes": "false"
+ }
+ }
+ },
+ "security_zones_configuration": {
+ "tenancy_ocid": "TENANCY-ROOT",
+ "recipes": {
+ "SZ-RCP-LZP-01-CIS-LVL-1-KEY": {
+ "name": "sz-rcp-lzp-01-CIS-Level-1",
+ "description": "Recipe 01 CIS Level 1",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "1"
+ },
+ "SZ-RCP-LZP-02-CIS-LVL-2-KEY": {
+ "name": "sz-rcp-lzp-02-CIS-Level-2",
+ "description": "Recipe 02 CIS Level 2",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2"
+ },
+ "SZ-RCP-LZP-03-SHARED-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-03-shared-network",
+ "description": "Recipe 03 Shared Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq"
+
+ ]
+ },
+ "SZ-RCP-LZP-04-ENV-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-04-environment-network",
+ "description": "Recipe 04 Environment Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq"
+ ]
+ },
+ "SZ-RCP-LZP-05-WORKLOADS-KEY": {
+ "name": "sz-rcp-lzp-05-workloads",
+ "description": "Recipe 05 Workloads",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaf45c2imtiuyxbccuwrh3s7is5lokpx5ksr4heu46c6mz6k35dsqa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa5qtljtbaeacnhfhr7hfs5nd3jp6jin6grbdgf6izkf4ukxmatjpa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6oycc62uuvpi6oddkzku6x2vzhraud7ynkbdeols5i4khwroklva",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauvfkentmqda6mq7lxekkstjpe7kwgmrpkadzt7krhrt66tliourq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa544n6cyqrq6tato53ohh7vcz523af5dtuz6x54efhs6mb7bcw54a",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaay32fadjsdgsytdpyn4busugqftko2shttseljqbagapngiatxepa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaqlpaf5tc3xfqdzdw2rtx7hk4ifywzml3eh3upspeh4s6x4epaskq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaxou4266jlusvklor34czqvloa64k5dsok5cejug2bxi2jvqy32zq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak2x2aomzhqoeg2bf4zgqyr3bg2ppsfhupn2xvu66zpuz7kbvae5a",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauah5cz3vxzpdvw4uz32hcgcmhogvuhacgyc7z3al42tfjey46eea",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawebiliesbgzdguac5m5u332oj66afaab6ruovydpsdoexloguweq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa2lfkaypfwyykhbz65zlgc4lvypl64axzhnsqmegllgiyxbweruya",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaah3k66efqfgo5ccjgvtkwbfpzj5yjajmw7vt5eub6ma4jp6su55zq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaajscm24dhll5wk65k6q4mmkopiykpqrumtururitjaxk3j4ibe3ua",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaol3pxbbikegih24c7l4um7wqeeun2dpkvgm3izz5syf755xfscgq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawol5fz6qkrkxm5ui7n3car44e5wbs54thnku2hjxwaedi5ee6htq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaegi6cweu5jqwipqhj5quz4pebfd76djed4lfogslzuawqavkrsjq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaarkvvuzwtc6xwwr57zg6fymgkco3lbt35c7r4lnahw4ab5i3vkbrq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauhuzsidaju3mwy3llsetvm3dlc6ftel65ielfu7h4hg6q2cfsrxa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawec56szedvf6hogbbnu7cxywm4xkmta53wuo7lenceiqyr4bx5hq"
+ ]
+ }
+ },
+ "security_zones": {
+ "SZ-TGT-LZP-CISL1-KEY": {
+ "name": "sz-tgt-lzp-cisl1",
+ "compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "recipe_key": "SZ-RCP-LZP-01-CIS-LVL-1-KEY"
+ }
+ }
+ },
+ "scanning_configuration": {
+ "default_compartment_id": "CMP-LZP-SECURITY-KEY",
+ "host_recipes": {
+ "VSS-RECH-LZP-KEY": {
+ "name": "vss-rech-lzp",
+ "port_scan_level": "STANDARD",
+ "schedule_settings": {
+ "type": "WEEKLY",
+ "day_of_week": "SUNDAY"
+ },
+ "agent_settings": {
+ "scan_level": "STANDARD",
+ "vendor": "OCI",
+ "cis_benchmark_scan_level": "STRICT"
+ },
+ "file_scan_settings": {
+ "enable": true,
+ "scan_recurrence": "FREQ=WEEKLY;INTERVAL=2;WKST=SU",
+ "folders_to_scan": ["/"],
+ "operating_system": "LINUX"
+ }
+ }
+ },
+ "host_targets": {
+ "VSS-TGT-LZP-KEY": {
+ "name": "vss-tgt-lzp",
+ "target_compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "host_recipe_id": "VSS-RECH-LZP-KEY"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_addon_sz345.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json
similarity index 100%
rename from blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_addon_sz345.auto.tfvars.json
rename to blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2.auto.tfvars.json
similarity index 100%
rename from blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security.auto.tfvars.json
rename to blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2.auto.tfvars.json
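Review bot: The `security_policies_ocids` lists of recipes 03, 04 and 05 (40 policy OCIDs in total) are copied verbatim into both new files, this one and `oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json` below, while this file's `security_zones` binds only recipe 01; two copies of the same list drift the first time one of them is edited, so consider declaring recipes 03 to 05 only in the add-on that targets them, or stating in the readme that the two lists must stay identical. Two smaller points in the same hunk: recipe 03's array has a stray blank line before its closing `]`, and boolean-like values are mixed (`"enable_cloud_guard": "true"` as a string next to `"enable": true` as a JSON boolean), which the module may coerce but which makes schema validation harder than one representation would. The file also ends without a trailing newline (`\ No newline at end of file`).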
diff --git a/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json
new file mode 100644
index 00000000..96e7adc8
--- /dev/null
+++ b/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json
@@ -0,0 +1,181 @@
+{
+ "cloud_guard_configuration": {
+ "enable_cloud_guard": "true",
+ "tenancy_id": "TENANCY-ROOT",
+ "reporting_region": "eu-frankfurt-1",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_id": "TENANCY-ROOT",
+ "name_prefix": null,
+ "self_manage_resources": "false",
+ "target_resource_name": null,
+ "target_resource_type": "COMPARTMENT",
+ "enable_cloned_recipes": "false",
+ "configuration_detector_recipe_name": null,
+ "activity_detector_recipe_name": null,
+ "threat_detector_recipe_name": null,
+ "responder_recipe_name": null,
+ "targets": {
+ "CG-TGT-ROOT-KEY": {
+ "name": "cg-tgt-root",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_type": "COMPARTMENT",
+ "resource_id": "TENANCY-ROOT",
+ "use_cloned_recipes": "false"
+ }
+ }
+ },
+ "security_zones_configuration": {
+ "reporting_region": "eu-frankfurt-1",
+ "tenancy_ocid": "TENANCY-ROOT",
+ "recipes": {
+ "SZ-RCP-LZP-01-CIS-LVL-1-KEY": {
+ "name": "sz-rcp-lzp-01-CIS-Level-1",
+ "description": "Recipe 01 CIS Level 1",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "1"
+ },
+ "SZ-RCP-LZP-02-CIS-LVL-2-KEY": {
+ "name": "sz-rcp-lzp-02-CIS-Level-2",
+ "description": "Recipe 02 CIS Level 2",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2"
+ },
+ "SZ-RCP-LZP-03-SHARED-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-03-shared-network",
+ "description": "Recipe 03 Shared Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq"
+
+ ]
+ },
+ "SZ-RCP-LZP-04-ENV-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-04-environment-network",
+ "description": "Recipe 04 Environment Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq"
+ ]
+ },
+ "SZ-RCP-LZP-05-WORKLOADS-KEY": {
+ "name": "sz-rcp-lzp-05-workloads",
+ "description": "Recipe 05 Workloads",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaf45c2imtiuyxbccuwrh3s7is5lokpx5ksr4heu46c6mz6k35dsqa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa5qtljtbaeacnhfhr7hfs5nd3jp6jin6grbdgf6izkf4ukxmatjpa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa6oycc62uuvpi6oddkzku6x2vzhraud7ynkbdeols5i4khwroklva",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauvfkentmqda6mq7lxekkstjpe7kwgmrpkadzt7krhrt66tliourq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa544n6cyqrq6tato53ohh7vcz523af5dtuz6x54efhs6mb7bcw54a",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaay32fadjsdgsytdpyn4busugqftko2shttseljqbagapngiatxepa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaqlpaf5tc3xfqdzdw2rtx7hk4ifywzml3eh3upspeh4s6x4epaskq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaxou4266jlusvklor34czqvloa64k5dsok5cejug2bxi2jvqy32zq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaak2x2aomzhqoeg2bf4zgqyr3bg2ppsfhupn2xvu66zpuz7kbvae5a",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauah5cz3vxzpdvw4uz32hcgcmhogvuhacgyc7z3al42tfjey46eea",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawebiliesbgzdguac5m5u332oj66afaab6ruovydpsdoexloguweq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaa2lfkaypfwyykhbz65zlgc4lvypl64axzhnsqmegllgiyxbweruya",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaah3k66efqfgo5ccjgvtkwbfpzj5yjajmw7vt5eub6ma4jp6su55zq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaajscm24dhll5wk65k6q4mmkopiykpqrumtururitjaxk3j4ibe3ua",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaol3pxbbikegih24c7l4um7wqeeun2dpkvgm3izz5syf755xfscgq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawol5fz6qkrkxm5ui7n3car44e5wbs54thnku2hjxwaedi5ee6htq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaaegi6cweu5jqwipqhj5quz4pebfd76djed4lfogslzuawqavkrsjq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaarkvvuzwtc6xwwr57zg6fymgkco3lbt35c7r4lnahw4ab5i3vkbrq",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaauhuzsidaju3mwy3llsetvm3dlc6ftel65ielfu7h4hg6q2cfsrxa",
+ "ocid1.securityzonessecuritypolicy.oc1..aaaaaaaawec56szedvf6hogbbnu7cxywm4xkmta53wuo7lenceiqyr4bx5hq"
+ ]
+ }
+ },
+ "security_zones": {
+ "SZ-TGT-LZP-CISL2-KEY": {
+ "name": "sz-tgt-lzp-cisl2",
+ "compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "recipe_key": "SZ-RCP-LZP-02-CIS-LVL-2-KEY"
+ },
+ "SZ-TGT-LZP-SHARED_NETWORK-KEY": {
+ "name": "sz-tgt-lzp-shared-network",
+ "compartment_id": "CMP-LZP-NETWORK-KEY",
+ "recipe_key": "SZ-RCP-LZP-03-SHARED-NETWORK-KEY"
+ },
+ "SZ-TGT-LZP-P-SHARED-NETWORK-KEY": {
+ "name": "sz-tgt-lzp-environment-network",
+ "compartment_id": "CMP-LZP-P-NETWORK-KEY",
+ "recipe_key": "SZ-RCP-LZP-04-ENV-NETWORK-KEY"
+ },
+ "SZ-TGT-LZP-P-PROJ1-KEY": {
+ "name": "sz-tgt-lzp-proj1",
+ "compartment_id": "CMP-LZP-P-PROJ1-KEY",
+ "recipe_key": "SZ-RCP-LZP-05-WORKLOADS-KEY"
+ }
+ }
+ },
+ "scanning_configuration": {
+ "default_compartment_id": "CMP-LZP-SECURITY-KEY",
+ "host_recipes": {
+ "VSS-RECH-LZP-KEY": {
+ "name": "vss-rech-lzp",
+ "port_scan_level": "STANDARD",
+ "schedule_settings": {
+ "type": "WEEKLY",
+ "day_of_week": "SUNDAY"
+ },
+ "agent_settings": {
+ "scan_level": "STANDARD",
+ "vendor": "OCI",
+ "cis_benchmark_scan_level": "STRICT"
+ },
+ "file_scan_settings": {
+ "enable": true,
+ "scan_recurrence": "FREQ=WEEKLY;INTERVAL=2;WKST=SU",
+ "folders_to_scan": ["/"],
+ "operating_system": "LINUX"
+ }
+ }
+ },
+ "host_targets": {
+ "VSS-TGT-LZP-KEY": {
+ "name": "vss-tgt-lzp",
+ "target_compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "host_recipe_id": "VSS-RECH-LZP-KEY"
+ }
+ }
+ },
+ "vaults_configuration": {
+ "default_compartment_id": "CMP-LZP-SECURITY-KEY",
+ "vaults": {
+ "VLT-LZP-SHARED-SECURITY-KEY": {
+ "name": "vlt-lzp-shared-security"
+ }
+ },
+ "keys": {
+ "KEY-LZP-OSS-AUDIT-BKT-KEY": {
+ "name": "key-lzp-oss-audit-bkt",
+ "protection_mode": "SOFTWARE",
+ "vault_key": "VLT-LZP-SHARED-SECURITY-KEY",
+ "service_grantees": ["objectstorage-eu-frankfurt-1"],
+ "group_grantees": ["grp-security-admins"],
+ "versions": ["1","2"]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/blueprints/one-oe/runtime/one-stack/readme.md b/blueprints/one-oe/runtime/one-stack/readme.md
index c663b5a0..ab45b480 100644
--- a/blueprints/one-oe/runtime/one-stack/readme.md
+++ b/blueprints/one-oe/runtime/one-stack/readme.md
@@ -4,13 +4,13 @@   -| | | -|---|---| -| **OPERATION** | **OP.00 One-Stack Deployment** | -| **TARGET RESOURCES**
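Review bot: The region `eu-frankfurt-1` is hard-coded three times in this blueprint file (`reporting_region` under `cloud_guard_configuration`, `reporting_region` under `security_zones_configuration`, and `"service_grantees": ["objectstorage-eu-frankfurt-1"]` on the vault key), so a tenancy whose Cloud Guard reporting region differs gets a configuration that does not apply and a key grant for an Object Storage service principal of the wrong region; the sibling `oci_open_lz_one-oe_security_cisl1.auto.tfvars.json` above carries no `reporting_region` at all, so the two files also disagree. Either use a clearly labelled placeholder such as `<REPORTING-REGION>` or state in the readme that these three values must be edited before deployment. Naming inside `security_zones` is inconsistent: `SZ-TGT-LZP-SHARED_NETWORK-KEY` uses an underscore where every other key uses hyphens, and `SZ-TGT-LZP-P-SHARED-NETWORK-KEY` carries `"name": "sz-tgt-lzp-environment-network"`, so key and display name disagree. Finally, the audit-bucket key `KEY-LZP-OSS-AUDIT-BKT-KEY` is created with `"protection_mode": "SOFTWARE"`; if an HSM-backed key is intended for the audit bucket this should be `"HSM"`, otherwise a readme sentence explaining the choice would help reviewers of the posture.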

|
This operation creates a **One-OE Landing Zone** in **one execution** with the following resources:
- One **Landing Zone Environment** (production).
- [**Network Hub A**](/addons/oci-hub-models/hub_a/readme.md).
- Three **Workload Environments** (prod, uat, dev) and related Spoke Networks.
- Setups a **strong security posture** with Security Zones and Cloud Guard.
- Setups **monitoring** with Events, Alarms Logging, and Notifications.
- One sample **Project** and a sample **Platform** areas.
For more details on the resources being created refer to the [documentation](/blueprints/one-oe/design/readme.md) and the [drawio](/blueprints/one-oe/design/OCI_Open_LZ_One-OE-Blueprint.drawio).

| -| **INPUT CONFIGURATIONS**

  +  |
[**IAM Configuration**](oci_open_lz_one-oe_iam.auto.tfvars.json) as input to the [OCI Landing Zone IAM](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam) module.
[**Network Configuration**](oci_open_lz_one-oe_network.auto.tfvars.json) as input to the [OCI Landing Zone Network](https://github.com/oci-landing-zones/terraform-oci-modules-networking) module.
[**Security Configuration**](oci_open_lz_one-oe_security.auto.tfvars.json) as input to the [OCI Landing Zone Security](https://github.com/oci-landing-zones/terraform-oci-modules-security) module.
[**Observability Configurations**](oci_open_lz_one-oe_observability.auto.tfvars.json) as input to the [OCI Landing Zone Observability](https://github.com/oci-landing-zones/terraform-oci-modules-observability) module.

| -| **DEPLOY WITH ORM**
*- STEP #1*

|
[](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oci-landing-zones/terraform-oci-modules-orchestrator/archive/refs/tags/v2.0.3.zip&zipUrlVariables={"input_config_files_urls":"https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security.auto.tfvars.json"})

And follow these steps:
1. Accept terms, wait for the configuration to load.
2. Set the working directory to “rms-facade”.
3. Set the stack name you prefer.
4. Set the terraform version to 1.2.x. Click Next.
5. Accept the default files. Click Next. Optionally, replace with your json/yaml config files.
6. Un-check run apply. Click Create.

|
-| **POST DEPLOYMENT**
*- STEP #2*


|
This is an **optional** step to be executed once Step 1 Stack and all landing zone elements are created. This step requires the **update the previous ORM stack json configuration files** in order to add extra Security Zones Recipes (3, 4, and 5) and Network Flow Logs. This update can be executed in one step by replacing both files as described below.

**Security Zones**:
- Use the configuration [oci_open_lz_one-oe_security_addon_sz345.auto.tfvars.json](oci_open_lz_one-oe_security_addon_sz345.auto.tfvars.json) to extend the base configuration with additional Security Zone targets to apply Recipes in the shared network compartment, the production shared network compartment, and project 1 example. As the compartment hierarchy goes deeper the Security Zones are more restrictive.
- Note that this update action is not in the base stack red due to limitations with terraform dependency grapth while creating these resources. These will be merged once these limitations are solved.

**Observability - Flow Logs:**
- Use the configuration [oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json](oci_open_lz_one-oe_observability_addon_flowlogs.auto.tfvars.json) to create the VCN and Subnets flow logs.
- Note that by default, the VCN and Subnet flows logs are not deployed. The first 10 gigabytes of log storage are free every month. The configuration creates a log group for the shared network and each shared network environment, where it would create logs for every VCN and subnet within the VCNs. It would depend on how much traffic is generated in your VCNs/Subnets to overpass the free log storage that you get every month.

|
+| | | |
+|---|---|---|
+| **OPERATION** | **One-Stack Deployment with CIS Level 1 Security Controls** | **One-Stack Deployment with CIS Level 2 Security Controls** |
+| **TARGET RESOURCES**

|
This operation creates a **One-OE Landing Zone** in **one execution** with the following resources:
- One **Landing Zone Environment** (production).
- [**Network Hub A, no cost version**](/addons/oci-hub-models/hub_a/readme.md).
- Two **Workload Environments** (prod, preprod) and related Spoke Networks.
- Setups a **strong security posture** with Security Zones and Cloud Guard based on CIS Security Controls Level 1.
- Setups **monitoring** with Events, Alarms Logging, and Notifications based on CIS Security Controls Level 1.
- One sample **Project** per workload environment and a sample **Platform** areas.
For more details on the resources being created refer to the [documentation](/blueprints/one-oe/design/readme.md) and the [drawio](/blueprints/one-oe/design/OCI_Open_LZ_One-OE-Blueprint.drawio).

|
This operation creates a **One-OE Landing Zone** in **one execution** with the following resources:
- One **Landing Zone Environment** (production).
- [**Network Hub A, no cost version**](/addons/oci-hub-models/hub_a/readme.md).
- Two **Workload Environments** (prod, preprod) and related Spoke Networks.
- Setups a **strong security posture** with Security Zones and Cloud Guard based on CIS Security Controls Level 2.
- Setups **monitoring** with Events, Alarms Logging, and Notifications based on CIS Security Controls Level 2.
- One sample **Project** per workload environment and a sample **Platform** areas.
For more details on the resources being created refer to the [documentation](/blueprints/one-oe/design/readme.md) and the [drawio](/blueprints/one-oe/design/OCI_Open_LZ_One-OE-Blueprint.drawio).

|
+| **INPUT CONFIGURATIONS**

  +  |
[**IAM Configuration**](oci_open_lz_one-oe_iam.auto.tfvars.json) as input to the [OCI Landing Zone IAM](https://github.com/oci-landing-zones/terraform-oci-modules-iam) module.
[**Network Configuration**](oci_open_lz_one-oe_network.auto.tfvars.json) as input to the [OCI Landing Zone Network](https://github.com/oci-landing-zones/terraform-oci-modules-networking) module.
[**Security Configuration**](oci_open_lz_one-oe_security_cisl1.auto.tfvars.json) as input to the [OCI Landing Zone Security](https://github.com/oci-landing-zones/terraform-oci-modules-security) module.
[**Observability Configurations**](oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json) as input to the [OCI Landing Zone Observability](https://github.com/oci-landing-zones/terraform-oci-modules-observability) module.

|
[**IAM Configuration**](oci_open_lz_one-oe_iam.auto.tfvars.json) as input to the [OCI Landing Zone IAM](https://github.com/oci-landing-zones/terraform-oci-modules-iam) module.
[**Network Configuration**](oci_open_lz_one-oe_network.auto.tfvars.json) as input to the [OCI Landing Zone Network](https://github.com/oci-landing-zones/terraform-oci-modules-networking) module.
[**Security Configuration**](oci_open_lz_one-oe_security_cisl2.auto.tfvars.json) as input to the [OCI Landing Zone Security](https://github.com/oci-landing-zones/terraform-oci-modules-security) module.
[**Observability Configurations**](oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json) as input to the [OCI Landing Zone Observability](https://github.com/oci-landing-zones/terraform-oci-modules-observability) module.

|
+| **DEPLOY WITH ORM**
*- STEP #1*

|
[](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oci-landing-zones/terraform-oci-modules-orchestrator/archive/refs/tags/v2.0.4.zip&zipUrlVariables={"input_config_files_urls":"https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl1.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl1.auto.tfvars.json"})

And follow these steps:
1. Accept terms, wait for the configuration to load.
2. Set the working directory to “rms-facade”.
3. Set the stack name you prefer.
4. Set the terraform version to 1.5.x. Click Next.
5. Accept the default files. Click Next. Optionally, replace with your json/yaml config files.
6. Un-check run apply. Click Create.

|
[](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oci-landing-zones/terraform-oci-modules-orchestrator/archive/refs/tags/v2.0.4.zip&zipUrlVariables={"input_config_files_urls":"https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_iam.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_network.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_observability_cisl2.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/blueprints/one-oe/runtime/one-stack/oci_open_lz_one-oe_security_cisl2.auto.tfvars.json"})

And follow these steps:
1. Accept terms, wait for the configuration to load.
2. Set the working directory to “rms-facade”.
3. Set the stack name you prefer.
4. Set the terraform version to 1.5.x. Click Next.
5. Accept the default files. Click Next. Optionally, replace with your json/yaml config files.
6. Un-check run apply. Click Create.

|
+| **POST DEPLOYMENT**
*- STEP #2*


|
This is an **optional** step to be executed once Step 1 Stack and all landing zone elements are created. This step requires the **update the previous ORM stack json configuration files** in order to add extra Security Zones Recipes (3, 4, and 5) and Network Flow Logs. This update can be executed in one step by replacing both files as described below.

**Security Zones**:
- Use the configuration [oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json](oci_open_lz_one-oe_security_cisl1_addon_sz345.auto.tfvars.json) to extend the base configuration with additional Security Zone targets to apply Recipes in the shared network compartment, the production shared network compartment, and project 1 example. As the compartment hierarchy goes deeper the Security Zones are more restrictive.
- Note that this update action is not in the base stack red due to limitations with terraform dependency grapth while creating these resources. These will be merged once these limitations are solved.

**Observability - Flow Logs:**
- Use the configuration [oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json](oci_open_lz_one-oe_observability_cisl1_addon_flowlogs.auto.tfvars.json) to create the VCN and Subnets flow logs.
- Note that by default, the VCN and Subnet flows logs are not deployed. The first 10 gigabytes of log storage are free every month. The configuration creates a log group for the shared network and each shared network environment, where it would create logs for every VCN and subnet within the VCNs. It would depend on how much traffic is generated in your VCNs/Subnets to overpass the free log storage that you get every month.

|
This is an **optional** step to be executed once Step 1 Stack and all landing zone elements are created. This step requires the **update the previous ORM stack json configuration files** in order to add extra Security Zones Recipes (3, 4, and 5) and Network Flow Logs. This update can be executed in one step by replacing both files as described below.

**Security Zones**:
- Use the configuration [oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json](oci_open_lz_one-oe_security_cisl2_addon_sz345.auto.tfvars.json) to extend the base configuration with additional Security Zone targets to apply Recipes in the shared network compartment, the production shared network compartment, and project 1 example. As the compartment hierarchy goes deeper the Security Zones are more restrictive.
- Note that this update action is not in the base stack red due to limitations with terraform dependency grapth while creating these resources. These will be merged once these limitations are solved.

**Observability - Flow Logs:**
- Use the configuration [oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json](oci_open_lz_one-oe_observability_cisl2_addon_flowlogs.auto.tfvars.json) to create the VCN and Subnets flow logs.
- Note that by default, the VCN and Subnet flows logs are not deployed. The first 10 gigabytes of log storage are free every month. The configuration creates a log group for the shared network and each shared network environment, where it would create logs for every VCN and subnet within the VCNs. It would depend on how much traffic is generated in your VCNs/Subnets to overpass the free log storage that you get every month.

|