initial load of lanz v2

.gitignore

@@ -0,0 +1,30 @@
+*.exe
+.DS_Store
+
+*.log
+*.bak
+*.backup
+*~
+.*.swp
+
+bin/
+modules-dev/
+pkg/
+vendor/
+__pycache__/
+
+.idea
+.vscode
+
+.env
+./*.tfstate
+.terraform
+terraform.tfplan
+terraform.tfstate
+terraform.tfvars
+.terraform.tfstate.lock.info
+
+.tfcache
+**/.terraform.lock.hcl
+**/tf_resources.json
+**/var.tfvars

.gitlab-ci.yml

@@ -0,0 +1,86 @@
+# A pipeline is composed of independent jobs that run scripts, grouped into stages.
+# Stages run in sequential order, but jobs within stages run in parallel.
+#
+# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
+
+stages:          # List of stages for jobs, and their order of execution
+  - test-unit
+  - TF-Plan-e2e
+  - TF-Apply-e2e
+  - TF-Destroy-e2e
+
+
+.testing_pipeline:
+  before_script:
+    - export http_proxy=http://www-proxy-hqdc.us.oracle.com:80
+    - export https_proxy=$http_proxy
+    - curl https://releases.hashicorp.com/terraform/1.2.2/terraform_1.2.2_linux_amd64.zip > terraform.zip
+    - unzip terraform.zip -d /bin
+    - terraform --version
+    - eval $(ssh-agent -s)
+    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
+    - mkdir -p ~/.ssh
+    - chmod 700 ~/.ssh
+    - ssh-add -l 
+    - pip install -r test/requirements.txt
+  image: lab-runner
+  tags: [LZ]
+
+unit-test-job:   # This job runs in the test stage.
+  extends: .testing_pipeline
+  stage: test-unit
+  script:
+    - pytest  -m unit --junit-xml=pytest.xml test
+  # # Orahub's artifact upload seems broken. Possibly a config issue...  
+  # artifacts:
+  #   when: always
+  #   paths:
+  #     - pytest.xml
+  #   reports:
+  #     junit: pytest.xml
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+e2e-full-plan-job:   # This job runs terraform plan.
+  extends: .testing_pipeline
+  stage: TF-Plan-e2e
+  when: on_success
+  script:
+    - cd templates/enterprise-landing-zone
+    - ./BackEnd.sh
+    - cat backend.tf
+    - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT"
+    - terraform validate
+    - terraform plan -var-file=$ENV_TFVARS_FILE_NAME
+  rules:
+    - if: ($CI_COMMIT_BRANCH == "LANZ-Integration")
+
+e2e-full-deploy-job:   # This job runs terraform apply.
+  extends: .testing_pipeline
+  stage: TF-Apply-e2e
+  when: on_success
+  script:
+    - cd templates/enterprise-landing-zone
+    - ./BackEnd.sh
+    - cat backend.tf
+    - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT"
+    - terraform validate
+    - terraform apply -var-file=$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understan gitlab artifiacts issue
+  rules:
+    - if: ($CI_COMMIT_BRANCH == "LANZ-Integration")
+  retry: 1
+
+e2e-full-destroy-job:   # This job runs terraform destroy.
+  extends: .testing_pipeline
+  stage: TF-Destroy-e2e
+  when: manual
+  allow_failure: true
+  script:
+    - cd templates/enterprise-landing-zone
+    - ./BackEnd.sh
+    - cat backend.tf
+    - terraform init -backend-config="address=$REMOTE_STATE_BACKEND" -backend-config="update_method=PUT"
+    - terraform validate
+    - terraform destroy -var-file=$ENV_TFVARS_FILE_NAME -auto-approve #neeed to look at pasing a plan file but have to understand gitlab artifiacts issue
+  rules:
+    - if: ($CI_COMMIT_BRANCH == "LANZ-Integration")

CONTRIBUTING.md

@@ -0,0 +1,23 @@
+# Contributing to the project
+
+Oracle welcomes contributions to this repository from anyone.
+
+If you want to submit a pull request to fix a bug or enhance an existing
+feature, please first open an issue and link to that issue when you
+submit your pull request.
+
+If you have any questions about a possible submission, feel free to open
+an issue too.
+
+## Pull request process
+
+1. Fork this repository
+1. Create a branch in your fork to implement the changes. We recommend using
+the issue number as part of your branch name, e.g. `1234-fixes`
+1. Ensure that there is at least one test that would fail without the fix and
+passes post fix
+1. Submit the pull request. *Do not leave the pull request blank*. Explain exactly
+what your changes are meant to do and provide simple steps on how to validate
+your changes, ideally referencing the test. Ensure that you reference the issue
+you created as well. We will assign the pull request to 1-2 people for review
+before it is submitted internally and the PR is closed.

LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2022 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any person obtaining a copy of this
+software, associated documentation and/or data (collectively the "Software"), free of charge and under any and
+all copyright rights in the Software, and any and all patent rights owned or freely licensable by each licensor
+hereunder covering either (i) the unmodified Software as contributed to or provided by such licensor, or
+(ii) the Larger Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if one is included with the Software
+(each a “Larger Work” to which the Software is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create derivative works of, display,
+perform, and distribute the Software and make, use, sell, offer for sale, import, export, have made, and have
+sold the Software and the Larger Work(s), and to sublicense the foregoing rights on either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at a minimum a reference to the UPL must
+be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+IN THE SOFTWARE.

README.md

@@ -0,0 +1,23 @@
+# Landing Zones
+
+This repository contains different types of Landing Zones to deploy to the Oracle Cloud Infrastructure platform. The landing zones are assembled from modules and templates that users can use in their default configuration or fork this repo and customize for your own scenarios.
+
+## Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0)
+
+The Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0) deploys a typical architecture used by enterprise customers. The root template for this landing zone is located at [templates/enterprise-landing-zone](./templates/enterprise-landing-zone). Users can use the guides below to get strated with the Enterprise Scale Baseline Landing Zone v2.0 (ESBLZ v2.0).
+
+- [Architecture Guide](./templates/enterprise-landing-zone/Architecture_Guide.md)
+- [Implementation Guide](./templates/enterprise-landing-zone/IMPLEMENTATION.md)
+- [Configuration Guide](./templates/enterprise-landing-zone/CONFIGURATION.md)
+
+## The Team
+
+This repository is developed and supported by the Oracle OCI Landing Zones team.
+
+## How to Contribute
+
+Interested in contributing?  See our contribution [guidelines](CONTRIBUTING.md) for details.
+
+## License
+
+This repository and its contents are licensed under [UPL 1.0](https://opensource.org/licenses/UPL).

RELEASE.md

@@ -0,0 +1,20 @@
+# Release Notes
+
+----
+## v2.0.0 - 2023-02-28
+- Initial Release of new version 2 codebase with Hub and Spoke Networking, Multi-Environment support and more modular architecture. see the [Architecture Guide](./templates/enterprise-landing-zone/Architecture_Guide.md) for details.
+- CIS Security Benchmark Compliance: Enterprise Scale Baseline Landing Zone v2 was designed to include a foundational set of security controls from the Center for Internet Security (CIS). We are happy to share that this release of Landing Zones will support the recommended CIS 1.2 Level 1 controls. The security controls implemented by this Landing Zone are prescriptive and practical in nature with the primary focus to help provide best practices for security hardening of the technologies that are deployed in our customers' tenancies.
+While many of the CIS Level 1 recommendations are included in the Landing Zone deployment, however, there are some that require administrators to configure manually. Please be advised that for recommendations # 1.5 - 1.13, 2.6 - 2.8 and 3.16, it will be the customer administrators' responsibility to implement and enforce.
+For recommendation #1.7, we recommend that Multi-Factor Authentication (MFA) be fully tested before restricting access only to MFA-verified users. Please note each user must enable MFA for themselves and an administrator cannot enable MFA for another user. For more information, please see [OCI Managing Multi-Factor Authentication documentation][v2.0.0-1].
+For more information on the CIS Security Benchmark, please visit the official [Oracle Cloud CIS Benchmark site][v2.0.0-2].
+- Certain CIDR ranges should not be used when deploying ESBLZv2, as the can conflict with IP addresses reserved for special use. These are:
+    * 169.254.10.0-169.254.19.255
+    * 169.254.100.0-169.254.109.255
+    * 169.254.192.0-169.254.201.255
+    * 100.64.0.0–100.127.255.255 (Used by Exadata X8M/X9M for the interconnect)
+- Known Issues
+  * 400-InvalidParameter Error in CreateServiceConnector operation:  This can occasionally happen due to logs taking longer than normal to create while setting up the logging infrastructure.  This will correct itself when the logs finish creating. Later Apply jobs in ORM or invocations of `terraform apply` should succeed.
+  * 429-TooManyRequests Error: A tenancy making a large number of OCI API requests in rapid succession may be throttled by the API.  The solution is to wait some period of time (a few minutes) and retry the terraform operation again.  This is rarely seen on `apply` but may occasionally be seen on `destroy` runs, as the delete operations are much faster than create, and Terraform makes many API calls. 
+
+[v2.0.0-1]: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/usingmfa.htm
+[v2.0.0-2]: https://www.cisecurity.org/benchmark/oracle_cloud

examples/README.md

@@ -0,0 +1,3 @@
+# Sample configs
+
+

modules/README.md

@@ -0,0 +1 @@
+# Terraform Modules

modules/alarms/README.md

@@ -0,0 +1,37 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_monitoring_alarm.monitoring_alarm](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/monitoring_alarm) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alarm_map"></a> [alarm\_map](#input\_alarm\_map) | display name: the display name for alarm;<br>    metric compartment id: the OCID of the compartment containing the metric being evaluated by the alarm<br>    namespace: the source service or application emitting the metric that is evaluated by the alarm<br>    query: the Monitoring Query Language (MQL) expression to evaluate for the alarm<br>    severity: the perceived type of response required when the alarm is in the "FIRING" state | <pre>map(object({<br>    display_name          = string,<br>    metric_compartment_id = string,<br>    namespace             = string,<br>    query                 = string,<br>    severity              = string,<br>  }))</pre> | n/a | yes |
+| <a name="input_compartment_id"></a> [compartment\_id](#input\_compartment\_id) | The OCID of the compartment containing the alarm. | `string` | `""` | no |
+| <a name="input_is_enabled"></a> [is\_enabled](#input\_is\_enabled) | Alarms enabled or disabled. | `bool` | `false` | no |
+| <a name="input_message_format"></a> [message\_format](#input\_message\_format) | format of alarm message | `string` | `"ONS_OPTIMIZED"` | no |
+| <a name="input_metric_compartment_id_in_subtree"></a> [metric\_compartment\_id\_in\_subtree](#input\_metric\_compartment\_id\_in\_subtree) | Only needed if metric\_compartment\_id = <tenancy OCID> | `bool` | `false` | no |
+| <a name="input_notification_topic_id"></a> [notification\_topic\_id](#input\_notification\_topic\_id) | the OCID of notification topic. | `string` | n/a | yes |
+| <a name="input_pending_duration"></a> [pending\_duration](#input\_pending\_duration) | The period of time that the condition defined in the alarm must persist before the alarm state changes from 'OK' to 'FIRING'. | `string` | `"PT5M"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/alarms/main.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    oci = {
+      source = "oracle/oci"
+    }
+  }
+}
+
+resource "oci_monitoring_alarm" "monitoring_alarm" {
+  for_each              = var.alarm_map
+  compartment_id        = var.compartment_id
+  destinations          = [var.notification_topic_id]
+  display_name          = each.value.display_name
+  is_enabled            = var.is_enabled
+  metric_compartment_id = each.value.metric_compartment_id
+  namespace             = each.value.namespace
+  query                 = each.value.query
+  severity              = each.value.severity
+
+  message_format        = var.message_format
+  pending_duration      = var.pending_duration
+  metric_compartment_id_in_subtree = var.metric_compartment_id_in_subtree
+}

modules/alarms/variables.tf

@@ -0,0 +1,51 @@
+variable "compartment_id" {
+  type        = string
+  description = "The OCID of the compartment containing the alarm."
+  default     = ""
+}
+
+variable "alarm_map" {
+  type = map(object({
+    display_name          = string,
+    metric_compartment_id = string,
+    namespace             = string,
+    query                 = string,
+    severity              = string,
+  }))
+  description = <<EOT
+    display name: the display name for alarm;
+    metric compartment id: the OCID of the compartment containing the metric being evaluated by the alarm
+    namespace: the source service or application emitting the metric that is evaluated by the alarm
+    query: the Monitoring Query Language (MQL) expression to evaluate for the alarm
+    severity: the perceived type of response required when the alarm is in the "FIRING" state
+  EOT
+}
+
+variable "metric_compartment_id_in_subtree"{
+  type = bool
+  description = "Only needed if metric_compartment_id = <tenancy OCID>"
+  default = false
+}
+
+variable "is_enabled"{
+  type = bool
+  description = "Alarms enabled or disabled."
+  default = false
+}
+
+variable "notification_topic_id" {
+  type = string
+  description = "the OCID of notification topic."
+}
+
+variable "message_format"{
+  type = string
+  description = "format of alarm message"
+  default = "ONS_OPTIMIZED"
+}
+
+variable "pending_duration" {
+  type = string
+  description = "The period of time that the condition defined in the alarm must persist before the alarm state changes from 'OK' to 'FIRING'."
+  default = "PT5M"
+}

modules/announcement-subscription/README.md

@@ -0,0 +1,42 @@
+## Summary
+Terraform module for OCI Announcement Subscription.
+Configure announcement subscriptions to receive important information about service status.
+
+## Dependencies
+* notification-topic
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_announcements_service_announcement_subscription.announcement_subscription](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/announcements_service_announcement_subscription) | resource |
+| [oci_announcements_service_announcement_subscriptions_filter_group.announcement_subscriptions_filter_group](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/announcements_service_announcement_subscriptions_filter_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_compartment_id"></a> [compartment\_id](#input\_compartment\_id) | The OCID of the compartment where you want to create the announcement subscription | `string` | n/a | yes |
+| <a name="input_filter_groups"></a> [filter\_groups](#input\_filter\_groups) | A list of filter groups for the announcement subscription. | `map(any)` | n/a | yes |
+| <a name="input_notification_topic_id"></a> [notification\_topic\_id](#input\_notification\_topic\_id) | The OCID of the Notifications service topic | `string` | n/a | yes |
+| <a name="input_subscription_display_name"></a> [subscription\_display\_name](#input\_subscription\_display\_name) | The display name of the subscription | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->