OCI Managed SCCA Broker Landing Zone Implementation Guide

Table of Contents

  1. Introduction
  2. Deployment Samples
  3. Deleting the stack
  4. Known Issues

1. Introduction

The Managed SCCA Broker Landing Zone deploys an environment that supports the Secure Cloud Computing Architecture (SCCA) standards of the US Department of Defense (DOD). This guide details the required and optional configuration needed to deploy a Managed SCCA LZ on Oracle Cloud Infrastructure (OCI), which is a requirement for DOD customers in the OC3 realm. The landing zone can be deployed either in a single tenancy, or as multiple landing zones in a multitenancy configuration that supports a broker-managed operational model.

2. Deployment Samples

This section provides step-by-step deployment scenarios for the Managed SCCA LZ on parent and child tenancies. Follow the steps in the order given:

Single Tenancy Deployment

  1. Deploy Managed SCCA LZ on Single Tenancy.

Multitenancy Deployment

  1. Deploy the Parent Baseline Template.
  2. Deploy the Child Baseline Template.
  3. Deploy the Parent Service Template.
  4. Deploy the Child Service Template.

2.1 : Managed SCCA LZ Variables

Parent Template Information

Parent Template tfvars Files:

Common Parent Tenancy Related Managed SCCA LZ Variables

| Variable Name | Description | Type | Default |
|---|---|---|---|
| resource_label | Parent resource label | string | "" |
| enable_domain_replication | Enable to replicate the domain to the secondary region | bool | false |
| identity_domain_license_type | License type of the identity domain (free/premium) | string | "premium" |
| realm_key | 1 for OC1 (commercial), 3 for OC3 (government) | string | "3" |
| home_region_deployment | Set to true when deploying in the home region; set to false for a backup-region deployment | bool | true |
| enable_logging_compartment | Set to true to enable the logging compartment; set to false if you already have buckets in another tenancy | bool | true |
| central_vault_type | Type of the central vault: DEFAULT or VIRTUAL_PRIVATE | string | "DEFAULT" |
| enable_vault_replica | Only supported for the VIRTUAL_PRIVATE vault type | bool | false |
| enable_cloud_guard | Enable the Cloud Guard service | bool | false |
| bastion_client_cidr_block_allow_list | Client CIDR block allow list for the bastion | string | ["10.0.0.0/0"] |
| enable_bastion | Enable the Bastion service | bool | false |
| vdms_critical_topic_endpoints | List of email addresses for VDMS critical notifications | list | [] |
| vdms_warning_topic_endpoints | List of email addresses for VDMS warning notifications | list | [] |
| vdss_critical_topic_endpoints | List of email addresses for VDSS critical notifications | list | [] |
| vdss_warning_topic_endpoints | List of email addresses for VDSS warning notifications | list | [] |
| enable_vdss_warning_alarm | Enable warning alarms in the VDSS compartment | bool | false |
| enable_vdss_critical_alarm | Enable critical alarms in the VDSS compartment | bool | false |
| enable_vdms_warning_alarm | Enable warning alarms in the VDMS compartment | bool | false |
| enable_vdms_critical_alarm | Enable critical alarms in the VDMS compartment | bool | false |
| vdss_vcn_cidr_block | VDSS VCN CIDR block | string | ["192.168.0.0/24"] |
| lb_subnet_cidr_block | Load Balancer subnet CIDR block | string | ["192.168.0.128/25"] |
| lb_subnet_name | Load Balancer subnet name | string | "OCI-SCCA-PARENT-LZ-VDSS-LB-SUBNET" |
| lb_dns_label | Load Balancer DNS label | string | "lbsubnet" |
| firewall_subnet_name | Network firewall subnet name | string | "OCI-SCCA-PARENT-LZ-VDSS-FW-SUBNET" |
| firewall_subnet_cidr_block | Network firewall subnet CIDR block | string | "15.1.2.0/24" |
| firewall_dns_label | Network firewall DNS label | string | "firewallsubnet" |
| vdms_vcn_cidr_block | VDMS VCN CIDR block | string | "16.1.0.0/16" |
| vdms_subnet_cidr_block | VDMS VCN subnet CIDR block | string | "16.1.1.0/24" |
| vdms_dns_label | VDMS DNS label | string | "vdmssubnet" |
| vdms_subnet_name | VDMS subnet name | string | "OCI-SCCA-PARENT-LZ-VDMS-SUBNET" |
| enable_vtap | Enable VTAP | bool | true |
| enable_network_firewall | Enable the network firewall | bool | true |
| enable_waf | Enable WAF | bool | true |
| activate_service_connectors | Activate the Service Connector after deployment | bool | true |

Baseline Specific Parent Template Variables

| Variable Name | Description | Type | Expected Value |
|---|---|---|---|
| enable_service_deployment | Service deployment | bool | false |
| enable_vcn_flow_logs | Enable VCN flow logs | bool | false |

Service Specific Parent Template Variables

| Variable Name | Description | Type | Expected Value |
|---|---|---|---|
| enable_service_deployment | Service deployment | bool | true |
| enable_vcn_flow_logs | Enable VCN flow logs if needed | bool | true |
| nfw_ip_ocid | Network firewall forwarding IP OCID | string | "OCID Value" |
| child_tenancy_ocid | Child tenancy OCID | string | "OCID Value" |
| child_admin_group_ocid | Child administrator group OCID | string | "OCID Value" |
| child_vdss_vcn_cidr | Child VDSS VCN CIDR block | string | "" |
| child_vdms_vcn_cidr | Child VDMS VCN CIDR block | string | "" |

Child Template Information

Child Template tfvars Files:

Common Child Tenancy Related Managed SCCA LZ Variables

| Variable Name | Description | Type | Default |
|---|---|---|---|
| resource_label | Parent resource label | string | "" |
| enable_domain_replication | Enable to replicate the domain to the secondary region | bool | false |
| identity_domain_license_type | License type of the identity domain (free/premium) | string | "premium" |
| realm_key | 1 for OC1 (commercial), 3 for OC3 (government) | string | "3" |
| home_region_deployment | Set to true when deploying in the home region; set to false for a backup-region deployment | bool | true |
| enable_logging_compartment | Set to true to enable the logging compartment; set to false if you already have buckets in another tenancy | bool | true |
| central_vault_type | Type of the central vault: DEFAULT or VIRTUAL_PRIVATE | string | "DEFAULT" |
| enable_vault_replica | Only supported for the VIRTUAL_PRIVATE vault type | bool | false |
| enable_cloud_guard | Enable the Cloud Guard service | bool | false |
| bastion_client_cidr_block_allow_list | Client CIDR block allow list for the bastion | string | ["10.0.0.0/0"] |
| enable_bastion | Enable the Bastion service | bool | false |
| vdms_critical_topic_endpoints | List of email addresses for VDMS critical notifications | list | [] |
| vdms_warning_topic_endpoints | List of email addresses for VDMS warning notifications | list | [] |
| vdss_critical_topic_endpoints | List of email addresses for VDSS critical notifications | list | [] |
| vdss_warning_topic_endpoints | List of email addresses for VDSS warning notifications | list | [] |
| enable_vdss_warning_alarm | Enable warning alarms in the VDSS compartment | bool | false |
| enable_vdss_critical_alarm | Enable critical alarms in the VDSS compartment | bool | false |
| enable_vdms_warning_alarm | Enable warning alarms in the VDMS compartment | bool | false |
| enable_vdms_critical_alarm | Enable critical alarms in the VDMS compartment | bool | false |
| vdss_vcn_cidr_block | VDSS VCN CIDR block | string | "11.1.0.0/16" |
| lb_subnet_cidr_block | Load Balancer subnet CIDR block | string | "11.1.1.0/24" |
| lb_subnet_name | Load Balancer subnet name | string | "OCI-SCCA-CHILD-LZ-VDSS-LB-SUBNET" |
| lb_dns_label | Load Balancer DNS label | string | "lbsubnet" |
| firewall_subnet_name | Network firewall subnet name | string | "OCI-SCCA-CHILD-LZ-VDSS-FW-SUBNET" |
| firewall_subnet_cidr_block | Network firewall subnet CIDR block | string | "11.1.2.0/24" |
| firewall_dns_label | Network firewall DNS label | string | "firewallsubnet" |
| vdms_vcn_cidr_block | VDMS VCN CIDR block | string | "12.1.0.0/16" |
| vdms_subnet_cidr_block | VDMS VCN subnet CIDR block | string | "12.1.1.0/24" |
| vdms_dns_label | VDMS DNS label | string | "vdmssubnet" |
| vdms_subnet_name | VDMS subnet name | string | "OCI-SCCA-CHILD-LZ-VDMS-SUBNET" |
| enable_vtap | Enable VTAP | bool | true |
| enable_network_firewall | Enable the network firewall | bool | true |
| enable_waf | Enable WAF | bool | true |
| activate_service_connectors | Activate the Service Connector after deployment | bool | true |

Baseline Specific Child Template Variables

| Variable Name | Description | Type | Expected Value |
|---|---|---|---|
| enable_service_deployment | Service deployment | bool | false |
| enable_vcn_flow_logs | Enable VCN flow logs | bool | false |

Service Specific Child Template Variables

| Variable Name | Description | Type | Expected Value |
|---|---|---|---|
| enable_service_deployment | Service deployment | bool | true |
| enable_vcn_flow_logs | Enable VCN flow logs if needed | bool | true |
| nfw_ip_ocid | Network firewall forwarding IP OCID | string | "OCID Value" |
| parent_namespace | Parent template namespace | string | "namespace Value" |
| scca_parent_logging_compartment_ocid | Parent template logging compartment OCID | string | "OCID Value" |
| parent_resource_label | Parent template resource label | string | "" |

Single Tenancy Deployment Variables

To deploy the Managed SCCA LZ parent on a single tenancy, set this variable.

| Variable Name | Description | Type | Expected Value |
|---|---|---|---|
| deployment_type | Single tenancy deployment | string | SINGLE |
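As an added example (not part of the project's templates), the following pre-flight check reads the flat key = value lines of a tfvars file written against the tables above and flags settings those tables constrain: a bastion allow-list entry that admits every source address (any /0 prefix, such as the default 10.0.0.0/0), alarms enabled without notification endpoints, service-deployment OCID fields left at their placeholder, and a child VCN CIDR that overlaps the parent's. It assumes that real OCIDs begin with `ocid1.` and runs against a constructed sample file.

```python
import ipaddress
import re

# Constructed sample parent service tfvars (not a file from the project), seeded with mistakes the checks catch.
SAMPLE_TFVARS = """
enable_service_deployment            = true
enable_bastion                       = true
bastion_client_cidr_block_allow_list = ["10.0.0.0/0"]
enable_vdss_critical_alarm           = true
vdss_critical_topic_endpoints        = []
vdss_vcn_cidr_block                  = ["192.168.0.0/24"]
child_vdss_vcn_cidr                  = "192.168.0.0/16"
nfw_ip_ocid                          = "OCID Value"
"""

def parse_tfvars(text):
    # Minimal parser for the flat `key = value` lines these templates use (strings, booleans, string lists).
    out = {}
    for m in re.finditer(r"^\s*(\w+)\s*=\s*([^#\n]+)", text, re.M):
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            out[key] = raw == "true"
        elif raw.startswith("["):
            out[key] = [s.strip().strip('"') for s in raw.strip("[]").split(",") if s.strip()]
        else:
            out[key] = raw.strip('"')
    return out

as_list = lambda v: v if isinstance(v, list) else [v]  # the tables give some CIDR variables as str, some as list

def check_tfvars(v):
    # Returns a list of findings; an empty list means the values pass every check.
    f = []
    if v.get("enable_bastion"):  # a /0 entry, whatever its address part, admits every client
        for cidr in as_list(v.get("bastion_client_cidr_block_allow_list", [])):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                f.append(f"bastion allow list entry {cidr} permits every source address")
    for comp, sev in (("vdss", "critical"), ("vdss", "warning"), ("vdms", "critical"), ("vdms", "warning")):
        if v.get(f"enable_{comp}_{sev}_alarm") and not v.get(f"{comp}_{sev}_topic_endpoints"):
            f.append(f"{comp} {sev} alarm enabled but no notification endpoints configured")
    if v.get("enable_service_deployment"):
        for k in ("nfw_ip_ocid", "child_tenancy_ocid", "child_admin_group_ocid"):
            if not str(v.get(k, "")).startswith("ocid1."):  # assumption: real OCIDs carry this prefix
                f.append(f"{k} is missing or still holds a placeholder instead of an OCID")
        for child, parent in (("child_vdss_vcn_cidr", "vdss_vcn_cidr_block"), ("child_vdms_vcn_cidr", "vdms_vcn_cidr_block")):
            c = v.get(child)
            for p in (as_list(v.get(parent, [])) if c else []):
                if ipaddress.ip_network(c, strict=False).overlaps(ipaddress.ip_network(p, strict=False)):
                    f.append(f"{child} {c} overlaps parent {parent} {p}")
    return f
```

Run check_tfvars(parse_tfvars(open("service_terraform.tfvars").read())) before terraform plan; the sample above yields six findings.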

2.2 : Managed SCCA LZ Deployment

2.2.1 : Managed SCCA LZ Parent Baseline Deployment

See Parent Template for more details on the parent baseline deployment.

  1. Navigate to the parent-template/examples folder.

  2. Copy the baseline_terraform.tfvars.template file to the root of the parent-template folder.

  3. Rename the file to baseline_terraform.tfvars.

  4. Customize the baseline_terraform.tfvars file with your environment-specific variables. See Baseline Deployment Variables for more details about the variables.

  5. Run the following commands from the root of the parent-template folder:

    terraform plan -var-file="baseline_terraform.tfvars"
    terraform apply -var-file="baseline_terraform.tfvars"

  6. When prompted, confirm the changes by typing "yes" and pressing Enter.

  7. Ensure that the deployment successfully completes.

2.2.2 : Managed SCCA LZ Child Baseline Deployment

See Child Template for more details on the child baseline deployment.

  1. Navigate to the child-template/examples folder.

  2. Copy the baseline_terraform.tfvars.template file to the root of the child-template folder.

  3. Rename the file to baseline_terraform.tfvars.

  4. Customize the baseline_terraform.tfvars file with your environment-specific variables. See Baseline Deployment Variables for more details about the variables.

  5. Run the following commands from the root of the child-template folder:

    terraform plan -var-file="baseline_terraform.tfvars"
    terraform apply -var-file="baseline_terraform.tfvars"

  6. When prompted, confirm the changes by typing "yes" and pressing Enter.

  7. Ensure that the deployment successfully completes.

2.2.3 : Managed SCCA LZ Parent Service Deployment

See Parent Template for more details on the parent service deployment.

  1. Navigate to the parent-template/examples folder.

  2. Copy the service_terraform.tfvars.template file to the root of the parent-template folder.

  3. Rename the file to service_terraform.tfvars.

  4. Customize the service_terraform.tfvars file with your environment-specific variables.

  5. Run the following commands from the root of the parent-template folder:

    terraform plan -var-file="service_terraform.tfvars"
    terraform apply -var-file="service_terraform.tfvars"

  6. When prompted, confirm the changes by typing "yes" and pressing Enter.

  7. Ensure that the deployment successfully completes.

2.2.4 : Managed SCCA LZ Child Service Deployment

See Child Template for more details on the child service deployment.

  1. Navigate to the child-template/examples folder.

  2. Copy the service_terraform.tfvars.template file to the root of the child-template folder.

  3. Rename the file to service_terraform.tfvars.

  4. Customize the service_terraform.tfvars file with your environment-specific variables.

  5. Run the following commands from the root of the child-template folder:

    terraform plan -var-file="service_terraform.tfvars"
    terraform apply -var-file="service_terraform.tfvars"

  6. When prompted, confirm the changes by typing "yes" and pressing Enter.

  7. Ensure that the deployment successfully completes.

2.2.5 : Managed SCCA LZ Workload Template Deployment

  • Step 2.2.5.1) Go to the workload-template/example folder and copy the terraform.tfvars file.
  • Step 2.2.5.2) Go to the workload-template folder and paste the terraform.tfvars file.
  • Step 2.2.5.3) Update the variables in the terraform.tfvars file.
  • Step 2.2.5.4) Execute the CLI command "terraform init".
  • Step 2.2.5.5) Execute the CLI command "terraform plan".
  • Step 2.2.5.6) Execute the CLI command "terraform apply".
  • Step 2.2.5.7) Make sure the "terraform apply" command completed successfully.

2.2.6 : Managed SCCA LZ Workload Update Child Template Route Rules

  • Step 2.2.6.1) Go to the child-template folder.
  • Step 2.2.6.2) Add the workload VCN CIDR block to the workload_additionalsubnets_cidr_blocks variable in the service template tfvars file.
  • Step 2.2.6.3) Execute the CLI command terraform apply -var-file="service_terraform.tfvars".
  • Step 2.2.6.4) Make sure the "terraform apply" command completed successfully.

2.3 : Managed SCCA LZ Deployment on Single Tenancy

  • Step 2.3.1.1) Go to the child-template/examples folder and copy the single_terraform.tfvars.template file.
  • Step 2.3.1.2) Go to the child-template folder and paste the single_terraform.tfvars.template file.
  • Step 2.3.1.3) Rename the file from single_terraform.tfvars.template to single_terraform.tfvars.
  • Step 2.3.1.4) Set the "deployment_type" flag to "SINGLE" in the single_terraform.tfvars file (the flag is already set in the tfvars file).
  • Step 2.3.1.5) Execute the CLI command "terraform init".
  • Step 2.3.1.6) Execute the CLI command terraform plan -var-file="single_terraform.tfvars".
  • Step 2.3.1.7) Make sure the terraform plan command exited successfully.
  • Step 2.3.1.8) Execute the CLI command terraform apply -var-file="single_terraform.tfvars".
  • Step 2.3.1.9) When prompted, type "yes" and press Enter.
  • Step 2.3.1.10) Make sure the "terraform apply" command completed successfully.

3. Deleting the Stack

Certain resources created by the Landing Zone stack can block deletion of the stack. When testing the stack, it is recommended not to enable these services.

  1. Enabling logging can prevent deletion of the stack because it writes logs into the Object Storage buckets. To delete the stack, remove the retention rule and then delete the contents of the bucket.
  2. The Log Analytics log group can also prevent deletion if the group contains logs. Navigate to Storage in the Log Analytics administration page and purge the logs so that the groups can be deleted.
  3. The vault can only be scheduled for deletion, not deleted immediately. This also prevents deletion of the compartments that contain it.

4. Known Issues

  1. Attempting to onboard your tenancy to Log Analytics more than once causes an error:

    `Error: 409-Conflict, Error on-boarding LogAnalytics for tenant idbktv455emw as it is already on-boarded or in the process of getting on-boarded`

    Avoid this error by setting the onboard_log_analytics variable to false.

  2. The Object Storage namespace lookup can sometimes fail in long-running deployments because of Terraform's provisioning order:

    Error: Missing required argument
    with module.backup_bucket.oci_objectstorage_bucket.bucket,
    on modules/bucket/main.tf line 12, in resource "oci_objectstorage_bucket" "bucket"
    12:   namespace      = data.oci_objectstorage_namespace.ns.namespace
    The argument "namespace" is required, but no definition was found.

    Rerunning the deployment clears the error.