Merge pull request #110 from oracle-quickstart/integration
Added NFW Features
VinayKumar611 authored Oct 10, 2023
2 parents 19301a6 + 162c949 commit c6c732d
Showing 95 changed files with 1,920 additions and 467 deletions.
Expand Up @@ -235,6 +235,15 @@ In order to isolate access between resources, groups are created together with p
- **Ops Admin: ** User group that have access to the metrics, events and alerts in your environment
- **Log Admin: ** User group that have access to the logs of your environment


Our admin groups are not a 1:1 mapping to the [IDCS Admin groups](https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-administrator-roles.html). But some admin groups provide the same IDCS functionality.

| **OELZ Admin** | **IDCS Admin** |
| --- | --- |
|Identity Admin|Identity domain administrator, User administrator, User Manager|
|SecOps Admin|Security administrator|


## **_Logging Module_**

The Logging Module implemented by OELZv2 will use the below services to help your organization meet your Security Policy and Compliance requirements.
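Review bot: the new OELZ Admin / IDCS Admin table has only two rows, while the sentence above it says "some admin groups provide the same IDCS functionality"; state explicitly that the other groups listed above it (Ops Admin, Log Admin) have no IDCS equivalent, or add them as rows with an empty IDCS column, so a reader does not take the table as the complete mapping. While this region is being edited, the context lines `- **Ops Admin: ** ...` and `- **Log Admin: ** ...` have a space before the closing `**`, which stops the bold from rendering; change them to `**Ops Admin:**` and `**Log Admin:**`, and "User group that have access" should read "User group that has access".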
Expand Down Expand Up @@ -376,6 +385,26 @@ After deployment, if it is necessary to have other Fast Connect circuits, the cu

The security lists implemented during the OELZ v2.0 deployment are CIS 1.2.0 compliant, so all incoming traffic will be blocked except the ICMP protocol. For more information please refer to the CIS Benchmark 1.2.0 for Oracle Cloud Infrastructure: [CIS Oracle Cloud Infrastructure Benchmarks (cisecurity.org)](https://www.cisecurity.org/benchmark/oracle_cloud)

## **_Network Firewall_**

Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure VCN. The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-South network traffic) as well traffic between subnets (East-West network traffic). We are using combined architecture where we are using Dynamic Routing Gateway with OCI Network Firewall running in the Firewall VCN (Hub VCN). This architecture has a central component (Hub) that's connected to multiple networks around it like Spoke. To learn more about the architecture check the official [Reference Architecture doc](https://docs.oracle.com/en/solutions/oci-network-firewall/#GUID-F4B62BD0-EAD4-4763-B06F-6ACAC758BD69).

This reference architecture helps enterprises achieve greater agility, scalability, and security in their cloud environments.
One of the key features of Oracle Enterprise Landing Zone v2 is its modular architecture and the ability to implement the OCI Network Firewall natively, which allows enterprises to scale their cloud infrastructure quickly and easily. It also includes best practices for security and compliance, enabling enterprises to maintain a high level of security and meet regulatory requirements.

## **_Network Firewall Architecture_**

![Architecture](<../../images/OCI-NFW.jpg> "Architecture")

**Network Firewall Feature**

- The customer should be able to deploy the OCI Network Firewall during the OELZ v2 deployment in Production and/or Non-Production.
- The customer should be able to deploy the OCI Network Firewall in a private or public subnet part of the HUB Network.
- The customer should be able to inspect the North-South and East-West (inter and intra VCN) traffic in the OELZ v2 Hub and Spoke topology using OCI Network Firewall.
- The customer should be able to enable or disable Traffic Log and Threat Log.
- Customers can currently deploy the Network Firewall feature as greenfield and brownfield deployment.


## **_Security Module_**

Oracle Cloud Infrastructure (OCI) is a Security-first Cloud Service that helps organizations reduce the risk of security threats for cloud workloads by putting our customers' Data Security and Privacy first. This is achieved via the automation of security operations with simple, prescriptive, and integrated cloud-native security capabilities built into the OCI platform. Oracle helps customers easily adopt OIC services and secure their cloud infrastructure, data, and applications.
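Review bot: the bullets under **Network Firewall Feature** are written as requirements ("The customer should be able to ...") rather than as documentation of what the landing zone actually deploys; rewrite each as a statement of behaviour, e.g. "The OCI Network Firewall can be deployed during the OELZ v2 deployment in Production and/or Non-Production." The Traffic Log / Threat Log bullet should also say that both logs are off unless `enable_traffic_threat_log_prod` or `enable_traffic_threat_log_nonprod` is set, since the tfvars tables added elsewhere in this commit default them to false, and a firewall inspecting North-South and East-West traffic without logging leaves operations with no record for detection or incident response. Minor wording in the first paragraph: "as well traffic between subnets" should read "as well as traffic between subnets", and "like Spoke" should be "like spokes"; the last context line's "OIC services" is presumably "OCI services".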
Expand Up @@ -492,6 +492,39 @@ On Premise Subnet route will not propagate over the RPC connection to the second
5. Apply the new Route Tables to the Attachments


## Network Firewall

The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-south network traffic) as well traffic between subnets (East-west network traffic). Network Firewall can be Prod or Non Prod Enviornment.


**Required Arguments/Parameters For Baseline Deployment on Prod**:

| Descripation | TFVAR Variable |Default Value |
| :--------------------------------- | --------------------------------------- |---------------------------------- |
| Network Firewall Deployment | enable_network_firewall_prod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_prod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_prod | "public"(string)(public\|private) |
| Network Firewall Name | nfw_instance_name_prod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_prod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_prod | "" (string) |



**Required Arguments/Parameters For Baseline Deployment on Non-Prod**:


| Descripation | TFVAR Variable |Default Value |
| :--------------------------------- | --------------------------------------- |---------------------------------- |
| Network Firewall Deployment | enable_network_firewall_nonprod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_nonprod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_nonprod | "public"(string)(public\|private) |
| Network Firewall Name | nfw_instance_name_nonprod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_nonprod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_nonprod | "" (string) |




## Security

To provide for a secure environment, the OELZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches.
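Review bot: both headings say "Required Arguments/Parameters", yet every variable in the two tables has a default, and the name, policy and CIDR variables default to `""`; state which of them become mandatory once `enable_network_firewall_prod` / `enable_network_firewall_nonprod` is `true`, and whether an empty string is rejected at plan time rather than failing mid-apply. `nfw_subnet_type_prod` / `nfw_subnet_type_nonprod` defaulting to `"public"` also deserves a sentence of justification, given that the rest of the document presents CIS 1.2.0 defaults. Typos in the new text: "Descripation" (both table headers) should be "Description", "Enviornment" should be "Environment", and "Network Firewall can be Prod or Non Prod Enviornment" should read "The Network Firewall can be deployed in the Prod or Non-Prod environment".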
Expand Up @@ -40,7 +40,7 @@ Most of the initial resource limits a new tenancy comes with should be sufficien

However, there are some resource limits that will need to be increased in order to deploy the Oracle Enterprise Landing Zone. Below is a table listing the Terraform OCI resource names and numbers deployed, please check the resources and limits and ensure your tenancy has sufficient limts before deploying the Oracle Enterprise Landing Zone:

**Note: Specified Compartment in the below table also refers to Environment.** So if the table lists limit 2 for sepecified compartment that means that limit 2 is for one environment and since LZ deployment is with 2 environments that means the limit should be doubled. eg.: oci_monitoring_alarm: 68 should be 2*68 = 136
**Note: Specified Compartment in the below table also refers to Environment.** So if the table lists limit 2 for sepecified compartment that means that limit 2 is for one environment and since LZ deployment is with 2 environments that means the limit should be doubled. eg.: oci_monitoring_alarm: 68 should be 2*68 = 136.

| OCI Defination | OCI Terraform Resource Name | Count |
| :------: | :------: | ----: |
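Review bot: the only change in this hunk is the trailing period on the **Note** line, but the line still contains "sepecified" (should be "specified") and "eg.:" (should be "e.g."); fix them in the same edit since the line is already being rewritten. The context table header `| OCI Defination |` has the same kind of typo ("Definition").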
Expand Down Expand Up @@ -86,6 +86,8 @@ However, there are some resource limits that will need to be increased in order
| Starts the provisioning of a new stream pool | oci_streaming_stream_pool| 2|
| Creates a new HostScanRecipe | oci_vulnerability_scanning_host_scan_recipe| 2|
| Creates a new HostScanTarget | oci_vulnerability_scanning_host_scan_target| 2|
| Creates a Network Firewall | oci_network_firewall_network_firewall| 1|


Example to check the limits in tenancy:

Expand Down Expand Up @@ -176,10 +178,15 @@ For *each* workload deployed in an environment, there will be one Spoke network.

The `elz-network-extension` template can add VPN or FastConnect links between an environment's DRG and an on-prem network.

## Networking Firewall

The Network Firewall is a part of the Oracle Enterprise Landing Zone Network Module, that can be activated in both production and non-production environments when the "enable_network_firewall_prod" or "enable_network_firewall_nonprod" variables are set to true. By default, these variables are initially set to false. The configuration of the Network Firewall will be determined based on customer requirements, either on the HUB Public VNC or HUB Private VCN, and this choice can be specified using the "nfw_subnet_type_prod" or "nfw_subnet_type_nonprod" options.

## Deployment of The Oracle Enterprise Landing Zone

## For customers who already have Infrastructure in OCI


If you already have infrastructure deployed in OCI and are looking to explore a best-practices infrastructure architecture with Oracle Enterprise Landing Zone, you may want to create a new [Child Tenancy](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm) to deploy the Oracle Enterprise Landing Zone in. This will guarantee there are no conflicts with existing infrastructure.

Note that child tenancies have their own [resource limits](#resource-limits), which should be checked to confirm the Oracle Enterprise Landing Zone can be deployed.
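Review bot: "HUB Public VNC" in the new Networking Firewall paragraph should be "HUB Public VCN" (VNC is a remote-desktop protocol, and this is a networking document); the heading "Networking Firewall" should be "Network Firewall" to match the service name and the other files in this commit; and `enable_network_firewall_prod`, `enable_network_firewall_nonprod`, `nfw_subnet_type_prod` and `nfw_subnet_type_nonprod` should be in backticks rather than straight quotes, consistent with `elz-network-extension` two lines above. The paragraph also describes the choice as HUB Public VCN versus HUB Private VCN, while the tfvars table in this commit describes `nfw_subnet_type_*` as selecting a public or private subnet within the Hub; align the wording to one of the two.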
Expand Down Expand Up @@ -324,3 +331,7 @@ These are some known temporary issues that can occur while deploying the Oracle
* 400-InvalidParameter Error in CreateServiceConnector operation: This can occasionally happen due to logs taking longer than normal to create while setting up the logging infrastructure. This will correct itself when the logs finish creating. Later Apply jobs in ORM or invocations of `terraform apply` should succeed.
* 429-TooManyRequests Error: A tenancy making a large number of OCI API requests in rapid succession may be throttled by the API. The solution is to wait some period of time (a few minutes) and retry the terraform operation again. This is rarely seen on `apply` but may occasionally be seen on `destroy` runs, as the delete operations are much faster than create, and Terraform makes many API calls.
* **OCI Compartment Deletion**
By Design, OCI compartments are not deleted upon Terraform destroy by default. Deletions can be anabled in OELZ by setting enable_compartment_delete varaible to true in tfvars file. For more information check check [OCI Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/identity_compartment).
* **OCI Version Upgrade**
On Release v3.0.0, we upgrading the OCI provider version from 5.1 to 5.9. If you have previous stack deployed and local tfstate file saved, please issue **terraform init -upgrade** to resolve the provider version mismatch error.
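Review bot: the explanatory sentence of each new bullet sits on its own unindented line after `* **OCI Compartment Deletion**` and `* **OCI Version Upgrade**`, so it will render as a paragraph outside the list; indent the continuation or keep it on the bullet line. Wording fixes: "anabled" should be "enabled", "varaible" should be "variable", "check check" should be "check", "we upgrading" should be "we upgraded", and `enable_compartment_delete` and `terraform init -upgrade` belong in backticks. "OCI Version Upgrade" is really an OCI Terraform provider upgrade (5.1 to 5.9), so name the bullet that way to avoid suggesting the cloud service itself changed version.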
