From 636cd382805a567cf041e775fbf1c6cb4590d486 Mon Sep 17 00:00:00 2001 From: vinaykumar-oci Date: Fri, 23 Feb 2024 17:01:00 -0800 Subject: [PATCH] Added Flag to deploy Non_Prod Environment Added Flag to deploy Non_Prod Environment , if flag "is_nonprod_env_deploy" is set to true then Non_Prod Environment will deploy. --- templates/elz-environment/main.tf | 5 ++ templates/elz-environment/variables.tf | 21 +++++++ templates/elz-network/main.tf | 15 ++--- templates/elz-network/variables.tf | 22 +++++++ .../enterprise-landing-zone/backup-main.tf | 14 ++--- .../enterprise-landing-zone/environment.tf | 15 ++++- .../enterprise-landing-zone/example.tfvars | 11 ++++ templates/enterprise-landing-zone/logging.tf | 35 ++++++----- templates/enterprise-landing-zone/outputs.tf | 22 +++---- templates/enterprise-landing-zone/security.tf | 14 +++-- .../enterprise-landing-zone/variables.tf | 60 +++++++++++++++++++ 11 files changed, 185 insertions(+), 49 deletions(-) diff --git a/templates/elz-environment/main.tf b/templates/elz-environment/main.tf index 0c74b093..ead559e3 100644 --- a/templates/elz-environment/main.tf +++ b/templates/elz-environment/main.tf @@ -148,7 +148,12 @@ module "network" { private_spoke_subnet_web_cidr_block = var.private_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.private_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.private_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.hub_private_subnet_dns_label spoke_vcn_cidr = var.spoke_vcn_cidr + subnet_app_dns_label = var.subnet_app_dns_label + subnet_db_dns_label = var.subnet_db_dns_label + subnet_web_dns_label = var.subnet_web_dns_label ipsec_connection_static_routes = var.ipsec_connection_static_routes enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect enable_vpn_on_environment = var.enable_vpn_on_environment 
diff --git a/templates/elz-environment/variables.tf b/templates/elz-environment/variables.tf index 5f451b85..5665e826 100644 --- a/templates/elz-environment/variables.tf +++ b/templates/elz-environment/variables.tf @@ -226,6 +226,27 @@ variable "create_master_encryption_key" { # Network Variables # ----------------------------------------------------------------------------- +variable "hub_public_subnet_dns_label" { + type = string + description = "Hub Public Subnet DNS Label." +} +variable "hub_private_subnet_dns_label" { + type = string + description = "Hub Private Subnet DNS Label." +} +variable "subnet_app_dns_label" { + type = string + description = "Spoke App Subnet DNS Label." +} +variable "subnet_db_dns_label" { + type = string + description = "Spoke DB Subnet DNS Label." +} +variable "subnet_web_dns_label" { + type = string + description = "Spoke Web Subnet DNS Label." +} + variable "enable_internet_gateway_hub" { type = string description = "Option to enable true and Disable false." diff --git a/templates/elz-network/main.tf b/templates/elz-network/main.tf index 398c328b..10e5c804 100644 --- a/templates/elz-network/main.tf +++ b/templates/elz-network/main.tf @@ -14,10 +14,8 @@ locals { vcn-hub-info = { hub_public_subnet_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-HUB-${local.region_key[0]}001" hub_public_subnet_description = "Hub Public Subnet" - hub_public_subnet_dns_label = "publabel" hub_private_subnet_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-HUB-${local.region_key[0]}002" hub_private_subnet_description = "Hub Private Subnet" - hub_private_subnet_dns_label = "prilabel" hub_security_list_display_name = "OCI-ELZ-${var.environment_prefix}-Hub-Security-List" igw_gateway_display_name = "OCI-ELZ-IGW-${var.environment_prefix}-HUB" nat_gateway_display_name = "OCI-ELZ-NGW-${var.environment_prefix}-HUB" 
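Review bot: The five new `*_dns_label` variables added to elz-environment/variables.tf carry no `default`, so inputs that the module previously fixed internally ("publabel", "prilabel", …) become required, and any caller of `../elz-environment` other than the root module updated in this patch (none is visible here, so this is inferred) will fail at plan time with a missing-variable error. If the old values are meant to remain the fallback, restoring them as defaults, e.g. `default = "publabel"` on `hub_public_subnet_dns_label`, keeps the module backward-compatible; otherwise the descriptions should say the value is required and what OCI accepts. The descriptions also omit that a subnet DNS label is immutable in OCI (the provider replaces the subnet when it changes), which is the kind of caveat an operator wants before editing a tfvars file: `description = "Hub Public Subnet DNS Label. Immutable after creation; changing it replaces the subnet."`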
@@ -56,10 +54,10 @@ module "hub" { hub_vcn_dns_label = local.vcn_hub.dns_label hub_public_subnet_display_name = local.vcn-hub-info.hub_public_subnet_display_name hub_public_subnet_description = local.vcn-hub-info.hub_public_subnet_description - hub_public_subnet_dns_label = local.vcn-hub-info.hub_public_subnet_dns_label + hub_public_subnet_dns_label = var.hub_public_subnet_dns_label hub_private_subnet_display_name = local.vcn-hub-info.hub_private_subnet_display_name hub_private_subnet_description = local.vcn-hub-info.hub_private_subnet_description - hub_private_subnet_dns_label = local.vcn-hub-info.hub_private_subnet_dns_label + hub_private_subnet_dns_label = var.hub_private_subnet_dns_label igw_gateway_display_name = local.vcn-hub-info.igw_gateway_display_name nat_gateway_display_name = local.vcn-hub-info.nat_gateway_display_name srv_gateway_display_name = local.vcn-hub-info.srv_gateway_display_name @@ -94,9 +92,6 @@ locals { route_table_display_name = "OCI-ELZ-RTPRV-${var.environment_prefix}-SPK001" nat_gateway_display_name = "OCI-ELZ-NGW-${var.environment_prefix}-SPK" service_gateway_display_name = "OCI-ELZ-SGW-${var.environment_prefix}-SPK" - subnet_app_dns_label = "appdnslabel" - subnet_db_dns_label = "dbdnslabel" - subnet_web_dns_label = "webdnslabel" subnet_web_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}001" subnet_app_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}002" subnet_db_display_name = "OCI-ELZ-SUB-${var.environment_prefix}-SPK-${local.region_key[0]}003" 
@@ -124,13 +119,13 @@ module "spoke" { workload_compartment_id = var.workload_compartment_id workload_private_spoke_subnet_app_cidr_block = var.private_spoke_subnet_app_cidr_block workload_private_spoke_subnet_app_display_name = local.vcn-spoke-info.subnet_app_display_name - workload_private_spoke_subnet_app_dns_label = local.vcn-spoke-info.subnet_app_dns_label + workload_private_spoke_subnet_app_dns_label = var.subnet_app_dns_label workload_private_spoke_subnet_db_cidr_block = var.private_spoke_subnet_db_cidr_block workload_private_spoke_subnet_db_display_name = local.vcn-spoke-info.subnet_db_display_name - workload_private_spoke_subnet_db_dns_label = local.vcn-spoke-info.subnet_db_dns_label + workload_private_spoke_subnet_db_dns_label = var.subnet_db_dns_label workload_private_spoke_subnet_web_cidr_block = var.private_spoke_subnet_web_cidr_block workload_private_spoke_subnet_web_display_name = local.vcn-spoke-info.subnet_web_display_name - workload_private_spoke_subnet_web_dns_label = local.vcn-spoke-info.subnet_web_dns_label + workload_private_spoke_subnet_web_dns_label = var.subnet_web_dns_label workload_spoke_vcn_cidr = var.spoke_vcn_cidr enable_vpn_or_fastconnect = var.enable_vpn_or_fastconnect enable_vpn_on_environment = var.enable_vpn_on_environment diff --git a/templates/elz-network/variables.tf b/templates/elz-network/variables.tf index a410ae57..c3c3531a 100644 --- a/templates/elz-network/variables.tf +++ b/templates/elz-network/variables.tf 
@@ -135,6 +135,28 @@ variable "add_ssh_to_security_list" { default = false } +variable "hub_public_subnet_dns_label" { + type = string + description = "Hub Public Subnet DNS Label." +} +variable "hub_private_subnet_dns_label" { + type = string + description = "Hub Private Subnet DNS Label." +} +variable "subnet_app_dns_label" { + type = string + description = "Spoke App Subnet DNS Label." +} +variable "subnet_db_dns_label" { + type = string + description = "Spoke DB Subnet DNS Label." +} +variable "subnet_web_dns_label" { + type = string + description = "Spoke Web Subnet DNS Label." +} + + # ----------------------------------------------------------------------------- # VPN Variables # ----------------------------------------------------------------------------- diff --git a/templates/enterprise-landing-zone/backup-main.tf b/templates/enterprise-landing-zone/backup-main.tf index 77e926b9..b50d8767 100644 --- a/templates/enterprise-landing-zone/backup-main.tf +++ b/templates/enterprise-landing-zone/backup-main.tf @@ -112,11 +112,11 @@ module "backup_prod_environment" { module "backup_nonprod_environment" { source = "../elz-backup/elz-backup-environment" - count = var.enable_landing_zone_replication ? 1 : 0 + count = var.enable_landing_zone_replication && var.is_nonprod_env_deploy ? 1 : 0 environment_prefix = local.nonprod_environment.environment_prefix spoke_vcn_cidr = var.backup_nonprod_workload_cidr - workload_compartment_id = module.nonprod_environment.workload_compartment_id + workload_compartment_id = module.nonprod_environment[0].workload_compartment_id backup_region = var.backup_region tenancy_ocid = var.tenancy_ocid region = var.region 
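Review bot: The DNS label variables added to elz-network/variables.tf are handed to the hub and spoke modules as subnet DNS labels with no `validation` block, so a value that OCI will not accept (a digit first, a hyphen, or more than the length limit) is only rejected by the API at apply time, after earlier resources in the plan have already been created. Because the label is also immutable on the subnet, a typo that does get through becomes a forced subnet replacement later. A per-variable `validation` catches this at plan time (Terraform 0.13+); the regex below encodes the OCI subnet dnsLabel rule as I understand it — letter first, alphanumeric, at most 15 characters — so confirm it against the current API reference before adopting it.
```hcl
variable "hub_public_subnet_dns_label" {
  type        = string
  description = "Hub Public Subnet DNS Label (letter first, letters and digits only, max 15 chars; immutable once the subnet exists)."
  validation {
    condition     = can(regex("^[A-Za-z][A-Za-z0-9]{0,14}$", var.hub_public_subnet_dns_label))
    error_message = "hub_public_subnet_dns_label must start with a letter, contain only letters and digits, and be at most 15 characters."
  }
}
# … same validation block for hub_private_subnet_dns_label, subnet_app_dns_label, subnet_db_dns_label and subnet_web_dns_label …
```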
@@ -127,7 +127,7 @@ module "backup_nonprod_environment" { igw_hub_check = var.backup_igw_hub_check nat_gw_hub_check = var.backup_nat_gw_hub_check service_gw_hub_check = var.backup_service_gw_hub_check - network_compartment_id = module.nonprod_environment.compartment.network.id + network_compartment_id = module.nonprod_environment[0].compartment.network.id vcn_cidr_block = var.backup_nonprod_hub_vcn_cidr_block public_subnet_cidr_block = var.backup_nonprod_public_subnet_cidr_block private_subnet_cidr_block = var.backup_nonprod_private_subnet_cidr_block @@ -152,17 +152,17 @@ module "backup_nonprod_environment" { enable_replication = var.backup_nonprod_vault_enable_replication replica_region = var.backup_nonprod_vault_replica_region resource_label = var.resource_label - security_compartment_id = module.nonprod_environment.compartment.security.id + security_compartment_id = module.nonprod_environment[0].compartment.security.id vault_type = var.backup_nonprod_vault_type home_compartment_id = module.home_compartment.compartment_id home_compartment_name = var.home_compartment_name - logging_compartment_id = module.nonprod_environment.compartment.logging.id + logging_compartment_id = module.nonprod_environment[0].compartment.logging.id retention_policy_duration_amount = var.backup_nonprod_retention_policy_duration_amount retention_policy_duration_time_unit = var.backup_nonprod_retention_policy_duration_time_unit bastion_client_cidr_block_allow_list = var.backup_nonprod_bastion_client_cidr_block_allow_list - environment_compartment_id = module.nonprod_environment.compartment.environment.id + environment_compartment_id = module.nonprod_environment[0].compartment.environment.id is_create_alarms = var.is_create_alarms_backup network_topic_endpoints = var.nonprod_network_topic_endpoints_backup 
@@ -206,7 +206,7 @@ module "backup_nonprod_environment" { enable_fastconnect_on_environment = var.backup_nonprod_enable_fastconnect customer_onprem_ip_cidr = var.backup_customer_onprem_ip_cidr - depends_on = [module.nonprod_environment] + depends_on = [module.nonprod_environment[0]] providers = { oci = oci diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf index de3ef293..6c795277 100644 --- a/templates/enterprise-landing-zone/environment.tf +++ b/templates/enterprise-landing-zone/environment.tf @@ -101,6 +101,11 @@ module "prod_environment" { private_spoke_subnet_web_cidr_block = var.prod_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.prod_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.prod_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.prod_hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.prod_hub_private_subnet_dns_label + subnet_app_dns_label = var.prod_subnet_app_dns_label + subnet_db_dns_label = var.prod_subnet_db_dns_label + subnet_web_dns_label = var.prod_subnet_web_dns_label enable_network_firewall = var.enable_network_firewall_prod enable_traffic_threat_log = var.enable_traffic_threat_log_prod @@ -190,7 +195,8 @@ locals { } module "nonprod_environment" { - source = "../elz-environment" + count = var.is_nonprod_env_deploy ? 1 : 0 + source = "../elz-environment" tenancy_ocid = var.tenancy_ocid region = var.region 
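Review bot: Adding `count = var.is_nonprod_env_deploy ? 1 : 0` to `module "nonprod_environment"` changes the address of every existing resource in that module from `module.nonprod_environment.…` to `module.nonprod_environment[0].…`, so a stack deployed before this patch will, on its next plan with the default `true`, show the whole non-production environment (compartments, network, vault, logging) as destroy-and-recreate unless the state is migrated. The same applies to the `nonprod_archive_*_service_connector` and `nonprod_platform_admin_policy` modules that receive `count` in logging.tf. A `moved` block (Terraform 1.1+) or a documented `terraform state mv` step should ship with this change; the rest of the module block is outside this hunk.
```hcl
moved {
  from = module.nonprod_environment
  to   = module.nonprod_environment[0]
}
# … one moved block each for nonprod_archive_audit_log_service_connector, nonprod_archive_default_log_service_connector, nonprod_archive_service_events_service_connector and nonprod_platform_admin_policy …
```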
@@ -275,6 +281,11 @@ module "nonprod_environment" { private_spoke_subnet_web_cidr_block = var.nonprod_spoke_subnet_web_cidr_block private_spoke_subnet_app_cidr_block = var.nonprod_spoke_subnet_app_cidr_block private_spoke_subnet_db_cidr_block = var.nonprod_spoke_subnet_db_cidr_block + hub_public_subnet_dns_label = var.nonprod_hub_public_subnet_dns_label + hub_private_subnet_dns_label = var.nonprod_hub_private_subnet_dns_label + subnet_app_dns_label = var.nonprod_subnet_app_dns_label + subnet_db_dns_label = var.nonprod_subnet_db_dns_label + subnet_web_dns_label = var.nonprod_subnet_web_dns_label enable_network_firewall = var.enable_network_firewall_nonprod enable_traffic_threat_log = var.enable_traffic_threat_log_nonprod @@ -309,7 +320,7 @@ module "nonprod_environment" { enable_workload_monitoring_alarms = var.nonprod_enable_workload_monitoring_alarms enable_datasafe = var.enable_datasafe - #workload_compartment_id = module.nonprod_environment.workload_compartment_id + #workload_compartment_id = module.nonprod_environment[0].workload_compartment_id remote_peering_connection_peer_id = var.enable_vpn_or_fastconnect == "FASTCONNECT" ? module.prod_environment.rpc_id : null remote_peering_connection_peer_region_name = var.region diff --git a/templates/enterprise-landing-zone/example.tfvars b/templates/enterprise-landing-zone/example.tfvars index 5d118543..b8bce8ab 100644 --- a/templates/enterprise-landing-zone/example.tfvars +++ b/templates/enterprise-landing-zone/example.tfvars @@ -15,6 +15,7 @@ resource_label = "DEMO" prod_domain_admin_email = "an-example-email-address@oracle.com" nonprod_domain_admin_email = "an-example-email-address@oracle.com" enable_compartment_delete = false +is_nonprod_env_deploy = true # security enable_cloud_guard = true 
@@ -60,20 +61,30 @@ nonprod_enable_service_gateway_spoke = "true" prod_hub_vcn_cidr_block = "10.1.0.0/16" prod_hub_public_subnet_cidr_block = "10.1.1.0/24" prod_hub_private_subnet_cidr_block = "10.1.2.0/24" +prod_hub_public_subnet_dns_label = "ppublabel" +prod_hub_private_subnet_dns_label = "prilabel" prod_spoke_vcn_cidr = "10.2.0.0/16" prod_spoke_subnet_web_cidr_block = "10.2.1.0/24" prod_spoke_subnet_app_cidr_block = "10.2.2.0/24" prod_spoke_subnet_db_cidr_block = "10.2.3.0/24" +prod_subnet_app_dns_label = "papplabel" +prod_subnet_db_dns_label = "pdblabel" +prod_subnet_web_dns_label = "pweblabel" nonprod_hub_vcn_cidr_block = "10.3.0.0/16" nonprod_hub_public_subnet_cidr_block = "10.3.1.0/24" nonprod_hub_private_subnet_cidr_block = "10.3.2.0/24" +nonprod_hub_public_subnet_dns_label = "npublabel" +nonprod_hub_private_subnet_dns_label = "nprilabel" nonprod_spoke_vcn_cidr = "10.4.0.0/16" nonprod_spoke_subnet_web_cidr_block = "10.4.1.0/24" nonprod_spoke_subnet_app_cidr_block = "10.4.2.0/24" nonprod_spoke_subnet_db_cidr_block = "10.4.3.0/24" +nonprod_subnet_app_dns_label = "napplabel" +nonprod_subnet_db_dns_label = "ndblabel" +nonprod_subnet_web_dns_label = "nweblabel" # Tagging prod_enable_tagging = true diff --git a/templates/enterprise-landing-zone/logging.tf b/templates/enterprise-landing-zone/logging.tf index 0a9b3582..f7224efc 100644 --- a/templates/enterprise-landing-zone/logging.tf +++ b/templates/enterprise-landing-zone/logging.tf @@ -4,6 +4,9 @@ ########################################################################################################## locals { + nonprod_sec_id = try(module.nonprod_environment[0].compartment.security.id, "") + nonprod_stream_id = try(module.nonprod_environment[0].stream_id, "") + nonprod_logg_id = try(module.nonprod_environment[0].compartment.logging.id, "") service_connector_policy = { name = "${var.resource_label}-OCI-ELZ-SC-Policy" description = "OCI ELZ Service Connector Policy" 
@@ -11,11 +14,11 @@ locals { "Allow any-user to read log-content in compartment id ${module.home_compartment.compartment_id} where all {request.principal.type='serviceconnector'}", "Allow any-user to read log-groups in compartment id ${module.home_compartment.compartment_id} where all {request.principal.type='serviceconnector'}", "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${module.prod_environment.compartment.security.id} where all {request.principal.type='serviceconnector', target.stream.id='${module.prod_environment.stream_id}', request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${module.nonprod_environment.compartment.security.id} where all {request.principal.type='serviceconnector', target.stream.id='${module.nonprod_environment.stream_id}', request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}", + "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${local.nonprod_sec_id} where all {request.principal.type='serviceconnector', target.stream.id='${local.nonprod_stream_id}', request.principal.compartment.id='${local.nonprod_sec_id}'}", "Allow any-user to manage objects in compartment id ${module.prod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to manage objects in compartment id ${module.nonprod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}", + "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', 
request.principal.compartment.id='${local.nonprod_sec_id}'}", "Allow any-user to manage objects in compartment id ${module.prod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.prod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${module.prod_environment.compartment.security.id}'}", - "Allow any-user to manage objects in compartment id ${module.nonprod_environment.compartment.logging.id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${module.nonprod_environment.compartment.security.id}'}" + "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', any{target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_auditLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_defaultLogs_standard', target.bucket.name='${var.resource_label}_${local.nonprod_environment.environment_prefix}_serviceEvents_standard'}, request.principal.compartment.id='${local.nonprod_sec_id}'}" ] } 
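Review bot: With `is_nonprod_env_deploy = false` the three non-prod statements in this hunk are still emitted, but `local.nonprod_sec_id`, `local.nonprod_stream_id` and `local.nonprod_logg_id` expand to the `""` fallback set in the locals above, yielding text such as `Allow any-user to manage objects in compartment id  where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id=''}`. Whether IAM rejects the empty compartment id and fails the entire service-connector policy, or accepts it and keeps an `any-user` statement whose scope is not what was intended, depends on the service's parser — either outcome is wrong for a statement granting `manage objects` and stream consumption, so the statements should be omitted rather than rendered with empty identifiers. Build the non-prod statements as a list gated on the flag and `concat` it onto the prod list; the `try()` locals can stay, as they are then only meaningful when the module instance exists. The enclosing `locals` block continues beyond this hunk.
```hcl
  nonprod_service_connector_statements = var.is_nonprod_env_deploy ? [
    "Allow any-user to {STREAM_READ, STREAM_CONSUME} in compartment id ${local.nonprod_sec_id} where all {request.principal.type='serviceconnector', target.stream.id='${local.nonprod_stream_id}', request.principal.compartment.id='${local.nonprod_sec_id}'}",
    "Allow any-user to manage objects in compartment id ${local.nonprod_logg_id} where all {request.principal.type='serviceconnector', target.bucket.name='*_standard', request.principal.compartment.id='${local.nonprod_sec_id}'}",
    # … unchanged: the third non-prod statement naming the auditLogs/defaultLogs/serviceEvents buckets …
  ] : []
  service_connector_policy = {
    # … unchanged: name, description …
    statements = concat([
      # … unchanged: the home-compartment and prod statements …
    ], local.nonprod_service_connector_statements)
  }
```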
@@ -140,7 +143,7 @@ module "service_connector_policy" { description = local.service_connector_policy.description statements = local.service_connector_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "service_connector_archive_policy" { @@ -150,7 +153,7 @@ module "service_connector_archive_policy" { description = local.service_connector_archive_policy.description statements = local.service_connector_archive_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "archive_key" { @@ -172,7 +175,7 @@ module "key_archive_policy" { description = local.key_archive_policy.description statements = local.key_archive_policy.statements - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "archive_bucket" { @@ -187,7 +190,7 @@ module "archive_bucket" { retention_policy_duration_time_unit = local.archive_log_bucket.retention_policy_duration_time_unit namespace = data.oci_objectstorage_namespace.ns.namespace - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment, module.archive_key, module.key_archive_policy] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment, module.archive_key, module.key_archive_policy] } module "prod_archive_audit_log_service_connector" { 
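Review bot: `depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment]` in the four hunks here (service_connector_policy, service_connector_archive_policy, key_archive_policy, archive_bucket) names one instance of a module that is now `count`-gated, while the depending modules themselves are not gated. `depends_on` takes whole-object references, and the un-indexed `module.nonprod_environment` expresses the same ordering whether the count is 0 or 1, so the index adds nothing and — if this Terraform version rejects instance keys in `depends_on`, which I have not verified — breaks plan when the flag is false. Prefer `depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment]` here and in `osms_dynamic_group` in security.tf.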
@@ -205,9 +208,10 @@ module "prod_archive_audit_log_service_connector" { } module "nonprod_archive_audit_log_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id source_compartment_id = module.home_compartment.compartment_id display_name = local.nonprod_archive_audit_log_service_connector.display_name source_kind = local.nonprod_archive_audit_log_service_connector.source_kind @@ -233,14 +237,15 @@ module "prod_archive_default_log_service_connector" { } module "nonprod_archive_default_log_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id - source_compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id + source_compartment_id = module.nonprod_environment[0].compartment.security.id display_name = local.nonprod_archive_default_log_service_connector.display_name source_kind = local.nonprod_archive_default_log_service_connector.source_kind target_kind = local.nonprod_archive_default_log_service_connector.target_kind - log_group_id = module.nonprod_environment.default_group_id + log_group_id = module.nonprod_environment[0].default_group_id target_bucket = local.nonprod_archive_default_log_service_connector.target_bucket depends_on = [module.archive_bucket, module.service_connector_archive_policy] 
@@ -262,14 +267,15 @@ module "prod_archive_service_events_service_connector" { } module "nonprod_archive_service_events_service_connector" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/service-connector" tenancy_ocid = var.tenancy_ocid - compartment_id = module.nonprod_environment.compartment.security.id - source_compartment_id = module.nonprod_environment.compartment.security.id + compartment_id = module.nonprod_environment[0].compartment.security.id + source_compartment_id = module.nonprod_environment[0].compartment.security.id display_name = local.nonprod_archive_service_events_service_connector.display_name source_kind = local.nonprod_archive_service_events_service_connector.source_kind target_kind = local.nonprod_archive_service_events_service_connector.target_kind - stream_id = module.nonprod_environment.stream_id + stream_id = module.nonprod_environment[0].stream_id cursor_kind = local.nonprod_archive_service_events_service_connector.cursor_kind target_bucket = local.nonprod_archive_service_events_service_connector.target_bucket @@ -287,6 +293,7 @@ module "prod_platform_admin_policy" { } module "nonprod_platform_admin_policy" { + count = var.is_nonprod_env_deploy ? 1 : 0 source = "../../modules/policies" compartment_ocid = module.home_compartment.compartment_id policy_name = local.nonprod_platform_admin_policy.name diff --git a/templates/enterprise-landing-zone/outputs.tf b/templates/enterprise-landing-zone/outputs.tf index 46e804d6..d8b256d1 100644 --- a/templates/enterprise-landing-zone/outputs.tf +++ b/templates/enterprise-landing-zone/outputs.tf 
@@ -45,17 +45,17 @@ output "prod_environment" { output "nonprod_environment" { value = { environment_prefix = local.nonprod_environment.environment_prefix - compartments = module.nonprod_environment.compartment - subnets = module.nonprod_environment.subnets - hub_vcn = module.nonprod_environment.vcn - hub_public_subnet_cidr = module.nonprod_environment.hub_public_subnet_cidr - hub_private_subnet_cidr = module.nonprod_environment.hub_private_subnet_cidr - drg_id = module.nonprod_environment.drg_id - identity_domain = module.nonprod_environment.identity_domain - workload_compartment_name = module.nonprod_environment.workload_compartment_name - workload_compartment_id = module.nonprod_environment.workload_compartment_id - workload_subnet_cidr_blocks = module.nonprod_environment.workload_subnet_cidr_blocks - access_governance_service_instance = module.nonprod_environment.access_governance_service_instance + compartments = try(module.nonprod_environment[0].compartment, null) + subnets = try(module.nonprod_environment[0].subnets, null) + hub_vcn = try(module.nonprod_environment[0].vcn, null) + hub_public_subnet_cidr = try(module.nonprod_environment[0].hub_public_subnet_cidr, null) + hub_private_subnet_cidr = try(module.nonprod_environment[0].hub_private_subnet_cidr, null) + drg_id = try(module.nonprod_environment[0].drg_id, null) + identity_domain = try(module.nonprod_environment[0].identity_domain, null) + workload_compartment_name = try(module.nonprod_environment[0].workload_compartment_name, null) + workload_compartment_id = try(module.nonprod_environment[0].workload_compartment_id, null) + workload_subnet_cidr_blocks = try(module.nonprod_environment[0].workload_subnet_cidr_blocks, null) + access_governance_service_instance = try(module.nonprod_environment[0].access_governance_service_instance, null) } description = "Non-Production Environment Information." } \ No newline at end of file 
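Review bot: Every field of `output "nonprod_environment"` is now wrapped in `try(..., null)`, which also silences genuine errors — a renamed or removed output of `../elz-environment` would surface as `null` here instead of failing plan, in the block operators read compartment, subnet and DRG ids from. The flag is already the single source of truth, so gate the whole value on it and leave the inner references unguarded: `value = var.is_nonprod_env_deploy ? { … } : null`, or, if the pinned Terraform version allows it, `one(module.nonprod_environment[*].compartment)` per field, which is null at count 0 and still errors on a bad attribute. Note that `environment_prefix` is still reported when nothing is deployed, which may mislead a consumer into assuming the compartments exist.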
diff --git a/templates/enterprise-landing-zone/security.tf b/templates/enterprise-landing-zone/security.tf index b2756c7d..79ac6aa3 100644 --- a/templates/enterprise-landing-zone/security.tf +++ b/templates/enterprise-landing-zone/security.tf @@ -4,6 +4,10 @@ ########################################################################################################## locals { + nonprod_security_id = try(module.nonprod_environment[0].compartment.security.id, "") + nonprod_network_id = try(module.nonprod_environment[0].compartment.network.id, "") + nonprod_workload_cmp_id = try(module.nonprod_environment[0].workload_compartment_id, "") + nonprod_logging_id = try(module.nonprod_environment[0].compartment.logging.id, "") cloud_guard_policy = { name = "${var.resource_label}-OCI-ELZ-CG-Policy" description = "OCI Enterprise Landing Zone Cloud Guard Policy" @@ -76,11 +80,11 @@ locals { instance.compartment.id = '${module.prod_environment.compartment.security.id}', instance.compartment.id = '${module.prod_environment.compartment.network.id}', instance.compartment.id = '${module.prod_environment.workload_compartment_id}', - instance.compartment.id = '${module.nonprod_environment.compartment.security.id}', - instance.compartment.id = '${module.nonprod_environment.compartment.network.id}', - instance.compartment.id = '${module.nonprod_environment.workload_compartment_id}', + instance.compartment.id = '${local.nonprod_security_id}', + instance.compartment.id = '${local.nonprod_network_id}', + instance.compartment.id = '${local.nonprod_workload_cmp_id}', instance.compartment.id = '${module.prod_environment.compartment.logging.id}', - instance.compartment.id = '${module.nonprod_environment.compartment.logging.id}', + instance.compartment.id = '${local.nonprod_logging_id}', instance.compartment.id = '${module.home_compartment.compartment_id}' } EOT 
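Review bot: When the flag is false, the dynamic-group matching rule in the second hunk still contains four `instance.compartment.id = ''` clauses, because `local.nonprod_security_id`, `local.nonprod_network_id`, `local.nonprod_workload_cmp_id` and `local.nonprod_logging_id` fall back to `""`. An empty OCID inside an `Any { … }` rule either fails dynamic-group creation or is accepted as a dead clause — I have not checked which — and in both cases the rule text misleads anyone auditing which instances the group admits. Build the clause list from the compartment ids and join it, so a clause exists only for a compartment that does; the `Any {` opener and the rest of `osms_dynamic_group` are outside this hunk.
```hcl
  osms_compartment_ids = concat([
    module.prod_environment.compartment.security.id,
    module.prod_environment.compartment.network.id,
    module.prod_environment.workload_compartment_id,
    module.prod_environment.compartment.logging.id,
    module.home_compartment.compartment_id,
  ], var.is_nonprod_env_deploy ? [
    local.nonprod_security_id,
    local.nonprod_network_id,
    local.nonprod_workload_cmp_id,
    local.nonprod_logging_id,
  ] : [])
  # … unchanged: osms_dynamic_group name …
  general_matching_rule = <<EOT
  Any {
    ${join(",\n    ", [for id in local.osms_compartment_ids : "instance.compartment.id = '${id}'"])}
  }
  EOT
```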
@@ -163,7 +167,7 @@ module "osms_dynamic_group" { name = local.osms_dynamic_group.dynamic_group_name matching_rule = local.osms_dynamic_group.general_matching_rule - depends_on = [module.prod_environment, module.nonprod_environment, module.home_compartment] + depends_on = [module.prod_environment, module.nonprod_environment[0], module.home_compartment] } module "osms_policy" { diff --git a/templates/enterprise-landing-zone/variables.tf b/templates/enterprise-landing-zone/variables.tf index 10adae37..6e12fe99 100644 --- a/templates/enterprise-landing-zone/variables.tf +++ b/templates/enterprise-landing-zone/variables.tf @@ -25,6 +25,12 @@ variable "is_baseline_deploy" { description = "TagNameSpace Optimization: Set to True(if the deployment is baseline) to disable dependent module TagNameSpace Tag Creation." } +variable "is_nonprod_env_deploy" { + type = bool + default = true + description = "Deploy Non-Production Enviornment" +} + # ----------------------------------------------------------------------------- # Compartment Variables # ----------------------------------------------------------------------------- 
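Review bot: The description of `is_nonprod_env_deploy` in the variables.tf hunk reads "Deploy Non-Production Enviornment" (typo included) and says nothing about what the flag controls or what flipping it does on a live stack, which for a variable that can plan the destruction of an entire environment is the caveat operators need most. Suggested text: `description = "Set to true to deploy the Non-Production environment (compartments, network, vault, logging, its service connectors and platform-admin policy). Setting it to false on an existing deployment destroys all of those resources."` If the related IAM policy and dynamic-group statements are also made conditional on this flag, mention that here too.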
@@ -501,6 +507,60 @@ variable "nonprod_spoke_vcn_cidr" { description = "Non-Production Enivornment Spoke VCN CIDR Block." } +variable "prod_hub_public_subnet_dns_label" { + default = "ppublabel" + type = string + description = "Production Enivornment Hub Public Subnet DNS Label." +} +variable "nonprod_hub_public_subnet_dns_label" { + default = "npublabel" + type = string + description = "Non-Production Enivornment Hub Public Subnet DNS Label." +} +variable "prod_hub_private_subnet_dns_label" { + default = "pprilabel" + type = string + description = "Production Enivornment Hub Public Subnet DNS Label." +} +variable "nonprod_hub_private_subnet_dns_label" { + default = "nprilabel" + type = string + description = "Non-Production Enivornment Hub Public Subnet DNS Label." +} + +variable "prod_subnet_app_dns_label" { + default = "papplabel" + type = string + description = "Production Enivornment Spoke App Subnet DNS Label." +} +variable "nonprod_subnet_app_dns_label" { + default = "napplabel" + type = string + description = "Non-Production Enivornment Spoke App Subnet DNS Label." +} + +variable "prod_subnet_db_dns_label" { + default = "pdblabel" + type = string + description = "Production Enivornment Spoke DB Subnet DNS Label." +} +variable "nonprod_subnet_db_dns_label" { + default = "ndblabel" + type = string + description = "Non-Production Enivornment Spoke DB Subnet DNS Label." +} + +variable "prod_subnet_web_dns_label" { + default = "pweblabel" + type = string + description = "Production Enivornment Spoke Web Subnet DNS Label." +} +variable "nonprod_subnet_web_dns_label" { + default = "nweblabel" + type = string + description = "Non-Production Enivornment Spoke Web Subnet DNS Label." +} + #Tagging #nonprod_enable_tagging
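Review bot: The descriptions of `prod_hub_private_subnet_dns_label` and `nonprod_hub_private_subnet_dns_label` say "Hub Public Subnet DNS Label", a copy-paste slip that will confuse anyone reading the variable reference; they should read `description = "Production Enivornment Hub Private Subnet DNS Label."` and the non-production equivalent (the "Enivornment" spelling matches the surrounding file, but is a typo worth fixing throughout at some point). The default `pprilabel` for the prod hub private label also disagrees with `prilabel` in example.tfvars, so the example and the default deploy different DNS names. Since these root variables are where operators actually type the labels, a short note on the OCI format (letter first, alphanumeric, length limit) and on immutability after creation belongs in each description, whether or not a `validation` block is added downstream.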