Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |

Providers

| Name | Version |
|------|---------|
| oci | n/a |
| time | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| lz_alarms | github.com/oci-landing-zones/terraform-oci-modules-observability//alarms | v0.1.8 |
| lz_bastion | github.com/oci-landing-zones/terraform-oci-modules-security//bastion | v0.1.9 |
| lz_bastion_jump_host | github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage | v0.1.8 |
| lz_budgets | github.com/oci-landing-zones/terraform-oci-modules-governance//budgets | v0.1.4 |
| lz_cloud_guard | github.com/oci-landing-zones/terraform-oci-modules-security//cloud-guard | v0.1.7 |
| lz_compartments | github.com/oci-landing-zones/terraform-oci-modules-iam//compartments | v0.2.4 |
| lz_custom_domain_dynamic_groups | github.com/oci-landing-zones/terraform-oci-modules-iam//identity-domains | v0.2.4 |
| lz_custom_domain_groups | github.com/oci-landing-zones/terraform-oci-modules-iam//identity-domains | v0.2.4 |
| lz_dynamic_groups | github.com/oci-landing-zones/terraform-oci-modules-iam//dynamic-groups | v0.2.4 |
| lz_firewall_appliance | github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage | v0.1.7 |
| lz_flow_logs | github.com/oci-landing-zones/terraform-oci-modules-observability//logging | v0.1.8 |
| lz_groups | github.com/oci-landing-zones/terraform-oci-modules-iam//groups | v0.2.7 |
| lz_home_region_notifications | github.com/oci-landing-zones/terraform-oci-modules-observability//events | v0.1.8 |
| lz_home_region_topics | github.com/oci-landing-zones/terraform-oci-modules-observability//notifications | v0.1.8 |
| lz_logging_analytics | github.com/oci-landing-zones/terraform-oci-modules-observability//logging | v0.1.8 |
| lz_network | github.com/oci-landing-zones/terraform-oci-modules-networking | v0.7.1 |
| lz_new_identity_domain | github.com/oci-landing-zones/terraform-oci-modules-iam//identity-domains | v0.2.4 |
| lz_nlb | github.com/oci-landing-zones/terraform-oci-modules-networking//modules/nlb | v0.7.1 |
| lz_notifications | github.com/oci-landing-zones/terraform-oci-modules-observability//events | v0.1.8 |
| lz_oke_clusters_policy | github.com/oci-landing-zones/terraform-oci-modules-iam//policies | v0.2.4 |
| lz_policies | github.com/oci-landing-zones/terraform-oci-modules-iam//policies | v0.2.4 |
| lz_regional_topics | github.com/oci-landing-zones/terraform-oci-modules-observability//notifications | v0.1.8 |
| lz_root_policies | github.com/oci-landing-zones/terraform-oci-modules-iam//policies | v0.2.4 |
| lz_scanning | github.com/oci-landing-zones/terraform-oci-modules-security//vss | v0.1.7 |
| lz_security_zones | github.com/oci-landing-zones/terraform-oci-modules-security//security-zones | v0.1.7 |
| lz_service_connector_hub | github.com/oci-landing-zones/terraform-oci-modules-observability//service-connectors | v0.1.8 |
| lz_services_policy | github.com/oci-landing-zones/terraform-oci-modules-iam//policies | v0.2.4 |
| lz_tags | github.com/oci-landing-zones/terraform-oci-modules-governance//tags | v0.1.4 |
| lz_top_compartment | github.com/oci-landing-zones/terraform-oci-modules-iam//compartments | v0.2.4 |
| lz_vault | github.com/oci-landing-zones/terraform-oci-modules-security//vaults | v0.1.7 |
| lz_zpr | github.com/oci-landing-zones/terraform-oci-modules-security//zpr | v0.1.9 |
| native_oci_firewall | github.com/oci-landing-zones/terraform-oci-modules-networking | v0.7.1 |
| oci_native_firewall_logs | github.com/oci-landing-zones/terraform-oci-modules-observability//logging | v0.1.9 |

Resources

| Name | Type |
|------|------|
| time_sleep.wait_on_compartments | resource |
| time_sleep.wait_on_services_policy | resource |
| oci_cloud_guard_cloud_guard_configuration.this | data source |
| oci_identity_compartment.existing_enclosing_compartment | data source |
| oci_identity_compartments.app | data source |
| oci_identity_compartments.database | data source |
| oci_identity_compartments.exainfra | data source |
| oci_identity_compartments.network | data source |
| oci_identity_compartments.security | data source |
| oci_identity_domain.existing_identity_domain | data source |
| oci_identity_dynamic_groups.all | data source |
| oci_identity_group.existing_ag_admin_group | data source |
| oci_identity_group.existing_announcement_reader_group | data source |
| oci_identity_group.existing_appdev_admin_group | data source |
| oci_identity_group.existing_auditor_group | data source |
| oci_identity_group.existing_cost_admin_group | data source |
| oci_identity_group.existing_cred_admin_group | data source |
| oci_identity_group.existing_database_admin_group | data source |
| oci_identity_group.existing_exainfra_admin_group | data source |
| oci_identity_group.existing_iam_admin_group | data source |
| oci_identity_group.existing_network_admin_group | data source |
| oci_identity_group.existing_security_admin_group | data source |
| oci_identity_group.existing_storage_admin_group | data source |
| oci_identity_region_subscriptions.these | data source |
| oci_identity_regions.these | data source |
| oci_identity_tag_namespaces.this | data source |
| oci_identity_tenancy.this | data source |
| oci_objectstorage_namespace.this | data source |

Inputs

Name Description Type Default Required
activate_service_connector Whether Service Connector should be activated. If true, costs my incur due to usage of Object Storage bucket, Streaming or Function. bool false no
add_exa_vcn1 Whether to add a VCN configured for Exadata Cloud Service deployment, with two subnets: client (private) and backup (private). The added VCN is labelled 'EXA-VCN-1'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_exa_vcn2 Whether to add a second VCN configured for Exadata Cloud Service deployment, with two subnets: client (private) and backup (private). The added VCN is labelled 'EXA-VCN-2'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_exa_vcn3 Whether to add a third VCN configured for Exadata Cloud Service deployment, with two subnets: client (private) and backup (private). The added VCN is labelled 'EXA-VCN-3'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_oke_vcn1 Whether to add a VCN configured for OKE workload deployments, with at least three subnets: service (public by default), workers (private) and API endpoint (private). Additionally, a private subnet for pods deployment is created if the OKE CNI Type is 'Native'. You can also enable an extra private subnet for managing the OKE cluster. The added VCN is labelled 'OKE-VCN-1'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_oke_vcn1_mgmt_subnet Whether to add a private subnet for cluster management. bool false no
add_oke_vcn2 Whether to add a second VCN configured for OKE workload deployments, with at least three subnets: service (public by default), workers (private) and API endpoint (private). Additionally, a private subnet for pods deployment is created if the OKE CNI Type is 'Native'. You can also enable an extra private subnet for managing the OKE cluster. The added VCN is labelled 'OKE-VCN-2'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_oke_vcn2_mgmt_subnet Whether to add a private subnet for cluster management. bool false no
add_oke_vcn3 Whether to add a third VCN configured for OKE workload deployments, with at least three subnets: service (public by default), workers (private) and API endpoint (private). Additionally, a private subnet for pods deployment is created if the OKE CNI Type is 'Native'. You can also enable an extra private subnet for managing the OKE cluster. The added VCN is labelled 'OKE-VCN-3'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_oke_vcn3_mgmt_subnet Whether to add a private subnet for cluster management. bool false no
add_tt_vcn1 Whether to add a VCN configured for three-tier workload deployments, with up to four subnets: web (public by default), application (private), database (private). An optional subnet (private by default) for bastion deployment is also available. The added VCN is labelled 'TT-VCN-1'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_tt_vcn2 Whether to add a second VCN configured for three-tier workload deployments, with up to four subnets: web (public by default), application (private), database (private). An optional subnet (private by default) for bastion deployment is also available. The added VCN is labelled 'TT-VCN-2'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
add_tt_vcn3 Whether to add a third VCN configured for three-tier workload deployments, with up to four subnets: web (public by default), application (private), database (private). An optional subnet (private by default) for bastion deployment is also available. The added VCN is labelled 'TT-VCN-3'. The label should be used in the '*_routable_vcns' fields of other VCNs for constraining network traffic to those respective VCNs in a Hub/Spoke topology. bool false no
alarm_message_format Format of the message sent by Alarms string "PRETTY_JSON" no
bastion_jump_host_boot_volume_size The boot volume size (in GB) for the bastion jump host instance. number 60 no
bastion_jump_host_custom_image_ocid The custom image ocid of the user-provided bastion jump host instance. The custom image takes precedence over marketplace image. string null no
bastion_jump_host_flex_shape_cpu The number of OCPUs for the selected flex shape. Applicable to flexible shapes only. number 2 no
bastion_jump_host_flex_shape_memory The amount of memory (in GB) for the selected flex shape. Applicable to flexible shapes only. number 56 no
bastion_jump_host_instance_name The display name of the bastion jump host instance. string "bastion-jump-host-instance" no
bastion_jump_host_instance_shape The instance shape for the bastion jump host instance. string "VM.Standard.E4.Flex" no
bastion_jump_host_marketplace_image_option Options to select a jump host marketplace image. Either Oracle Linux 8 STIG (Free), or CIS Hardened Image Level 1 on Oracle Linux 8 (Paid). string null no
bastion_jump_host_ssh_public_key_path The SSH public key to login to bastion jump host instance. string null no
bastion_service_allowed_cidrs List of the bastion service allowed cidrs. list(string) [] no
bastion_service_name The bastion service name. string null no
budget_admin_email_endpoints List of email addresses for all budget related notifications such as budget and finance. (Type an email address and hit enter to enter multiple values) list(string) [] no
budget_alert_email_endpoints List of email addresses for budget alerts. (Type an email address and hit enter to enter multiple values) list(string) [] no
budget_alert_threshold The threshold for triggering the alert expressed as a percentage of the monthly forecast spend. 100% is the default. number 100 no
budget_amount The amount of the budget expressed as a whole number in the currency of the customer's rate card. number 1000 no
cis_level Determines CIS OCI Benchmark Level to apply on Landing Zone managed resources. Level 1 is be practical and prudent. Level 2 is intended for environments where security is more critical than manageability and usability. Level 2 drives the creation of an OCI Vault, buckets encryption with a customer managed key, write logs for buckets and the usage of specific policies in Security Zones. string "1" no
cloud_guard_admin_email_endpoints List of email addresses for Cloud Guard related notifications. list(string) [] no
cloud_guard_reporting_region Cloud Guard reporting region, where Cloud Guard reporting resources are kept. If not set, it defaults to home region. string null no
cloud_guard_risk_level_threshold Determines the minimum Risk level that triggers sending Cloud Guard problems to the defined Cloud Guard Email Endpoint. E.g. a setting of High will send notifications for Critical and High problems. string "High" no
compute_admin_email_endpoints List of email addresses for all compute related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
create_alarms_as_enabled Whether a alarms should be created in an enabled state by default. If unchecked, alarms will be created but not emit alerts. bool false no
create_budget If true, a budget is created for the enclosing compartment, based on forecast or actual spending. bool false no
create_events_as_enabled Whether events should be created in an enabled state by default. If unchecked, events will be created but not emit notifications. bool false no
custom_id_domain_ocid The existing identity domain OCID. string null no
customize_hub_vcn_subnets Whether to customize default subnets settings of the Hub VCN. Only applicable to RMS deployments. bool false no
customize_iam Whether Landing Zone IAM settings are to be customized. Customizable options are identity domains, groups, dynamic groups and policies. bool false no
customize_tt_vcn1_subnets If true, allows for the customization of default subnets settings. Only applicable to RMS deployments. bool false no
customize_tt_vcn2_subnets If true, allows for the customization of default subnets settings. Only applicable to RMS deployments. bool false no
customize_tt_vcn3_subnets If true, allows for the customization of default subnets settings. Only applicable to RMS deployments. bool false no
database_admin_email_endpoints List of email addresses for all database related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
define_net Whether networking is defined as part of this Landing Zone. By default, no networking resources are created. bool false no
deploy_bastion_jump_host The option to deploy the bastion jump host. bool false no
deploy_bastion_service The option to deploy the bastion service. bool false no
deploy_custom_domain_groups Whether to deploy IAM domain groups and dynamic groups in the existing domain. If false, the Landing Zone will use the existing groups and dynamic groups in the existing domain. bool false no
deploy_exainfra_cmp Whether a separate compartment for Exadata Cloud Service Infrastructure is deployed. bool false no
deploy_tt_vcn1_bastion_subnet Whether to deploy a subnet where you can further deploy OCI Bastion service or a jump host. bool false no
deploy_tt_vcn2_bastion_subnet Whether to deploy a subnet where you can further deploy OCI Bastion service or a jump host. bool false no
deploy_tt_vcn3_bastion_subnet Whether to deploy a subnet where you can further deploy OCI Bastion service or a jump host. bool false no
display_output Whether to display a concise set of select resource outputs with their OCIDs and names. bool true no
dyn_groups_options ------------------------------------------------------ ----- IAM - Dynamic Groups ------------------------------------------------------- string "Yes" no
enable_cloud_guard Determines whether the Cloud Guard service should be enabled. If true, Cloud Guard is enabled and the Root compartment is configured with a Cloud Guard target, as long as there is no pre-existing Cloud Guard target for the Root compartment (or target creation will fail). Keep in mind that once you set this to true, Cloud Guard target is managed by Landing Zone. If later on you switch this to false, the managed target is deleted and all (open, resolved and dismissed) problems associated with the deleted target are being moved to 'deleted' state. This operation happens in the background and would take some time to complete. Deleted problems can be viewed from the problems page using the 'deleted' status filter. For more details on Cloud Guard problems lifecycle, see https://docs.oracle.com/en-us/iaas/cloud-guard/using/problems-page.htm#problems-page__sect_prob_lifecycle. If Cloud Guard is already enabled and a target exists for the Root compartment, set this variable to false. bool true no
enable_cloud_guard_cloned_recipes Whether cloned recipes are attached to the managed Cloud Guard target. If false, Oracle managed recipes are attached. bool true no
enable_native_firewall_threat_log Enable OCI Native Firewall Threat Log. bool false no
enable_native_firewall_traffic_log Enable OCI Native Firewall Traffic Log. bool false no
enable_security_zones Determines if Security Zones are enabled in Landing Zone. When set to true, the Security Zone is enabled for the enclosing compartment. If no enclosing compartment is used, then the Security Zone is not enabled. bool false no
enable_service_connector Whether Service Connector should be enabled. If true, a single Service Connector is managed for all services log sources and the designated target specified in 'Service Connector Target Kind'. The Service Connector resource is created in INACTIVE state. To activate, check 'Activate Service Connector?' (costs may incur). bool false no
enable_zpr Whether to enable ZPR service. bool false no
enclosing_compartment_options Determines where the landing zone compartments are deployed: within a new enclosing compartment or within an existing select enclosing compartment (that can be the Root compartment). Valid options: 'Yes, deploy new', 'Yes, use existing', 'No' string "Yes, deploy new" no
enclosing_compartment_parent_ocid The existing compartment where Landing Zone enclosing compartment is created. string null no
exa_vcn1_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
exa_vcn1_backup_subnet_cidr The Backup subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn1_backup_subnet_name The Backup subnet name. string null no
exa_vcn1_cidrs The list of CIDR blocks for the VCN. list(string)
[
"172.16.0.0/20"
]
no
exa_vcn1_client_subnet_cidr The Client subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn1_client_subnet_name The Client subnet name. string null no
exa_vcn1_name The VCN name. If unassigned, a default name is provided. VCN label: EXA-VCN-1. string null no
exa_vcn1_routable_vcns The VCN labels that this VCN can send traffic to. Leave unassigned for sending traffic to all VCNs. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
exa_vcn2_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
exa_vcn2_backup_subnet_cidr The Backup subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn2_backup_subnet_name The Backup subnet name. string null no
exa_vcn2_cidrs The list of CIDR blocks for the VCN. list(string)
[
"172.17.0.0/20"
]
no
exa_vcn2_client_subnet_cidr The Client subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn2_client_subnet_name The Client subnet name. string null no
exa_vcn2_name The VCN name. If unassigned, a default name is provided. VCN label: EXA-VCN-2 string null no
exa_vcn2_routable_vcns The VCN labels that this VCN can send traffic to. Leave unassigned for sending traffic to all VCNs. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN3, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
exa_vcn3_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
exa_vcn3_backup_subnet_cidr The Backup subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn3_backup_subnet_name The Backup subnet name. string null no
exa_vcn3_cidrs The list of CIDR blocks for the VCN. list(string)
[
"172.18.0.0/20"
]
no
exa_vcn3_client_subnet_cidr The Client subnet CIDR block. It must be within the VCN CIDR blocks. string null no
exa_vcn3_client_subnet_name The Client subnet name. string null no
exa_vcn3_name The VCN name. If unassigned, a default name is provided. Label: EXA-VCN-3. string null no
exa_vcn3_routable_vcns The VCN labels that this VCN can send traffic to. Leave unassigned for sending traffic to all VCNs. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN2, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
exainfra_admin_email_endpoints List of email addresses for all Exadata infrastructure related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
existing_ag_admin_group_name The existing group to which Access Governance management policies will be granted to. list(string) [] no
existing_announcement_reader_group_name The existing group to which announcement reading policies will be granted to. list(string) [] no
existing_appdev_admin_group_name The existing group to which application management policies will be granted to. list(string) [] no
existing_appdev_fun_dyn_group_name Existing appdev dynamic group. string "" no
existing_auditor_group_name The existing group to which auditing policies will be granted to. list(string) [] no
existing_compute_agent_dyn_group_name Existing compute agent dynamic group for management agent access. string "" no
existing_cost_admin_group_name The existing group to which Cost management policies will be granted to. list(string) [] no
existing_cred_admin_group_name The existing group to which credentials management policies will be granted to. list(string) [] no
existing_database_admin_group_name The existing group to which database management policies will be granted to. list(string) [] no
existing_database_kms_dyn_group_name Existing database dynamic group for database to access keys. string "" no
existing_drg_ocid The OCID of an existing DRG that you want to reuse for hub deployment. Only applicable if hub_deployment_option is 'VCN or on-premises connectivity routing via DRG (existing DRG)' or 'VCN or on-premises connectivity routed through DMZ VCN with Network Virtual Appliance existing DRG (DMZ VCN will be created and DRG ID required)'. string null no
existing_enclosing_compartment_ocid The existing compartment where Landing Zone compartments (Network, Security, App, Database) are created. string null no
existing_exainfra_admin_group_name The existing group to which Exadata Cloud Service infrastructure management policies will be granted to. list(string) [] no
existing_iam_admin_group_name The existing group to which IAM management policies will be granted to. list(string) [] no
existing_id_domain_appdev_fun_dyn_group_name The existing dynamic group name in the existing identity domain for executing applications functions. string "" no
existing_id_domain_compute_agent_dyn_group_name The existing dynamic group name in the existing identity domain for Compute agents. string "" no
existing_id_domain_database_kms_dyn_group_name The existing dynamic group name in the existing identity domain for accessing database encryption keys. string "" no
existing_id_domain_net_fw_app_dyn_group_name The existing dynamic group name in the existing identity domain for running network firewall appliances. string "" no
existing_id_domain_security_fun_dyn_group_name The existing dynamic group name in the existing identity domain for executing security functions. string "" no
existing_net_fw_app_dyn_group_name Existing network firewall appliance dynamic group for reading firewall instances. string "" no
existing_network_admin_group_name The existing group to which network management policies will be granted to. list(string) [] no
existing_security_admin_group_name The existing group to which security management policies will be granted to. list(string) [] no
existing_security_fun_dyn_group_name Existing security dynamic group to run functions. string "" no
existing_service_connector_bucket_key_id An existing key used to encrypt Service Connector target Object Storage bucket. string null no
existing_service_connector_bucket_vault_compartment_id An existing compartment for the vault with the key used to encrypt Service Connector target Object Storage bucket. string null no
existing_service_connector_bucket_vault_id An existing vault for the key used to encrypt Service Connector target Object Storage bucket. string null no
existing_service_connector_target_function_id An existing function to be used as the Service Connector target. Only applicable if 'service_connector_target_kind' is set to 'functions'. string null no
existing_service_connector_target_stream_id An existing stream to be used as the Service Connector target. Only applicable if 'service_connector_target_kind' is set to 'streaming'. string null no
existing_storage_admin_group_name The existing group to which Storage management policies will be granted to. list(string) [] no
extend_landing_zone_to_new_region Whether Landing Zone is being extended to another region. When set to true, compartments, groups, policies and resources at the home region are not provisioned. Use this when you want to provision a Landing Zone in a new region, but reuse existing Landing Zone resources in the home region. bool false no
fingerprint n/a string "" no
groups_options Whether to deploy new groups or use existing groups. string "Yes" no
hub_deployment The available options for hub deployment as an integer. 'No cross-VCN or on-premises connectivity' = 0, 'VCN or on-premises connectivity routing via DRG (DRG will be created)' = 1, 'VCN or on-premises connectivity routing via DRG (existing DRG)' = 2, 'VCN or on-premises connectivity routing through DMZ VCN with Network Virtual Appliance (DRG and DMZ VCN will be created)' = 3, 'VCN or on-premises connectivity routed through DMZ VCN with Network Virtual Appliance existing DRG (DMZ VCN will be created and DRG ID required)' = 4 number 0 no
hub_deployment_option The available options for hub deployment. Valid values: 'No cross-VCN or on-premises connectivity', 'VCN or on-premises connectivity routing via DRG (DRG will be created)', 'VCN or on-premises connectivity routing via DRG (existing DRG)', 'VCN or on-premises connectivity routing through DMZ VCN with Network Virtual Appliance (DRG and DMZ VCN will be created)', 'VCN or on-premises connectivity routed through DMZ VCN with Network Virtual Appliance existing DRG (DMZ VCN will be created and DRG ID required)'. All the VCNs that attach to the DRG join the topology as spokes. string "" no
hub_vcn_cidrs List of CIDR blocks for the Hub VCN. list(string)
[
"192.168.0.0/24"
]
no
hub_vcn_deploy_net_appliance_option The network appliance option for deploying in the Hub VCN. Valid values: 'Don't deploy any network appliance at this time' (default), 'Palo Alto Networks VM-Series Firewall', 'Fortinet FortiGate Firewall', 'User-Provided Virtual Network Appliance', and 'OCI Native Firewall'. Costs are incurred. string "Don't deploy any network appliance at this time" no
hub_vcn_east_west_entry_point_ocid The OCID of a private address the Hub VCN routes traffic to for inbound internal cross-vcn traffic (East/West). This variable is to be assigned with the OCID of the indoor network load balancer's private IP address. string null no
hub_vcn_indoor_subnet_cidr The Hub VCN Indoor subnet CIDR block. It must be within the VCN CIDR blocks. string null no
hub_vcn_indoor_subnet_name The Hub VCN Indoor subnet name. string null no
hub_vcn_jumphost_subnet_cidr The Hub VCN Jump Host subnet CIDR block. It must be within the VCN CIDR blocks. string null no
hub_vcn_jumphost_subnet_name The Hub VCN Jump Host subnet Name. string null no
hub_vcn_mgmt_subnet_cidr The Hub VCN Management subnet CIDR block. It must be within the VCN CIDR blocks. string null no
hub_vcn_mgmt_subnet_external_allowed_cidrs_for_http List of CIDR blocks allowed to connect to Management subnet over HTTP. Leave empty for no access. list(string) [] no
hub_vcn_mgmt_subnet_external_allowed_cidrs_for_ssh List of CIDR blocks allowed to connect to Management subnet over SSH. Leave empty for no access. list(string) [] no
hub_vcn_mgmt_subnet_name The Hub VCN Management subnet Name. string null no
hub_vcn_name The Hub VCN name. string null no
hub_vcn_north_south_entry_point_ocid The OCID of a private address the Hub VCN routes traffic to for inbound external traffic (North/South). This variable is to be assigned with the OCID of the outdoor network load balancer's private IP address. string null no
hub_vcn_outdoor_subnet_cidr The Hub VCN Outdoor subnet CIDR block. It must be within the VCN CIDR blocks. string null no
hub_vcn_outdoor_subnet_name The Hub VCN Outdoor subnet name. string null no
hub_vcn_web_subnet_cidr The Hub VCN Web subnet CIDR block. It must be within the VCN CIDR blocks. string null no
hub_vcn_web_subnet_is_private Whether the Web subnet private. It is public by default. bool false no
hub_vcn_web_subnet_name The Hub VCN Web subnet name. string null no
identity_domain_option Option to use the default identity domain, create a new identity domain or use custom identity domain. Value to use: Default Domain, New Identity Domain, Use Custom Identity Domain string Default Domain no
lz_provenant_prefix The provenant landing zone prefix or code that identifies the client of this Landing Zone. This information goes into a freeform tag applied to all deployed resources. string "core" no
lz_provenant_version The provenant landing zone version. This information goes into a freeform tag applied to all deployed resources. string null no
net_appliance_boot_volume_size The boot volume size (in GB) for the Network Appliance instances. number 60 no
net_appliance_flex_shape_cpu The number of OCPUs for the selected flex shape. Applicable to flexible shapes only. number 4 no
net_appliance_flex_shape_memory The amount of memory (in GB) for the selected flex shape. Applicable to flexible shapes only. number 56 no
net_appliance_image_ocid The custom image ocid of the user-provided virtual network appliance. string null no
net_appliance_name_prefix Common prefix to network appliance name. To this common prefix, numbers 1 and 2 are appended to the corresponding instance. string "net-appliance-instance" no
net_appliance_public_rsa_key The SSH public key to login to Network Appliance Compute instance. string null no
net_appliance_shape The instance shape for the network appliance nodes. string "VM.Optimized3.Flex" no
net_fortigate_version Fortinet Fortigate Firewall Version. string "7.2.9_(_X64_)" no
net_palo_alto_version Palo Alto Firewall Version. string "11.1.4-h7" no
network_admin_email_endpoints List of email addresses for all network related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
new_identity_domain_license_type The license type of new identity domain. Value to use: free, premium string free no
new_identity_domain_name The name of the new identity domain if the option to create a new identity domain is chosen. string "" no
notifications_advanced_options n/a bool false no
oci_nfw_ip_ocid Enter OCI Network Firewall's Forwarding Private IP OCID. string null no
oci_nfw_policy_ocid Enter the OCI Network Firewall Policy OCID. string null no
oke_vcn1_api_subnet_cidr The API subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn1_api_subnet_name The API subnet name. string null no
oke_vcn1_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
oke_vcn1_cidrs The list of CIDR blocks for the VCN. list(string)
[
"10.3.0.0/16"
]
no
oke_vcn1_cni_type The CNI type for the OKE cluster. Valid values: 'Flannel' (default), 'Native'. If 'Native', a private subnet for pods deployment is created. string "Flannel" no
oke_vcn1_mgmt_subnet_cidr The Management subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn1_mgmt_subnet_name The Management subnet name. string null no
oke_vcn1_name The VCN name. If unassigned a default name is provided. string null no
oke_vcn1_pods_subnet_cidr The Pods subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn1_pods_subnet_name The Pods subnet name. A private subnet for pods deployment is automatically added if oke_vcn1_cni_type value is 'Native'. string null no
oke_vcn1_routable_vcns The VCN labels that this VCN can send traffic to. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-2, OKE-VCN-3. list(string) [] no
oke_vcn1_services_subnet_cidr The Services subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn1_services_subnet_name The Services subnet name. string null no
oke_vcn1_workers_subnet_cidr The Workers subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn1_workers_subnet_name The Workers subnet name. string null no
oke_vcn2_api_subnet_cidr The API subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn2_api_subnet_name The API subnet name. string null no
oke_vcn2_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
oke_vcn2_cidrs The list of CIDR blocks for the VCN. list(string) ["10.4.0.0/16"] no
oke_vcn2_cni_type The CNI type for the OKE cluster. Valid values: 'Flannel' (default), 'Native'. If 'Native', a private subnet for pods deployment is created. string "Flannel" no
oke_vcn2_mgmt_subnet_cidr The Management subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn2_mgmt_subnet_name The Management subnet name. string null no
oke_vcn2_name The VCN name. If unassigned, a default name is provided. string null no
oke_vcn2_pods_subnet_cidr The Pods subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn2_pods_subnet_name The pods subnet name. A private subnet for pods deployment is automatically added if oke_vcn2_cni_type value is 'Native'. string null no
oke_vcn2_routable_vcns The VCN labels that this VCN can send traffic to. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-3. list(string) [] no
oke_vcn2_services_subnet_cidr The Services subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn2_services_subnet_name The Services subnet name. string null no
oke_vcn2_workers_subnet_cidr The Workers subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn2_workers_subnet_name The Workers subnet name. string null no
oke_vcn3_api_subnet_cidr The API subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn3_api_subnet_name The API subnet name. string null no
oke_vcn3_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
oke_vcn3_cidrs The list of CIDR blocks for the VCN. list(string) ["10.5.0.0/16"] no
oke_vcn3_cni_type The CNI type for the OKE cluster. Valid values: 'Flannel' (default), 'Native'. If 'Native', a private subnet for pods deployment is created. string "Flannel" no
oke_vcn3_mgmt_subnet_cidr The Management subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn3_mgmt_subnet_name The Management subnet name. string null no
oke_vcn3_name The VCN name. If unassigned, a default name is provided. string null no
oke_vcn3_pods_subnet_cidr The Pods subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn3_pods_subnet_name The Pods subnet name. A private subnet for pods deployment is automatically added if oke_vcn3_cni_type value is 'Native'. string null no
oke_vcn3_routable_vcns The VCN labels that this VCN can send traffic to. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-2. list(string) [] no
oke_vcn3_services_subnet_cidr The Services subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn3_services_subnet_name The Services subnet name. string null no
oke_vcn3_workers_subnet_cidr The Workers subnet CIDR block. It must be within the VCN CIDR blocks. string null no
oke_vcn3_workers_subnet_name The Workers subnet name. string null no
onboard_logging_analytics Whether Logging Analytics will be enabled in the tenancy. If true, the Logging Analytics service will be enabled in the tenancy and a new Logging Analytics Namespace will be created. If false, the existing Logging Analytics namespace will be used. Only applicable if 'service_connector_target_kind' is set to 'logginganalytics'. bool false no
onprem_cidrs List of on-premises CIDR blocks allowed to connect to the Landing Zone network via a DRG. list(string) [] no
policies_in_root_compartment Whether policies in the Root compartment should be created or simply used. If 'CREATE', you must be sure the user executing this stack has permissions to create policies in the Root compartment. If 'USE', policies must have been created previously. string "CREATE" no
private_key_password n/a string "" no
private_key_path n/a string "" no
region The region where resources are deployed. string n/a yes
rm_existing_ag_admin_group_name Only applicable to RMS deployments. The existing group to which access governance policies will be granted. string "" no
rm_existing_announcement_reader_group_name Only applicable to RMS deployments. The existing group to which announcement reader policies will be granted. string "" no
rm_existing_appdev_admin_group_name Only applicable to RMS deployments. The existing group to which application management policies will be granted. string "" no
rm_existing_auditor_group_name Only applicable to RMS deployments. The existing group to which auditor policies will be granted. string "" no
rm_existing_cost_admin_group_name Only applicable to RMS deployments. The existing group to which cost management policies will be granted. string "" no
rm_existing_cred_admin_group_name Only applicable to RMS deployments. The existing group to which credentials management policies will be granted. string "" no
rm_existing_database_admin_group_name Only applicable to RMS deployments. The existing group to which database management policies will be granted. string "" no
rm_existing_exainfra_admin_group_name Only applicable to RMS deployments. The existing group to which Exadata Cloud Service infrastructure management policies will be granted. string "" no
rm_existing_iam_admin_group_name Only applicable to RMS deployments. The existing group to which IAM management policies will be granted. string "" no
rm_existing_id_domain_ag_admin_group_name The existing access governance admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_announcement_reader_group_name The existing announcement readers group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_appdev_admin_group_name The existing applications admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_auditor_group_name The existing auditor group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_cost_admin_group_name The existing cost admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_cred_admin_group_name The existing credentials admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_database_admin_group_name The existing database admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_exainfra_admin_group_name The existing Exadata CS infrastructure admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_iam_admin_group_name The existing IAM admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_network_admin_group_name The existing network admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_security_admin_group_name The existing security admin group name in the existing identity domain. list(string) [] no
rm_existing_id_domain_storage_admin_group_name The existing storage admin group name in the existing identity domain. list(string) [] no
rm_existing_network_admin_group_name Only applicable to RMS deployments. The existing group to which network management policies will be granted. string "" no
rm_existing_security_admin_group_name Only applicable to RMS deployments. The existing group to which security policies will be granted. string "" no
rm_existing_storage_admin_group_name Only applicable to RMS deployments. The existing group to which storage management policies will be granted. string "" no
security_admin_email_endpoints List of email addresses for all security related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
security_zones_reporting_region The reporting region of security zones. It defaults to tenancy home region if undefined. string "" no
service_connector_target_kind Service Connector Hub target resource. Valid values are 'objectstorage', 'streaming', 'functions' or 'logginganalytics'. In case of 'objectstorage', a new bucket is created. In case of 'streaming', you can provide an existing stream OCID in 'existing_service_connector_target_stream_id' and that stream is used; if no OCID is provided, a new stream is created. In case of 'functions', you must provide the existing function OCID in 'existing_service_connector_target_function_id'. In case of 'logginganalytics', a log group for the Logging Analytics service is created and the service is enabled if not already. string "objectstorage" no
service_label A unique label that gets prepended to all resources deployed by the Landing Zone. Max length: 15 characters. any n/a yes
storage_admin_email_endpoints List of email addresses for all storage related notifications. (Type an email address and hit enter to enter multiple values) list(string) [] no
sz_security_policies Additional Security Zones policy OCIDs to add to the security zone recipe (the default policies are added based on the CIS level). To list the Security Zones policy OCIDs available in a compartment, use the OCI CLI: oci cloud-guard security-policy-collection list-security-policies --compartment-id <compartment-ocid>. list(string) [] no
tenancy_ocid n/a any n/a yes
tt_vcn1_app_subnet_cidr The Application subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn1_app_subnet_name The Application subnet name. string null no
tt_vcn1_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
tt_vcn1_bastion_is_access_via_public_endpoint If true, the Bastion subnet is made public, for deploying and managing your own jump hosts. By default the Bastion subnet is private, and the OCI Bastion service is expected to be used for access. bool false no
tt_vcn1_bastion_subnet_allowed_cidrs List of CIDR blocks allowed to SSH into the jump host that is eventually deployed in the public Bastion subnet. Leave it empty for no access. list(string) [] no
tt_vcn1_bastion_subnet_cidr The Bastion subnet CIDR block. A /29 block is usually enough, unless you plan on deploying a large number of jump hosts. It must be within the VCN CIDR blocks. string null no
tt_vcn1_bastion_subnet_name The Bastion subnet name. string null no
tt_vcn1_cidrs The list of CIDR blocks for the VCN. list(string) ["10.0.0.0/20"] no
tt_vcn1_db_subnet_cidr The Database subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn1_db_subnet_name The Database subnet name. string null no
tt_vcn1_name The VCN name. If unassigned, a default name is provided. VCN label: TT-VCN-1. string null no
tt_vcn1_routable_vcns The VCN labels that this VCN can send traffic to. Leave unassigned for sending traffic to all VCNs. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-2, TT-VCN-3, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
tt_vcn1_web_subnet_cidr The Web subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn1_web_subnet_is_private Whether the Web subnet is private. It is public by default. bool false no
tt_vcn1_web_subnet_name The Web subnet name. string null no
tt_vcn2_app_subnet_cidr The Application subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn2_app_subnet_name The Application subnet name. string null no
tt_vcn2_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
tt_vcn2_bastion_is_access_via_public_endpoint If true, the Bastion subnet is made public, for deploying and managing your own jump hosts. By default the Bastion subnet is private, and the OCI Bastion service is expected to be used for access. bool false no
tt_vcn2_bastion_subnet_allowed_cidrs List of CIDR blocks allowed to SSH into the jump host that is eventually deployed in the public Bastion subnet. Leave it empty for no access. list(string) [] no
tt_vcn2_bastion_subnet_cidr The Bastion subnet CIDR block. A /29 block is usually enough, unless you plan on deploying a large number of jump hosts. It must be within the VCN CIDR blocks. string null no
tt_vcn2_bastion_subnet_name The Bastion subnet name. string null no
tt_vcn2_cidrs The list of CIDR blocks for the VCN. list(string) ["10.1.0.0/20"] no
tt_vcn2_db_subnet_cidr The Database subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn2_db_subnet_name The Database subnet name. string null no
tt_vcn2_name The VCN name. If unassigned, a default name is provided. Label: TT-VCN-2. string null no
tt_vcn2_routable_vcns The VCN labels that this VCN can send traffic to. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-3, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
tt_vcn2_web_subnet_cidr The Web subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn2_web_subnet_is_private Whether the Web subnet is private. It is public by default. bool false no
tt_vcn2_web_subnet_name The Web subnet name. string null no
tt_vcn3_app_subnet_cidr The Application subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn3_app_subnet_name The Application subnet name. string null no
tt_vcn3_attach_to_drg If true, the VCN is attached to a DRG, enabling cross-vcn traffic routing. bool false no
tt_vcn3_bastion_is_access_via_public_endpoint If true, the Bastion subnet is made public, for deploying and managing your own jump hosts. By default the Bastion subnet is private, and the OCI Bastion service is expected to be used for access. bool false no
tt_vcn3_bastion_subnet_allowed_cidrs List of CIDR blocks allowed to SSH into the jump host that is eventually deployed in the public Bastion subnet. Leave it empty for no access. 0.0.0.0/0 is not allowed. list(string) [] no
tt_vcn3_bastion_subnet_cidr The Bastion subnet CIDR block. A /29 block is usually enough, unless you plan on deploying a large number of jump hosts. It must be within the VCN CIDR blocks. string null no
tt_vcn3_bastion_subnet_name The Bastion subnet name. string null no
tt_vcn3_cidrs The list of CIDR blocks for the VCN. list(string) ["10.2.0.0/20"] no
tt_vcn3_db_subnet_cidr The Database subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn3_db_subnet_name The Database subnet name. string null no
tt_vcn3_name The VCN name. If unassigned, a default name is provided. Label: TT-VCN-3. string null no
tt_vcn3_routable_vcns The VCN labels that this VCN can send traffic to. Only applicable for Hub/Spoke topology where a DRG is deployed as the hub. Valid values: TT-VCN-1, TT-VCN-2, EXA-VCN-1, EXA-VCN-2, EXA-VCN3, OKE-VCN-1, OKE-VCN-2, OKE-VCN-3. list(string) [] no
tt_vcn3_web_subnet_cidr The Web subnet CIDR block. It must be within the VCN CIDR blocks. string null no
tt_vcn3_web_subnet_is_private Whether the Web subnet is private. It is public by default. bool false no
tt_vcn3_web_subnet_name The Web subnet name. string null no
user_ocid n/a string "" no
vss_agent_cis_benchmark_settings_scan_level Valid values: STRICT, MEDIUM, LIGHTWEIGHT, NONE. STRICT: If more than 20% of the CIS benchmarks fail, then the target is assigned a risk level of Critical. MEDIUM: If more than 40% of the CIS benchmarks fail, then the target is assigned a risk level of High. LIGHTWEIGHT: If more than 80% of the CIS benchmarks fail, then the target is assigned a risk level of High. NONE: disables cis benchmark scanning. string "MEDIUM" no
vss_agent_scan_level Valid values: STANDARD, NONE. STANDARD enables agent-based scanning. NONE disables agent-based scanning, in which case the other agent-related attributes have no effect. string "STANDARD" no
vss_create Whether Vulnerability Scanning Service recipes and targets are enabled in the Landing Zone. bool false no
vss_enable_file_scan Whether file scanning is enabled. bool false no
vss_folders_to_scan A list of folders to scan. Only applies if vss_enable_file_scan is true. Currently, the Scanning service checks for vulnerabilities only in Log4j and Spring4Shell. list(string) ["/"] no
vss_port_scan_level Valid values: STANDARD, LIGHT, NONE. STANDARD checks the 1000 most common port numbers, LIGHT checks the 100 most common port numbers, NONE does not check for open ports. string "STANDARD" no
vss_scan_day The week day for the Vulnerability Scanning Service recipe, if enabled. Only applies if vss_scan_schedule is WEEKLY (case insensitive). string "SUNDAY" no
vss_scan_schedule The scan schedule for the Vulnerability Scanning Service recipe, if enabled. Valid values are WEEKLY or DAILY (case insensitive). string "WEEKLY" no
zpr_namespace_name ZPR namespace name. string null no
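A pre-apply check for the constraints this table states, added here as an example and not part of the landing zone project's own code: it reads a variable file in the JSON form Terraform accepts (terraform.tfvars.json) and reports values that break the documented rules before you run terraform plan. It checks that every subnet CIDR sits inside its VCN's CIDR blocks, that no bastion allow-list contains 0.0.0.0/0, that routable VCN labels are valid and a VCN does not list itself, that enumerated values are valid, that service_label is at most 15 characters, and that a 'functions' connector target comes with a function OCID. Assumptions: the sample variable file is constructed for the example; the only VCN CIDR defaults the script knows are the ones this table lists; the VCN labels, including the EXA-VCN3 spelling, are taken from the table as written; the routable_vcns check treats attach_to_drg=false as a misconfiguration because the table says the list only applies to the DRG hub topology.

```python
"""Pre-apply lint for OCI Core Landing Zone variable files (terraform.tfvars.json).

Added example, not project code. The rules below are the ones stated in the
variables table; the sample input at the bottom is constructed.
"""
import ipaddress
import json
import re

# VCN CIDR defaults given in the variables table (EXA VCN defaults are not listed there).
DEFAULT_VCN_CIDRS = {
    "tt_vcn1": ["10.0.0.0/20"], "tt_vcn2": ["10.1.0.0/20"], "tt_vcn3": ["10.2.0.0/20"],
    "oke_vcn1": ["10.3.0.0/16"], "oke_vcn2": ["10.4.0.0/16"], "oke_vcn3": ["10.5.0.0/16"],
}
# Label each variable prefix carries in *_routable_vcns, spelled as the table spells them.
VCN_LABELS = {
    "tt_vcn1": "TT-VCN-1", "tt_vcn2": "TT-VCN-2", "tt_vcn3": "TT-VCN-3",
    "exa_vcn1": "EXA-VCN-1", "exa_vcn2": "EXA-VCN-2", "exa_vcn3": "EXA-VCN3",
    "oke_vcn1": "OKE-VCN-1", "oke_vcn2": "OKE-VCN-2", "oke_vcn3": "OKE-VCN-3",
}
ENUMS = {
    "vss_agent_scan_level": {"STANDARD", "NONE"},
    "vss_port_scan_level": {"STANDARD", "LIGHT", "NONE"},
    "vss_agent_cis_benchmark_settings_scan_level": {"STRICT", "MEDIUM", "LIGHTWEIGHT", "NONE"},
    "vss_scan_schedule": {"WEEKLY", "DAILY"},  # case-insensitive per the table
    "policies_in_root_compartment": {"CREATE", "USE"},
    "service_connector_target_kind": {"objectstorage", "streaming", "functions", "logginganalytics"},
    "new_identity_domain_license_type": {"free", "premium"},
}
SUBNET_RE = re.compile(r"^(?P<vcn>(?:tt|exa|oke)_vcn\d)_\w+_subnet_cidr$")


def lint(tfvars):
    """Return a list of human-readable findings; an empty list means no rule was broken."""
    findings = []
    # 1. Every subnet CIDR must be within one of its VCN's CIDR blocks.
    for key, value in tfvars.items():
        m = SUBNET_RE.match(key)
        if not m or value is None:
            continue
        vcn = m.group("vcn")
        vcn_cidrs = tfvars.get(f"{vcn}_cidrs") or DEFAULT_VCN_CIDRS.get(vcn)
        if vcn_cidrs is None:
            continue  # no known default for this VCN; nothing to compare against
        subnet = ipaddress.ip_network(value, strict=True)
        if not any(subnet.subnet_of(ipaddress.ip_network(c)) for c in vcn_cidrs):
            findings.append(f"{key}={value} is not within {vcn}_cidrs={vcn_cidrs}")
    # 2. Bastion SSH allow-list: 0.0.0.0/0 is never acceptable, and the list is
    #    meaningless unless the Bastion subnet is public.
    for vcn in VCN_LABELS:
        allowed = tfvars.get(f"{vcn}_bastion_subnet_allowed_cidrs") or []
        public = tfvars.get(f"{vcn}_bastion_is_access_via_public_endpoint", False)
        for cidr in allowed:
            if ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append(f"{vcn}_bastion_subnet_allowed_cidrs contains {cidr}: "
                                "that exposes the jump host's SSH port to the whole internet")
        if allowed and not public:
            findings.append(f"{vcn}_bastion_subnet_allowed_cidrs is set but the Bastion subnet "
                            "is private, so the list has no effect")
    # 3. Routable VCN labels must be valid, must not be the VCN itself, and only
    #    apply when the VCN is attached to the DRG hub.
    valid_labels = set(VCN_LABELS.values())
    for vcn, label in VCN_LABELS.items():
        peers = tfvars.get(f"{vcn}_routable_vcns") or []
        for peer in peers:
            if peer not in valid_labels:
                findings.append(f"{vcn}_routable_vcns: unknown VCN label {peer!r}")
            elif peer == label:
                findings.append(f"{vcn}_routable_vcns must not list its own label {label}")
        if peers and not tfvars.get(f"{vcn}_attach_to_drg", False):
            findings.append(f"{vcn}_routable_vcns is set but {vcn}_attach_to_drg is false")
    # 4. Enumerated settings.
    for key, allowed in ENUMS.items():
        value = tfvars.get(key)
        if isinstance(value, str):
            probe = value.upper() if key.startswith("vss_scan") else value
            if probe not in allowed:
                findings.append(f"{key}={value!r} is not one of {sorted(allowed)}")
    # 5. service_label is prepended to every resource name and capped at 15 characters.
    label = tfvars.get("service_label") or ""
    if not 1 <= len(label) <= 15:
        findings.append(f"service_label {label!r} must be 1 to 15 characters")
    # 6. A 'functions' target requires an existing function OCID.
    if (tfvars.get("service_connector_target_kind") == "functions"
            and not tfvars.get("existing_service_connector_target_function_id")):
        findings.append("service_connector_target_kind=functions requires "
                        "existing_service_connector_target_function_id")
    return findings


def lint_json(text):
    """Lint a terraform.tfvars.json document given as a string."""
    return lint(json.loads(text))


# Constructed sample: a deliberately flawed variable file.
SAMPLE_TFVARS_JSON = """{
  "service_label": "corp-prod-landing-zone",
  "tt_vcn1_cidrs": ["10.0.0.0/20"],
  "tt_vcn1_bastion_subnet_cidr": "10.0.1.0/29",
  "tt_vcn1_bastion_is_access_via_public_endpoint": true,
  "tt_vcn1_bastion_subnet_allowed_cidrs": ["0.0.0.0/0"],
  "tt_vcn1_db_subnet_cidr": "10.0.32.0/24",
  "tt_vcn1_attach_to_drg": true,
  "tt_vcn1_routable_vcns": ["TT-VCN-1", "OKE-VCN-1"],
  "oke_vcn1_workers_subnet_cidr": "10.3.10.0/24",
  "vss_scan_schedule": "daily",
  "vss_port_scan_level": "FULL",
  "service_connector_target_kind": "functions"
}"""

if __name__ == "__main__":
    for finding in lint_json(SAMPLE_TFVARS_JSON):
        print("FINDING:", finding)
```

Run it against your own file with `python lint_tfvars.py` after swapping the sample for `open("terraform.tfvars.json").read()`; a clean file produces no output. The sample above yields six findings: the database subnet lies outside the VCN, the public bastion allow-list contains 0.0.0.0/0, TT-VCN-1 lists itself as routable, the port scan level is not a valid value, the service label is too long, and the functions target lacks its OCID. The lowercase "daily" schedule and the worker subnet inside the default 10.3.0.0/16 pass.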

Outputs

Name Description
cis_level The CIS profile level.
compartments The deployed compartments.
dynamic_routing_gateways The deployed dynamic routing gateway.
network_security_groups The deployed network security groups.
nlb_private_ip_addresses The OCIDs of the deployed network load balancer private IP addresses.
oci_firewall_ip_ocid n/a
region The region where resources have been deployed.
release The OCI Core Landing Zone release.
service_label The prefix to deployed resources.
subnets The deployed subnets.
vcns The deployed virtual cloud networks.