LZsteps

LZ steps

Author: NicolaCimitile

manageability-and-operations/observability-and-manageability/database-management/LZ-autonomous-databases/Implementation_addon_steps.md

@@ -0,0 +1,28 @@
+# STEP2. ORM OBS ADD-ON Deployment Steps <!-- omit from toc -->
+
+
+Go to the orchestrator [github page](https://github.com/oci-landing-zones/terraform-oci-modules-orchestrator).
+
+At the beginning of the README page, select 'Deploy to Oracle Cloud'. When you click the provided magic button, a new ORM stack will be created. Follow these steps:
+
+1. Accept terms, wait for the configuration to load.
+2. Set the working directory to “rms-facade”.
+3. Set the stack name you prefer.
+4. Set the terraform version to 1.5.x. Click Next.
+5. Create you own bucket and upload the JSON files provided in this asset:
+
+* [oci_open_lz_addon_mon_iam_atp.auto.tfvars.json](oci_open_lz_addon_mon_iam_atp.auto.tfvars.json)
+* [oci_open_lz_addon_mon_network_atp.auto.tfvars.json](oci_open_lz_addon_mon_network_atp.auto.tfvars.json)
+
+6. Add the files generated as output in the ONE-OE deployment as dependencies.
+7. Un-check run apply. Click Create.
+8. First, execute a plan job to review all the resources that Terraform will create. Once verified, proceed to run the apply job to initiate the deployment.
+
+
+# License <!-- omit from toc -->
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.

manageability-and-operations/observability-and-manageability/database-management/LZ-autonomous-databases/oci_open_lz_addon_mon_iam.auto.tfvars.json

@@ -0,0 +1,116 @@
+{
+    "network_configuration": {
+        "default_enable_cis_checks": false,
+        "network_configuration_categories": {
+            "Add_DM_NSGs": {
+                "inject_into_existing_vcns": {
+                    "VCN-FRA-LZP-HUB-01-KEY": {
+                        "vcn_id": "VCN-FRA-LZP-HUB-KEY",
+                        "network_security_groups": {
+                        "NSG-FRA-LZP-HUB-PE-KEY": {
+                            "display_name": "nsg-fra-lzp-hub-global-mon-pe",
+                            "compartment_id": "CMP-LZP-NETWORK-KEY",
+                            "egress_rules": {
+                                "anywhere": {
+                                    "description": "egress to 0.0.0.0/0 over ALL protocols",
+                                    "dst": "0.0.0.0/0",
+                                    "dst_type": "CIDR_BLOCK",
+                                    "protocol": "ALL",
+                                    "stateless": true
+                                }
+                            },
+                            "ingress_rules": {
+                                "ingress_database": {
+                                    "description": "ingress to Allow communication between global PEs DM/OPSI and PE ATP, in db subnet",
+                                    "dst_port_max": 1521,
+                                    "dst_port_min": 1521,
+                                    "protocol": "TCP",
+                                    "src": "10.0.66.0/24",
+                                    "src_type": "CIDR_BLOCK",
+                                    "stateless": false
+                                }
+                            }
+                        }  
+                        }  
+                    },
+                    "VCN-FRA-LZP-P-PROJECTS-01-KEY": {
+                        "vcn_id": "VCN-FRA-LZP-P-PROJECTS-KEY",
+                        "network_security_groups": {
+                        "NSG-LZP-P-PROJECTS-PE-DB1-KEY": {
+                            "compartment_id": "CMP-LZP-P-PROJ1-DB-KEY",
+                            "display_name": "nsg-lzp-p-projects-mon-pe-db1",
+                            "egress_rules": {
+                                "anywhere": {
+                                    "description": "egress to 0.0.0.0/0 over TCP",
+                                    "dst": "0.0.0.0/0",
+                                    "dst_type": "CIDR_BLOCK",
+                                    "protocol": "TCP",
+                                    "stateless": false
+                                }
+                            },
+                            "ingress_rules": {
+                            "ingress_pe_database_sn": {
+                                    "description": "ingress to Allow communication between PE DM/OPSI and PE ATP, in Prod db subnet",
+                                    "dst_port_max": 1521,
+                                    "dst_port_min": 1521,
+                                    "protocol": "TCP",
+                                    "src": "10.0.66.0/24",
+                                    "src_type": "CIDR_BLOCK",
+                                    "stateless": false
+                            },
+                            "ingress_logs_sn_database_sn": {
+                                    "description": "ingress from global DM/OPSI PE, in logs subnet",
+                                    "dst_port_max": 1521,
+                                    "dst_port_min": 1521,
+                                    "protocol": "TCP",
+                                    "src": "10.0.4.0/24",
+                                    "src_type": "CIDR_BLOCK",
+                                    "stateless": false
+                            }                          
+                            }
+                        }
+                        } 
+                    },
+                    "VCN-FRA-LZP-PP-PROJECTS-01-KEY": {
+                        "vcn_id": "VCN-FRA-LZP-PP-PROJECTS-KEY",
+                        "network_security_groups": {
+                        "NSG-LZP-PP-PROJECTS-PE-DB1-KEY": {
+                            "compartment_id": "CMP-LZP-PP-PROJ1-DB-KEY",
+                            "display_name": "nsg-lzp-pp-projects-mon-pe-db1",
+                            "egress_rules": {
+                                "anywhere": {
+                                    "description": "egress to 0.0.0.0/0 over TCP",
+                                    "dst": "0.0.0.0/0",
+                                    "dst_type": "CIDR_BLOCK",
+                                    "protocol": "TCP",
+                                    "stateless": false
+                                }
+                            },
+                            "ingress_rules": {
+                            "ingress_pe_database_sn": {
+                                    "description": "ingress to Allow communication between PEs DM/OPSI and PE ATP, in Preprod db subnet",
+                                    "dst_port_max": 1521,
+                                    "dst_port_min": 1521,
+                                    "protocol": "TCP",
+                                    "src": "10.0.130.0/24",
+                                    "src_type": "CIDR_BLOCK",
+                                    "stateless": false
+                            },
+                            "ingress_logs_sn_database_sn": {
+                                    "description": "ingress from global DM/OPSI PEs, in logs subnet",
+                                    "dst_port_max": 1521,
+                                    "dst_port_min": 1521,
+                                    "protocol": "TCP",
+                                    "src": "10.0.4.0/24",
+                                    "src_type": "CIDR_BLOCK",
+                                    "stateless": false
+                            }                          
+                            }
+                        }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

manageability-and-operations/observability-and-manageability/database-management/LZ-autonomous-databases/oci_open_lz_addon_mon_network.auto.tfvars.json

@@ -0,0 +1,21 @@
+{
+
+    "vaults_configuration": {
+        "default_compartment_id": "CMP-LZP-SECURITY-KEY",      
+        "vaults": {
+            "VLT-LZP-SHARED-MON-KEY": {
+                "name": "vlt-lzp-shared-mon-security"
+            }
+        },
+        "keys": {
+            "KEY-LZP-MON-KEY": {
+                "name": "key-lzp-mon-bkt",
+                "protection_mode": "SOFTWARE",
+                "vault_key": "VLT-LZP-SHARED-MON-KEY",
+                "service_grantees": ["objectstorage-eu-frankfurt-1"],
+                "group_grantees": ["grp-lzp-mon-admins"],
+                "versions": ["1","2"]
+            }
+        }
+    }
+}

manageability-and-operations/observability-and-manageability/database-management/LZ-autonomous-databases/oci_open_lz_addon_mon_security.auto.tfvars.json

@@ -0,0 +1,78 @@
+# **[Autonomous Databases ](#)**
+## **An OCI Open LZ Addon to help you enable Database Management & Operation Insights for Autonomous Databases**
+
+## Design
+
+To enable **Database Management** or **Operational Insights** for Autonomous Databases, you must deploy Private Endpoints that have access to the database you wish to configure. A Private Endpoint acts as a representation of OCI O&M Services within the VCN.
+
+Both DMA Private Endpoints and OPSI Private Endpoints need visibility into the ATP Private Endpoint. To enable this, the add-on includes Network Security Groups (NSGs).
+
+To check the documentation you can use these links: [DMA PE](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/privateaccess.htm#private-endpoints) (Database Management Private Endpoint). or [OPSI PE](https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/privateaccess.htm#private-endpoints) (Operation Insights Private Endpoint).
+
+
+**GLOBAL APPROACH**
+
+For customers with multiple OEs and environments, it's crucial to consider the service limits for Private Endpoints. In such cases, we recommend a shared approach using global Private Endpoints, which should be deployed in the HUB VCN and considered shared resources.
+
+In this **global approach**, PEs will be placed in the monitoring subnet (sn-fra-lzp-hub-mon) in the hub vcn and should be assigned to the PE NSGs (nsg-fra-lzp-hub-global-mon-pe). In the other hand the database will be placed in cmp-lzp-p-proj1-db compartment using the database subnet (ssn-fra-lzp-p-db) and assigned to the DB NSGs (nsg-lzp-p-projects-mon-pe-db1).
+  
+In this add-on, we will deploy a Shared Observability Platform compartment, a dedicated Observability Vault, and include the necessary groups and policies to manage native observability, along with the previously mentioned NSGs
+
+<img src="../images/ATP_GLOBAL.png" height="300" align="center">
+
+&nbsp; 
+
+**LOCAL APPROACH**
+
+Customers with simpler infrastructures, using a single OE and fewer environments, may choose to deploy dedicated Private Endpoints (PEs) for each environment. This approach is often preferred when there is a dedicated monitoring team for each environment.
+
+In a **local approach**, DMA/OPS PEs and the ATP PE will reside in the same database subnet (ssn-fra-lzp-p-db), and the nsg-lzp-p-projects-mon-pe-db1 NSGs will allow communication between them.
+  
+In this case, a dedicated Environment Observability platform compartment, a dedicated Observability Vault, along with the necessary groups and policies to manage native observability, will be included, in addition to the previously mentioned NSGs.
+
+<img src="../images/ATP_LOCAL.png" height="300" align="center">
+  
+Private endpoints will be placed in the observability compartments, accessing the required subnets.
+
+During the process of enabling Database Management or Operation Insights in an Autonomous Database, the user and password will be required. These credentials must be stored as secrets in a dedicated Vault within the shared security compartment. All necessary policies to access the secret are already included in the add-on.
+
+> [!WARNING]  
+> You can create the Private Endpoint in the same VCN or a different VCN. Please disregard the information stated in the [Database Management documentation](https://docs.oracle.com/en-us/iaas/database-management/doc/create-database-management-private-endpoint-adb.html#GUID-EBA1A30F-96E9-412D-836F-5ED57FC74D99) or [Operations Insights documentation](https://docs.oracle.com/en-us/iaas/operations-insights/doc/create-private-endpoint.html).
+>
+> There is a limitation: only one Private Endpoint can be created per VCN.
+&nbsp; 
+
+
+## Implementation
+
+Our add-on template includes all the necessary components, such as CMP, groups, a dedicated monitoring Vault, policies, and NSGs, to enable Database Management and Operations Insights.
+
+Follow these steps to extend your Landing zone:
+
+**Step 1**. 
+
+(Prerequisite) Deploy ONE-OE landing Zone. You can follow next [steps](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/tree/master/blueprints/one-oe/runtime/one-stack).
+
+<img src="../images/ONE-OE.png" height="850" align="center">
+
+&nbsp; 
+
+**Step 2**. 
+
+Enable Observability adding this Add-on, use the ATP JSONs files provided in this asset. To check step by step how to do it check [here](./Implementation_addon_steps.md).
+
+<img src="../images/OBS_ADDON.png" height="600" align="center">
+
+&nbsp; 
+
+Now, the landing zone is ready to proceed with the necessary steps to enable the observability services. Follow these [steps](./steps_to_enable_DMA_OPSI.md).
+
+&nbsp; 
+
+# License
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE.txt) for more details.