Merge pull request #264 from oracle-devrel/LZ_17072023

LZ initial version

Author: AlexanderHodicke

landing-zones/README.md

@@ -1,11 +1,44 @@
-# Landing Zones
+# LANDING ZONE FRAMEWORK
+
+  
+
+
+Welcome to the **Landing Zone Framework (LZF)**. 
+
+The LZF is a set of assets that aim to **simplify the OCI onboarding experience** and **reduce OCI day-one and day-two efforts**. It provides **best practices**, and approaches covering the complete spectrum of OCI landing zones, from the **Standards** ones with the CIS LZ and OELZ to the **Tailored** approaches with IaC configurations.  
+  
+
+
+| APPROACH  |  DESCRIPTION | ASSET  |  
+|---|---|:---:|
+| <a href="/landing-zones/standard_landing_zones/standard_landing_zones.md" ><img src="images/slz.png" alt= “” width="600" height=""></a>  | A standard landing zone is a **prescribed** approach to landing zones with a **guided setup** by the user, using an **existing IaC solution**. This is the recommended approach for initial landing zone deployments covering the most-common workload scenarios.  | **[VIEW](/landing-zones/standard_landing_zones/standard_landing_zones.md)** | 
+| <a href="tailored_landing_zones/tailored_landing_zones.md" ><img src="images/tlz.png" alt= “” width="600" height=""> </a>  | A tailored landing zone is a solution to **fit specific requirements** when the standard approach is not enough. It's an **IaC configuration-driven** approach, simple to set up, and is normally used to bridge with existing operating models, with fine-grained segregations of duties, strong network isolation, and heterogeneous workloads, among others.  |  **[VIEW](/landing-zones/tailored_landing_zones/tailored_landing_zones.md)** |   |  
+&nbsp; 
+
+If you're starting with landing zones, we recommend the following **decision process**:
+1. Start with the **standard** approach as they're full of best practices.
+2. If it needs adjustments or **extensions** on top of the prescribed design, customize it by code or manually. 
+3. If the design requires **structural changes** to the standard landing zone and a **scalable operating model**, use the **tailored** approach with IaC configuration (json/hcl).
+
+&nbsp; 
+
+The following support assets are also available for a better OCI experience:
+- [Resource Namining Conventions](/commons/resource_naming_conventions.md)
+- [User Identity Management](/commons/user_identity_management.md)
+- [Budgets and Tagging](/commons/budgets_and_tagging.md)
+
+
+&nbsp; 
+
+&nbsp; 
+
+
 
-With Landing Zones, we simplify the OCI onboarding experience and reduce OCI day-one and day-two efforts. We provide Landing Zone assets, best practices, and approaches covering the complete spectrum of OCI landing zones, from the standards ones with the CIS LZ and OELZ to the most strategically tailored design with IaC.
 
 # License
 
 Copyright (c) 2023 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
-See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/folder-structure/LICENSE) for more details.
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

landing-zones/commons/budgets_and_tagging.md

@@ -0,0 +1,60 @@
+# BUDGETS AND TAGGING
+
+## 1. Tagging
+
+OCI Tagging allows you to assign **key:value** pairs to resources and use these assigned tags for the purpose of organizing and listing resources, based on requirements. Tagging can be used for organizing/listing resources, cost-tracking, and access control purposes. There are two ways for you to add tags to resources. Each approach offers a different type of tag for you to work with:
+
+- **Defined tags**: tag administrators manage resource metadata.
+- **Free-form tags**: unmanaged metadata applied to resources by users (these are out of scope)
+
+**Cost tracking** is a feature available with defined tags. This feature is currently only relevant for use with **Budgets**.
+
+Tags are grouped into **Tag Namespaces** which are a container for tag keys. They consist of a name and zero or more tag key definitions. Tag namespaces are not case-sensitive and must be unique across the tenancy. The namespace is also a natural grouping to which administrators can apply policy. One policy on the tag namespace applies to all the tag definitions contained within that namespace.
+
+Below are some service limitations with respect to using tags:
+
+- Tags per tenancy: unlimited
+- Tags per resource: 10 free-form tags and 64 defined tags
+- Tags enabled for cost-tracking: 10 per tenancy (includes both active and retired tags)
+- Total tag data size: 5 K (JSON). The total tag data size includes all tag data for a single resource (all applied tags and tag values). Sizing is per UTF-8.
+- Number of pre-defined values for a tag key: 100 per list
+  
+### 1.2 Design and Usage of Defined Tags 
+
+The design and usage of defined tags are customers, business, and even OE-specific. It must be designed and used that matches the customer's nomenclature and values.
+
+Defined tags can be assigned to resources and used in policy statements or Cloud Guard recipes.
+
+Defined tags can be applied to Terraform configurations at any time. They are considered updates to existing resources and will not trigger any recreation of these.
+
+  
+## 2. Budgets
+
+Budgets can be used to set limits on OCI spending (i.e., Quotas). You can set alerts on your budget to inform you when you are close to exceeding your budget. The budgets and spending are available directly from the OCI console.
+
+Budgets are set on a cost-tracking tags or compartment basis and allow the tracking of all spending in that cost-tracking tag or for the compartment and its child compartments. A monthly threshold is defined for OCI spending and email alerts can be defined to get sent out for the respective budget. Alerts are evaluated every hour in most regions and can be triggered when the actual or forecasted spending hits either a percentage of the budget or a specified set amount.
+
+In addition, automation can be created for Budgets with the use of Events Service.
+
+  
+### 2.1 Budget Control and Billing
+
+For budget control and billing two approaches are recommended:
+
+- Tenancy-global to identify unauthenticated usage
+- Landing Zone structure specific
+  
+
+While the tenancy-global budget control applies to the overall average consumption, the landing zone compartment structure enables the creation of budgets to set soft limits on OCI tenancy spending, by shared elements, operating entities, departments, projects, etc. With budget control, the available budget can be controlled using quotas and also trigger alarms when unusual costs occur.
+
+Budget control and billing is a global task for every tenancy, and since it's a generic OCI topic not specific to any landing zone, it is not described in this asset. 
+
+  
+  
+# License
+
+Copyright (c) 2023 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

landing-zones/commons/resource_naming_conventions.md

@@ -0,0 +1,118 @@
+# RESOURCE NAMING CONVENTIONS
+
+  
+
+## 1. Introduction
+
+A resource naming convention helps to identify resources, their type, and location by the name, quickly. If you don't have any naming convention in place, we recommend the following Resource Naming Convention:
+
+- Segments of the name are separated by "-".
+- Within a name segment avoid using <space> and ".".
+- Where possible intuitive/standard abbreviations should be considered (e.g., use "shared" instead of "shared.cloud.team").
+- When referring to the compartment fully qualified compartment path, use ":" as a separator, e.g. cmp-shared:cmp-security
+
+Examples of names are:
+- cmp-shared
+- cmp-<workload>
+- cmp-networking
+
+The patterns used for the names are:
+- <resource-type>-<environment>-<location>-<purpose>
+  <resource-type>-<environment>-<source-location>-<destination-location>-<purpose>
+- <resource-type>-<entity/sub-entity>-<environment>-<function/department>-<project>-<custom>
+
+  
+
+## 2. List of Resource Types
+
+
+| RESOURCE TYPE  |  ABREVIATION | 
+|---|---|
+| Agent | agt | 
+| Alarm | al |
+| API Gateway |apigw |
+| Autonomous Container Database (Dedicated) | adbc 
+| Autonomous Database (Transaction Processing) | atp 
+| Autonomous Data Warehouse | adw 
+| Autonomous Exadata Infrastructure | aei 
+| Autonomous JSON Database | ajd 
+| Autonomous Database with APEX | apx 
+| Bastion Service | bst |
+| Bucket | bkt |
+| Block Volume | blk |
+| Cloud Guard Recipe (cloned) | cg-act, cg-cfg|
+| Cloud Guard Responder (cloned) | cg-rsp |
+| Cloud Guard Target | cg-tgt |
+| Compartment | cmp |
+| Container Repository | cir |
+| Customer Premise Equipment | cpe |
+| Database on VM | db |
+| Database Backup | dbb |
+| Database Backup Destination | dbbd |
+| Database Connection | dbc |
+| Database Home | dbh |
+| Database Key Store | dks |
+| Database Node | dbn |
+| Database Pluggable Database | pdb |
+| Database Server | dbs |
+| Database Software Image | dbi |
+| Database System | dbsys |
+| DNS Endpoint Forwarder | dnsepf |
+| DNS Endpoint Listener | dnsepl |
+| Dynamic Group | dgp |
+| Dynamic Routing Gateway | drg |
+| Dynamic Routing Gateway Attachment | drgatt |
+| Event Rule | rul |
+| ExaCS Infrastructure | ecsi |
+| ExaCS VMCluster Cloud | ecsvmc |
+| Exadata Cloud@Customer Infrastructure | ecci |
+| Exadata Cloud@Customer VMCluster | eccvmcls |
+| Exadata Cloud@Customer Operator Control | eccop |
+| Exadata Cloud@Customer Operator Control Assignment | eccopasgn |
+| Exadata Cloud@Customer Operator Control Access Request | eccopreq |
+| External Database | edb |
+| External Container Database | edbc |
+| External Pluggable Container Database | epdb |
+| External Non-Container Database | edbn |
+| External Database Connector | edbc |
+| Fast Connect | fc# <# := 1...n> |
+| File Storage | fss |
+| Function | fun |
+| Group | grp |
+| Internet Gateway | igw |
+| Load Balancer | lb |
+| Location (Three-letter region code)| ams, fra, etc. |
+| Log | log |
+| Log Groups | lgrp |
+| NAT Gateway | nat |
+| Network Security Group | nsg |
+| Notification Topic | nott |
+| Managed key | key |
+| OCI Function Application | fn |
+| Object Storage Bucket | bkt |
+| Policy | pcy |
+| Routing Table | rt |
+| Secret | sec |
+| Security List | sl |
+| Security Zone Recipe | sz-rcp |
+| Security Zone Target | sz-tgt |
+| Service Gateway | sgw |
+| Service Connector Hub | sch |
+| Stream | str |
+| Subnet | sub |
+| Tenancy | tcy |
+| Vault | vlt |
+| Virtual Cloud Network | vcn |
+| Virtual Machine | vm |
+| Vulnerability Scanning Recipe - Container | vss-recc |
+| Vulnerability Scanning Recipe - Host | vss-rech |
+| Vulnerability Scanning Target | vss-tgt |
+
+  
+# License
+
+Copyright (c) 2023 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.

landing-zones/commons/select_your_solution.pdf

@@ -0,0 +1,79 @@
+# USER IDENTITY MANAGEMENT
+
+## 1. Introduction
+
+Like in every environment, OCI has users who work with the platform or the services provisioned on it. For life cycle management these are often managed by dedicated user identity management platforms already in place at the customer's enterprise environment.
+
+Depending on the role, each user (or persona) plays, different processes are used to maintain their status and permissions.
+
+This pattern explains the personas and related processes.
+
+Before you start, take into account these considerations:
+- Never share accounts between users.
+- Never share passwords between users.
+- Never create shared accounts for tenancy global administration.
+- Never trust your password.
+
+  
+## 2. User Personas
+
+### 2.1 OCI Platform Administrator
+  
+| TYPE  |  DESCRIPTION | USER TYPE | RESPONSIBILITIES | CAPABILITIES | LIFE CYCLE | OCI GROUP MEMBERSHIP | FEDERATED | DOMAIN | 
+|---|---|---|---|---|---|---|---|---|
+| Emergency User | A dedicated group of users that are able to maintain the tenancy when nothing else works. | Human users only | - Not for daily business. <br> - Bootstrapping of Emergency Users, Federation, and Provisioning of Groups and Users. Initial Group and Policy Setup. <br>- Resolve operational issues which cannot be handled by other personas. <br>- Allowed user capabilities (sage of any user capability (apart from the local password) is prohibited! | Local password | Manual, documented process (see implementation example) | Administrators | No | Default
+Administrators |  Dedicated groups of users to manage the OCI platform resources on a daily business. Groups for specific resource types should be used to implement proper segregation of duties. | Human users | - For daily business. <br> - Resource-specific groups to maintain OCI resources. | API Keys, Auth Keys, SMTP Credentials, Customer Secret Keys, OAuth 2.0 Client Credentials | Through user provisioning where the customer identity management system is the source of truth. | | Yes | Default |
+| CI/CD process | Dedicated group for automation of OCI resource management. | Non-human user | For daily business. Several CI/CD users are for distinct tasks, i.e., one for the common tenancy configuration, and one per OE, are possible. | API Keys | Through user provisioning where the customer identity management system is the source of truth. | DevOps group(s) | Yes | Default | 
+| Auditors | A single dedicated group with read-only access to all OCI resources. | Human users<br> Non-human user | For daily business. | API Keys | Through user provisioning where the customer identity management system is the source of truth. | Auditors group | Yes | Default |
+&nbsp; 
+&nbsp; 
+
+### 2.2 Workload User
+
+| TYPE  |  DESCRIPTION | USER TYPE   | LIFE CYCLE | OCI GROUP MEMBERSHIP | FEDERATED | DOMAIN | 
+|---|---|---|---|---|---|---|
+| OS User | A user working in the VM as an OS user. Permissions are granted at the OS level. <br> *Not related to any OCI groups and policies.* | Root users <br>Human users  | If possible, through user provisioning where customer identity management system is the source of truth. | N/A | Optional | Not required<br> Dedicated | 
+| Database User | A user working in a database using a database schema user. Permissions are granted within the database. <br>*Not related to any OCI groups and policies.* | DBAs, Admin users<br>Schema users  | If possible, through user provisioning where customer identity management system is the source of truth. | N/A | Optional | Not required<br> Dedicated | 
+| Application User | A user working in an application. <br>*Not related to any OCI groups and policies.*  | Application Administrators<br>Application Users<br>Backplane processes  | If possible, through user provisioning where the customer identity management system is the source of truth. | N/A | Optional | Not required<br> Dedicated | 
+| PaaS User | A user working in PaaS services. <br>*Not related to any OCI groups and policies.*  | PaaS-related user types | If possible, through user provisioning where the customer identity management system is the source of truth. | N/A | Optional | Dedicated | 
+
+&nbsp; 
+
+## 3. Identity Federation
+
+Identity Federation will be handled by the respective Identity Domain. Implementation steps depend on the product used by the customer and are listed in the OCI platform user guide:
+
+- [SSO Between OCI Microsoft Azure](https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/azure_ad/sso_azure/azure_sso.htm)
+- [SSO With OCI and Okta](https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/okta/sso_okta/sso_okta.htm)
+- [Federating with Identity Providers](https://docs.oracle.com/en-us/iaas/Content/Identity/federating/federating_section.htm)
+
+&nbsp; 
+## 4. Identity Provisioning
+
+Identity Provisioning is the sibling part of the Identity Federation setup. Identity Federation requires user identities that are provisioned by Identity Provisioning. This includes the whole life cycle of the process (joiners/movers/leavers). When a user access has been revoked (leavers/movers) the related user capabilities will be removed automatically.
+
+Implementation Steps depend on the product used by the customer. It is highly recommended to use SCIM-based automation.
+
+The OCI platform user guide provides detailed steps for these products:
+
+- [Identity Lifecycle Management Between OCI IAM and Azure AD](https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/azure_ad/lifecycle_azure/azure_lifecycle.htm)
+- [Identity Lifecycle Management Between OCI and Okta](https://docs.oracle.com/en-us/iaas/Content/Identity/tutorials/okta/lifecycle_okta/okta-lifecycle.htm)
+
+&nbsp; 
+
+## 5. Emergency or Break Glass Process
+
+Emergency or Break Glass users are not intended for daily business but for rare emergency use cases when nothing else works anymore, i.e., no federation, no connectivity to third-party environments, etc. They are tenancy local users authenticated with multi-factor authentication (MFA) and adaptive security control.
+
+This section will be updated soon.
+
+&nbsp; 
+&nbsp; 
+
+# License
+
+Copyright (c) 2023 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.