diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..e65f3b46
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+/workload-extensions/oci-lz-ext-ocvs/ @hrvolapeter
\ No newline at end of file
diff --git a/workload-extensions/oci-lz-ext-ocvs/README.md b/workload-extensions/oci-lz-ext-ocvs/README.md
new file mode 100644
index 00000000..b58a208f
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/README.md
@@ -0,0 +1,202 @@
+# **OCVS Landing Zone Extension**
+## **Table of Contents**
+- [**1. Introduction**](#1-introduction)
+- [**2. Design Overview**](#2-design-overview)
+- [**3. Security View**](#3-security-view)
+ - [**3.1 Compartments**](#31-compartments)
+ - [**3.2 Groups**](#32-groups)
+ - [**3.4 Policies**](#34-policies)
+- [**4. Network View**](#4-network-view)
+ - [**4.1 VCNs**](#41-vcns)
+ - [**4.2 Subnets**](#42-subnets)
+ - [**4.3 Route Tables (RTs)**](#43-route-tables-rts)
+ - [**4.4 Security Lists (SLs)**](#44-security-lists-sls)
+ - [**4.5 Gateways**](#45-gateways)
+ - [**4.5.1 Dynamic Routing Gateway (DRGs) Attachments**](#451-dynamic-routing-gateway-drgs-attachments)
+ - [**4.5.2 Service Gateway (SGs)**](#452-service-gateway-sgs)
+- [**5. Runtime View**](#5-runtime-view)
+
+
+
+
+## **1. Introduction**
+Welcome to the **OCVS Landing Zone Extension**.
+
+The OCVS Landing Zone (LZ) Extension is a secure cloud environment, designed with best practices to simplify the onboarding of OCVS workloads and enable the continuous operations of their cloud resources. This reference architecture provides an automated landing zone **configuration**.
+
+
+
+## **2. Design Overview**
+| ID | DOMAIN | DESCRIPTION |
+| ----- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **1** | **General** | - [One-OE](../../one-oe/) LZ deployed as a foundation. - The OCVS LZ Extension will extend the One-OE LZ and add OCVS Workloads example. |
+| **2** | **Tenancy Structure** | Extend the standard landing zone compartment structure with additional compartments for OCVS-related resources: - Parent OCVS compartment.- OCVS Load Balancer.- Software defined data center (SDDC). |
+| **3** | **Groups & Policies** | Additional groups and associated policies are deployed to manage OCVS compartment resources. |
+| **4** | **Network Structure** | Additional VCNs and related elements will be added - to segregate OCVS deployment as a Spoke extensions to the OneOZ LZ Hub. |
+| **5** | **Runtime** | - There are be **three deployment steps** to provision this landing zone: **(1)** The One-OE LZ will be used as an initial setup and **(2)** extended with the OCVS LZ Extension Runtime configurations. Additional **(3)** manual configuration tasks are also required to complete the setup. - Note that the **'Operation/(OP)**' column on the next sections identifies the three moment in time when OCI resources are created.
- For more details refer to the [Runtime](#5-runtime-view) section. |
+
+
+
+
+## **3. Security View**
+
+
+### **3.1 Compartments**
+
+The OCVS LZ Extension includes the following compartments:
+> [!NOTE]
+> Compartments help you organize and control access to your resources. A compartment is a collection of related resources (such as cloud networks, compute instances, or block volumes) that can be accessed only by those groups that have been given permission by an administrator in your organization.
+
+
+
+
+
+The following table provides details on the compartments presented above, their level of deepness in the tenancy, and objectives.
+
+| ID | OP | LEVEL | NAME | OBJECTIVES |
+| ------ | ----- | ----- | ------------------------ | ---------------------------------------------- |
+| CMP.00 | OP#01 | 0 | cmp-lzp-p-platform-ocvs | Parent for all OCVS resources |
+| CMP.01 | OP#01 | 1 | cmp-p-platform-ocvs-lb | Holds OCVS Load Balancers |
+| CMP.02 | OP#01 | 1 | cmp-p-platform-ocvs-sddc | Contains software defined datacenter resources |
+
+
+
+### **3.2 Groups**
+The OCVS LZ Extension includes the following groups.
+
+> [!NOTE]
+> In OCI Identity and Access Management, groups are the links between user accounts and applications.
+
+| ID | OP | NAME | OBJECTIVES |
+| ------ | ----- | -------------------------- | ------------------------------------------- |
+| GRP.00 | OP#01 | grp-p-platform-ocvs-admins | Group for managing VMWare related resources |
+
+
+
+### **3.4 Policies**
+The OCVS LZ Extension includes the following policies:
+
+> [!NOTE]
+> A Policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. A policy simply allows a group to work in certain ways with specific types of resources in a particular compartment
+
+| ID | OP | NAME | OBJECTIVES |
+| ------ | ----- | -------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| POL.00 | OP#01 | pcy-p-platform-ocvs-admins | Policy granting permissions for administering OCVS related resources to the *grp-p-platform-ocvs-admins* group |
+
+
+
+## **4. Network View**
+The following diagram presents the network structure of the OCVS LZ Extension.
+
+
+
+
+
+
+### **4.1 VCNs**
+The following table describes the deployed VCNs.
+
+> [!NOTE]
+> A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN.
+
+| ID | OP | NAME | OBJECTIVES |
+| ------ | ----- | -------------- | ---------------------------------- |
+| VCN.00 | OP#01 | vcn-fra-p-ocvs | Spoke VCN dedicated to OCVS set-up |
+
+
+
+### **4.2 Subnets**
+The following table describes the deployed Subnets.
+
+> [!NOTE]
+> You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
+
+> [!IMPORTANT]
+> OCVS utlizies VLANs instead of subnets. VLANs are set-up in [OP.02](./op02-ocvs-setup/)
+
+| ID | OP | NAME | OBJECTIVES |
+| ----- | ----- | ---------------- | ------------------------- |
+| SN.00 | OP#01 | sn-fra-p-ocvs-lb | OCVS Load Balancer subnet |
+
+
+### **4.3 Route Tables (RTs)**
+The following table describes the deployed Route Tables.
+
+> [!NOTE]
+> A collection of RouteRule objects, which are used to route packets based on destination IP to a particular network entity.
+
+| ID | OP | NAME | OBJECTIVES |
+| ----- | ----- | ------------------ | ------------------------------------- |
+| RT.00 | OP#01 | rt-01-p-ocvs-vcn-l | OCVS Load Balancer subnet route table |
+
+
+
+### **4.4 Security Lists (SLs)**
+The following table describes the deployed Security Lists (SLs).
+
+> [!NOTE]
+> A security list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that the security list is associated with. This means that all the VNICs in a given subnet are subject to the same set of security lists
+
+| ID | OP | NAME | OBJECTIVES |
+| ----- | ----- | ------------------- | --------------------------------------- |
+| SL.00 | OP#01 | sl-01-p-ocvs-vcn-lb | OCVS Load Balancer subnet security list |
+
+
+
+### **4.5 Gateways**
+#### **4.5.1 Dynamic Routing Gateway (DRGs) Attachments**
+The following tables describe the deployed DRG Attachments.
+> [!NOTE]
+> A DRG attachment serves as a link between a DRG and a network resource. A DRG can be attached to a VCN, IPSec tunnel, remote peering connection, or virtual circuit. For more information, see Overview of the Networking Service.
+
+
+| ID | OP | NAME | OBJECTIVES |
+| ------- | ----- | ------------------------- | -------------------------------------------- |
+| DRGA.00 | OP#02 | ocvs-vcn-p-drg-attachment | DRG Attachment for the OCVS spoke to the hub |
+
+
+#### **4.5.2 Service Gateway (SGs)**
+The following table describes the proposed Service Gateways.
+
+> [!NOTE]
+> A service gateway lets your virtual cloud network (VCN) privately access specific Oracle services without exposing the data to the public internet. No internet gateway or NAT gateway is required to reach those specific services. The resources in the VCN can be in a private subnet and use only private IP addresses.
+
+| ID | OP | NAME | OBJECTIVES |
+| ----- | ----- | ------------- | -------------------- |
+| SG.00 | OP#01 | sg-fra-p-ocvs | SG in the OCVSS VCN. |
+
+
+
+## **5. Runtime View**
+
+
+This chapter presents the OCVS LZ Extension operations scenarios.
+
+The operations scenarios are one of the most important elements of this design, as they represent the use cases and its key activities on the OCVS LZ Extension that create or update resources.
+
+An operation scenario is normally triggered by a service request, on a ticketing system. In a more formal definition, it should be seen as an operational process, which is a set of correlated activities executed as one unit of work, with its own frequency. The owner of each scenario will be the cloud operations team which has associated OCI Groups and Policies that allow the management of those resources.
+
+
+
+The OCVS LZ Extension has three operation scenarios described in the following table.
+
+
+
+| OP. ID | OPERATION SCENARIOS DESCRIPTION | TIME EFFORTS |
+| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
+| **[OP. ID.00](../../one-oe/)** | **Deploy One-OE Landing ZOne**. Cover Core network resources (Hub VCN), Core IAM resources (compartments, group, policies), and security services. | **< 1h** |
+| **[OP. ID.01](./op01-ocvs-workload-extension/)** | **Deploy OCVS extension**. Include OCVS network resources (Spokes VCNs, Table Routes, Security Lists) and IAM OCVS resources (Groups, Policies). | **< 30m** |
+| **[OP. ID.02](./op02-ocvs-setup/)** | **OCVS Setup** | **< 15m** (excluding deployment time) |
+| **[OP. ID.03](./op03-postop-lb/)** | **Provision LB for OCVS (optional) Cleanup** | **< 15m** |
+
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
diff --git a/workload-extensions/oci-lz-ext-ocvs/diagrams/compartments.png b/workload-extensions/oci-lz-ext-ocvs/diagrams/compartments.png
new file mode 100644
index 00000000..5bc23576
Binary files /dev/null and b/workload-extensions/oci-lz-ext-ocvs/diagrams/compartments.png differ
diff --git a/workload-extensions/oci-lz-ext-ocvs/diagrams/network.png b/workload-extensions/oci-lz-ext-ocvs/diagrams/network.png
new file mode 100644
index 00000000..a216325e
Binary files /dev/null and b/workload-extensions/oci-lz-ext-ocvs/diagrams/network.png differ
diff --git a/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/README.md b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/README.md
new file mode 100644
index 00000000..3b6ac27d
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/README.md
@@ -0,0 +1,193 @@
+# OP.01 - Manage OCVS Landing Zone Extension
+
+## **Table of Contents**
+
+- [**1. Summary**](#1-summary)
+- [**2. Setup IAM Configuration**](#2-setup-iam-configuration)
+ - [**2.1. Compartments**](#21-compartments)
+ - [**2.2 Groups**](#22-groups)
+ - [**2.3 Policies**](#23-policies)
+- [**3. Setup Network Configuration**](#3-setup-network-configuration)
+- [**4. Run with ORM**](#4-run-with-orm)
+- [**5. Run with Terraform CLI**](#5-run-with-terraform-cli)
+ - [**5.1 Setup Terraform Authentication**](#51-setup-terraform-authentication)
+ - [**5.2 Clone this Git repo to your Machine**](#52-clone-this-git-repo-to-your-machine)
+ - [**5.3 Clone the orchestrator Git repo to your Machine**](#53-clone-the-orchestrator-git-repo-to-your-machine)
+ - [**5.4 Change the Directory to the Terraform Orchestrator Module**](#54-change-the-directory-to-the-terraform-orchestrator-module)
+ - [**5.5 Run ```terraform init```**](#55-run-terraform-init)
+ - [**5.6 Run ```terraform plan```**](#56-run-terraform-plan)
+ - [**5.7 Run ```terraform apply```**](#57-run-terraform-apply)
+
+
+
+
+## **1. Summary**
+
+| | |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **OP. ID** | OP.01 |
+| **OP. NAME** | OCVS Landing Zone Extension |
+| **OBJECTIVE** | Provision OCI OCVS Landing Zone IAM and Network Extensions. |
+| **TARGET RESOURCES** | - **Security**: Compartments, Groups, Policies- **Network**: Spoke VCNs, Route tables, Security Lists |
+| **IAM CONFIGURATION** | [oci_open_lz_one-oe_identity.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json) |
+| **NETWORK CONFIGURATION** | [oci_open_lz_one-oe_network.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json) |
+| **PRE-ACTIVITIES** | Execute [OP.00. Deploy OneOE LZ](../../../one-oe/) |
+| **POST-ACTIVITIES** | Execute [OP.02 Manual Changes](/workload-extensions/oci-lz-ext-ocvs/op02-ocvs-setup) |
+| **RUN OPERATION** | Use [ORM](#4-run-with-orm) or use [Terraform CLI](#5-run-with-terraform-cli). |
+
+
+
+
+## **2. Setup IAM Configuration**
+
+For configuring and running the OneOE Landing Zone OCVS extension Identity Layer use the following JSON file: [oci_open_lz_one-oe_identity.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json) You can customize this configuration to fit your exact OCI IAM topology.
+
+This configuration file covers three categories of resources described in the next sections.
+
+This configuration file requires changes to reference the OCIDs of the OneOE Landing Zone resources which were deployed in [OP.00. Deploy OneOE LZ](../../../one-oe/) step.
+Search for the values indicated below and replace with the correct OCIDs:
+
+| Resource | OCID Text to Replace | Description |
+| ------------------------- | --------------------------------- | ---------------------------------- |
+| Prod Platform Compartment | \ | The prod platform compartment OCID |
+
+
+
+### **2.1. Compartments**
+
+The diagram below identifies the compartments in the scope of this operation.
+
+
+
+
+
+The OCVS extension provisions 3 compartments. Parent OCVS platform compartment is created as an *example* in the platform compartment inside the **production environment**. The other 2 compartments LB and SDDC are created as nested children in the OCVS comparmetn.
+
+OneOE Landing Zones defines multiple instances of platform compartment. Platform comparment is created **for each environement**, and **one shared** platform for resources spanning multiple environments.
+
+Using this extension requires choosing the right platform for the use cases. Extension can be modified to provision multiple instances of the delpoyment. For customizations see the full [compartment resource documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/compartments).
+
+
+
+### **2.2 Groups**
+As part of the deployment the following groups are created in the [Default Identity Domain](https://docs.oracle.com/en-us/iaas/Content/Identity/domains/overview.htm):
+| Group | Description |
+| -------------------------- | ------------------------------------------------------------------------- |
+| grp-p-platform-ocvs-admins | Members of the group are able to administer OCVS and accompained services |
+
+For customizations see the full [group resoruce documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/groups)
+
+
+
+### **2.3 Policies**
+As part of the deploymnet the following policies are created:
+| Policy | Description | Manage resources | Use resources | Inspect resources |
+| -------------------------- | ------------------------------------------------------- | ---------------------------- | ------------------------------- | ----------------- |
+| pcy-p-platform-ocvs-admins | Grants group *pcy-p-platform-ocvs-admins* perminssions. | OCVS, Compute instances, VCN | NSG, Subnets, VNICs, IPs, VLANs | Security Lists |
+
+Policies contain compartment paths. The paths can change based on the modification in the previous [Compartments](#21-compartments) section. The paths need to be updated following the OCI [Policies and Compartment hierarchy](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policies.htm#hierarchy).
+
+For customizations see the full [policy resource documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/policies)
+
+
+
+## **3. Setup Network Configuration**
+
+For configuring and running the OneOE LZ OCVS extension Network layer use the following JSON file: [oci_open_lz_one-oe_network.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json)
+
+This configuration file will require changes to the resources to reference the OCIDs of the OneOE Landing Zone.
+Search for the values indicated below and replace with the correct OCIDs:
+
+| Resource | OCID Text to Replace | Description |
+| ------------------------ | -------------------------------- | ---------------------------------------------------------------- |
+| Prod Network Compartment | \ | The OCID of the Prod Network Compartment deployed in step OP.00. |
+| Hub DRG | \ | The OCID of the DRG in Hub deployed in step OP.00. |
+| Hub DRG Route Table | \ | The OCID of Route table in DRG |
+
+This configuration covers the following networking diagram.
+
+
+
+
+
+
+
+For customization of the pre-defined setup please refer to the [Networking documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking) for documentation and examples.
+
+The network layer covers the following resources:
+
+1. Spoke VCN - one Spoke VCN for OCVS platform
+2. Subnets - one Subnet for Load Balancers
+3. Gateway - Service Gateway to access OCI services
+4. Security List - Security list for Load Balancers allowing all ingress/egress
+5. Route Tables - One for Service Gateway, and a default route for routing all trafic through the central hub
+6. DRG Attachment - Connect spoke with the central Hub
+
+
+
+## **4. Run with ORM**
+
+| STEP | ACTION |
+| ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **1** | [](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/terraform-oci-landing-zones-orchestrator/archive/refs/tags/v2.0.0.zip&zipUrlVariables={"input_config_files_urls":"https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json,https://raw.githubusercontent.com/oracle-quickstart/terraform-oci-open-lz/master/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json"}) |
+| **2** | Accept terms, wait for the configuration to load. |
+| **3** | Set the working directory to “orm-facade”. |
+| **4** | Set the stack name you prefer. |
+| **5** | Set the terraform version to 1.2.x. Click Next. |
+| **6** | Update with the links to your IAM and Network configurations (OCI Object Storage is recommended) Click Next. |
+| **7** | Un-check run apply. Click Create. |
+
+
+
+## **5. Run with Terraform CLI**
+### **5.1 Setup Terraform Authentication**
+For authenticating against the OCI tenancy terraform execute the following [instructions](common_terraform_authentication.md).
+### **5.2 Clone this Git repo to your Machine**
+```
+git clone git@github.com:oracle-quickstart/terraform-oci-open-lz.git
+```
+### **5.3 Clone the orchestrator Git repo to your Machine**
+Cloning the latest version:
+```
+git clone git@github.com:oracle-quickstart/terraform-oci-landing-zones-orchestrator.git
+```
+### **5.4 Change the Directory to the Terraform Orchestrator Module**
+Change the directory to the *terraform-oci-landing-zones-orchestrator* Terraform orchestrator module.
+### **5.5 Run ```terraform init```**
+Run ```terraform init``` to download all the required external terraform providers and Terraform modules.
+### **5.6 Run ```terraform plan```**
+Run ```terraform plan``` with the IAM and Network configuration.
+```
+terraform plan \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci-credentials.tfvars.json \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json
+```
+
+After the execution please analyze the output of the command above and check if it corresponds to your desired configuration.
+
+Note that the ```terraform.tfstate``` file is generated in the configuration location and not in the terraform code location. This is the expected configuration as the terraform automation can support any number of configurations and the **state file** will belong to the configuration and not to the code.
+
+The ideal scenario regarding the **state file** will be for each configuration to have a corresponding OCI Object Storage location for the state file. For more details on the Terraform state file recommended configuration please refer to the following [documentation](https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/terraformUsingObjectStore.htm).
+
+### **5.7 Run ```terraform apply```**
+Run terraform plan with the IAM and Network configuration. After its execution the configured resources will be provisioned or updated on OCI.
+```
+terraform apply \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci-credentials.tfvars.json \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json \
+-var-file ../terraform-oci-open-lz/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json
+```
+You can proceed to [OP.02 OCVS Set-up](../op02-ocvs-setup/).
+
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
diff --git a/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/common_terraform_authentication.md b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/common_terraform_authentication.md
new file mode 100644
index 00000000..dcc2300e
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/common_terraform_authentication.md
@@ -0,0 +1,38 @@
+## Terraform Authentication
+
+For authenticating against the OCI tenancy Terraform needs the following information:
+
+```
+"fingerprint": "",
+"private_key_path": "",
+"tenancy_id": "",
+"user_id": "",
+"region": "",
+"private_key_password": ""
+```
+
+The information above can be collected from the OCI Console by following the instructions below:
+
+- Make sure that you have an **OCI API key setup**:
+ - See https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm for directions on creating an API signing key.
+ - See https://docs.oracle.com/iaas/Content/Identity/Tasks/managingcredentials.htm on how to manage API keys in the OCI UI or API.
+- Copy your **tenancy OCID** (bottom part of OCI screen, after Tenancy OCID: heading),
+- Copy your **OCI user account OCID** (OCI Console > Identity > Users).
+- Copy the required **API key fingerprint** and **private key path** (below).
+- Fill in the full path to the SSH public and private keys (this can be used when creating new instances)
+ - See https://docs.oracle.com/iias/Content/GSG/Tasks/creatingkeys.htm for directions on how to **create this key pair**.
+
+You'll need to make a local (same folder location) copy of the [oci-credentials.tfvars.json.template](shared/oci-credentials.tfvars.json.template) to [oci-credentials.tfvars.json](oci-credentials.tfvars.json.template) and edit the newly created file to provide the collected values above.
+
+The new, edited [oci-credentials.tfvars.json](shared/oci-credentials.tfvars.json.template) file should look similar to the below:
+```
+{
+ "fingerprint": "25:84:69:40:2f:5b:d1:25:0f:eb:f3:41:ee:cb:16:03",
+ "private_key_path": "~/.oci/oci_api_key.pem",
+ "tenancy_ocid": "ocid1.tenancy.oc1....",
+ "user_ocid": "ocid1.user.oc1....",
+ "region": "eu-frankfurt-1",
+ "private_key_password": ""
+}
+```
+
\ No newline at end of file
diff --git a/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci-credentials.tfvars.json.template b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci-credentials.tfvars.json.template
new file mode 100644
index 00000000..52135a99
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci-credentials.tfvars.json.template
@@ -0,0 +1,9 @@
+{
+ "fingerprint": "",
+ "private_key_path": "",
+ "region": "",
+ "tenancy_ocid": "",
+ "user_ocid": "",
+ "region": "",
+ "private_key_password": ""
+}
\ No newline at end of file
diff --git a/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json
new file mode 100644
index 00000000..95f5635d
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json
@@ -0,0 +1,54 @@
+{
+ "compartments_configuration": {
+ "default_parent_id": "",
+ "enable_delete": "true",
+ "compartments": {
+ "CMP-P-PLATFORM-OCVS-KEY": {
+ "name": "cmp-p-platform-ocvs",
+ "description": "oci-oneoe Production environment, Platform OCVS compartment",
+ "freeform_tags": {
+ "oci-open-lz": "oci-oneoe-lzp",
+ "oci-open-lz-cmp": "cmp-p-platform-ocvs"
+ },
+ "children": {
+ "CMP-P-PLATFORM-OCVS-SDDC-KEY": {
+ "name": "cmp-p-platform-ocvs-sddc",
+ "description": "oci-oneoe-customer Production environment, Platform OCVS, SDDC layer",
+ "freeform_tags": {
+ "oci-open-lz": "oci-oneoe-lzp",
+ "oci-open-lz-cmp": "cmp-p-platform-ocvs-sddc"
+ }
+ }
+ }
+ }
+ }
+ },
+ "groups_configuration": {
+ "groups": {
+ "GRP-P-PLATFORM-OCVS-ADMINS": {
+ "name": "grp-p-platform-ocvs-admins",
+ "description": "Landing Zone Prod, Production Environment, OCVS Platform Administrators Group."
+ }
+ }
+ },
+ "policies_configuration": {
+ "supplied_policies": {
+ "PCY-P-PLATFORM-OCVS-ADMINS": {
+ "name": "pcy-p-platform-ocvs-admins",
+ "description": "Policy for Production Environment, OCVS Platform Administrators.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-p-platform-ocvs-admins to manage sddcs in compartment cmp-landingzone-p:cmp-prod:cmp-p-platform:cmp-p-platform-ocvs",
+ "allow group grp-p-platform-ocvs-admins to manage instances in compartment cmp-landingzone-p:cmp-prod:cmp-p-platform:cmp-p-platform-ocvs",
+ "allow group grp-p-platform-ocvs-admins to manage vcns in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to use subnets in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to use vnics in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to use vlans in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to use private-ips in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to inspect security-lists in compartment cmp-landingzone-p:cmp-prod:cmp-p-network",
+ "allow group grp-p-platform-ocvs-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-prod:cmp-p-network"
+ ]
+ }
+ }
+ }
+}
diff --git a/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json
new file mode 100644
index 00000000..77fe052a
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json
@@ -0,0 +1,78 @@
+{
+ "network_configuration": {
+ "default_compartment_id": "",
+ "default_enable_cis_checks": false,
+ "network_configuration_categories": {
+ "OCVS": {
+ "vcns": {
+ "VCN-FRA-P-OCVS-KEY": {
+ "block_nat_traffic": false,
+ "cidr_blocks": [
+ "10.1.24.0/21"
+ ],
+ "display_name": "vcn-fra-p-ocvs",
+ "dns_label": "vcnfrapocvs",
+ "is_ipv6enabled": false,
+ "is_oracle_gua_allocation_enabled": false,
+ "route_tables": {},
+ "default_security_list": {
+ "egress_rules": [],
+ "ingress_rules": [
+ {
+ "stateless": false,
+ "protocol": "ICMP",
+ "description": "ICMP type 3 code 4",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "icmp_type": 3,
+ "icmp_code": 4
+ },
+ {
+ "stateless": false,
+ "protocol": "ICMP",
+ "description": "ICMP type 3",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "icmp_type": 3,
+ "icmp_code": -1
+ }
+ ]
+ },
+ "security_lists": {},
+ "subnets": {},
+ "vcn_specific_gateways": {
+ "service_gateways": {
+ "SG-FRA-P-OVCS-KEY": {
+ "display_name": "sg-fra-p-ocvs",
+ "services": "all-services"
+ }
+ }
+ }
+ }
+ },
+ "non_vcn_specific_gateways": {
+ "inject_into_existing_drgs": {
+ "DRG-KEY": {
+ "drg_id": "",
+ "drg_attachments": {
+ "DRG-VCN-EBS-MGT-KEY": {
+ "defined_tags": null,
+ "display_name": "ocvs-vcn-p-drg-attachment",
+ "drg_route_table_id": "",
+ "network_details": {
+ "attached_resource_id": null,
+ "attached_resource_key": "VCN-FRA-P-OCVS-KEY",
+ "type": "VCN",
+ "route_table_id": null,
+ "route_table_name": null,
+ "vcn_route_type": null
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/workload-extensions/oci-lz-ext-ocvs/op02-ocvs-setup/README.md b/workload-extensions/oci-lz-ext-ocvs/op02-ocvs-setup/README.md
new file mode 100644
index 00000000..fe121856
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op02-ocvs-setup/README.md
@@ -0,0 +1,38 @@
+# OP.02 - OCVS Set-up
+## **Table of Contents**
+- [**1. Summary**](#1-summary)
+- [**2. OCVS Deployment**](#2-ocvs-deployment)
+
+
+
+## **1. Summary**
+
+| | |
+| -------------------- | ----------------------------------------------------- |
+| **OP. ID** | OP.02 |
+| **OP. NAME** | OCVS Set-up |
+| **OBJECTIVE** | Provision OCI OCVS on top of Landing Zone Extensions. |
+| **TARGET RESOURCES** | OCVS |
+
+
+
+## **2. OCVS Deployment**
+1. Navigate to [Software-Defined Data Centers](https://cloud.oracle.com/vmware/sddcs/create) as part of VMWare service in OCI.
+2. Choose a suitable name and as a compartment select *cmp-p-platform-ocvs-sddc*, upload public SSH key.
+3. On the next page, we define clusters. We start by defining a new cluster.
+4. Hosts specification according to your requirements.
+5. On next tab as a VCN choose *vcn-fra-p-ocvs* in the *cmp-p-netowrk* compartment.
+6. Select create new subnet and VLANs.
+7. Provide desired CIDR range for the Cluster Network
+8. Review and finish the set-up
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
diff --git a/workload-extensions/oci-lz-ext-ocvs/op03-postop-lb/README.md b/workload-extensions/oci-lz-ext-ocvs/op03-postop-lb/README.md
new file mode 100644
index 00000000..f2474b40
--- /dev/null
+++ b/workload-extensions/oci-lz-ext-ocvs/op03-postop-lb/README.md
@@ -0,0 +1,111 @@
+# OP.03 - Post-op Load Balancer (optional)
+## **Table of Contents**
+- [**1. Summary**](#1-summary)
+- [**2. Compartments**](#2-compartments)
+- [**3. Network**](#3-network)
+
+
+
+## **1. Summary**
+
+| | |
+| -------------------- | --------------------------------------- |
+| **OP. ID** | OP.3 |
+| **OP. NAME** | Post-op Load Balancer (optional) |
+| **OBJECTIVE** | Provision Load Balancer subnet for OCVS |
+| **TARGET RESOURCES** | VCN, Load Balancer |
+
+This is an optional post deployment operation to provision a Load Balancer Subnet for the OCVS with predefined routing and security rules. Load Balancer subnet can be used for creating Load Balancer for exposing parts of the OCVS either internally or externally.
+
+
+
+## **2. Compartments**
+Provision ocvs-lb compartment by modifying the `oci_open_lz_one-oe_identity.auto.tfvars.json` file to add following in the OCVS children:
+```json
+"CMP-P-PLATFORM-OCVS-LB-KEY": {
+ "name": "cmp-p-platform-ocvs-lb",
+ "description": "oci-oneoe-customer Production environment, Platform OCVS, LB layer",
+ "freeform_tags": {
+ "oci-open-lz": "oci-oneoe-lzp",
+ "oci-open-lz-cmp": "cmp-p-platform-ocvs-lb"
+ }
+}
+```
+
+
+
+## **3. Network**
+Provision LB subnet, routes, security lists by modifing the `oci_open_lz_one-oe_identity.auto.tfvars.json` file to add following parts of configuration.
+
+Route table to path `network_configuration.network_configuration_categories["VCN-FRA-P-OCVS-KEY"].route_tables`
+```json
+"RT-01-P-OCVS-VCN-LB-KEY": {
+ "display_name": "rt-01-p-ocvs-vcn-lb",
+ "route_rules": {
+ "sgw_route": {
+ "description": "Route for sgw",
+ "destination": "all-services",
+ "destination_type": "SERVICE_CIDR_BLOCK",
+ "network_entity_key": "SG-FRA-P-OVCS-KEY"
+ },
+ "drg_route": {
+ "description": "Route to DRG",
+ "destination": "0.0.0.0/0",
+ "destination_type": "CIDR_BLOCK",
+ "network_entity_id": ""
+ }
+ }
+}
+```
+
+Security list to path `network_configuration.network_configuration_categories["VCN-FRA-P-OCVS-KEY"].security_lists`
+```json
+"SL-01-P-OCVS-VCN-LB-KEY": {
+ "display_name": "sl-01-p-ocvs-vcn-lb",
+ "egress_rules": [
+ {
+ "description": "egress to 0.0.0.0/0 over ALL protocols",
+ "dst": "0.0.0.0/0",
+ "dst_type": "CIDR_BLOCK",
+ "protocol": "ALL",
+ "stateless": false
+ }
+ ],
+ "ingress_rules": [
+ {
+ "description": "ingress from 0.0.0.0/0 ALL ports",
+ "protocol": "ALL",
+ "src": "0.0.0.0/0",
+ "src_type": "CIDR_BLOCK",
+ "stateless": false
+ }
+ ]
+}
+```
+
+Subnets to path `network_configuration.network_configuration_categories["VCN-FRA-P-OCVS-KEY"].subnets`
+```json
+"SN-FRA-P-LB-KEY": {
+ "cidr_block": "10.1.28.0/24",
+ "dhcp_options_key": "default_dhcp_options",
+ "display_name": "sn-fra-p-ocvs-lb",
+ "dns_label": "snfrapocvslb",
+ "prohibit_internet_ingress": true,
+ "prohibit_public_ip_on_vnic": true,
+ "route_table_key": "RT-01-P-OCVS-VCN-LB-KEY",
+ "security_list_keys": [
+ "SL-01-P-OCVS-VCN-LB-KEY"
+ ]
+}
+```
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE) for more details.
diff --git a/workload-extensions/readme.md b/workload-extensions/readme.md
index 95f64ee2..eb6f40b9 100644
--- a/workload-extensions/readme.md
+++ b/workload-extensions/readme.md
@@ -19,10 +19,10 @@ Find below the list of available workload landing zones and our backlog. Be free
| WORKLOAD | DESCRIPTION | CONTENT |
|---|---|---|
| [**EBS**](/workload-extensions/oci-lz-ext-ebs/readme.md)| An EBS Landing Zone Extension. | Public |
+| [**OCVS**](/workload-extensions/oci-lz-ext-ocvs) | An OCVS Landing Zone Extension. | Public |
| **OKE** | An OKE Landing Zone Extension. | On Demand |
| **ExaCS** | An ExaCS Landing Zone Extension. | On Demand |
| **ExaCC** | An ExaCC Landing Zone Extension. | On Demand |
-| **OCVS** | An OCVS Landing Zone Extension. | On Demand |