
Commit

content review
jpalmeiro committed Jul 22, 2024
1 parent 4cd2d25 commit 93a7286
Showing 4 changed files with 74 additions and 7 deletions.
38 changes: 33 additions & 5 deletions workload-extensions/oci-lz-ext-ocvs/README.md
Expand Up @@ -15,20 +15,28 @@
- [**4.5.1 Dynamic Routing Gateway (DRGs) Attachments**](#451-dynamic-routing-gateway-drgs-attachments)
- [**4.5.2 Service Gateway (SGs)**](#452-service-gateway-sgs)
- [**5. Runtime View**](#5-runtime-view)


 

## **1. Introduction**
Welcome to the **OCVS Landing Zone Extension**.

The OCVS Landing Zone (LZ) Extension is a secure cloud environment, designed with best practices to simplify the onboarding of OCVS workloads and enable the continuous operations of their cloud resources. This reference architecture provides an automated landing zone **configuration**.

 

## **2. Design Overview**
| ID | DOMAIN | DESCRIPTION |
| ----- | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **1** | **General** | - [OneOE](../../one-oe/) LZ deployed as a foundation. </br>- The OCVS LZ Extension will extend the OneOE LZ and add OCVS Workloads example. </li> </ul> |
| **1** | **General** | - [One-OE](../../one-oe/) LZ deployed as a foundation. </br>- The OCVS LZ Extension will extend the One-OE LZ and add OCVS Workloads example. </li> </ul> |
| **2** | **Tenancy Structure** | Extend the standard landing zone compartment structure with additional compartments for OCVS-related resources: </br>- Parent OCVS compartment.</br>- OCVS Load Balancer.</br>- Software defined data center (SDDC). |
| **3** | **Groups & Policies** | Additional groups and associated policies are deployed to manage OCVS compartment resources. |
| **4** | **Network Structure** | Additional VCNs and related elements will be added - to segregate OCVS deployment as a Spoke extensions to the OneOZ LZ Hub. |
| **5** | **Runtime** | - There are be **three deployment steps** to provision this landing zone: **(1)** The OneOE LZ will be used as an initial setup and **(2)** extended with the OCVS LZ Extension Runtime configurations. Additional **(3)** manual configuration tasks are also required to complete the setup. </br> - Note that the **'Operation/(OP)**' column on the next sections identifies the three moment in time when OCI resources are created. <br>- For more details refer to the [Runtime](#5-runtime-view) section. |
| **5** | **Runtime** | - There are be **three deployment steps** to provision this landing zone: **(1)** The One-OE LZ will be used as an initial setup and **(2)** extended with the OCVS LZ Extension Runtime configurations. Additional **(3)** manual configuration tasks are also required to complete the setup. </br> - Note that the **'Operation/(OP)**' column on the next sections identifies the three moment in time when OCI resources are created. <br>- For more details refer to the [Runtime](#5-runtime-view) section. |


&nbsp;

## **3. Security View**

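Review bot: the OneOE to One-OE rename is applied in the General and Runtime rows of this hunk but not in the unchanged Network Structure row, which still reads `as a Spoke extensions to the OneOZ LZ Hub` (OneOZ looks like a typo for One-OE, and "a Spoke extensions" should be "a Spoke extension"). Since the Runtime row is being edited anyway, `There are be **three deployment steps**` should read `There are **three deployment steps**`, and `the three moment in time` should be `the three moments in time`.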
Expand All @@ -39,7 +47,9 @@ The OCVS LZ Extension includes the following compartments:
> [!NOTE]
> Compartments help you organize and control access to your resources. A compartment is a collection of related resources (such as cloud networks, compute instances, or block volumes) that can be accessed only by those groups that have been given permission by an administrator in your organization.
![Compartments](diagrams/compartments.png)
<img src="diagrams/compartments.png" width="1000" height="value">

&nbsp;

The following table provides details on the compartments presented above, their level of deepness in the tenancy, and objectives.

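Review bot: the replacement `<img src="diagrams/compartments.png" width="1000" height="value">` carries a literal placeholder in `height`; an invalid length is ignored by the browser, so the tag behaves as if only `width` were set, but a placeholder should not be committed. Either drop the `height` attribute (the aspect ratio is then preserved from `width`) or give it a pixel value. The Markdown form `![Compartments](diagrams/compartments.png)` that this removes had no such problem, so the switch to raw HTML should be justified by the need for a fixed width.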
Expand All @@ -49,6 +59,8 @@ The following table provides details on the compartments presented above, their
| CMP.01 | OP#01 | 1 | cmp-p-platform-ocvs-lb | Holds OCVS Load Balancers |
| CMP.02 | OP#01 | 1 | cmp-p-platform-ocvs-sddc | Contains software defined datacenter resources |

&nbsp;

### **3.2 Groups**
The OCVS LZ Extension includes the following groups.

Expand All @@ -59,6 +71,8 @@ The OCVS LZ Extension includes the following groups.
| ------ | ----- | -------------------------- | ------------------------------------------- |
| GRP.00 | OP#01 | grp-p-platform-ocvs-admins | Group for managing VMWare related resources |

&nbsp;

### **3.4 Policies**
The OCVS LZ Extension includes the following policies:

Expand All @@ -69,11 +83,15 @@ The OCVS LZ Extension includes the following policies:
| ------ | ----- | -------------------------- | -------------------------------------------------------------------------------------------------------------- |
| POL.00 | OP#01 | pcy-p-platform-ocvs-admins | Policy granting permissions for administering OCVS related resources to the *grp-p-platform-ocvs-admins* group |

&nbsp;

## **4. Network View**
The following diagram presents the network structure of the OCVS LZ Extension.

![Network](diagrams/network.png)

<img src="diagrams/network.png" width="1000" height="value">

&nbsp;

### **4.1 VCNs**
The following table describes the deployed VCNs.
Expand All @@ -85,6 +103,8 @@ The following table describes the deployed VCNs.
| ------ | ----- | -------------- | ---------------------------------- |
| VCN.00 | OP#01 | vcn-fra-p-ocvs | Spoke VCN dedicated to OCVS set-up |

&nbsp;

### **4.2 Subnets**
The following table describes the deployed Subnets.

Expand All @@ -109,6 +129,8 @@ The following table describes the deployed Route Tables.
| ----- | ----- | ------------------ | ------------------------------------- |
| RT.00 | OP#01 | rt-01-p-ocvs-vcn-l | OCVS Load Balancer subnet route table |

&nbsp;

### **4.4 Security Lists (SLs)**
The following table describes the deployed Security Lists (SLs).

Expand All @@ -119,6 +141,8 @@ The following table describes the deployed Security Lists (SLs).
| ----- | ----- | ------------------- | --------------------------------------- |
| SL.00 | OP#01 | sl-01-p-ocvs-vcn-lb | OCVS Load Balancer subnet security list |

&nbsp;

### **4.5 Gateways**
#### **4.5.1 Dynamic Routing Gateway (DRGs) Attachments**
The following tables describe the deployed DRG Attachments.
Expand All @@ -141,6 +165,7 @@ The following table describes the proposed Service Gateways.
| ----- | ----- | ------------- | -------------------- |
| SG.00 | OP#01 | sg-fra-p-ocvs | SG in the OCVSS VCN. |

&nbsp;

## **5. Runtime View**

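Review bot: the unchanged SG.00 row in this hunk reads `SG in the OCVSS VCN.`; "OCVSS" is a typo for OCVS and should be fixed as part of this content review.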
Expand All @@ -159,11 +184,14 @@ The OCVS LZ Extension has three operation scenarios described in the following t

| OP. ID | OPERATION SCENARIOS DESCRIPTION | TIME EFFORTS |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
| **[OP. ID.00](../../one-oe/)** | **Deploy OneOE LZ**. Cover Core network resources (Hub VCN), Core IAM resources (compartments, group, policies), and security services. | **< 1h** |
| **[OP. ID.00](../../one-oe/)** | **Deploy One-OE Landing ZOne**. Cover Core network resources (Hub VCN), Core IAM resources (compartments, group, policies), and security services. | **< 1h** |
| **[OP. ID.01](./op01-ocvs-workload-extension/)** | **Deploy OCVS extension**. Include OCVS network resources (Spokes VCNs, Table Routes, Security Lists) and IAM OCVS resources (Groups, Policies). | **< 30m** |
| **[OP. ID.02](./op02-ocvs-setup/)** | **OCVS Setup** | **< 15m** (excluding deployment time) |
| **[OP. ID.03](./op03-postop-lb/)** | **Provision LB for OCVS (optional) Cleanup** | **< 15m** |

&nbsp;

&nbsp;

# License <!-- omit from toc -->

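Review bot: the edited OP. ID.00 row introduces a new typo, `**Deploy One-OE Landing ZOne**` should be `**Deploy One-OE Landing Zone**`. In the same cell `Cover Core network resources` reads better as `Covers core network resources`, and the longer text now overflows the column width used by the other rows, which renders fine but leaves the table source misaligned.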
Expand Up @@ -18,6 +18,7 @@
- [**5.6 Run ```terraform plan```**](#56-run-terraform-plan)
- [**5.7 Run ```terraform apply```**](#57-run-terraform-apply)

&nbsp;


## **1. Summary**
Expand All @@ -35,6 +36,8 @@
| **RUN OPERATION** | Use [ORM](#4-run-with-orm) or use [Terraform CLI](#5-run-with-terraform-cli). |


&nbsp;

## **2. Setup IAM Configuration**

For configuring and running the OneOE Landing Zone OCVS extension Identity Layer use the following JSON file: [oci_open_lz_one-oe_identity.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_identity.auto.tfvars.json) You can customize this configuration to fit your exact OCI IAM topology.
Expand All @@ -48,18 +51,24 @@ Search for the values indicated below and replace with the correct OCIDs:
| ------------------------- | --------------------------------- | ---------------------------------- |
| Prod Platform Compartment | \<OCID-COMPARTMENT-PROD-PLATFORM> | The prod platform compartment OCID |

&nbsp;

### **2.1. Compartments**

The diagram below identifies the compartments in the scope of this operation.

![Diagram](../diagrams/compartments.png)
<img src="../diagrams/compartments.png" width="1000" height="value">

&nbsp;

The OCVS extension provisions 3 compartments. Parent OCVS platform compartment is created as an *example* in the platform compartment inside the **production environment**. The other 2 compartments LB and SDDC are created as nested children in the OCVS comparmetn.

OneOE Landing Zones defines multiple instances of platform compartment. Platform comparment is created **for each environement**, and **one shared** platform for resources spanning multiple environments.

Using this extension requires choosing the right platform for the use cases. Extension can be modified to provision multiple instances of the delpoyment. For customizations see the full [compartment resource documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/compartments).

&nbsp;

### **2.2 Groups**
As part of the deployment the following groups are created in the [Default Identity Domain](https://docs.oracle.com/en-us/iaas/Content/Identity/domains/overview.htm):
| Group | Description |
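Review bot: the new `<img src="../diagrams/compartments.png" width="1000" height="value">` has the same placeholder `height="value"` as the top-level README; drop the attribute or set a pixel value. The unchanged context in this hunk also carries several typos that a content review should catch: `comparmetn` and `comparment` (compartment), `environement` (environment), `delpoyment` (deployment), and `OneOE Landing Zones defines` should be `The One-OE Landing Zone defines`. Note that this file still uses the spelling `OneOE` (section 2 and section 3 intros) while the top-level README in this commit was changed to `One-OE`.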
Expand All @@ -68,6 +77,8 @@ As part of the deployment the following groups are created in the [Default Ident

For customizations see the full [group resoruce documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/groups)

&nbsp;

### **2.3 Policies**
As part of the deploymnet the following policies are created:
| Policy | Description | Manage resources | Use resources | Inspect resources |
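Review bot: the context line `For customizations see the full [group resoruce documentation](...)` has a typo, `resoruce` should be `resource`, and the sentence is missing its final period.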
Expand All @@ -78,6 +89,8 @@ Policies contain compartment paths. The paths can change based on the modificati

For customizations see the full [policy resource documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/policies)

&nbsp;

## **3. Setup Network Configuration**

For configuring and running the OneOE LZ OCVS extension Network layer use the following JSON file: [oci_open_lz_one-oe_network.auto.tfvars.json](/workload-extensions/oci-lz-ext-ocvs/op01-ocvs-workload-extension/oci_open_lz_one-oe_network.auto.tfvars.json)
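Review bot: `As part of the deploymnet the following policies are created:` in this hunk's context should read `deployment`, and the closing `For customizations see the full [policy resource documentation](...)` line is missing its final period.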
Expand All @@ -93,7 +106,11 @@ Search for the values indicated below and replace with the correct OCIDs:

This configuration covers the following networking diagram.

![Network Diagram](../diagrams/network.png)
&nbsp;

<img src="../diagrams/network.png" width="1000" height="value">

&nbsp;

For customization of the pre-defined setup please refer to the [Networking documentation](https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking) for documentation and examples.

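Review bot: the network diagram is now wrapped in `&nbsp;` paragraphs both above and below `<img src="../diagrams/network.png" width="1000" height="value">`, unlike the compartments diagram earlier in this file, which has the spacer only after the image; keep one pattern. The `height="value"` placeholder should be dropped or replaced with a number here too.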
Expand All @@ -106,6 +123,8 @@ The network layer covers the following resources:
5. Route Tables - One for Service Gateway, and a default route for routing all trafic through the central hub
6. DRG Attachment - Connect spoke with the central Hub

&nbsp;

## **4. Run with ORM**

| STEP | ACTION |
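Review bot: the unchanged list item `5. Route Tables - One for Service Gateway, and a default route for routing all trafic through the central hub` has a typo, `trafic` should be `traffic`.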
Expand All @@ -118,6 +137,8 @@ The network layer covers the following resources:
| **6** | Update with the links to your IAM and Network configurations (OCI Object Storage is recommended) Click Next. |
| **7** | Un-check run apply. Click Create. |

&nbsp;

## **5. Run with Terraform CLI**
### **5.1 Setup Terraform Authentication**
For authenticating against the OCI tenancy terraform execute the following [instructions](common_terraform_authentication.md).
Expand Down Expand Up @@ -159,6 +180,10 @@ terraform apply \
```
You can proceed to [OP.02 OCVS Set-up](../op02-ocvs-setup/).

&nbsp;

&nbsp;

# License <!-- omit from toc -->

Copyright (c) 2024 Oracle and/or its affiliates.
6 changes: 6 additions & 0 deletions workload-extensions/oci-lz-ext-ocvs/op02-ocvs-setup/README.md
Expand Up @@ -3,6 +3,7 @@
- [**1. Summary**](#1-summary)
- [**2. OCVS Deployment**](#2-ocvs-deployment)

&nbsp;

## **1. Summary**

Expand All @@ -13,6 +14,8 @@
| **OBJECTIVE** | Provision OCI OCVS on top of Landing Zone Extensions. |
| **TARGET RESOURCES** | OCVS |

&nbsp;

## **2. OCVS Deployment**
1. Navigate to [Software-Defined Data Centers](https://cloud.oracle.com/vmware/sddcs/create) as part of VMWare service in OCI.
2. Choose a suitable name and as a compartment select *cmp-p-platform-ocvs-sddc*, upload public SSH key.
Expand All @@ -23,6 +26,9 @@
7. Provide desired CIDR range for the Cluster Network
8. Review and finish the set-up

&nbsp;
&nbsp;

# License <!-- omit from toc -->

Copyright (c) 2024 Oracle and/or its affiliates.
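Review bot: the two `&nbsp;` lines added before `# License` have no blank line between them, so Markdown folds them into a single paragraph and only one spacer's worth of height results; the top-level README in this commit uses `&nbsp;`, blank line, `&nbsp;` for the same spot. Match that pattern if two spacers are intended, or add just one.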
8 changes: 8 additions & 0 deletions workload-extensions/oci-lz-ext-ocvs/op03-postop-lb/README.md
Expand Up @@ -4,6 +4,7 @@
- [**2. Compartments**](#2-compartments)
- [**3. Network**](#3-network)

&nbsp;

## **1. Summary**

Expand All @@ -16,6 +17,8 @@

This is an optional post deployment operation to provision a Load Balancer Subnet for the OCVS with predefined routing and security rules. Load Balancer subnet can be used for creating Load Balancer for exposing parts of the OCVS either internally or externally.

&nbsp;

## **2. Compartments**
Provision ocvs-lb compartment by modifying the `oci_open_lz_one-oe_identity.auto.tfvars.json` file to add following in the OCVS children:
```json
Expand All @@ -29,6 +32,8 @@ Provision ocvs-lb compartment by modifying the `oci_open_lz_one-oe_identity.auto
}
```

&nbsp;

## **3. Network**
Provision LB subnet, routes, security lists by modifing the `oci_open_lz_one-oe_identity.auto.tfvars.json` file to add following parts of configuration.

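Review bot: the unchanged intro of section 3 says to provision the LB subnet, routes and security lists by modifying `oci_open_lz_one-oe_identity.auto.tfvars.json`, but that is the IAM file; the op01 README in this same commit names `oci_open_lz_one-oe_network.auto.tfvars.json` as the network configuration, and the `network_configuration.network_configuration_categories[...]` paths in the next hunk belong to that file. Also `modifing` should be `modifying` and `to add following parts of configuration` reads better as `to add the following parts of the configuration`.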
Expand Down Expand Up @@ -94,6 +99,9 @@ Subnets to path `network_configuration.network_configuration_categories["VCN-FRA
}
```

&nbsp;
&nbsp;

# License <!-- omit from toc -->

Copyright (c) 2024 Oracle and/or its affiliates.
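Review bot: as in the op02 README, the two consecutive `&nbsp;` lines before `# License` lack a blank line between them and collapse into one paragraph; use the `&nbsp;`, blank, `&nbsp;` layout from the top-level README or a single spacer.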