Table of Contents
1. Approach (What)
2. Architecture (How)
3. Modules Engine (Where to Start)
To simplify and reduce overall efforts on OCI Landing Zones creation, deployment, and operations, we moved from classic Terraform programmatic/coded Landing Zones to completely declarative IaC Landing Zones. In other words, for Standard Landing Zones, Tailored Landing Zones, and Workload Extensions, all OCI core resources are human-readable configuration files (json or yaml) - with zero coding needs.
By using this approach, in terms of IaC, all OCI Landing Zones share the following principles:
- Runnable Design: All OCI Landing Zones designs or workload extensions are translatable into declarative runnable IaC configurations.
- Configurable: All OCI Landing Zones are purely declarative with IaC Configurations - and not code.
- One Engine: All OCI Landing Zones use one common Terraform engine.
Several benefits can be achieved with this approach, such as:
- Reduced efforts from our customers and partners as they will not spend time coding or time enabling their operations teams in deep terraform skills.
- Reduced time-to-value or time-to-production from our customers and partners, as workloads can land earlier in OCI.
- Simpler provisioning and change operations and fewer errors with human-readable files. Cloud operations teams don't require coding skills.
- Security with separation of duties as the IaC developers do not interact with real configurations and cloud operations don't access code.
- Eliminate waste/rework by reinventing the wheel with new Terraform modules.
- A Scalable and secure operating model can be used based on GitOps, where Git is the source of truth for any cloud operation. Versioning configuration files in repositories also provides a great audit capability.
The diagram below presents the runtime architecture following a top-down flow, from design to configuration, and from configuration to the creation of OCI resources.
- The first layer presents the design elements for the Standard Landing Zones, Tailored Landing Zones, and Workload Extensions.
- The second layer (green) presents the IaC Configurations for all the design elements of the layer above. All designs are translated into declarative configurations.
- The third layer (grey) presents the tooling used to run the configurations (green) against one set of modules (yellow). Note all the terraform modules available including the orchestration on top of core resources. Any automation tool, or even a manual command, can provide this execution.
- In the last layer, it's possible to see the OCI resources instantiated by the Terraform modules in the previous layer.
The next diagram depicts the key capabilities/benefits enabled by each building block. The design strategy towards standard and tailored landing zones and workload extension, followed by the "everything configured" and the "one single-engine" principles, are key to simplifying OCI onboarding and running experience.
The following Git repositories contain the Terraform engine that enables the IaC Configurable approach. For a high-level overview please refer to OCI CIS Enhanced Modules.
| REPOSITORY | OBJECTIVE | GIT |
|---|---|---|
| Landing Zone Orchestrator | Simplifies operations by providing the ability to relate several resource types from all the other modules into one consolidated operation (i.e., one plan/apply). | View |
| Identity and Access Management | Provides the ability to configure Compartments, Groups, Policies, Dynamic Groups, etc. | View |
| Networking | Provides the ability to configure all OCI Core Network Resources (e.g., VCNs, Subnets, Route tables, Security Lists, Network Security Groups, Gateways, etc.). | View |
| Security | Provides the ability to configure OCI Security Resources (e.g., Cloud Guard, VSS, Security Zones, Vaults, etc.). | View |
| Observability | Provides the ability to configure OCI monitoring resources (e.g., Logging, Events, Alarms, Notifications, etc.). | View |
| Governance | Provides the ability to configure OCI Tagging. | View |
For unitary examples of usage please review the examples on each repository.
For complete end-to-end examples using the orchestrator and several other modules please refer to the OCI Open LZ Blueprint and Runtime View.
Copyright (c) 2024 Oracle and/or its affiliates.
Licensed under the Universal Permissive License (UPL), Version 1.0.
See LICENSE for more details.