config/schema.yml

# Copyright (c) 2022 Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

title: "CIS (Center for Internet Security) OCI Landing Zone Quick Start"
stackDescription: "This stack deploys the CIS OCI Landing Zone Quick Start, a fully operational tenancy that combines the recommendations of CIS Foundations Benchmark for OCI with OCI architecture best practices. For details, please see https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart."
description: "This stack deploys the CIS OCI Landing Zone Quick Start, a fully operational tenancy that combines the recommendations of CIS Foundations Benchmark for OCI with OCI architecture best practices. For details, please see <a href=\"https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart\">CIS OCI Landing Zone Quick Start</a>."
schemaVersion: 1.1.0
version: "2.7.0"
locale: "en"

# URL of CIS Landing Zone logo icon used on Application Information tab.
logoUrl: "https://objectstorage.us-ashburn-1.oraclecloud.com/p/taf6kC9fSJyQDNSYbxvqxS_JsdnSu56oFZ3-1h5vI7-WfJUv77mplChopLxZPePW/n/ociateam/b/cis-landing-zone/o/landing_zone_130.png"

variableGroups:
  - title: "Environment"
    variables:
      - "region"
      - "service_label"
      - "cis_level"
      - "use_enclosing_compartment"
      - "existing_enclosing_compartment_ocid"
      - "env_advanced_options"
      - "extend_landing_zone_to_new_region"
      - "policies_in_root_compartment"
      - "enable_template_policies"
      - "rm_existing_iam_admin_group_name"
      - "rm_existing_cred_admin_group_name"
      - "rm_existing_security_admin_group_name"
      - "rm_existing_network_admin_group_name"
      - "rm_existing_appdev_admin_group_name"
      - "rm_existing_database_admin_group_name"
      - "rm_existing_exainfra_admin_group_name"
      - "rm_existing_auditor_group_name"
      - "rm_existing_announcement_reader_group_name"
      - "rm_existing_cost_admin_group_name"
      - "rm_existing_storage_admin_group_name"
      - "existing_security_fun_dyn_group_name"
      - "existing_appdev_fun_dyn_group_name"
      - "existing_compute_agent_dyn_group_name"
      - "existing_database_kms_dyn_group_name"
 
  - title: "Networking - Generic VCNs"
    variables:
      - "vcn_cidrs"
      - "net_advanced_options"
      - "vcn_names"
      - "subnets_names"
      - "subnets_sizes"
    
  - title: "Networking - Exadata Cloud Service VCNs"
    variables:
      - "exacs_vcn_cidrs"
      - "exa_advanced_options"
      - "exacs_vcn_names"
      - "exacs_client_subnet_cidrs"
      - "exacs_backup_subnet_cidrs"
      - "deploy_exainfra_cmp"
    
  - title: "Networking - Hub/Spoke"
    variables:
      - "hub_spoke_architecture"
      - "hs_advanced_options"
      - "dmz_vcn_cidr"
      - "dmz_for_firewall"
      - "dmz_number_of_subnets"
      - "dmz_subnet_size"
      
  - title: "Networking - Public Connectivity"
    variables:
      - "no_internet_access"
      - "public_src_bastion_cidrs"
      - "public_src_lbr_cidrs"
      - "public_dst_cidrs"    

  - title: "Networking - Connectivity to On-Premises"
    variables:
      - "is_vcn_onprem_connected"
      - "onprem_cidrs"
      - "onprem_src_ssh_cidrs"
  
  - title: "Networking - DRG (Dynamic Routing Gateway)"
    variables:
      - "existing_drg_id"  
    visible: 
     or:
       - is_vcn_onprem_connected
       - hub_spoke_architecture   
      
  - title: "Events and Notifications"
    variables:
      - "network_admin_email_endpoints"
      - "security_admin_email_endpoints"
      - "notifications_advanced_options"
      - "compute_admin_email_endpoints"
      - "storage_admin_email_endpoints"
      - "database_admin_email_endpoints"
      - "exainfra_admin_email_endpoints"
      - "budget_admin_email_endpoints"
      - "create_alarms_as_enabled"
      - "create_events_as_enabled"
      - "alarm_message_format"

  - title: "Object Storage"
    variables:
      - "enable_oss_bucket"
      - "existing_bucket_vault_compartment_id"
      - "existing_bucket_vault_id"
      - "existing_bucket_key_id"

  - title: "Cloud Guard"
    variables:
      - "enable_cloud_guard"
      - "enable_cloud_guard_cloned_recipes"
      - "cloud_guard_reporting_region"
      - "cloud_guard_risk_level_threshold"
      - "cloud_guard_admin_email_endpoints"

  - title: "Security Zones"
    variables:
    - "enable_security_zones"
    - "sz_security_policies"

  - title: "Logging Consolidation: Service Connector Hub"
    variables:
      - "enable_service_connector"
      - "activate_service_connector"
      - "service_connector_target_kind"
      - "existing_service_connector_bucket_vault_compartment_id"
      - "existing_service_connector_bucket_vault_id"
      - "existing_service_connector_bucket_key_id"
      - "existing_service_connector_target_stream_id"
      - "existing_service_connector_target_function_id"
  
  - title: "Vulnerability Scanning"
    variables:
      - "vss_create"
      - "vss_scan_schedule"
      - "vss_scan_day"
      - "vss_port_scan_level"
      - "vss_agent_scan_level"
      - "vss_agent_cis_benchmark_settings_scan_level"
      - "vss_enable_file_scan"
      - "vss_folders_to_scan"

  - title: "Cost Management"
    variables:
       - "create_budget"
       - "budget_alert_threshold"
       - "budget_amount"
       - "budget_alert_email_endpoints"

  - title: "Hidden Variables"
    visible: false
    variables:
      - "tenancy_ocid"
      - "user_ocid"
      - "fingerprint"
      - "private_key_path"
      - "private_key_password"
      - "existing_iam_admin_group_name"
      - "existing_cred_admin_group_name"
      - "existing_security_admin_group_name"
      - "existing_network_admin_group_name"
      - "existing_appdev_admin_group_name"
      - "existing_database_admin_group_name"
      - "existing_exainfra_admin_group_name"
      - "existing_auditor_group_name"
      - "existing_announcement_reader_group_name"
      - "existing_cost_admin_group_name"
      - "existing_storage_admin_group_name"
  
variables:
  env_advanced_options:
    type: boolean
    title: "Advanced Options"
    description: "Advanced options for IAM. For details please see <a href=\"https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/VARIABLES.md\">VARIABLES.md</a>."
    default: false
    
  service_label:
    type: string
    title: "Service Label"
    minLength: 1
    maxLength: 8
    pattern: "^[A-Za-z][A-Za-z0-9]{1,7}$"
    description: "A unique label that gets prepended to all resources created by the Landing Zone."
    required: true

  cis_level:
    type: enum
    title: CIS Level
    description: "Determines CIS OCI Benchmark Level of services deployed by the CIS Landing Zone in the tenancy will be configured. Level 1 is be practical and prudent. Level 2 is intended for environments where security is more critical than manageability and usability. Level 2 drives the creation of an OCI Vault, buckets encryption with a customer managed key, write logs for buckets and the usage of specific policies in Security Zones. More info: <a href=\"https://www.cisecurity.org/benchmark/oracle_cloud\">CIS OCI Benchmark</a>."
    enum:
      - "1"
      - "2"
    required: true  

  region:
    type: oci:identity:region:name
    title: "Region"
    description: "The region for resources deployment."
    required: true

  use_enclosing_compartment:
    type: boolean
    title: "Use an enclosing compartment?"
    description: "Whether the Landing Zone compartments are created within an enclosing compartment. If unchecked, the Landing Zone compartments are created in the Root compartment, in which case you must have the required permissions."
    default: true
  
  existing_enclosing_compartment_ocid:
    type: oci:identity:compartment:id
    title: "Existing enclosing compartment"
    description: "The enclosing compartment where Landing Zone compartments will be created. If not provided and \"Use enclosing compartment?\" is checked, an enclosing compartment is created under the Root compartment."
    required: false 
    visible: use_enclosing_compartment

  extend_landing_zone_to_new_region:
    type: boolean
    title: "Extend Landing Zone to new region?"
    description: "Whether Landing Zone is being extended to another region. When set to true, compartments, groups, policies and resources at the home region are not provisioned. Use this when you want provision a Landing Zone in a new region, but reuse existing Landing Zone resources in the home region."
    default: false
    visible: env_advanced_options
  
  policies_in_root_compartment:
    type: enum
    title: "CREATE or USE policies in the root compartment?"
    description: "Whether policies in the root compartment should be created or simply used. If \"CREATE\", you must be sure the user executing this stack has permissions to create policies in the root compartment. If \"USE\", policies must have been created previously."
    enum:
      - "CREATE"
      - "USE"
    required: true
    default: "CREATE"
    visible: env_advanced_options

  enable_template_policies:
    type: boolean
    title: "Enable template policies?"
    description: "Whether policies should be created based on metadata associated to compartments. This is an alternative way of managing policies, enabled by the <a href=\"https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam/tree/main/policies\">CIS Landing Zone standalone IAM policy module</a>. When set to true, the grants to resources belonging to a specific compartment are combined into a single policy that is attached to the compartment itself. This differs from the default approach, where grants are combined per grantee and attached to the enclosing compartment."
    default: false
    visible: env_advanced_options  

  rm_existing_iam_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing IAM admin group name"
    description: "Existing group to which IAM management policies will be granted to."
    visible: env_advanced_options 
        
  rm_existing_cred_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing credentials admin group name"
    description: "Existing group to which credentials management policies will be granted to."
    visible: env_advanced_options
      
  rm_existing_security_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing security admin group name"
    description: "Existing group to which security management policies will be granted to."
    visible: env_advanced_options
      
  rm_existing_network_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing network admin group name"
    description: "Existing group to which network management policies will be granted to."
    visible: env_advanced_options
      
  rm_existing_appdev_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing application development admin group name"
    description: "Existing group to which application development management policies will be granted to."
    visible: env_advanced_options
      
  rm_existing_database_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing database admin group name"
    description: "Existing group to which database management policies will be granted to."
    visible: env_advanced_options
  
  rm_existing_exainfra_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing admin group name for Exadata infrastructure"
    description: "Existing group to which Exadata infrastructure management policies will be granted to."
    visible: env_advanced_options      
  
  rm_existing_auditor_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing auditors group name"
    description: "Existing group to which auditing policies will be granted to."
    visible: env_advanced_options
      
  rm_existing_announcement_reader_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing announcement readers group name"
    description: "Existing group to which announcement reading policies will be granted to."
    visible: env_advanced_options  
  
  rm_existing_cost_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing Cost Admin group name"
    description: "Existing group to which Cost management policies will be granted to."
    visible: env_advanced_options

  rm_existing_storage_admin_group_name:
    type: oci:identity:groups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing Storage Admin group name"
    description: "Existing group to which Storage management policies will be granted to."
    visible: env_advanced_options  
 
  existing_security_fun_dyn_group_name:
    type: oci:identity:dynamicgroups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing security dynamic group name"
    description: "Existing security dynamic group to run functions."
    visible: env_advanced_options

  existing_appdev_fun_dyn_group_name:
    type: oci:identity:dynamicgroups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing appdev dynamic group name"
    description: "Existing appdev dynamic group."
    visible: env_advanced_options

  existing_compute_agent_dyn_group_name:
    type: oci:identity:dynamicgroups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing compute agent dynamic group name"
    description: "Existing compute agent dynamic group for management agent access."
    visible: env_advanced_options

  existing_database_kms_dyn_group_name:
    type: oci:identity:dynamicgroups:id
    dependsOn:
      compartmentId: ${tenancy_ocid}
    title: "Existing database dynamic group name"
    description: "Existing database dynamic group for database to access keys."
    visible: env_advanced_options
 
  net_advanced_options:
    type: boolean
    title: "Advanced Options"
    description: "Advanced options for Networking. For details please see <a href=\"https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/VARIABLES.md\">VARIABLES.md</a>."
    default: false
  
  hs_advanced_options:
    type: boolean
    title: "Advanced Options"
    description: "Advanced options for Hub/Spoke. It allows for creating a DMZ VCN. For details please see <a href=\"https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart/blob/main/VARIABLES.md\">VARIABLES.md</a>."
    default: false

  vcn_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true
    required: false
    maxItems: 9
    minItems: 1
    title: "VCNs CIDR Blocks"
    description: "CIDR blocks for the VCNs in CIDR notation. Each CIDR block corresponds to one VCN. When 'Deploy Hub/Spoke Architecture?' is selected under 'Advanced Options', these VCNs are turned into spoke VCNs. (Type the name and hit enter to enter multiple values, up to a maximum of 9)"
    default: ["10.0.0.0/20"]

  vcn_names:
    type: array
    items:
      type: string
    uniqueItems: true
    maxItems: 9
    minItems: 1
    title: "VCNs Custom Names"
    description: "The VCNs custom names, overriding the default VCNs names. There must be one name corresponding to each CIDR block provided in 'VCNs CIDR Blocks', in the same order. (Type the name and hit enter to enter multiple values, up to a maximum of 9)"
    required: false
    visible: net_advanced_options
    default: []  
  
  subnets_names:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Subnets Custom Names"
    description: "List of subnets custom names to be used in each of the spoke VCNs. (Type the name and hit enter to enter multiple values). "  
    required: false
    visible: net_advanced_options
    default: []  
  
  subnets_sizes:
    type: array
    items:
      type: string
    title: "Subnets Sizes"
    description: "List of subnet sizes in bits to be used in each of the spoke VCNs. The entered values are added to the VCN prefix to get the actual subnet size. The 'nth' value corresponds to the 'nth' subnet name in Subnets Custom Names. (Type the value and hit enter to enter multiple values)." 
    required: false
    visible: net_advanced_options
    default: []  

  is_vcn_onprem_connected:
    type: boolean
    title: "Connect Landing Zone VCN(s) to on-premises network?"
    description: "Whether the VCNs are connected to the on-premises network, in which case a DRG is attached to the VCNs. If checked, either a new  DRG is deployed or an existing DRG can be reused (if you provide its OCID in 'Existing DRG OCID' field below. You must click the check box for the field to appear.) Required if 'Existing DRG OCID' is not provided and 'Block Internet Access?' is checked."
    default: false
  
  public_src_bastion_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true  
    title: "Bastion Inbound SSH and RDP CIDR Blocks"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "List of external IP ranges in CIDR notation allowed to make SSH and RDP inbound connections to bastion servers that are eventually deployed in public subnets. 0.0.0.0/0 is not allowed in the list. (Type the name and hit enter to enter multiple values)"
    default: []
    
  public_src_lbr_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true  
    title: "Load Balancer Inbound HTTPS CIDR Blocks"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "List of external IP ranges in CIDR notation allowed to make HTTPS inbound connections to a Load Balancer that is eventually deployed. (Type the name and hit enter to enter multiple values)"
    default: []

  public_dst_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true  
    title: "NAT Outbound HTTPS CIDR Blocks"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "List of external IP ranges in CIDR notation for HTTPS outbound connections. Applies to connections made over NAT Gateway. (Type the name and hit enter to enter multiple values)"
    default: []  

  existing_drg_id:
    type: string
    title: "Existing DRG OCID"
    description: "The OCID of an existing DRG, used in Hub/Spoke and when connecting to On-Premises network. Provide a value if you do NOT want the Landing Zone to deploy a DRG."
    default: ""
    visible: 
      or:
        - is_vcn_onprem_connected
        - hub_spoke_architecture
        
  onprem_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true  
    title: "On-premises Network CIDR Blocks"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "List of on-premises IP ranges allowed to connect to the Landing Zone network via a DRG. The blocks are added to route rules and NSGs. If 'Block Internet Access?' is checked, it's advised to provide values here, or your OCI network will not have any entry points."
    visible: is_vcn_onprem_connected
    
  onprem_src_ssh_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true  
    title: "On-premises network CIDR Blocks Allowed to Connect over SSH and RDP"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "List of on-premises IP ranges allowed to make SSH and RDP inbound connections."
    visible: is_vcn_onprem_connected
    
  no_internet_access:
    type: boolean
    title: "Block Internet Access?"
    description: "Determines if the VCNs are directly connected to the Internet. If left unchecked, an Internet Gateway and NAT Gateway are created for Internet connectivity. If checked, Internet Gateway and NAT Gateway are NOT created. In this case, it is recommended to check 'Connect Landing Zone VCN(s) to on-premises network?' and provide values to 'On-premises Network CIDR Blocks' in the 'Networking - Connectivity to On-Premises' section below, or your OCI network will not have any entry points."
    default: false

  hub_spoke_architecture:
    type: boolean
    title: "Deploy Hub/Spoke Architecture?"
    description: "Determines if Hub/Spoke network architecture is to be deployed.  Allows for inter-spoke routing through a DRG. If checked, either a new DRG is deployed or an existing DRG can be reused (if you provide its OCID in 'Existing DRG OCID' field below. You must click the check box for the field to appear.) With Hub/Spoke, all VCNs (generic and ExaCS) are peered through the DRG."
    required: false
  
  dmz_vcn_cidr:
    type: string
    title: "DMZ VCN CIDR Block"
    #pattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
    description: "IP range for the DMZ VCN in CIDR notation. DMZ VCNs are commonly used for network appliance deployments. All traffic will be routed through the DMZ VCN."
    required: ${hub_spoke_architecture}
    visible: 
     and:
       - hs_advanced_options
       - hub_spoke_architecture

  dmz_for_firewall:
    type: boolean
    title: "Use DMZ VCN for 3rd-Party Firewalls"
    description: "Determines if a 3rd party firewall will be deployed in the DMZ VCN."
    required: false
    visible: 
     and:
       - hs_advanced_options
       - hub_spoke_architecture
        
  dmz_number_of_subnets:
    type: integer
    title: "Number of Subnets in the DMZ VCN"
    description: "The number of subnets to be created in the DMZ VCN. If using the DMZ VCN for a network appliance deployment, please see the vendor's documentation or OCI reference architecture to determine the number of subnets required."
    required: false
    visible: 
     and:
       - hs_advanced_options
       - hub_spoke_architecture

  dmz_subnet_size: 
    type: integer
    title: "Size of the DMZ Subnet CIDRs"
    description:  "The number of additional bits with which to extend the DMZ VCN CIDR prefix. For instance, if the prefix of 'CIDR Block for the DMZ VCN' is 20 (/20) and 'Size of the DMZ Subnets CIDRs' is 4, subnets are going to be /24."
    required: false
    visible: 
     and:
       - hs_advanced_options
       - hub_spoke_architecture

  exacs_vcn_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true
    required: false
    maxItems: 9
    minItems: 1
    title: "Exadata VCNs CIDR Blocks (Must not overlap with 192.168.128.0/20)"
    description: "CIDR blocks for the Exadata VCNs in CIDR notation. Be mindful about Exadata \"Requirements for IP Address Space\" in <a href=\"https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/exanetwork.htm\">OCI documentation</a>. (Type the name and hit enter to enter multiple values, up to a maximum of 9)"
    default: []

  exa_advanced_options:
    type: boolean
    title: "Advanced Options"
    description: "Advanced options for Exadata Cloud service infrastructure."
    default: false
  
  exacs_vcn_names:
    type: array
    items:
      type: string
    uniqueItems: true
    maxItems: 9
    minItems: 1
    title: "Exadata VCNs Custom Names"
    description: "The Exadata VCNs custom names, overriding the default Exadata VCNs names. Each provided name relates to one and only one VCN, the 'nth' value applying to the 'nth' value in 'CIDR blocks for Exadata VCNs'. (Type the name and hit enter to enter multiple values, up to a maximum of 9)"
    required: false
    default: []
    visible: exa_advanced_options
    
  exacs_client_subnet_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true
    required: false
    maxItems: 9
    minItems: 1
    title: "CIDR Blocks for Exadata VCNs Client Subnets (Must not overlap with 192.168.128.0/20)"
    description: "List of CIDR blocks for the client subnets of Exadata Cloud Service VCNs, in CIDR notation. Each provided CIDR value relates to one and only one VCN, the 'nth' value applying to the 'nth' value in 'CIDR blocks for Exadata VCNs'. (Type the CIDR and hit enter to enter multiple values, up to a maximum of 9)"
    visible: exa_advanced_options
    
  exacs_backup_subnet_cidrs:
    type: array
    items:
      type: string
    uniqueItems: true
    required: false
    maxItems: 9
    minItems: 1
    title: "CIDR Blocks for Exadata Backup Subnets (Must not overlap with 192.168.128.0/20)"
    description: "List of CIDR blocks for the backup subnets of Exadata Cloud Service VCNs, in CIDR notation. Each provided CIDR value relates to one and only one VCN, the 'nth' value applying to the 'nth' value in 'CIDR blocks for Exadata VCNs'. (Type the CIDR and hit enter to enter multiple values, up to a maximum of 9)"
    visible: exa_advanced_options

  deploy_exainfra_cmp:
    type: boolean
    title: "Create Compartment for Exadata Infrastructure?"
    description: "Whether a compartment for Exadata infrastructure should be created. If unchecked, Exadata infrastructure should be created in the database compartment."
    default: false
    visible: exa_advanced_options
    
  network_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Network Admin Email Endpoints"
    required: true
    description: "List of email addresses for all network related notifications. (Type an email address and hit enter to enter multiple values)"

  security_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Security Admin Email Endpoints"
    required: true
    description: "List of email addresses for all security related notifications. (Type an email address and hit enter to enter multiple values)"

  notifications_advanced_options:
    type: boolean
    title: "Additional Notification Endpoints"
    description: "Allows for notifications that are not required by CIS Benchmark."
    default: false
  
  compute_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Compute Admin Email Endpoints"
    required: false
    description: "List of email addresses for all compute related notifications. (Type an email address and hit enter to enter multiple values)"
    visible: notifications_advanced_options

  storage_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Storage Admin Email Endpoints"
    required: false
    description: "List of email addresses for all storage related notifications. (Type an email address and hit enter to enter multiple values)"
    visible: notifications_advanced_options

  database_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Database Admin Email Endpoints"
    required: false
    description: "List of email addresses for all database related notifications. (Type an email address and hit enter to enter multiple values)"
    visible: notifications_advanced_options

  exainfra_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Exadata Infrastructure Admin Email Endpoints"
    required: false
    description: "List of email addresses for all Exadata infrastructure related notifications. (Type an email address and hit enter to enter multiple values)"
    visible: notifications_advanced_options  

  budget_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Budget Admin Email Endpoints"
    required: false
    description: "List of email addresses for all budget related notifications such as budget and finance. (Type an email address and hit enter to enter multiple values)"
    visible: notifications_advanced_options

  create_alarms_as_enabled:
    type: boolean
    title: "Create alarms as enabled?"
    description: "Whether a alarms should be created in an enabled state by default. If unchecked, alarms will be created but not emit alerts."
    default: false
    visible: notifications_advanced_options
    
  create_events_as_enabled:
    type: boolean
    title: "Create events as enabled?"
    description: "Whether events should be created in an enabled state by default. If unchecked, events will be created but not emit notifications."
    default: false
    visible: notifications_advanced_options

  alarm_message_format:
    type: enum
    title: "Alarm Message Format"
    description: "Format of the message sent by Alarms"
    required: true
    enum:
      - PRETTY_JSON
      - ONS_OPTIMIZED
      - RAW
    visible: notifications_advanced_options  
      
  enable_cloud_guard:
    type: boolean
    title: "Enable Cloud Guard Service? (Uncheck if Cloud Guard is already enabled and a target exists for the Root compartment)"
    description: "If selected, Cloud Guard service is enabled and the Root compartment is configured with a Cloud Guard target, as long as there is no pre-existing Cloud Guard target for the Root compartment (or target creation will fail). Keep in mind that once you select this, Cloud Guard target is managed by Landing Zone. If later on you unselect this option, the managed target is deleted and all (open, resolved and dismissed) problems associated with the deleted target are moved to 'deleted' state. This operation happens in the background and would take some time to complete. Deleted problems can be viewed from the problems page using the 'deleted' status filter. For more details on Cloud Guard problems lifecycle, see <a href=\"https://docs.oracle.com/en-us/iaas/cloud-guard/using/problems-page.htm#problems-page__sect_prob_lifecycle\">documentation</a>. If Cloud Guard is already enabled and a target exists for the Root compartment, unselect this option."
    required: true

  enable_cloud_guard_cloned_recipes:
    type: boolean
    title: "Enable Cloud Guard Cloned Recipes?"  
    description: "Whether cloned recipes are attached to the managed Cloud Guard target. If not set, Oracle managed recipes are attached."
    required: false
    visible: enable_cloud_guard
      
  cloud_guard_reporting_region:
    type: oci:identity:region:name
    title: "Reporting Region"
    description: "Cloud Guard reporting region, where Cloud Guard reporting resources are kept. If not set, it defaults to home region."
    required: false
    visible: enable_cloud_guard

  cloud_guard_risk_level_threshold:
    type: enum
    title: "Minimum Risk Level Threshold"
    description: "Determines the minimum risk level that will trigger an event and send information about the problem to the Cloud Guard Email Endpoints. E.g. a minimum risk level of High will include problems with High or Critical risk levels."
    required: false
    default: High
    enum:
      - Critical
      - High
      - Medium
      - Minor
      - Low
    visible: enable_cloud_guard  

  cloud_guard_admin_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Cloud Guard Admin Email Endpoints"
    required: false
    description: "List of email addresses for Cloud Guard related notifications. (Type an email address and hit enter to enter multiple values)"
    visible: enable_cloud_guard  
  
  # Security Zone - Variables
  enable_security_zones:
    type: boolean
    title: Enable Security Zones
    description: "Determines if Security Zones are enabled in Landing Zone compartments. When set to true, the Security Zone is enabled for the enclosing compartment. If no enclosing compartment is used, then the Security Zone is not enabled."
    default: false

  sz_security_policies:
    type: array
    items:
      type: string
    uniqueItems: true
    title: Security Zone policies
    description: "List of Security Zones Policy OCIDs to add to security zone recipe. (Type a Security Zone policy OCID and hit enter to enter multiple values). To get a Security Zone policy OCID use the oci cli:  oci cloud-guard security-policy-collection list-security-policies --compartment-id your-tenancy-ocid"
    visible: 
      and:
        - ${enable_security_zones}

  # Service Connector Hub For Audit Logs - Variables
  enable_service_connector:
    type: boolean
    required: true
    title: "Enable Service Connector?"
    description: "Whether Service Connector should be enabled. If true, a single Service Connector is managed for all services log sources and the designated target specified in 'Service Connector Target Kind'. The Service Connector resource is created in INACTIVE state. To activate, check 'Activate Service Connector?' (costs may incur)."
  
  activate_service_connector:
    type: boolean
    required: true
    title: "Activate Service Connector? (This might incur some cost)"
    description: "Whether Service Connector should be activated. If true, costs my incur due to usage of Object Storage bucket, Streaming or Function."
    visible: enable_service_connector
  
  service_connector_target_kind:
    type: enum
    required: false
    title: "Service Connector Target Kind"
    description: "Service Connector Hub target resource. Valid values are 'objectstorage', 'streaming', 'functions' or 'logginganalytics'. In case of 'objectstorage', a new bucket is created. In case of 'streaming', you can provide an existing stream ocid in 'existing_service_connector_target_stream_id' and that stream is used. If no ocid is provided, a new stream is created. In case of 'functions', you must provide the existing function ocid in 'existing_service_connector_target_function_id'. If case of 'logginganalytics', a log group for Logging Analytics service is created and the service is enabled if not already."
    default: objectstorage
    visible: enable_service_connector
    enum:
      - objectstorage
      - streaming
      - functions
      - logginganalytics

  existing_service_connector_bucket_vault_compartment_id:
    type: oci:identity:compartment:id
    title: "Existing Vault Compartment"
    description: "An existing compartment for the vault with the key used to encrypt Service Connector target Object Storage bucket."
    required: false
    visible:
      and:
        - ${enable_service_connector}
        - eq:
          - service_connector_target_kind
          - "objectstorage"
        - eq:
          - cis_level
          - "2"  

  existing_service_connector_bucket_vault_id:
    type: oci:kms:vault:id
    title: "Existing Vault"
    description: "An existing vault for the key used to encrypt Service Connector target Object Storage bucket."
    required: false
    dependsOn: 
      compartmentId: ${existing_service_connector_bucket_vault_compartment_id}
    visible:
      and:
        - ${enable_service_connector}
        - eq:
          - service_connector_target_kind
          - "objectstorage"
        - eq:
          - cis_level
          - "2"

  existing_service_connector_bucket_key_id:
    type: oci:kms:key:id
    title: "Existing Encryption Key"
    description: "An existing key used to encrypt Service Connector target Object Storage bucket."
    required: false
    dependsOn: 
      compartmentId: ${existing_service_connector_bucket_vault_compartment_id}
      vaultId: ${existing_service_connector_bucket_vault_id}
    visible:
      and:
        - ${enable_service_connector}
        - eq:
          - service_connector_target_kind
          - "objectstorage"
        - eq:
          - cis_level
          - "2"

  existing_service_connector_target_stream_id:
    type: string
    required: false
    title: "Existing Target Stream"
    description: "An existing stream to be used as the Service Connector target. Only applicable if 'service_connector_target_kind' is set to 'streaming'."
    visible:
      and:
        - ${enable_service_connector}
        - eq:
          - service_connector_target_kind
          - "streaming"

  existing_service_connector_target_function_id:
    type: string
    required: false
    title: "Existing Target Function"
    description: "An existing function to be used as the Service Connector target. Only applicable if 'service_connector_target_kind' is set to 'functions'."
    visible:
      and:
        - ${enable_service_connector}
        - eq:
          - service_connector_target_kind
          - "functions"

  # Vulnerability Scanning
  vss_create:
    type: boolean
    title: "Enable Vulnerability Scanning?"
    description: "Whether Vulnerability Scanning should be enabled. If checked, a scanning recipe is enabled and scanning targets are enabled for each Landing Zone compartment."
  
  vss_scan_schedule:
    type: enum
    title: "Scanning Schedule"
    description: "When to scan. WEEKLY or DAILY."
    #default: WEEKLY
    visible: vss_create
    enum:
      - WEEKLY
      - DAILY

  vss_scan_day:
    type: enum
    title: "Scanning Day"
    description: "The day when to scan. Applies to weekly scans only."
    #default: SUNDAY
    enum:
      - SUNDAY
      - MONDAY
      - TUESDAY
      - WEDNESDAY
      - THURSDAY
      - FRIDAY
      - SATURDAY 
    visible:
      and:
        - ${vss_create}
        - eq:
          - vss_scan_schedule
          - "WEEKLY"

  vss_port_scan_level:
    type: enum
    title: "Port Scan Level"
    description : "Checks for open ports using a network mapper that searches your public IP addresses. STANDARD checks the 1000 most common port numbers, LIGHT checks the 100 most common port numbers, NONE does not check for open ports."
    enum:
      - STANDARD
      - LIGHT
      - NONE  
    visible: vss_create

  vss_agent_scan_level:
    type: enum
    title: "Agent Scan Level"
    description : "Checks for open ports on both public and private IP addresses, OS vulnerabilities; compliance with industry benchmarks, vulnerabilities in third-party application files (for application files scanning, check 'Enable File Scanning' below)."
    enum:
      - STANDARD
      - NONE  
    visible: vss_create   

  vss_agent_cis_benchmark_settings_scan_level:
    type: enum
    title: "Agent CIS Benchmark Settings Scan Level"
    description : "Checks targets for compliance with industry-standard benchmarks published by the Center for Internet Security (CIS)"
    enum:
      - STRICT
      - MEDIUM
      - LIGHTWEIGTH
      - NONE
    visible:
      and:
        - ${vss_create}
        - eq:
          - vss_agent_scan_level
          - "STANDARD"

  vss_enable_file_scan:
    type: boolean
    title: "Enable File Scanning?"
    description: "Whether file scanning is enabled."
    visible:
      and:
        - ${vss_create}
        - eq:
          - vss_agent_scan_level
          - "STANDARD"

  vss_folders_to_scan:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Folders to Scan"
    required: false
    description: "List of file system folders to scan. Required if 'Enable Folder Scanning?' is selected. Currently, the Scanning service checks for vulnerabilities only in log4j and spring4shell (Type a value and hit enter to enter multiple values)."
    visible: 
      and:
        - ${vss_create}
        - ${vss_enable_file_scan}
        - eq:
          - vss_agent_scan_level
          - "STANDARD"

# Object Storage
  enable_oss_bucket:
    type: boolean
    title: "Enable Object Storage bucket?"
    description: "Whether an Object Storage bucket should be enabled. If true, the bucket is managed in the application (AppDev) compartment. Providing an encryption key is optional. If a key is not provided and 'CIS Level' is set to 2, the Landing Zone will manage the key."
    required: false

  existing_bucket_vault_compartment_id:
    type: oci:identity:compartment:id
    title: "Existing Vault Compartment"
    description: "An existing compartment for the vault with the key used in Object Storage bucket encryption."
    required: false
    visible: 
      and: 
        - enable_oss_bucket
        - eq:
          - cis_level
          - "2"

  existing_bucket_vault_id:
    type: oci:kms:vault:id
    title: "Existing Vault"
    description: "An existing vault for the key used in Object Storage bucket encryption."
    required: false
    dependsOn: 
      compartmentId: ${existing_bucket_vault_compartment_id}
    visible: 
      and: 
        - enable_oss_bucket
        - eq:
          - cis_level
          - "2"

  existing_bucket_key_id:
    type: oci:kms:key:id
    title: "Existing Encryption Key"
    description: "An existing key used for Object Storage bucket encryption."
    required: false
    dependsOn: 
      compartmentId: ${existing_bucket_vault_compartment_id}
      vaultId: ${existing_bucket_vault_id}
    visible: 
      and: 
        - enable_oss_bucket
        - eq:
          - cis_level
          - "2"
          
# Cost Management
  create_budget:
    type: boolean
    title: "Create a default budget?"
    description: "If checked, a budget will be created at the root or enclosing compartment and based on forecast spend."
    default: false
  
  budget_alert_threshold:
    type: integer
    title: "Percentage of Budget"
    description: "The threshold for triggering the alert expressed as a percentage of the monthly forecast spend. 100% is the default."
    required: false
    visible: create_budget

  budget_amount:
    type: integer
    title: "Monthly Budget Amount (in US$)"
    description: "The amount of the budget expressed as a whole number in the currency of the customer's rate card."
    required: false
    visible: create_budget
  
  budget_alert_email_endpoints:
    type: array
    items:
      type: string
    uniqueItems: true
    title: "Budget Alert Email Endpoints"
    required: false
    visible: create_budget
    description: "List of email addresses for budget alerts. (Type an email address and hit enter to enter multiple values)"

# Variables not required to display to user
  user_ocid:
    type: string

  fingerprint:
    type: string

  private_key_path:
    type: string

  private_key_password:
    type: password

outputs:
  release:
    type: string
    title: CIS Landing Zone Release

  region:
    type: string
    title: Region

  service_label:
    type: string
    title: Service Label

  cis_level:
    type: string
    title: CIS Profile Level  

  compartments:
    type: json
    title: Compartments

  vcns:
    type: json
    title: (Spoke) Virtual Cloud Networks 

  subnets:
    type: json
    title: (Spoke) Virtual Cloud Networks Subnets  

  dmz_vcn:
    type: json
    title: DMZ (Hub) Virtual Cloud Network   

  dmz_subnets:
    type: json
    title: DMZ (Hub) Virtual Cloud Network Subnets

  bastions:
    type: json
    title: Bastions   
    
outputGroups:
  - title: Environment
    outputs:
      - ${release}
      - ${region}
      - ${service_label}
      - ${cis_level}
      - ${compartments}

  - title: Networking
    outputs:
      - ${vcns}
      - ${subnets} 
      - ${dmz_vcn}
      - ${dmz_subnets} 
      - ${bastions}      