diff --git a/CODEOWNERS b/CODEOWNERS
index 5f5f7f07..cb3be78f 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,4 @@
 /workload-extensions/ocvs/ @hrvolapeter
 /workload-extensions/ebs/ @rphibbert
 /addons/oci-hub-models/ @vavardan
+/addons/oci-sovereign-controls/ @vavardan @hrvolapeter @paolajuarezgomez
diff --git a/addons/oci-sovereign-controls/content/User-cmp-policies.png b/addons/oci-sovereign-controls/content/User-cmp-policies.png
new file mode 100644
index 00000000..72bf4356
Binary files /dev/null and b/addons/oci-sovereign-controls/content/User-cmp-policies.png differ
diff --git a/addons/oci-sovereign-controls/content/oci-realm.png b/addons/oci-sovereign-controls/content/oci-realm.png
new file mode 100644
index 00000000..070e8868
Binary files /dev/null and b/addons/oci-sovereign-controls/content/oci-realm.png differ
diff --git a/addons/oci-sovereign-controls/content/vault-options.png b/addons/oci-sovereign-controls/content/vault-options.png
new file mode 100644
index 00000000..90bb21cf
Binary files /dev/null and b/addons/oci-sovereign-controls/content/vault-options.png differ
diff --git a/addons/oci-sovereign-controls/identity.auto.tfvars.json b/addons/oci-sovereign-controls/identity.auto.tfvars.json
new file mode 100644
index 00000000..9dbfd6c2
--- /dev/null
+++ b/addons/oci-sovereign-controls/identity.auto.tfvars.json
@@ -0,0 +1,212 @@
+{
+
+ "groups_configuration": {
+ "groups": {
+ "GRP-STR-OE-NETWORK-ADMINS": {
+ "name": "grp-str-network-admins",
+ "description": "GRP.06 Tenancy global and shared network administration group, including common OE network elements."
+ },
+ "GRP-STR-OE-SECURITY-ADMINS": {
+ "name": "grp-str-security-admins",
+ "description": "GRP.07 Tenancy global and shared security administration group."
+ },
+ "GRP-STR-LZP-P-PROJ1-APP-ADMINS": {
+ "name": "grp-str-lzp-p-proj1-app-admins",
+ "description": "GRP.OE.08 Group responsible for administrating PROD/PROJ1/APP related applications."
+ },
+ "GRP-STR-LZP-P-PROJ1-DB-ADMINS": {
+ "name": "grp-str-lzp-p-proj1-db-admins",
+ "description": "GRP.OE.09 Group responsible for administrating PROD/PROJ1/DB related databases."
+ },
+ "GRP-STR-LZP-P-PROJ1-INFRA-ADMINS": {
+ "name": "grp-str-lzp-p-proj1-infra-admins",
+ "description": "GRP.OE.10 Group responsible for administrating PROD/PROJ1/INFRA related infrastructure."
+ }
+ }
+ },
+ "policies_configuration": {
+ "enable_cis_benchmark_checks": "false",
+ "supplied_policies": {
+ "PCY-OE-SERVICES": {
+ "name": "pcy-services",
+ "description": "POL.00 Open LZ policy for all supported resources in the tenancy.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'",
+ "allow service cloudguard to read tenancies in tenancy",
+ "allow service cloudguard to read all-resources in tenancy",
+ "allow service cloudguard to use network-security-groups in tenancy",
+ "Allow any-user to { WLP_BOM_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "Allow any-user to { WLP_CONFIG_READ } in tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "Endorse any-user to { WLP_LOG_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "Endorse any-user to { WLP_METRICS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "Endorse any-user to { WLP_ADHOC_QUERY_READ } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent' }",
+ "Endorse any-user to { WLP_ADHOC_RESULTS_CREATE } in any-tenancy where all { request.principal.id = target.agent.id, request.principal.type = 'workloadprotectionagent'}",
+ "allow service vulnerability-scanning-service to manage instances in tenancy",
+ "allow service vulnerability-scanning-service to read compartments in tenancy",
+ "allow service vulnerability-scanning-service to read repos in tenancy",
+ "allow service vulnerability-scanning-service to read vnics in tenancy",
+ "allow service vulnerability-scanning-service to read vnic-attachments in tenancy",
+ "allow service osms to read instances in tenancy",
+ "allow service blockstorage, oke, streaming, Fssoc1Prod, objectstorage-eu-frankfurt-1 to use keys in tenancy"
+ ]
+ },
+
+ "PCY-OE-NETWORK-ADMINISTRATION": {
+ "name": "pcy-network-administration",
+ "description": "POL.06 Open LZ policy which allows grp-str-network-admins group users to manage all network resources in the compartment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-str-network-admins to use cloud-shell in tenancy where request.region='str'",
+ "allow group grp-str-network-admins to read usage-budgets in tenancy where request.region='str'",
+ "allow group grp-str-network-admins to read usage-reports in tenancy where request.region='str'",
+ "allow group grp-str-network-admins to read objectstorage-namespaces in tenancy where request.region='str'",
+ "allow group grp-str-network-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage dns in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage load-balancers in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-network where request.region='str'",
+ "allow group grp-str-network-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-network "
+ ]
+ },
+ "PCY-OE-SECURITY-ADMINISTRATION": {
+ "name": "pcy-security-administration",
+ "description": "POL.07 Open LZ policy which allows grp-str-security-admins group users to manage all security resources in the security compartment.",
+ "compartment_id": "TENANCY-ROOT",
+ "statements": [
+ "allow group grp-str-security-admins to use cloud-shell in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read usage-budgets in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read usage-reports in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read objectstorage-namespaces in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to manage cloudevents-rules in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to manage cloud-guard-family in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read tenancies in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to manage tag-namespaces in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to manage tag-defaults in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to manage repos in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read audit-events in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read app-catalog-listing in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read instance-images in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to inspect buckets in tenancy where request.region='str'",
+ "allow group grp-str-security-admins to read all-resources in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage instance-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage volume-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.region='str', request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-str-security-admins to manage object-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.region='str', request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-str-security-admins to manage file-family in compartment cmp-landingzone-p:cmp-lzp-security where all{request.region='str', request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-str-security-admins to manage vaults in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage keys in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage secret-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage logging-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage serviceconnectors in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage streams in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage ons-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage functions-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage waas-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage security-zone in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage orm-stacks in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage orm-jobs in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage vss-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to read work-requests in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage bastion-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to read instance-agent-plugins in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage cloudevents-rules in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage alarms in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage metrics in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to use key-delegate in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to read virtual-network-family in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to use subnets in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to use network-security-groups in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to use vnics in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to manage private-ips in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'",
+ "allow group grp-str-security-admins to read keys in compartment cmp-landingzone-p:cmp-lzp-security where request.region='str'"
+ ]
+ },
+ "PCY-LZP-PROJECTS-COMMON-NETWORK": {
+ "name": "pcy-lzp-p-projects-common-network",
+ "description": "Open LZ policy which allows the different production projects groups to access common networking resources in the Prod. Network.",
+ "compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "statements": [
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to read virtual-network-family in compartment cmp-lzp-prod:cmp-lzp-p-network where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to use subnets in compartment cmp-lzp-prod:cmp-lzp-p-network where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to use network-security-groups in compartment cmp-lzp-prod:cmp-lzp-p-network where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to use vnics in compartment cmp-lzp-prod:cmp-lzp-p-network where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to manage private-ips in compartment cmp-lzp-prod:cmp-lzp-p-network where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins,grp-str-lzp-p-proj1-db-admins to use load-balancers in compartment cmp-lzp-prod:cmp-lzp-p-networ where request.region='str'"
+ ]
+ },
+ "PCY-LZP-P-PROJ1-APP-ADMINISTRATORS-POLICY": {
+ "name": "pcy-lzp-p-proj1-app-administration",
+ "description": "Open LZ policy which allows the grp-str-lzp-p-proj1-app-admins group users to manage applications in the PROD/PROJ1/APP application compartment.",
+ "compartment_id": "CMP-LZP-P-PROJECTS-KEY",
+ "statements": [
+ "allow group grp-str-lzp-p-proj1-app-admins to use cloud-shell in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to read all-resources in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to use network-security-groups in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage functions-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage api-gateway-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage ons-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage streams in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage cluster-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage alarms in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage metrics in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage logging-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage instance-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage volume-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'} where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage object-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'} where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage file-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'} where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage repos in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage orm-stacks in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage orm-jobs in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage orm-config-source-providers in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to read audit-events in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to read work-requests in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage bastion-session in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage cloudevents-rules in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to read instance-agent-plugins in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage keys in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to use key-delegate in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to manage secret-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-app-admins to read repos in compartment cmp-lzp-p-proj1 where request.region='str'"
+ ]
+ },
+ "PCY-LZP-P-PROJ1-DB-ADMINISTRATORS-POLICY": {
+ "name": "pcy-lzp-p-proj1-db-administration",
+ "description": "Open LZ policy which allows the grp-str-lzp-p-proj1-db-admins group users to manage databases in the OE1/PROD/DEPTA/PROJ1 database compartment.",
+ "compartment_id": "CMP-LZP-P-PROJECTS-KEY",
+ "statements": [
+ "allow group grp-str-lzp-p-proj1-db-admins to use cloud-shell in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to read all-resources in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to use network-security-groups in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage database-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage autonomous-database-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage ons-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage alarms in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage metrics in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage logging-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage instance-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage volume-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.region='str', request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_DELETE', request.permission != 'BOOT_VOLUME_BACKUP_DELETE'}",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage object-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.region='str', request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage file-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where all{request.region='str', request.permission != 'FILE_SYSTEM_DELETE', request.permission != 'MOUNT_TARGET_DELETE', request.permission != 'EXPORT_SET_DELETE', request.permission != 'FILE_SYSTEM_DELETE_SNAPSHOT', request.permission != 'FILE_SYSTEM_NFSv3_UNEXPORT'}",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage orm-stacks in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage orm-jobs in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage orm-config-source-providers in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to read audit-events in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to read work-requests in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage bastion-session in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage data-safe-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage cloudevents-rules in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to read instance-agent-plugins in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to use vnics in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage keys in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to use key-delegate in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'",
+ "allow group grp-str-lzp-p-proj1-db-admins to manage secret-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-db where request.region='str'"
+ ]
+ }
+ }
+ }
+}
diff --git a/addons/oci-sovereign-controls/implementation.md b/addons/oci-sovereign-controls/implementation.md
new file mode 100644
index 00000000..a835a360
--- /dev/null
+++ b/addons/oci-sovereign-controls/implementation.md
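Review bot: The three pcy-lzp-p-proj1-app-administration statements for volume-family, object-family and file-family end in two `where` clauses (`... where all{request.permission != ...} where request.region='str'`), which OCI policy syntax does not accept (one `where` per statement), so the whole app-admin policy is likely to be rejected on apply and the group left with no permissions; fold the region into the condition exactly as the db-admin and security-admin statements already do, e.g. `... manage object-family in compartment cmp-lzp-p-proj1:cmp-lzp-p-proj1-app where all{request.region='str', request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}`. The last pcy-network-administration statement, `manage orm-config-source-providers in compartment cmp-landingzone-p:cmp-lzp-network `, is the only group statement in the file without `where request.region='str'`, so network admins could create configuration source providers (which hold SCM credentials) in any subscribed region; append the condition like its siblings. In pcy-services the key-use grant names `Fssoc1Prod` and `objectstorage-eu-frankfurt-1`, which look like the commercial-realm Frankfurt-1 service principals, while implementation.md in this same change targets `eu-frankfurt-2` in the sovereign realm; confirm and use the realm- and region-specific principal names, otherwise File Storage and Object Storage in the target region cannot use the vault keys. Also `cmp-lzp-prod:cmp-lzp-p-networ` in the last common-network statement drops the trailing `k`, `grp-str-lzp-p-proj1-infra-admins` is defined but referenced by no policy, and `"enable_cis_benchmark_checks": "false"` should either be justified in the docs or set to `true` for a sovereign baseline.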
@@ -0,0 +1,68 @@
+# Sovereign Controls Implementation
+
+## Table of contents
+- [Summary](#summary)
+- [1. Groups](#1-groups)
+- [2. Policies](#2-policies)
+- [3. Quota Policies](#3-quota-policies)
+- [4. Security Zones](#3-security-zones)
+
+## Summary
+This guide covers the implementation of the principles outlined in the [Sovereign Controls add-on](./readme.md) document. As an example, we are going to implement restrictions for a German customer using EU Sovereign Cloud who wants to restrict data to the `eu-frankfurt-2` region. However, configuration files can be modified to specifically fit the sovereign requirements of any customer.
+
+## Requirements
+Sovereign add-ons can be configured on top of any [OCI landing zone model](https://blogs.oracle.com/cloud-infrastructure/post/new-standardized-oci-landing-zones-framework). In this example, the Sovereign Landing Zone is built on top of the One-OE Landing Zone.[One-OE](../../blueprints/one-oe/) is a single operating-entity landing zone utilizing Oracle best practices for deployments in commercial regions. The Sovereign Landing Zone takes One-OE a step further and modifies it to meet the requirements of customers for sovereign regulations, either in EU Sovereign Cloud regions or any other OCI deployment models.
+
+## IAM Layer
+You can find configuration examples for groups, policies, and quotas in [identity.auto.tfvars.json](./identity_svrgn.auto.tfvars.json) file.
+
+## 1. Groups
+If a certain user group needs to be restricted to provisioning resources in a specific region, it's recommended to create a region-specific group. As IAM groups are global resources, we denote the region specificity using a naming convention, e.g., `grp-${region}-security-admins`. You can see an example configuration in the [identity.auto.tfvars.json](./identity.auto.tfvars.json) file, section `groups_configuration`. These groups can either extend the default groups provided by a landing zone or replace them if only a specific region is required.
+
+> [!WARNING]
+> Groups and policies controlling access permissions to IAM need to be always applied in the [Home Region](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingregions.htm#The) otherwise they have no effect.
+
+## 2. Policies
+Policies are applied to region-specific groups created in the previous step. All policies in the Sovereign Landing Zone add-on use the same permissions as in [One-OE](../../blueprints/one-oe) LZ, but with the addition of a condition to limit the permission to a specific region e.g.
+```
+Allow group grp-str-security-admins to manage all-resources in tenancy where request.region = 'str'
+```
+
+## 3. Quota Policies
+Use Quota Policies in Oracle Cloud Infrastructure to control resource creation based on a region within compartments/tenancy. Quota Policies limit the number of resources that can be created in a Compartment/Tenancy based on the region. In this example, the customer wants to ensure there is no quota available in the regions other than `eu-frankfurt-2` region.
+```
+zero compute-core quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero database quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero vcn quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero filesystem quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero object-storage quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+```
+
+> [!NOTE]
+> The provided list of Quota Policies is not exhaustive and includes only the most common services used for storing data. See [Available Quota by Service](https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas_topic-Available_Quotas_by_Service.htm) for a full list.
+
+Additionally for a multi-tenancy set-up [Governance Rules](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm#governance_rules) in Organizations service can be used to impose restriction on Child Tenancy
+
+## Security Layer
+
+You can find configuration examples for security zones in [security.auto.tfvars.json](./security_svrgn.auto.tfvars.json) file.
+
+## 4. Security Zones
+OCI Sovereign Landing Zone proposes a strong security posture using all OCI capabilities, including Security Zones. Security Zones apply a security strategy to OCI cloud compartments and prevent actions that could undermine customers’ security posture. Security Zones policies can be applied to various types of cloud infrastructure (network, compute, storage, databases, etc.) to ensure the security of cloud resources and prevent security misconfigurations. Users determine which policies are appropriate for their needs by defining custom policy sets for each security zone.
+
+The Sovereign Landing Zone implements the same configuration outlined in the [One-OE blueprint](https://github.com/oci-landing-zones/oci-landing-zone-operating-entities/tree/master/blueprints/one-oe/design). It includes five recipes that serve as examples of best practices. Security zones are defined using policy OCIDs, which are tied to specific realms. For sovereign realms, you must use the appropriate OCID, as the generic configuration is not valid. Refer to the provided example for the correct configuration.
+```
+"SZ-RCP-LZP-03-SHARED-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-03-shared-network",
+ "description": "Recipe 03 Shared Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq"
+
+ ]
+ },
+```
diff --git a/addons/oci-sovereign-controls/readme.md b/addons/oci-sovereign-controls/readme.md
new file mode 100644
index 00000000..7b15f976
--- /dev/null
+++ b/addons/oci-sovereign-controls/readme.md
@@ -0,0 +1,199 @@
+# Sovereign Controls
+
+## Table of contents
+ - [Summary](#summary)
+ - [Principle 1. Location](#principle-1-location)
+ - [Policies](#policies)
+ - [Quota Policies](#quota-policies)
+ - [Principle 2. Isolation](#principle-2-isolation)
+ - [Principle 3. Access Management](#principle-3-access-management)
+ - [IAM](#iam)
+ - [Audit Service logs](#audit-service-logs)
+ - [Cloud Guard and Security Zones](#cloud-guard-and-security-zones)
+ - [Vulnerability scanning](#vulnerability-scanning)
+ - [Principle 4. Encryption](#principle-4-encryption)
+ - [Vaults and key management](#vaults-and-key-management)
+
+## Summary
+A Sovereign Landing Zone (SLZ) is a specialized cloud environment tailored to meet strict data sovereignty, compliance, and security requirements, often mandated by government regulations or specific organizational policies. While all OCI landing zones are designed with enhanced security features, the Sovereign Landing Zone model is specifically recommended for organizations or government entities handling sensitive or regulated data. This model includes additional Sovereign Controls that ensure data remains within specified geographic or jurisdictional boundaries, reinforcing compliance with local data residency laws and regulations.
+
+To configure a Sovereign Landing Zone, this section outlines four key Sovereign principles: Location, Isolation, Access Management, and Encryption. For more in-depth information on these topics, we also recommend reviewing the [Oracle Cloud Infrastructure Sovereign Cloud Principles](https://docs.oracle.com/en-us/iaas/Content/Resources/Assets/whitepapers/oracle-sovereign-cloud-principles.pdf).
+
+Additionally, we provide a [Sovereign implementation guide](./implementation.md) that outlines the steps to extend any existing OCI Landing Zone with the Sovereign Controls add-on. To illustrate the concepts of a Sovereign Landing Zone, we will use a German customer as an example for implementing Sovereign Controls. However, these principles can be applied by any customer to comply with local regulations.
+
+## Principle 1. Location
+
+[OCI realms](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm) are physical boundaries of a cloud offering, accompanied by potentially different operations teams and possibly part of different Oracle legal entities, depending on the offering. Realms consist of multiple regions, dedicated networking, and a control plane, resulting in complete isolation between realms. Regions within a realm are located in multiple physical locations. Each region has one or more availability domains (ADs). An AD is bound to a specific data center. When a customer subscribes to OCI Cloud, a new [tenancy](https://docs.oracle.com/en/cloud/foundation/cloud_architecture/governance/tenancy.html) is created in a contractually agreed realm. A tenant is a logical boundary, creating an isolated environment for each customer. By default, a tenant is subscribed only to the [Home Region](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingregions.htm); however, with the required policies, the tenancy can subscribe to all available regions within the realm (subject to service limits). Location can be controlled using the Sovereign Landing Zone with policies outlined below. In our example of a German customer mandated to keep data within the EU Sovereign Cloud (eu-frankfurt-2 region), they can limit their tenancy’s data locations to this region and prevent storing data in any other region.
+
+Oracle Cloud has a set of different cloud deployment capabilities such as [Public Cloud](https://www.oracle.com/cloud/public-cloud-regions/), [Oracle Alloy](https://www.oracle.com/cloud/alloy/), [EU Sovereign Cloud](https://www.oracle.com/cloud/eu-sovereign-cloud/), [OCI Dedicated Region](https://www.oracle.com/cloud/cloud-at-customer/dedicated-region/). Each of these are located in their own realm.
+
+A Tenancy consists of one or more [Compartments](https://docs.oracle.com/en/cloud/foundation/cloud_architecture/governance/compartments.html). Compartments are used for logical separation of resources within a tenancy. Compartments can be nested and hold resources and permission assignments. To control access rights [policies](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm) are used to bind permissions to a specific user group.
+
+Within a realm, policies and quotas can be utilized to limit resource usage in other OCI regions. Oracle Cloud offers a diverse range of services to support various needs, including compute, storage, database, and artificial intelligence services. This principle ensures that these services are used responsibly and within established regions.
+
+### Policies
+Policies can be used to restrict permissions to a specific region by limiting access to resources in other regions. Here's an example of a limit policy for the eu-frankfurt-2 (for short, STR) region, which is the OCI EU Sovereign Cloud Germany Central region.
+```
+Allow group str-admins to manage all-resources in tenancy where request.region = 'str'
+```
+A policy limit like this can be applied to any required policy. Note that IAM-related permissions always need to be assigned in the Home Region. If it’s necessary to manage multiple segregated locations with different regulations, it’s recommended to consider using a child tenancy to set up different boundaries.
+
+### Quota Policies
+Use Quota Policies in Oracle Cloud Infrastructure to control resource consumption and creation based on a region within Compartments or Tenancy. Quota Policies limit the number of resources that can be created in a Compartment or Tenancy based on the region. In this example, the customer wants to ensure there is no quota available in regions other than the eu-frankfurt-2 (STR for short) region.
+```
+zero compute-core quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero database quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero vcn quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero filesystem quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+zero object-storage quota /*/ in tenancy where request.region != 'eu-frankfurt-2'
+```
+The provided list of Quota Policies is not exhaustive and includes only the most common services used for storing data. See [Available Quota by Service](https://docs.oracle.com/en-us/iaas/Content/Quotas/Concepts/resourcequotas_topic-Available_Quotas_by_Service.htm) for a full list.
+
+Additionally, for a multi-tenancy setup, the [Governance Rules](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/organization_management_overview.htm#governance_rules) in the Organizations service can be used to impose restrictions on child tenancies.
+
+
+
+
+
+
+## Principle 2. Isolation
+Oracle Cloud offering is, at a high level segregated into two components: the Control Plane and the Data Plane. The Control Plane is managed by Oracle and is used for managing and orchestrating underlying infrastructure using Console or APIs. The Control Plane ensures logical separation between different customers. The Data Plane results from user configuration of services in the Control Plane and defines virtual resources like Networking, Databases, and Compute instances.
+
+An organization should have the assurance that its data remains in the physical and logical environments that it has selected.
+
+We can identify different levels of **isolation**: physical isolation, logical isolation, and network isolation.
+
+* **Physical isolation** can be achieved using various dedicated cloud deployment options such as Dedicated Regions (DRCC), Isolated Regions (for mission-critical or classified workloads), and Alloy (for partners building their own cloud solutions). Physical isolation applies to both the Data and Control Planes. Additionally, within a region, customers can further isolate their resources from one another:
+- One region is made up of 1 to 3 Availability Domains. Availability Domains are isolated from each other, fault-tolerant, and very unlikely to fail simultaneously. Because Availability Domains do not share infrastructure such as power, cooling, or the internal Availability Domain network, a failure in one Availability Domain within a region is unlikely to impact the availability of the others within the same region.
+- Each Availability Domain consists of 3 Fault Domains. A Fault Domain is a grouping of hardware within an Availability Domain. Fault Domains provide anti-affinity: they let you distribute your instances so that the instances are not on the same physical hardware within a single Availability Domain. A hardware failure or compute hardware maintenance event that affects one Fault Domain does not affect instances in other Fault Domains.
+
+* **Logical isolation** each customer gets their own dedicated Data Plane, which can be further separated using Compartments and Tenancies.
+
+* **Network isolation** can be achieved by following best practices in network infrastructure, such as using a hub-and-spoke model. Customer networking is done in the Data Plane with the option to define required networking gateways like Internet Gateway and NAT Gateway. Once you have chosen your network layout and gateways, you can deploy firewalls to segregate the network. See [Hub models](../addons/oci-hub-models) for reference. By default, to respect the "Sovereignty by design" approach, there are no networking gateways configured at all in your new tenant. Some customers with strong isolation requirements only connect their cloud tenant to their internal data center using FastConnect.
+
+In the example of a German customer, they use the OCI Console as a way to access the control plane. They deploy their resources in the eu-frankfurt-2 (STR) region, inside 1 Availability Domain, but spread applications across 3 Fault Domains. The Data Plane is further segregated using Compartments. The network is fully internal, with only RFC 1918 IP addresses routable. There's no access to the Internet (no NAT or Internet Gateway is deployed). FastConnect is used to connect from on-premises to the OCI Data Plane.
+
+Sovereign Landing Zone addresses all three types of isolation, meeting any customer requirements.
+
+The following diagram illustrates different options for logical isolation, enabled through compartment structures or a multi-tenancy approach.
+
+
+
+Customers access cloud resources and services through their cloud tenancy. A cloud tenancy is a secure and isolated partition of OCI, and it exists only in a single realm. Within the tenancy, customers can access services and deploy workloads across all regions within that realm by default. However, you can set up policies to restrict access. Customers can only access regions within the realm of their tenancy.
+
+OCI provides this technical assurance by grouping regions and then separating these groups of regions through strict geographic segmentation and physical and logical network isolation. OCI has multiple realms, including a commercial public cloud realm, an EU Sovereign Cloud realm, and multiple government cloud realms for the US, UK, and Australia. Dedicated Region, Isolated Region, and Alloy deployment are also contained within their own separate realm.
+
+## Principle 3. Access Management
+Organizations can use the following core OCI services to implement a comprehensive approach to access management:
+- **Identity and Access Management (IAM)** - provides centralized access control and identity management.
+- **Audit service logs** - provide visibility into all actions performed in the cloud.
+- **Cloud Guard and Security Zones** - work together to define and enforce security policies and take corrective action when issues are detected.
+- **Vulnerability scanning**.
+
+The OCI Sovereign Landing Zone meets the security guidelines outlined in the CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0. For more details on the certification, visit [CIS Security](https://www.cisecurity.org/benchmark/oracle_cloud).
+
+### IAM
+Identity and Access Management in OCI is controlled by:
+- **Compartments** are logical separations of resources and can be nested.
+- **Groups** are collections of users within the Identity Domain.
+- **Policies** bind permissions to a group in a specific compartment.
+
++
+
+
+These resources are key building blocks in the Sovereign Landing Zone. The Sovereign Landing Zone has been designed with CIS Benchmarks as a guiding principle and is compliant with Level 1 CIS Benchmarks out of the box.
+
+OCI IAM, by default, enforces MFA for local accounts. If Identity Federation is used, we instead rely on an external Identity Provider to ensure the user has been properly authenticated using MFA.
+
+In the Sovereign Landing Zone, we include concepts such as Segregation of Duties and Isolation of Resources. These [security controls](https://github.com/oracle-quickstart/terraform-oci-open-lz/tree/master/one-oe/design#12-vision) allow customers to start a cloud journey with a set of best practices that can be deployed within a few minutes.
+
+### Audit Service logs
+For different legal regulations, it might be required to keep access logs for a certain period of time. The Sovereign Landing Zone, out of the box, sets up an empty bucket for storing logs. This bucket can be additionally configured with [Data Retention Rules](https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/usingretentionrules.htm), which can be modified to a specific period as required. Data Retention Rules provide attestation that files haven't been modified since creation and prevent their removal until the retention period expires. This means that even an attacker who gains Administrator rights wouldn't be able to tamper with the logs for the duration of the retention period.
+
+For pricing information about Object Storage see [Object Storage Pricing](https://www.oracle.com/cloud/storage/pricing/).
+
+### Cloud Guard and Security Zones
+Cloud Guard is a security posture management service. It allows you to set up preemptive and remedial actions if security policies are violated. The Sovereign Landing Zone comes with a pre-configured Cloud Guard for common rules and implements Security Zones to enforce parts of the CIS security controls.
+
+The following [recipes](./recipes.md) are part of the Sovereign Landing Zone and can be used in Security Zones.
+
+### Vulnerability scanning
+Oracle Cloud Infrastructure Vulnerability Scanning Service gives teams the confidence that all instances on OCI have the latest security patches. Combined with Oracle Cloud Guard, operations teams gain a unified view of all instances to quickly remediate any open ports or patch unsafe packages discovered by the Vulnerability Scanning Service.
+
+Vulnerability scanning fully supports Oracle Linux, CentOS, and Ubuntu, with partial support for Windows. In the case of a large number of Windows instances, it's recommended to use an additional endpoint security solution. Vulnerability scanning uses NVD, OVAL, and CIS as sources for common vulnerabilities. It's not recommended to use Vulnerability Scanning in Virtual Machine DB Systems, as they are closely monitored by other services, which contain custom patches for high performance and availability. Instead, follow [Updating DB Systems](https://docs.oracle.com/iaas/dbcs/doc/update-db-system.html) guide.
+
+The vulnerability scanning service is deployed in the Sovereign Landing zone without requiring any further modifications.
+
+## Principle 4. Encryption
+In OCI, data encryption is applied at all stages of the data lifecycle - at rest, in transit, and in use.
+
+**Data at rest**: Data encryption at rest in OCI is enabled by default across all storage services, including block, object, and file storage, as well as Oracle's platform services. This automatic process ensures data encryption without requiring user intervention. Then Oracle provides customers with complete freedom of choice for key management:
+- for customers who don't want to deal with a key management process, Oracle completely manages the encryption keys, simplifying security for users.
+- for enhanced control and to meet stricter regulatory requirements, customers can entirely manage keys and their lifecycle, and choose where keys are stored, you can refer to the next paragraph for the details.
+
+**Data in transit**: All control plane data in transit is encrypted using Transport Layer Security (TLS) 1.2 or later, ensuring that data transmitted across the network is securely encrypted and never sent in plaintext. Additionally, all data transmitted between availability domains and regions within OCI is protected using MACsec.
+Customers utilizing FastConnect for private connections between their on-premises data centers and OCI can also enable MACsec encryption to secure this traffic.
+While Oracle manages in-transit encryption for control plane components, customers are responsible for implementing encryption for any in-transit data associated with their custom components or applications.
+
+**Data in use**: OCI's confidential computing ensures that data remains encrypted during processing. It encrypts and isolates in-use data and the applications processing that data at the hardware level.
+A confidential instance is a compute virtual machine (VM) or bare metal instance where both the data and the application processing the data are encrypted and isolated upon processing. It prevents unauthorized access or modification of either the data or the application, during processing.
+
+
+
+### Vaults and key management
+In this section, we will explore encryption keys, focusing on who manages the encryption keys you use in the cloud and where these keys are stored.
+
+Oracle Cloud Infrastructure (OCI) offers key management options in the following categories:
+
+* **Oracle-Managed Encryption**: In this model, Oracle manages the encryption keys on your behalf, allowing you to focus on managing your applications.
+* **Customer-Managed Encryption**: This approach gives you full control over managing encryption keys and the Hardware Security Modules (HSMs) that securely store these keys.
+
+OCI Key Management Service (KMS) offers the following levels of key storage options:
+
+**1. Internal Key Storage Options**:
+
+**1.1 Virtual Vault**: Virtual Vault is a multi-tenant encryption service where your keys are stored in HSM partitions shared with other customers. It is the default encryption service in Vault.
+
+**1.2 Virtual Private Vault**: Private Vault is a single-tenant encryption service that stores keys in a private HSM partition with isolated cores specifically for your tenancy.
+
+Both Vault options (Virtual Vault and Virtual Private Vault) allow you to create encryption keys stored in one of the following ways:
+ * **Software-Protected**: Cryptographic operations and key storage occur on a bare metal server, with keys secured at rest using a root key from the HSM.
+ * **HSM-Protected**: All cryptographic operations and key storage are performed within the HSM.
+
+**1.3 Dedicated KMS**: Dedicated KMS provides a single-tenant HSM partition as a service, offering a fully isolated environment for key storage and management. The main distinction from Private Vault is the level of control over the HSM partitions.
+
+**2. External Key Storage Options**: OCI External KMS allows you to use your own third-party key management system to protect data in OCI services. You retain control over the keys and HSMs outside of OCI, managing their administration and security. Master Encryption Keys (MEKs) are always stored outside of OCI. EKMS provides a separation between key management and encrypted resources in OCI. For more information, visit: [Oracle Sovereign Cloud Solutions - OCI External KMS](https://blogs.oracle.com/cloud-infrastructure/post/oracle-sovereign-cloud-solutions-oci-external-kms)
+
+For more information, please refer to the [OCI Vault FAQ](https://www.oracle.com/security/cloud-security/key-management/faq/) and [Key Management Pricelist](https://www.oracle.com/security/cloud-security/pricing/#key-management)
+
+From a sovereignty point of view, it is recommended to have customer-managed keys stored on an external key storage. In order not to incur any cost. The Sovereign Landing Zone uses the **Virtual Vault: customer-managed software encryption keys** option, but we do recommend you consider options with HSM storage or external key storage based on the regulation requirements.
+
+
+
++ OCI's Key Management Offerings
+
++
+
+
+
+
+**Data in Use: Confidential Computing**: In a very strict environment requiring only confidential compute shapes, confidential computing can be enforced using quotas.
+
+```
+zero standard1-core-count quotas in tenancy where request.region != 'eu-frankfurt-2'
+set compute-core quota standard-e4-core-count to 480 in tenancy where request.region != 'eu-frankfurt-2'
+set compute-core quota standard-e3-core-ad-count to 480 in tenancy where request.region != 'eu-frankfurt-2'
+```
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE.txt) for more details.
diff --git a/addons/oci-sovereign-controls/recipes.md b/addons/oci-sovereign-controls/recipes.md
new file mode 100644
index 00000000..64c90c04
--- /dev/null
+++ b/addons/oci-sovereign-controls/recipes.md
@@ -0,0 +1,83 @@
+# Cloud Guard Recipes
+
+**RECIPE 1**
+
+| category | description |
+| ------------------ | ------------------------------------------------------------------------------------------------ |
+| Deny Public Access | Object Storage buckets in a security zone can't be public. |
+| Deny Public Access | Databases in a security zone can't be assigned to public subnets. They must use private subnets. |
+
+
+**RECIPE 2**
+| category | description |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Include | RECIPE 1 Statements |
+| Require Encryption | Block volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
+| Require Encryption | Boot volumes in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
+| Require Encryption | Object Storage buckets in a security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
+| Require Encryption | File systems in the security zone must use a customer-managed master encryption key in the Vault service. They can't use the default encryption key managed by Oracle. |
+
+
+**RECIPE 3**
+| category | description |
+| ------------------------------ | -------------------------------------------------------------------------------------------------- |
+| Include | RECIPE 1 Statements |
+| Include | RECIPE 2 Statements |
+| Restrict Resource Modification | You can't delete a VCN in the security zone. |
+| Restrict Resource Modification | You can't delete VCN security list in the security zone. |
+| Restrict Resource Modification | You can't delete a VCN network security group in the security zone. |
+| Restrict Resource Movement | You can't move a subnet in a security zone to a compartment that is not in the same security zone. |
+
+
+**RECIPE 4**
+
+| category | description |
+| ------------------ | ----------------------------------------------------------------------------- |
+| Include | RECIPE 1 Statements |
+| Include | RECIPE 2 Statements |
+| Include | RECIPE 3 Statements |
+| Deny Public Access | Subnets in a security zone can't be public. All subnets must be private. |
+| Deny Public Access | You can't add an internet gateway to a VCN within the security zone. |
+| Deny Public Access | Load balancers in a security zone can't be public. All load balancers must be | private. |
+| Deny Public Access | Deny public network access in cloud shell. |
+
+
+**RECIPE 5**
+
+| category | description |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| Include | RECIPE 1 Statements |
+| Include | RECIPE 2 Statements |
+| Include | RECIPE 3 Statements |
+| Include | RECIPE 4 Statements |
+| Restrict Resource Association | You can't attach a block storage volume in a security zone to a compute instance that isn't in the same security zone. |
+| Restrict Resource Association | You can't attach a block storage volume to a compute instance in a security zone if the volume isn't in the same security zone. |
+| Restrict Resource Association | You can't attach a boot volume in a security zone to a compute instance that isn't in the same security zone. |
+| Restrict Resource Association | You can't attach a boot volume to a compute instance in a security zone if the volume isn't in the same security zone. |
+| Restrict Resource Association | You can't launch a compute instance in a security zone if its boot volume isn't in the same security zone. |
+| Restrict Resource Association | You can't launch a compute instance using a boot volume in a security zone if the instance isn't in the same security zone. |
+| Restrict Resource Association | You can't move a block volume to a security zone if it's attached to a compute instance that isn't in the same security zone. |
+| Restrict Resource Association | You can't move a boot volume to a security zone if it's attached to a compute instance that isn't in the same security zone. |
+| Restrict Resource Association | You can't export a file system in the security zone through a mount target that isn't in the same security zone. |
+| Restrict Resource Association | You can't export a file system through a mount target in a security zone if the file system isn't in the same security zone. |
+| Restrict Resource Association | You can't create a mount target that uses a subnet in a security zone if the mount target isn't in the same security zone. |
+| Restrict Resource Movement | You can't move a compute instance in a security zone to a compartment that is not in the same security zone. |
+| Restrict Resource Movement | You can't move a compute instance to a security zone from a compartment that is not in the same security zone. |
+| Restrict Resource Movement | You can't move a block volume in a security zone to a compartment that is not in the same security zone. |
+| Restrict Resource Movement | You can't move a boot volume in a security zone to a compartment that is not in the same security zone. |
+| Restrict Resource Movement | You can't move a bucket from a security zone to a standard compartment. |
+| Restrict Resource Movement | You can't move a database from a security zone to a standard compartment. |
+| Restrict Resource Movement | You can't move a database from a standard compartment to a security zone if its Data Guard association isn't in a security zone. |
+| Restrict Resource Movement | You can't move a file system in the security zone to a compartment that is not in the same security zone. |
+| Restrict Resource Movement | You can't move a mount target in the security zone to a compartment that is not in the same security zone. |
+
+
+
+
+# License
+
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](/LICENSE.txt) for more details.
diff --git a/addons/oci-sovereign-controls/security.auto.tfvars.json b/addons/oci-sovereign-controls/security.auto.tfvars.json
new file mode 100644
index 00000000..c0715f33
--- /dev/null
+++ b/addons/oci-sovereign-controls/security.auto.tfvars.json
@@ -0,0 +1,163 @@
+{
+ "cloud_guard_configuration": {
+ "enable_cloud_guard": "true",
+ "tenancy_id": "TENANCY-ROOT",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_id": "TENANCY-ROOT",
+ "name_prefix": null,
+ "self_manage_resources": "false",
+ "target_resource_name": null,
+ "target_resource_type": "COMPARTMENT",
+ "enable_cloned_recipes": "false",
+ "configuration_detector_recipe_name": null,
+ "activity_detector_recipe_name": null,
+ "threat_detector_recipe_name": null,
+ "responder_recipe_name": null,
+ "targets": {
+ "CG-TGT-ROOT-KEY": {
+ "name": "cg-tgt-root",
+ "compartment_id": "TENANCY-ROOT",
+ "target_resource_type": "COMPARTMENT",
+ "resource_id": "TENANCY-ROOT",
+ "use_cloned_recipes": "false"
+ }
+ }
+ },
+ "security_zones_configuration": {
+ "tenancy_ocid": "TENANCY-ROOT",
+ "recipes": {
+ "SZ-RCP-LZP-01-CIS-LVL-1-KEY": {
+ "name": "sz-rcp-lzp-01-CIS-Level-1",
+ "description": "Recipe 01 CIS Level 1",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "1"
+ },
+ "SZ-RCP-LZP-02-CIS-LVL-2-KEY": {
+ "name": "sz-rcp-lzp-02-CIS-Level-2",
+ "description": "Recipe 02 CIS Level 2",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2"
+ },
+ "SZ-RCP-LZP-03-SHARED-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-03-shared-network",
+ "description": "Recipe 03 Shared Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq"
+ ]
+ },
+ "SZ-RCP-LZP-04-ENV-NETWORK-KEY": {
+ "name": "sz-rcp-lzp-04-environment-network",
+ "description": "Recipe 04 Environment Network",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq"
+ ]
+ },
+ "SZ-RCP-LZP-05-WORKLOADS-KEY": {
+ "name": "sz-rcp-lzp-05-workloads",
+ "description": "Recipe 05 Workloads",
+ "compartment_id": "CMP-LZP-SECURITY-KEY",
+ "cis_level": "2",
+ "security_policies_ocids": [
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaavolswrbfqy6qn2qe7zek2dumml6pbmyzv47q6jfwdatrywmqumba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaayxn5ccbavcx5w35uoozguju5zlovvtbnuvnrduxpdp3vsho33lba",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaazlzn66zeazf5npw46qah3wlqpfrugv7w4tjbomit2msr43stidga",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaw6v2nz4unovq3joqk6pguxpaqriws2vzd7gvpldgai47tl72wseq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaak5wxfr2r6kxmtd6bq6hqhyywfkj6pcnl74g3iui6qnlq7rof4ezq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaabs6kboflsfan2lihfnodhbeb75r4nxiolhlobvj6vqclx6j5yyha",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa6j7b5bf3ytsno7a45r7xupqt2q342q2hlecnf7fgqpkq67stakda",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaamewv6k5a7cik6ds6m6bsijwkiixpfzgsqzvrjlns5pxg6lslrzgq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaf45c2imtiuyxbccuwrh3s7is5lokpx5ksr4heu46c6mz6k35dsqa",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa5qtljtbaeacnhfhr7hfs5nd3jp6jin6grbdgf6izkf4ukxmatjpa",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa6oycc62uuvpi6oddkzku6x2vzhraud7ynkbdeols5i4khwroklva",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaauvfkentmqda6mq7lxekkstjpe7kwgmrpkadzt7krhrt66tliourq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa544n6cyqrq6tato53ohh7vcz523af5dtuz6x54efhs6mb7bcw54a",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaay32fadjsdgsytdpyn4busugqftko2shttseljqbagapngiatxepa",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaqlpaf5tc3xfqdzdw2rtx7hk4ifywzml3eh3upspeh4s6x4epaskq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaxou4266jlusvklor34czqvloa64k5dsok5cejug2bxi2jvqy32zq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaak2x2aomzhqoeg2bf4zgqyr3bg2ppsfhupn2xvu66zpuz7kbvae5a",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaauah5cz3vxzpdvw4uz32hcgcmhogvuhacgyc7z3al42tfjey46eea",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaawebiliesbgzdguac5m5u332oj66afaab6ruovydpsdoexloguweq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaa2lfkaypfwyykhbz65zlgc4lvypl64axzhnsqmegllgiyxbweruya",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaah3k66efqfgo5ccjgvtkwbfpzj5yjajmw7vt5eub6ma4jp6su55zq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaajscm24dhll5wk65k6q4mmkopiykpqrumtururitjaxk3j4ibe3ua",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaol3pxbbikegih24c7l4um7wqeeun2dpkvgm3izz5syf755xfscgq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaawol5fz6qkrkxm5ui7n3car44e5wbs54thnku2hjxwaedi5ee6htq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaaegi6cweu5jqwipqhj5quz4pebfd76djed4lfogslzuawqavkrsjq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaarkvvuzwtc6xwwr57zg6fymgkco3lbt35c7r4lnahw4ab5i3vkbrq",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaauhuzsidaju3mwy3llsetvm3dlc6ftel65ielfu7h4hg6q2cfsrxa",
+ "ocid1.securityzonessecuritypolicy.oc19..aaaaaaaawec56szedvf6hogbbnu7cxywm4xkmta53wuo7lenceiqyr4bx5hq"
+ ]
+ }
+ },
+ "security_zones": {
+ "SZ-TGT-LZP-CISL2-KEY": {
+ "name": "sz-tgt-lzp-cisl2",
+ "compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "recipe_key": "SZ-RCP-LZP-02-CIS-LVL-2-KEY"
+ }
+ }
+ },
+ "scanning_configuration": {
+ "default_compartment_id": "CMP-LZP-SECURITY-KEY",
+ "host_recipes": {
+ "VSS-RECH-LZP-KEY": {
+ "name": "vss-rech-lzp",
+ "port_scan_level": "STANDARD",
+ "schedule_settings": {
+ "type": "WEEKLY",
+ "day_of_week": "SUNDAY"
+ },
+ "agent_settings": {
+ "scan_level": "STANDARD",
+ "vendor": "OCI",
+ "cis_benchmark_scan_level": "STRICT"
+ },
+ "file_scan_settings": {
+ "enable": true,
+ "scan_recurrence": "FREQ=WEEKLY;INTERVAL=2;WKST=SU",
+ "folders_to_scan": ["/"],
+ "operating_system": "LINUX"
+ }
+ }
+ },
+ "host_targets": {
+ "VSS-TGT-LZP-KEY": {
+ "name": "vss-tgt-lzp",
+ "target_compartment_id": "CMP-LANDINGZONE-P-KEY",
+ "host_recipe_id": "VSS-RECH-LZP-KEY"
+ }
+ }
+ },
+ "vaults_configuration": {
+ "default_compartment_id": "CMP-LZP-SECURITY-KEY",
+ "vaults": {
+ "VLT-LZP-SHARED-SECURITY-KEY": {
+ "name": "vlt-lzp-shared-security"
+ }
+ },
+ "keys": {
+ "KEY-LZP-OSS-AUDIT-BKT-KEY": {
+ "name": "key-lzp-oss-audit-bkt",
+ "protection_mode": "SOFTWARE",
+ "vault_key": "VLT-LZP-SHARED-SECURITY-KEY",
+ "service_grantees": ["objectstorage-eu-frankfurt-1"],
+ "group_grantees": ["grp-security-admins"],
+ "versions": ["1","2"]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/addons/readme.md b/addons/readme.md
index ae3b9eb9..48fbfe38 100644
--- a/addons/readme.md
+++ b/addons/readme.md
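Review bot: The grantees of `KEY-LZP-OSS-AUDIT-BKT-KEY` look inconsistent with the rest of this file: every `security_policies_ocids` entry carries the `oc19` realm key, yet the Object Storage service principal is `objectstorage-eu-frankfurt-1`, which appears to be a commercial-realm (oc1) region name, so either Object Storage in a sovereign-realm tenancy will not be able to use this key for the audit bucket, or, if the target is oc1, the hard-coded `oc19` policy OCIDs will not resolve. Please confirm the realm the addon targets and make the service principal `objectstorage-<region>` match the region the audit bucket is created in. `group_grantees` names `grp-security-admins` by display name rather than by a configuration key, so it is only as correct as the group the identity configuration actually creates; worth cross-checking, because a key policy for a non-existent group silently grants nothing and the security admins lose access to the key. Separately, recipes 03, 04 and 05 define long policy lists but only `SZ-RCP-LZP-02-CIS-LVL-2-KEY` is bound to a zone in `security_zones`; if the others are meant as a menu rather than enforced controls, a sentence in the readme saying so would stop operators assuming they are applied. `protection_mode` is `SOFTWARE`; for a sovereign-controls baseline most reviewers will expect an HSM-protected key, so document the choice if it is deliberate.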
@@ -13,8 +13,7 @@ An **add-on** is Landing Zone complementary element, or mechanisms that provide | 1 | **[OCI Learn LZ](/addons/oci-learn-lz/readme.md)**| A Landing Zone **training** to learn how to design and run a Landing Zone without code. | [Available](/addons/oci-learn-lz/readme.md) | | 2 | **[OCI Network Hubs](/addons/oci-hub-models/readme.md)** | A set of **OCI Network Hub topologies** applicable to any landing zone or OCI deployment. | [Available](/addons/oci-hub-models/readme.md) | | 3 | **[Oracle Access Governance](/addons/oci-oag/README.md)** | Guidelines to increase the **security governance** of your Landing Zones with OAG. | [Available](/addons/oci-oag/README.md) | - - +| 4 | **[OCI Sovereign Controls](./oci-sovereign-controls/)** | A set of **OCI Sovereign Controls** applicable to any OCI LZ deployment. | [Available](./oci-sovereign-controls/) |