Release 1.0.2 (#3)

* Initial commit

* Lanz-3565

* optional load balancer

* Add compute instance and cloudinit shell script

* updates to cloudinit.sh

* use compatible compute image for GPU shapes

* schema created

* networking updates

* schema update

* update instance with new marketplace image

* update instance with fault domain

* update default name

* update gpu image and hostname

* LANZ-3568_doco complete

* Corrected a typo in DEPLOYMENT-GUIDE.md

* Release date is To Be Determined

* update type

* fix typo

* LANZ-3568 doco for add-nsg-option

* Update Documentation

* Update Tagging

* Release 1.0.1

* README.md update for Known Issues

* Lanz 3807

* enable boot volume encryption with cis level 2

* Add CIS Level 2 Compliance

* Update Documentation

* fix merge conflicts

---------

Co-authored-by: shelby_willis <shelby.willis@oracle.com>
Co-authored-by: erna_guerrero <erna.guerrero@oracle.com>
Co-authored-by: Gregg MacKeigan <gregg.mackeigan@oracle.com>

Author: 4 people

ai_transaction_monitoring_workload/README.md

@@ -95,14 +95,23 @@ Once you have the data in the right format, you can pass it through the model to
 
 Please see the [Deployment Guide](DEPLOYMENT-GUIDE.md) for instructions on how to set up an OCI tenancy as a prerequisite. See also the details below on making GPU compute capacity available in that tenancy.
 
+Within this module you will find the [examples](../ai_transaction_monitoring_workload/examples) folder. The folder contains an example that is a fully runnable Terraform configuration (without the public load balancer) that you can quickly test and put to use by modifying the input data according to your own needs.
+
+After training your GNN model (like GraphSAGE) on transactional data, during inference, you can input a new transaction (or a batch of transactions) into the model. The model would then analyze the transaction's features (and potentially its connections in the graph, like related transactions or accounts) and output a prediction, such as a score or label that indicates whether the transaction is fraudulent or not.
+
 ### GPU Compute Capacity
 
 Note that to use NVIDIA GPU compute instances in an OCI Availability Domain (AD), a prerequisite is to increase service limit counts for the GPU shape(s) you need to use.  Before attempting to deploy this workload, please **open an OCI service request to make the necessary adjustments** under Tenancy Administration > Limits, Quotas and Usage.
 
-![increased GPU service limts](../images/GPU_svc_lmts.png)
+![increased GPU service limits](../images/GPU_svc_lmts.png)
 
 See [Known Issues](#known-issues) below for more details, including how to accept the "Oracle and Nvidia Terms of Use".
 
+### CIS Level Benchmark
+
+This workload provides the option to choose which [CIS OCI Benchmark Level](https://www.cisecurity.org/benchmark/oracle_cloud) to apply to resources with the input variable *cis_level*. The benchmark defines configuration profiles, relating to criticality levels of particular security controls. Items in Level 1 intend to be practical and prudent, providing security focused best-practice hardening of a technology. Level 2 extends level 1 and is intended for environments where security is more critical than manageability and usability, acting as defense-in-depth measure.
+
+CIS Level 1 ensures Legacy IMDS Metadata V1 endpoints on compute instances are disabled. CIS Level 2 extends that and encrypts block volumes with a customer-managed key.
 
 ## CIS OCI Foundations Benchmark Modules Collection
 
@@ -156,3 +165,7 @@ Released under the Universal Permissive License v1.0 as shown at <https://oss.or
 
     Further Information: Out of capacity for shape VM.GPU.A10.1 in availability domain wxyz:US-ASHBURN-AD-1 and fault domain FAULT-DOMAIN-1. Try creating the instance without specifying fault domain or try again later.
   ```
+
+**3. Compute GPU Shapes Are Not Supported by Shielded Instances and Secure Boot**
+
+  * Be aware that UEFI Secure Boot is not available when using GPU shapes in OCI.  See [Shielded Instances > Supported Shapes and Images](https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm#shielded-instances-supported-shapes).

ai_transaction_monitoring_workload/RELEASE-NOTES.md

@@ -1,5 +1,9 @@
 # AI Transaction Monitoring Workload Release Notes
 
+## July 18, 2025 Release Notes - 1.0.2
+    1. Added CIS Level toggle and support for CIS Level 1 and 2 benchmark.
+    2. Added customer key input and ability to disable legacy Instance Metadata Service (IMDS) endpoints.
+
 ## May 30, 2025 Release Notes - 1.0.1
     1. Tag namespace updated to include ocilz prefix and tag default updated to include current release number.
     2. General bug fixes.

ai_transaction_monitoring_workload/SPEC.md

@@ -14,15 +14,16 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_workload_compute"></a> [workload\_compute](#module\_workload\_compute) | github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage | v0.1.9 |
-| <a name="module_workload_lb"></a> [workload\_lb](#module\_workload\_lb) | github.com/oci-landing-zones/terraform-oci-cis-landing-zone-networking.git | v0.7.3/modules/l7\_load\_balancers |
+| <a name="module_workload_compute"></a> [workload\_compute](#module\_workload\_compute) | github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage | v0.2.1 |
+| <a name="module_workload_lb"></a> [workload\_lb](#module\_workload\_lb) | github.com/oci-landing-zones/terraform-oci-cis-landing-zone-networking.git | v0.7.5/modules/l7_load_balancers |
+| <a name="module_workload_tags"></a> [workload\_tags](#module\_workload\_tags) | github.com/oci-landing-zones/terraform-oci-modules-governance//tags | v0.1.5                           |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [oci\_core\_images.gpu_images](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core\_images) | data source |
-| [oci\_core\_subnet.lb_subnet](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core\_subnet) | data source |
+| [oci_core_images.gpu_images](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_images) | data source |
+| [oci_core_subnet.lb_subnet](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_subnet) | data source |
 
 ## Inputs
 
@@ -32,19 +33,21 @@
 | <a name="input_app_nsg_ocid"></a> [app\_nsg\_ocid](#input\_app\_nsg\_ocid) | OCID of the existing Network Security Group (NSG). Required security rules should be set up prior to workload deployment. | `string` | `null` | no |
 | <a name="input_app_subnet_ocid"></a> [app\_subnet\_ocid](#input\_app\_subnet\_ocid) | OCID of the existing App Subnet. | `string` | `null` | no |
 | <a name="input_block_volume_size"></a> [block\_volume\_size](#input\_block\_volume\_size) | Block volume size (in GBs) to be attached to the compute instance. | `number` | `200` | no |
+| <a name="input_cis_level"></a> [cis\_level](#input\_cis\_level) | Determines CIS OCI Benchmark Level to apply on workload managed resources. Level 1 is be practical and prudent. Level 2 is intended for environments where security is more critical than manageability and usability. Level 2 drives the creation of block volume encryption with a customer managed key. | `string` | `"1"` | no |
 | <a name="input_compute_availability_domain"></a> [compute\_availability\_domain](#input\_compute\_availability\_domain) | Availability domain where the compute instance will be deployed. Default is AD-1. | `number` | `1` | no |
 | <a name="input_compute_boot_volume_size"></a> [compute\_boot\_volume\_size](#input\_compute\_boot\_volume\_size) | Boot volume size (in GBs) of the compute instance. | `number` | `250` | no |
 | <a name="input_compute_fault_domain"></a> [compute\_fault\_domain](#input\_compute\_fault\_domain) | Fault domain where the compute instance will be deployed. Default is FD-1. | `number` | `1` | no |
 | <a name="input_compute_shape"></a> [compute\_shape](#input\_compute\_shape) | GPU-based shape of the compute instance. | `string` | `"VM.GPU.A10.1"` | no |
 | <a name="input_compute_ssh_public_key"></a> [compute\_ssh\_public\_key](#input\_compute\_ssh\_public\_key) | Public SSH Key used to access the compute instance. | `string` | `null` | no |
+| <a name="input_customer_key_ocid"></a> [customer\_key\_ocid](#input\_customer\_key\_ocid) | OCID of the customer-managed encryption key. Required for CIS Level 2. | `string` | `null` | no |
 | <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | n/a | `string` | `""` | no |
 | <a name="input_lb_policy"></a> [lb\_policy](#input\_lb\_policy) | The load balancing policy for distributing incoming traffic to backend servers. | `string` | `"ROUND_ROBIN"` | no |
 | <a name="input_lb_subnet_ocid"></a> [lb\_subnet\_ocid](#input\_lb\_subnet\_ocid) | OCID of the Load Balancer Subnet. | `string` | `""` | no |
-| <a name="input_private_key_password"></a> [private\_key\_password](#input\_private\_key\_password) | n/a | `string` | `""` | no |
-| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | n/a | `string` | `""` | no |
+| <a name="input_private_key_password"></a> [private\_key\_password](#input\_private\_key\_password) | Private key password | `string` | `""` | no |
+| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | Private key path | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region where resources are deployed. | `string` | n/a | yes |
-| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | General | `string` | `""` | no |
-| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | n/a | `string` | `""` | no |
+| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | Tenancy OCID | `string` | `""` | no |
+| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | User OCID | `string` | `""` | no |
 | <a name="input_workload_compartment_ocid"></a> [workload\_compartment\_ocid](#input\_workload\_compartment\_ocid) | OCID of the existing Workload Compartment. | `string` | `null` | no |
 | <a name="input_workload_name"></a> [workload\_name](#input\_workload\_name) | Name of the workload. Default name is TMS | `string` | `"TMS"` | no |
 

ai_transaction_monitoring_workload/examples/instance-without-public-load-balancer/variables.tf

@@ -54,6 +54,11 @@ variable "app_nsg_ocid" {
   default     = null
 }
 
+variable "customer_key_ocid" {
+  description = "OCID of the customer-managed encryption key. Required for CIS Level 2."
+  type        = string
+  default     = null
+}
 # ------------------------------------------------------
 # ----- Compute Instance
 #-------------------------------------------------------
@@ -88,6 +93,12 @@ variable "compute_fault_domain" {
   default     = 1
 }
 
+variable "compute_disable_legacy_imds_endpoints" {
+  description = "Whether the compute instance legacy metadata service endpoints should be disabled. Legacy service endpoints such as IMDSv1 are disabled by default. Set to `true` to disable legacy service endpoints."
+  type        = bool
+  default     = true
+}
+
 # ------------------------------------------------------
 # ----- Block Volume
 #-------------------------------------------------------

ai_transaction_monitoring_workload/mon_tags.tf

@@ -3,11 +3,10 @@
 
 locals {
   # These values can be used in an override file.
-  tag_namespace_name           = ""
-  all_tags_defined_tags        = {}
-  all_tags_freeform_tags       = {}
-
-  tag_default_value = fileexists("${path.module}/release.txt") ? "${file("${path.module}/release.txt")}" : "undefined"
+  tag_namespace_name       = ""
+  all_tags_defined_tags    = {}
+  all_tags_freeform_tags   = {}
+  tag_default_value        = fileexists("${path.module}/release.txt") ? "${file("${path.module}/release.txt")}" : "undefined"
 
   tags_configuration = {
     default_compartment_id = var.tenancy_ocid
@@ -27,7 +26,7 @@ locals {
             tag_defaults = {
               WORKLOAD-TAG-DEFAULT = {
                 compartment_ids = [var.workload_compartment_ocid]
-                default_value = local.tag_default_value
+                default_value   = local.tag_default_value
               }
             }
           }

ai_transaction_monitoring_workload/net_instance.tf

@@ -15,9 +15,9 @@ data "oci_core_images" "gpu_images" {
     values = ["NATIVE"]
   }
   filter {
-    name = "display_name"
+    name   = "display_name"
     values = ["\\w*GPU\\w*"]
-    regex = true
+    regex  = true
   }
 }
 
@@ -26,10 +26,11 @@ locals {
     default_compartment_id      = var.workload_compartment_ocid
     default_subnet_id           = var.app_subnet_ocid
     default_ssh_public_key_path = var.compute_ssh_public_key
-    instances                   = {
+    instances = {
       WORKLOAD-INSTANCE = {
-        shape     = var.compute_shape
-        name      = "${var.workload_name}-instance"
+        shape                         = var.compute_shape
+        name                          = "${var.workload_name}-instance"
+        disable_legacy_imds_endpoints = var.cis_level == "2" ? true : var.compute_disable_legacy_imds_endpoints
         placement = {
           availability_domain = var.compute_availability_domain
           fault_domain        = var.compute_fault_domain
@@ -50,41 +51,49 @@ locals {
           disable_monitoring = false
           disable_management = false
           plugins = [
-            {name = "Custom Logs Monitoring", enabled = true},
-            {name = "Compute Instance Run Command", enabled = true},
-            {name = "Compute Instance Monitoring", enabled = true}
+            { name = "Custom Logs Monitoring", enabled = true },
+            { name = "Compute Instance Run Command", enabled = true },
+            { name = "Compute Instance Monitoring", enabled = true }
           ]
         }
         cloud_init = {
           script_file = "./cloudinit.sh"
         }
+        encryption = {
+          encrypt_in_transit_on_instance_create = true
+          kms_key_id                            = var.cis_level == "2" ? var.customer_key_ocid : null
+        }
       }
     }
   }
   storage_configuration = {
     default_compartment_id = var.workload_compartment_ocid
     block_volumes = {
       BLOCK-VOLUME = {
-        display_name = "${var.workload_name}-block-volume"
-        volume_size = var.block_volume_size
+        display_name        = "${var.workload_name}-block-volume"
+        volume_size         = var.block_volume_size
         availability_domain = var.compute_availability_domain
         attach_to_instances = [{
-          device_name = null
-          instance_id = "WORKLOAD-INSTANCE"
+          device_name     = null
+          instance_id     = "WORKLOAD-INSTANCE"
           attachment_type = "paravirtualized"
-      }]
+        }]
+        encryption = {
+          encrypt_in_transit = true
+          kms_key_id         = var.cis_level == "2" ? var.customer_key_ocid : null
+        }
       }
     }
   }
 }
 
 module "workload_compute" {
-  source = "github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage?ref=v0.1.9"
+  source = "github.com/oci-landing-zones/terraform-oci-modules-workloads//cis-compute-storage?ref=v0.2.1"
   providers = {
-    oci = oci
+    oci                                  = oci
     oci.block_volumes_replication_region = oci
   }
   instances_configuration = local.instances_configuration
-  tenancy_ocid = var.tenancy_ocid
-  storage_configuration = local.storage_configuration
+  tenancy_ocid            = var.tenancy_ocid
+  storage_configuration   = local.storage_configuration
 }

ai_transaction_monitoring_workload/release.txt

@@ -1 +1 @@
-1.0.1
+1.0.2

ai_transaction_monitoring_workload/schema.yml

@@ -15,6 +15,7 @@ variableGroups:
   - title: "General"
     variables:
       - "workload_name"
+      - "cis_level"
       - "workload_compartment_ocid"
       - "app_subnet_compartment_ocid"
       - "app_subnet_ocid"
@@ -31,6 +32,10 @@ variableGroups:
       - "compute_availability_domain"
       - "compute_fault_domain"
       - "block_volume_size"
+      - "customer_key_compartment_ocid"
+      - "vault_ocid"
+      - "customer_key_ocid"
+      - "compute_disable_legacy_imds_endpoints"
 
   - title: "Hidden Variables"
     variables:
@@ -56,6 +61,15 @@ variables:
     required: true
     default: "TMS"
 
+  cis_level:
+    type: enum
+    title: "CIS Level"
+    description: "Choose the CIS OCI Benchmark Level to apply on workload managed resources. Level 1 (default) is be practical and prudent. Level 2 is intended for environments where security is more critical than manageability and usability. Level 2 drives the creation of block volume encryption with a customer managed key. More info: <a href=\"https://www.cisecurity.org/benchmark/oracle_cloud\">CIS OCI Benchmark</a>."
+    required: true
+    enum:
+      - "1"
+      - "2"
+
   workload_compartment_ocid:
     type: oci:identity:compartment:id
     title: "Workload Compartment OCID"
@@ -176,12 +190,53 @@ variables:
     required: false
     default: 200
 
+  customer_key_compartment_ocid:
+    type: oci:identity:compartment:id
+    title: "Customer-Managed Key Compartment"
+    description: "Choose the compartment where the customer-managed key and vault are contained. Required for CIS Level 2."
+    required: false
+    visible:
+      eq:
+        - ${cis_level}
+        - "2"
+
+  vault_ocid:
+    type: oci:kms:vault:id
+    title: "Customer-Managed Vault"
+    description: "Choose the vault that contains the customer-managed key. Required for CIS Level 2."
+    required: false
+    dependsOn:
+      compartmentId: ${customer_key_compartment_ocid}
+    visible:
+      eq:
+        - ${cis_level}
+        - "2"
+
+  customer_key_ocid:
+    type: oci:kms:key:id
+    title: "Customer-Managed Key"
+    description: "Choose the customer-managed key used to encrypt boot and block volumes. Required for CIS Level 2."
+    required: false
+    dependsOn:
+      compartmentId: ${customer_key_compartment_ocid}
+      vaultId: ${vault_ocid}
+    visible:
+      eq:
+        - ${cis_level}
+        - "2"
+
+  compute_disable_legacy_imds_endpoints:
+    type: boolean
+    title: "Disable the Legacy Metadata Service Endpoints?"
+    description: "Check to disable the Legacy Metadata Service endpoints. Required for CIS Level 2."
+    required: false
+
 # ------------------------------------------------------
 # ------------   Hidden Vars  --------------------------
 #-------------------------------------------------------
 
   lb_policy:
-    description: "The load balancing policy for distrubuting incoming traffic to backend servers."
+    description: "The load balancing policy for distributing incoming traffic to backend servers."
     type: string
     default: "ROUND_ROBIN"
     visible: false

ai_transaction_monitoring_workload/variables.tf

@@ -54,6 +54,17 @@ variable "app_nsg_ocid" {
   default     = null
 }
 
+variable "cis_level" {
+  description = "Determines CIS OCI Benchmark Level to apply on workload managed resources. Level 1 is be practical and prudent. Level 2 is intended for environments where security is more critical than manageability and usability. Level 2 drives the creation of block volume encryption with a customer managed key."
+  type        = string
+  default     = "1"
+}
+
+variable "customer_key_ocid" {
+  description = "OCID of the customer-managed encryption key. Required for CIS Level 2."
+  type        = string
+  default     = null
+}
 # ------------------------------------------------------
 # ----- Compute Instance
 #-------------------------------------------------------
@@ -88,6 +99,12 @@ variable "compute_fault_domain" {
   default     = 1
 }
 
+variable "compute_disable_legacy_imds_endpoints" {
+  description = "Whether the compute instance legacy metadata service endpoints should be disabled. Legacy service endpoints such as IMDSv1 are disabled by default. Set to `true` to disable legacy service endpoints."
+  type        = bool
+  default     = true
+}
+
 # ------------------------------------------------------
 # ----- Block Volume
 #-------------------------------------------------------