Add demo presentation + 14 deliverables for PharmaCorp Mexico scenario
- gen_demo_deck.py: Generates 11-slide demo presentation using Oracle FY26 template. LLM-agnostic messaging (works on Claude, Codex, GPT, Gemini). Before/After comparison, 14 live prompts in table format. - examples/output-demo-pharma-mx/: Complete deliverable set for a pharma migration scenario (ExaCS X6 → OCI ExaCS X11M, dual-region DR, SOX). One file per skill option (1-14): pptx, drawio, pdf, xlsx, json, yaml. - Improved prompts: richer discovery context (SOX compliance, dual FastConnect, Hub-Spoke, OCI Vault), intentionally flawed arch for WA review (1/23 passed), DEP field findings, ECAL gap analysis. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
348
examples/output-demo-pharma-mx/opt05-wa-scorecard.yaml
Normal file
348
examples/output-demo-pharma-mx/opt05-wa-scorecard.yaml
Normal file
@@ -0,0 +1,348 @@
|
||||
well_architected_scorecard:
|
||||
overall_status: GAPS_IDENTIFIED
|
||||
generated_date: '2026-04-12T23:15:18.437115'
|
||||
architecture_name: /tmp/demo-flawed-arch.yaml
|
||||
customer: Demo Flawed Arch
|
||||
summary:
|
||||
total_checks: 23
|
||||
total_passed: 1
|
||||
total_gaps: 22
|
||||
high_severity_gaps: 10
|
||||
medium_severity_gaps: 10
|
||||
low_severity_gaps: 2
|
||||
pillars:
|
||||
security_compliance:
|
||||
status: GAPS_IDENTIFIED
|
||||
checks_passed: 0
|
||||
checks_total: 15
|
||||
categories:
|
||||
identity_access:
|
||||
passed: 0
|
||||
total: 4
|
||||
gaps:
|
||||
- check_id: SEC-IAM-001
|
||||
area: Identity & Access
|
||||
finding: no IAM policy strategy defined or broad permissions used
|
||||
severity: HIGH
|
||||
recommendation: architecture specifies granular IAM policies per compartment/service
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-IAM-002
|
||||
area: Identity & Access
|
||||
finding: no MFA mentioned in identity setup
|
||||
severity: HIGH
|
||||
recommendation: MFA is specified in identity configuration
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-IAM-003
|
||||
area: Identity & Access
|
||||
finding: no mention of admin account restrictions
|
||||
severity: HIGH
|
||||
recommendation: separate admin groups defined for operations
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-IAM-004
|
||||
area: Identity & Access
|
||||
finding: stored credentials or API keys used for service accounts
|
||||
severity: HIGH
|
||||
recommendation: instance principals or resource principals specified for
|
||||
service-to-service auth
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
resource_isolation:
|
||||
passed: 0
|
||||
total: 3
|
||||
gaps:
|
||||
- check_id: SEC-ISO-001
|
||||
area: Resource Isolation
|
||||
finding: flat compartment structure or no compartment strategy
|
||||
severity: HIGH
|
||||
recommendation: hierarchical compartment structure defined
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-ISO-002
|
||||
area: Resource Isolation
|
||||
finding: no tagging strategy defined
|
||||
severity: MEDIUM
|
||||
recommendation: defined tag namespaces with cost, environment, and owner
|
||||
tags
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-ISO-004
|
||||
area: Resource Isolation
|
||||
finding: user credentials used for cross-resource access
|
||||
severity: HIGH
|
||||
recommendation: resource principals used for cross-service access
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
database_security:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
data_protection:
|
||||
passed: 0
|
||||
total: 2
|
||||
gaps:
|
||||
- check_id: SEC-DAT-001
|
||||
area: Data Protection
|
||||
finding: any storage service without encryption at rest
|
||||
severity: HIGH
|
||||
recommendation: encryption at rest specified for all storage services
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-DAT-002
|
||||
area: Data Protection
|
||||
finding: using Oracle-managed keys or no key management strategy
|
||||
severity: MEDIUM
|
||||
recommendation: OCI Vault specified for key management
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
network_security:
|
||||
passed: 0
|
||||
total: 3
|
||||
gaps:
|
||||
- check_id: SEC-NET-001
|
||||
area: Network Security
|
||||
finding: only Security Lists used without NSGs
|
||||
severity: MEDIUM
|
||||
recommendation: NSGs used as primary network security mechanism
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-NET-002
|
||||
area: Network Security
|
||||
finding: SSH open to 0.0.0.0/0
|
||||
severity: HIGH
|
||||
recommendation: SSH access restricted to specific CIDR ranges or bastion
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-NET-004
|
||||
area: Network Security
|
||||
finding: OCI services accessed via internet gateway
|
||||
severity: MEDIUM
|
||||
recommendation: Service Gateway configured in VCN
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
monitoring_audit:
|
||||
passed: 0
|
||||
total: 3
|
||||
gaps:
|
||||
- check_id: SEC-MON-001
|
||||
area: Monitoring & Audit
|
||||
finding: Cloud Guard not included in architecture
|
||||
severity: HIGH
|
||||
recommendation: Cloud Guard configured with appropriate recipes
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-MON-002
|
||||
area: Monitoring & Audit
|
||||
finding: audit service not mentioned or retention not configured
|
||||
severity: MEDIUM
|
||||
recommendation: Audit service enabled (enabled by default, verify retention)
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
- check_id: SEC-MON-003
|
||||
area: Monitoring & Audit
|
||||
finding: no VCN Flow Logs configured
|
||||
severity: MEDIUM
|
||||
recommendation: VCN Flow Logs enabled for critical subnets
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
reliability_resilience:
|
||||
status: PASS_WITH_RECOMMENDATIONS
|
||||
checks_passed: 0
|
||||
checks_total: 1
|
||||
categories:
|
||||
scalability:
|
||||
passed: 0
|
||||
total: 1
|
||||
gaps:
|
||||
- check_id: REL-SCL-002
|
||||
area: Scalability
|
||||
finding: no service limit review planned
|
||||
severity: LOW
|
||||
recommendation: service limit review mentioned in deployment plan
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
|
||||
fault_tolerant_networking:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
data_backup:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
data_replication:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
disaster_recovery:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
performance_cost:
|
||||
status: PASS_WITH_RECOMMENDATIONS
|
||||
checks_passed: 0
|
||||
checks_total: 2
|
||||
categories:
|
||||
compute_sizing:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
storage_strategy:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
network_tuning:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
cost_management:
|
||||
passed: 0
|
||||
total: 2
|
||||
gaps:
|
||||
- check_id: PERF-CST-003
|
||||
area: Cost Management
|
||||
finding: no budget alerts configured
|
||||
severity: MEDIUM
|
||||
recommendation: OCI Budgets configured with alert thresholds
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
|
||||
- check_id: PERF-CST-004
|
||||
area: Cost Management
|
||||
finding: no cost attribution tagging strategy
|
||||
severity: MEDIUM
|
||||
recommendation: cost-tracking tags defined and enforced
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
|
||||
operational_efficiency:
|
||||
status: GAPS_IDENTIFIED
|
||||
checks_passed: 1
|
||||
checks_total: 5
|
||||
categories:
|
||||
deployment_strategy:
|
||||
passed: 0
|
||||
total: 1
|
||||
gaps:
|
||||
- check_id: OPS-DEP-001
|
||||
area: Deployment Strategy
|
||||
finding: no IaC strategy specified
|
||||
severity: HIGH
|
||||
recommendation: Terraform or Resource Manager specified for infrastructure
|
||||
provisioning
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
workload_monitoring:
|
||||
passed: 1
|
||||
total: 2
|
||||
gaps:
|
||||
- check_id: OPS-MON-003
|
||||
area: Workload Monitoring
|
||||
finding: no centralized log analysis solution
|
||||
severity: MEDIUM
|
||||
recommendation: OCI Logging Analytics configured
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
os_management:
|
||||
passed: 0
|
||||
total: 0
|
||||
gaps: []
|
||||
operations_support:
|
||||
passed: 0
|
||||
total: 2
|
||||
gaps:
|
||||
- check_id: OPS-SUP-001
|
||||
area: Operations Support
|
||||
finding: no support plan consideration
|
||||
severity: LOW
|
||||
recommendation: Oracle support plan level specified and matches criticality
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
- check_id: OPS-SUP-002
|
||||
area: Operations Support
|
||||
finding: no notification configuration
|
||||
severity: MEDIUM
|
||||
recommendation: OCI Notifications configured for operational events
|
||||
wa_reference: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
distributed_cloud:
|
||||
status: NOT_APPLICABLE
|
||||
checks_passed: 0
|
||||
checks_total: 0
|
||||
categories: {}
|
||||
action_items:
|
||||
high_priority:
|
||||
- check_id: SEC-IAM-001
|
||||
pillar: Identity & Access
|
||||
finding: no IAM policy strategy defined or broad permissions used
|
||||
recommendation: architecture specifies granular IAM policies per compartment/service
|
||||
- check_id: SEC-IAM-002
|
||||
pillar: Identity & Access
|
||||
finding: no MFA mentioned in identity setup
|
||||
recommendation: MFA is specified in identity configuration
|
||||
- check_id: SEC-IAM-003
|
||||
pillar: Identity & Access
|
||||
finding: no mention of admin account restrictions
|
||||
recommendation: separate admin groups defined for operations
|
||||
- check_id: SEC-IAM-004
|
||||
pillar: Identity & Access
|
||||
finding: stored credentials or API keys used for service accounts
|
||||
recommendation: instance principals or resource principals specified for service-to-service
|
||||
auth
|
||||
- check_id: SEC-ISO-001
|
||||
pillar: Resource Isolation
|
||||
finding: flat compartment structure or no compartment strategy
|
||||
recommendation: hierarchical compartment structure defined
|
||||
- check_id: SEC-ISO-004
|
||||
pillar: Resource Isolation
|
||||
finding: user credentials used for cross-resource access
|
||||
recommendation: resource principals used for cross-service access
|
||||
- check_id: SEC-DAT-001
|
||||
pillar: Data Protection
|
||||
finding: any storage service without encryption at rest
|
||||
recommendation: encryption at rest specified for all storage services
|
||||
- check_id: SEC-NET-002
|
||||
pillar: Network Security
|
||||
finding: SSH open to 0.0.0.0/0
|
||||
recommendation: SSH access restricted to specific CIDR ranges or bastion
|
||||
- check_id: SEC-MON-001
|
||||
pillar: Monitoring & Audit
|
||||
finding: Cloud Guard not included in architecture
|
||||
recommendation: Cloud Guard configured with appropriate recipes
|
||||
- check_id: OPS-DEP-001
|
||||
pillar: Deployment Strategy
|
||||
finding: no IaC strategy specified
|
||||
recommendation: Terraform or Resource Manager specified for infrastructure provisioning
|
||||
medium_priority:
|
||||
- check_id: SEC-ISO-002
|
||||
pillar: Resource Isolation
|
||||
finding: no tagging strategy defined
|
||||
recommendation: defined tag namespaces with cost, environment, and owner tags
|
||||
- check_id: SEC-DAT-002
|
||||
pillar: Data Protection
|
||||
finding: using Oracle-managed keys or no key management strategy
|
||||
recommendation: OCI Vault specified for key management
|
||||
- check_id: SEC-NET-001
|
||||
pillar: Network Security
|
||||
finding: only Security Lists used without NSGs
|
||||
recommendation: NSGs used as primary network security mechanism
|
||||
- check_id: SEC-NET-004
|
||||
pillar: Network Security
|
||||
finding: OCI services accessed via internet gateway
|
||||
recommendation: Service Gateway configured in VCN
|
||||
- check_id: SEC-MON-002
|
||||
pillar: Monitoring & Audit
|
||||
finding: audit service not mentioned or retention not configured
|
||||
recommendation: Audit service enabled (enabled by default, verify retention)
|
||||
- check_id: SEC-MON-003
|
||||
pillar: Monitoring & Audit
|
||||
finding: no VCN Flow Logs configured
|
||||
recommendation: VCN Flow Logs enabled for critical subnets
|
||||
- check_id: PERF-CST-003
|
||||
pillar: Cost Management
|
||||
finding: no budget alerts configured
|
||||
recommendation: OCI Budgets configured with alert thresholds
|
||||
- check_id: PERF-CST-004
|
||||
pillar: Cost Management
|
||||
finding: no cost attribution tagging strategy
|
||||
recommendation: cost-tracking tags defined and enforced
|
||||
- check_id: OPS-MON-003
|
||||
pillar: Workload Monitoring
|
||||
finding: no centralized log analysis solution
|
||||
recommendation: OCI Logging Analytics configured
|
||||
- check_id: OPS-SUP-002
|
||||
pillar: Operations Support
|
||||
finding: no notification configuration
|
||||
recommendation: OCI Notifications configured for operational events
|
||||
low_priority:
|
||||
- check_id: REL-SCL-002
|
||||
pillar: Scalability
|
||||
finding: no service limit review planned
|
||||
recommendation: service limit review mentioned in deployment plan
|
||||
- check_id: OPS-SUP-001
|
||||
pillar: Operations Support
|
||||
finding: no support plan consideration
|
||||
recommendation: Oracle support plan level specified and matches criticality
|
||||
references:
|
||||
framework: https://docs.oracle.com/en/solutions/oci-best-practices/index.html
|
||||
security: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-security-and-compliance1.html
|
||||
reliability: https://docs.oracle.com/en/solutions/oci-best-practices/reliable-and-resilient-cloud-topology-practices1.html
|
||||
operations: https://docs.oracle.com/en/solutions/oci-best-practices/best-practices-operating-cloud-deployments-efficiency.html
|
||||
distributed: https://docs.oracle.com/en/solutions/oci-best-practices/effective-strategies-distributed-cloud-implementation1.html
|
||||
Reference in New Issue
Block a user