initial version

This commit is contained in:
2026-03-18 18:03:44 -03:00
commit 9d269e902b
136 changed files with 28175 additions and 0 deletions

View File

@@ -0,0 +1,149 @@
# Application Patterns Library
# Proven application-level architecture patterns for common workload types
# Referenced during DESIGN/Future to select the right application architecture
patterns:
# --- Web Application Patterns ---
- id: app_web_traditional
name: "Traditional Web Application (3-Tier)"
description: "Classic presentation → application → database architecture on OCI"
applicable_when:
- "Java/J2EE, .NET, PHP, or Python web application"
- "WebLogic, Tomcat, or similar app server"
- "Stateful sessions or shared filesystem dependencies"
oci_architecture:
presentation_tier: "Load Balancer (public) → WAF"
application_tier: "Compute instances (VM.Standard.E4.Flex) in Instance Pool with auto-scaling"
database_tier: "ADB-S or DBCS depending on feature requirements"
networking: "Public subnet (LB) → Private subnet (app) → Private subnet (DB)"
technology_patterns: [compute_scaling, database_ha_adb_s, networking_basic, security_baseline]
considerations:
- "WebLogic clustering needs shared storage (FSS) or session replication"
- "Consider OKE if team has container skills and wants to modernize"
- id: app_web_cloud_native
name: "Cloud-Native Web Application"
description: "Containerized microservices on OKE with managed services"
applicable_when:
- "New application or major refactoring opportunity"
- "Team has Kubernetes experience"
- "Need rapid scaling and deployment"
oci_architecture:
presentation_tier: "Load Balancer → API Gateway"
application_tier: "OKE (managed K8s) with HPA auto-scaling"
database_tier: "ADB-S (OLTP) + autonomous JSON for microservice data"
messaging: "OCI Streaming (Kafka-compatible) for event-driven"
technology_patterns: [compute_scaling, database_ha_adb_s, networking_hub_spoke]
# --- Batch Processing Patterns ---
- id: app_batch_processing
name: "Batch / ETL Processing"
description: "Scheduled data processing, reporting, or ETL workloads"
applicable_when:
- "Nightly batch jobs, report generation, data warehousing"
- "Variable compute needs (high during batch windows)"
oci_architecture:
compute: "Preemptible instances or Functions for cost optimization"
orchestration: "Resource Scheduler or cron-based"
database: "ADB-S with auto-scaling (scale up during batch, scale down after)"
storage: "Object Storage for staging data"
technology_patterns: [database_ha_adb_s, compute_scaling]
considerations:
- "ADB-S auto-scaling takes 2-3 min to activate — pre-scale for predictable batch windows"
# --- Analytics Patterns ---
- id: app_analytics_lakehouse
name: "Analytics / Lakehouse"
description: "Data warehouse and analytics platform on OCI"
applicable_when:
- "Business intelligence, reporting, or advanced analytics"
- "Data from multiple sources needs consolidation"
- "Self-service analytics for business users"
oci_architecture:
ingestion: "GoldenGate or OCI Data Integration for CDC"
storage: "Object Storage (data lake) + ADB-DW (warehouse)"
analytics: "Oracle Analytics Cloud (OAC)"
governance: "Data Catalog for metadata management"
technology_patterns: [database_ha_adb_s]
# --- Hybrid Patterns ---
- id: app_hybrid_cloud
name: "Hybrid Cloud (On-Prem + OCI)"
description: "Application split across on-prem and OCI with connectivity"
applicable_when:
- "Cannot migrate everything at once"
- "Some workloads must stay on-prem (data gravity, regulation)"
- "Want to extend capacity to cloud"
oci_architecture:
connectivity: "FastConnect (primary) + IPSec VPN (backup)"
networking: "Hub-spoke VCN with DRG"
data_sync: "GoldenGate for bidirectional replication"
dns: "OCI DNS with split-horizon"
technology_patterns: [networking_hub_spoke, database_ha_adb_s]
considerations:
- "Latency between on-prem and OCI affects application performance"
- "FastConnect provisioning takes 2-4 weeks"
- "Consider data gravity — move compute to where data lives"
# --- Migration Patterns ---
- id: app_lift_and_shift
name: "Lift and Shift Migration"
description: "Move existing workloads to OCI with minimal changes"
applicable_when:
- "Timeline pressure (hardware EOL, contract expiry)"
- "Application is stable and not being modernized"
- "Want to get to cloud quickly, optimize later"
oci_architecture:
compute: "VM shapes matching current specs (use sizing ratios from kb/sizing/)"
database: "DBCS if feature compatibility requires, ADB-S if possible"
storage: "Block Volume (replacing SAN), FSS (replacing NFS)"
technology_patterns: [networking_basic, security_baseline]
considerations:
- "May not realize full cloud benefits initially"
- "Plan a Phase 2 optimization after stabilization"
- id: app_replatform
name: "Re-Platform (Lift, Tinker, Shift)"
description: "Migrate with targeted changes to leverage managed services"
applicable_when:
- "Want cloud benefits without full re-architecture"
- "Can accept minor application changes"
- "Database can move to managed service (ADB-S, MySQL HeatWave)"
oci_architecture:
compute: "OKE or Compute with auto-scaling"
database: "ADB-S (autonomous) vs DBCS (managed)"
storage: "Object Storage replacing file-based integrations"
technology_patterns: [database_ha_adb_s, compute_scaling]
considerations:
- "Test application compatibility with ADB-S restrictions early"
- "Connection string changes may require app config updates"
# --- Disaster Recovery Patterns ---
- id: app_dr_active_passive
name: "Active-Passive DR"
description: "Primary region active, standby region for failover"
applicable_when:
- "RTO 1-4 hours, RPO < 1 hour"
- "Cost-conscious — don't want to run full duplicate"
oci_architecture:
primary: "Full deployment in primary region"
standby: "Dormant compute (scaled down) + DB replica (Data Guard)"
failover: "DNS switchover + compute scale-up"
technology_patterns: [database_dr_cross_region, networking_hub_spoke]
- id: app_dr_active_active
name: "Active-Active Multi-Region"
description: "Both regions serve traffic, mutual failover"
applicable_when:
- "RTO < 15 min, RPO ~ 0"
- "Geo-distributed users"
- "Budget supports dual infrastructure"
oci_architecture:
both_regions: "Full deployment with load balancing"
database: "ADB-S with Autonomous Data Guard (bidirectional)"
traffic: "OCI Traffic Management for geo-steering"
technology_patterns: [database_dr_cross_region, database_ha_adb_s]
considerations:
- "Application must handle eventual consistency for cross-region writes"
- "Significantly higher cost (nearly 2x)"

View File

@@ -0,0 +1,107 @@
---
last_verified: 2026-03-16
pattern:
id: architecture-principles
name: "Architecture Principles (ECAL)"
category: governance
---
description: >
Formalized decision-making principles aligned with Oracle's ECAL framework.
The skill selects applicable principles based on the workload profile and
presents them in the proposal as the governance framework for the architecture.
principles:
design:
- id: "D-01"
name: "Operational Simplicity"
principle: "Keep architecture simple. If still complex, simplify again."
rationale: "Complex solutions tend to be inflexible, non-agile, and operationally fragile."
applies_when: "always"
- id: "D-02"
name: "Application First (SaaS > PaaS > IaaS)"
principle: "Always consider application services first, platform services second, infrastructure services as last resort."
rationale: "Higher-level services reduce operational burden and accelerate delivery."
applies_when: "always"
- id: "D-03"
name: "Use-Case Fit"
principle: "Map workloads into applicable use-cases. Architectural simplicity and operational success come from re-use."
rationale: "Custom architectures are expensive to build and maintain. Reference architectures exist for a reason."
applies_when: "always"
- id: "D-04"
name: "Hybrid-Ready"
principle: "Solution should run in hybrid mode, accounting for network bandwidth and latency."
rationale: "Most enterprise migrations have a hybrid phase. Architecture must work during transition."
applies_when: "on-prem exists or migration is phased"
- id: "D-05"
name: "HA for Business Continuity"
principle: "Architect for availability, prepare for disaster, leverage cloud's built-in resilience."
rationale: "HA is cheaper to build in from day 1 than to retrofit."
applies_when: "always"
- id: "D-06"
name: "Compliance by Design"
principle: "Consider required compliance requirements and existing policies from the initial design phase."
rationale: "Retrofitting compliance is orders of magnitude more expensive than designing for it."
applies_when: "compliance requirements identified (PCI, HIPAA, banking, GDPR)"
deployment:
- id: "P-01"
name: "Automation First"
principle: "Strive to automate production processes from the beginning — infrastructure as code, seeded features."
rationale: "Manual processes don't scale, are error-prone, and create key-person dependencies."
applies_when: "always"
- id: "P-02"
name: "Environment Separation"
principle: "Production always separated from test and dev. Clear lifecycle policy."
rationale: "Prevents accidental data exposure and configuration drift."
applies_when: "always"
- id: "P-03"
name: "API-Centric Integration"
principle: "Prefer integration via REST APIs over lower-level network protocols."
rationale: "APIs are versionable, documentable, and testable. Direct DB links are fragile."
applies_when: "integration points exist"
- id: "P-04"
name: "Data Security at Rest and In Transit"
principle: "Encrypt data at rest (TDE) and in transit (SQL*Net encryption). Key management from day 1."
rationale: "Encryption is a baseline, not an option. Key management complexity grows with scale."
applies_when: "always"
- id: "P-05"
name: "Unified Identity Management"
principle: "All users managed in central identity system. SSO. Federation where applicable."
rationale: "Distributed identity is a security liability."
applies_when: "always"
service:
- id: "S-01"
name: "Cloud Monitoring & Management"
principle: "Map management and monitoring requirements explicitly. Use cloud-native tools first."
rationale: "Observability gaps become operational crises during incidents."
applies_when: "always"
- id: "S-02"
name: "Issue & Incident Management"
principle: "Design for service. Adopt incident management with clear ownership, governance, and SLAs."
rationale: "Without defined escalation paths, incidents become crises."
applies_when: "always"
- id: "S-03"
name: "Solution Lifecycle"
principle: "Map governance for cloud solution lifecycle. Apply ITIL/ITSM frameworks. Readiness for continuous change."
rationale: "Cloud evolves constantly. The architecture must evolve with it."
applies_when: "always"
- id: "S-04"
name: "Cloud Onboarding"
principle: "Setup PoC environment first. Early Customer Success Management involvement."
rationale: "Hands-on validation before commitment reduces risk and builds confidence."
applies_when: "customer is new to OCI"

View File

@@ -0,0 +1,217 @@
---
last_verified: 2026-03-18
pattern:
id: business-drivers
name: "Business Drivers Framework"
category: define
---
description: >
Categorizes customer business drivers into four pillars (Strategic,
Financial, Business Ops, IT Ops) and maps them to cloud value
propositions. Used during DEFINE phase to structure the Value Story
and during CONFIRM to frame the Solution Proposal. Source: ECAL 3.1.
# ═══════════════════════════════════════════════════════════════
# The Four Pillars
# ═══════════════════════════════════════════════════════════════
pillars:
strategic:
label: "Strategic"
headline: "Business Transformation to Cloud"
description: >
Long-term strategic positioning. Cloud as enabler for business
model evolution, M&A, market expansion, or competitive defense.
common_drivers:
- "Cloud-first / cloud-native strategy mandated by CxO"
- "Digital transformation initiative"
- "Merger or acquisition requiring platform consolidation"
- "Geographic expansion requiring global infrastructure"
- "Competitive pressure from cloud-native disruptors"
- "Board/investor mandate for technology modernization"
- "Innovation enablement (AI/ML, IoT, blockchain)"
value_propositions:
- "Cloud-based solution with enterprise features"
- "On-premise security with cloud economics (C@C, dedicated region)"
- "Customer-defined security model"
- "Data sovereignty and residency guarantees"
- "Multi-cloud and hybrid flexibility"
financial:
label: "Financial"
headline: "Cost Optimization"
description: >
Direct financial impact. CAPEX→OPEX shift, license optimization,
support cost reduction, consumption-based pricing.
common_drivers:
- "Reduce total cost of ownership (TCO)"
- "Shift from CAPEX to OPEX model"
- "Optimize Oracle licensing (ULA wind-down, BYOL)"
- "Reduce data center costs (power, cooling, space, staff)"
- "Support rebate / simplified licensing"
- "Avoid hardware refresh cycle"
- "Consumption-based pricing alignment with business cycles"
value_propositions:
- "Subscription and consumption-based commercials"
- "Simplified licensing (BYOL, universal credits)"
- "PAYG flexibility for variable workloads"
- "Support cost reduction via managed services"
- "Elimination of hardware refresh capex"
quantification_tips:
- "Compare 3-year TCO: current state vs. OCI (include staff, power, space)"
- "Factor in support rebate for moving to OCI"
- "Account for BYOL savings (if eligible)"
- "Include non-prod savings (auto-scaling, auto-stop)"
business_ops:
label: "Business Operations"
headline: "Faster Time to Market"
description: >
Business agility and speed. Faster development cycles, quicker
deployment of new capabilities, reduced time-to-value.
common_drivers:
- "Faster development and deployment of new applications"
- "Reduce release cycle from months to weeks"
- "Enable self-service provisioning for developers"
- "Data platform for analytics and decision-making"
- "Support rapid experimentation and A/B testing"
- "Enable mobile/digital channels faster"
- "Partner and ecosystem integration"
value_propositions:
- "Faster development of customer-facing and internal apps"
- "Data platform implementation (lakehouse, analytics)"
- "Self-service database provisioning"
- "CI/CD and DevOps enablement"
- "Integration with partner ecosystems"
it_ops:
label: "IT Operations"
headline: "Operational Efficiency"
description: >
IT team productivity and operational excellence. Reduce toil,
improve reliability, automate operations.
common_drivers:
- "Reduce DBA / sysadmin toil (patching, backups, monitoring)"
- "Improve availability and reduce unplanned downtime"
- "Standardize operations across environments"
- "Automate provisioning and lifecycle management"
- "Improve disaster recovery posture"
- "Address skill gaps (hard to hire Oracle DBAs)"
- "Consolidate tooling and reduce tool sprawl"
- "Performance improvement without hardware throw"
value_propositions:
- "Oracle Managed Cloud environment"
- "Autonomous operations (ADB self-tuning, self-patching)"
- "Data platform implementation and consolidation"
- "Performance improvement via Exadata architecture"
- "Unified monitoring and management (OCI native tools)"
# ═══════════════════════════════════════════════════════════════
# Mapping: Business Driver → Hypothesis Family
# ═══════════════════════════════════════════════════════════════
# Use this to quickly map a customer's stated driver to a
# hypothesis family for the Value Story
hypothesis_families:
db_consolidation:
triggers:
- "Too many databases across too many platforms"
- "Hardware refresh coming due"
- "DBA team stretched thin"
- "License compliance concerns"
use_cases:
- "Consolidation of N databases to shared platform"
- "Transform to fully managed operations"
- "Improved elasticity and cost control"
- "Standardized backup, HA, and DR"
typical_services:
- "ADB-S or ADB-D (for consolidation)"
- "ExaCS or ExaCC (for large scale)"
- "OEM for fleet management"
pillar_alignment: ["financial", "it_ops"]
cloud_migration:
triggers:
- "Data center lease expiring"
- "Cloud-first mandate"
- "Competitive pressure"
- "EOL hardware or software"
use_cases:
- "Lift-and-shift existing Oracle workloads"
- "Re-platform to managed services"
- "Hybrid cloud (keep some on-prem)"
typical_services:
- "OCI Compute (VM/BM)"
- "ExaCS (for Oracle DB workloads)"
- "ADB-S (for re-platform)"
- "FastConnect + VPN"
pillar_alignment: ["strategic", "financial"]
modernization:
triggers:
- "Legacy app can't support new business requirements"
- "Technical debt is slowing delivery"
- "Need for microservices or API-first"
- "AI/ML capabilities required"
use_cases:
- "Re-architect legacy apps to cloud-native"
- "Add AI/ML capabilities to existing workflows"
- "Microservices decomposition"
- "APEX rapid app development"
typical_services:
- "OKE (Kubernetes)"
- "ADB-S + APEX"
- "OCI AI Services"
- "API Gateway + Functions"
pillar_alignment: ["business_ops", "strategic"]
dr_and_resilience:
triggers:
- "Recent outage or near-miss"
- "Audit finding on DR gaps"
- "Insurance or compliance requirement"
- "Business continuity plan update"
use_cases:
- "Cross-region DR for critical workloads"
- "Active-active for zero RPO"
- "Pilot light DR for cost optimization"
typical_services:
- "Cross-region ADG"
- "Full Stack DR"
- "Object Storage for backups"
pillar_alignment: ["it_ops", "strategic"]
compliance_driven:
triggers:
- "New regulation (DORA, NIS2, GDPR enforcement)"
- "Audit finding requiring remediation"
- "Data sovereignty requirement"
- "Industry-specific mandate (banking, healthcare)"
use_cases:
- "Data residency with OCI regions or dedicated region"
- "Encryption and key management (customer-managed keys)"
- "Access controls and audit trail"
- "Isolated compute (C@C, dedicated region)"
typical_services:
- "OCI Vault (KMS)"
- "Data Safe"
- "Cloud Guard"
- "ExaCC or Dedicated Region"
pillar_alignment: ["strategic", "it_ops"]
# ═══════════════════════════════════════════════════════════════
# Usage in the skill
# ═══════════════════════════════════════════════════════════════
skill_usage:
define_phase:
- "Parse discovery notes to identify which pillar(s) are dominant"
- "Use pillar alignment to select the right hypothesis family"
- "Structure the Value Story around the dominant 1-2 pillars"
- "Use value_propositions as talking points for the proposal"
confirm_phase:
- "Frame the Solution Proposal business case around the identified pillars"
- "Use quantification_tips for the financial pillar"
- "Map each architecture decision back to the business driver"

View File

@@ -0,0 +1,128 @@
# Business Patterns Library
# Proven business-level patterns that map customer drivers to OCI solution strategies
# Referenced during DEFINE/Ideate to formulate value hypotheses
patterns:
# --- Cost Optimization Patterns ---
- id: biz_cost_reduction_db
name: "Database Cost Reduction"
business_driver: cost_reduction
hypothesis_template: "Migrate {n} Oracle databases from {current_platform} to ADB-S, reducing total DB cost by {pct}% through autonomous operations and BYOL/ULA leverage"
applicable_when:
- "Customer runs Oracle databases on-prem or in AWS/Azure"
- "Existing ULA or BYOL licenses available"
- "DBA team spends >50% time on maintenance tasks"
typical_outcome:
cost_savings: "40-70% vs on-prem, 30-50% vs AWS RDS Oracle"
operational_savings: "50-80% reduction in DBA administrative effort"
evidence:
- "ADB-S automates patching, tuning, backups"
- "BYOL cost advantage vs AWS License Included"
technology_patterns: [database_ha_adb_s, database_dr_cross_region]
risks: ["Feature compatibility gaps", "Migration complexity for customized DBs"]
- id: biz_cost_reduction_compute
name: "Compute Cost Optimization"
business_driver: cost_reduction
hypothesis_template: "Right-size and modernize {n} compute workloads to OCI Flex shapes with auto-scaling, reducing compute spend by {pct}%"
applicable_when:
- "Over-provisioned VMs on-prem or in another cloud"
- "Variable workload patterns with steady-state over-provisioning"
typical_outcome:
cost_savings: "30-50% through right-sizing + auto-scaling"
technology_patterns: [compute_scaling]
# --- Modernization Patterns ---
- id: biz_app_modernization
name: "Application Modernization"
business_driver: modernization
hypothesis_template: "Modernize {app_name} from {current_stack} to cloud-native on OKE, improving deployment frequency from {current_freq} to {target_freq}"
applicable_when:
- "Monolithic application limiting agility"
- "Slow deployment cycles (monthly or longer)"
- "Team has or is building container/K8s skills"
typical_outcome:
deployment_frequency: "From monthly to daily/weekly"
scalability: "Horizontal auto-scaling vs vertical only"
technology_patterns: [compute_scaling]
risks: ["Requires significant app refactoring", "Team skill gap"]
- id: biz_db_modernization
name: "Database Modernization (non-Oracle)"
business_driver: modernization
hypothesis_template: "Migrate {db_engine} to OCI-managed {target_service}, eliminating operational overhead while maintaining application compatibility"
applicable_when:
- "Running self-managed MySQL, PostgreSQL, or MongoDB"
- "Want to reduce operational burden without app rewrite"
typical_outcome:
operational_savings: "Automated backups, patching, HA"
technology_patterns: [database_ha_adb_s]
# --- Compliance Patterns ---
- id: biz_compliance_driven
name: "Compliance-Driven Migration"
business_driver: compliance
hypothesis_template: "Migrate {scope} to OCI to meet {compliance_framework} requirements by {deadline}, leveraging OCI's built-in compliance controls"
applicable_when:
- "Upcoming compliance audit or certification deadline"
- "Current infrastructure doesn't meet regulatory requirements"
- "Data residency or sovereignty requirements"
typical_outcome:
compliance: "Certification-ready infrastructure"
timeline: "Typically 8-16 weeks for standard compliance scope"
technology_patterns: [security_baseline, compliance_pci]
risks: ["Compliance scope creep", "Shared responsibility model gaps"]
# --- Hardware EOL / Contract Expiry Patterns ---
- id: biz_hardware_eol
name: "Hardware End-of-Life Migration"
business_driver: hardware_eol
hypothesis_template: "Migrate {n} workloads from EOL {hardware} to OCI before {eol_date}, avoiding {cost} hardware refresh while gaining cloud elasticity"
applicable_when:
- "On-prem hardware approaching end of support"
- "Capital expenditure avoidance is a driver"
- "Timeline is fixed by hardware support dates"
typical_outcome:
capex_avoidance: "Avoid $X hardware refresh"
opex_model: "Shift to predictable OpEx"
technology_patterns: [database_ha_adb_s, compute_scaling, networking_basic]
- id: biz_contract_expiry
name: "Cloud Contract Expiry / Repatriation"
business_driver: contract_expiry
hypothesis_template: "Migrate {n} workloads from {incumbent_cloud} to OCI before contract renewal, reducing cloud spend by {pct}% with better Oracle licensing economics"
applicable_when:
- "AWS/Azure contract up for renewal"
- "Running Oracle workloads on non-Oracle cloud"
- "Significant Oracle license cost on AWS/Azure"
typical_outcome:
cost_savings: "30-60% for Oracle DB workloads (BYOL advantage)"
technology_patterns: [database_ha_adb_s, networking_hub_spoke]
# --- Performance Patterns ---
- id: biz_performance_improvement
name: "Performance Improvement"
business_driver: performance
hypothesis_template: "Migrate {workload} to OCI {target_service} to achieve {target_metric}, resolving current {pain_point}"
applicable_when:
- "Current platform cannot meet performance SLAs"
- "Latency or throughput is a business-impacting issue"
- "Exadata-class performance needed without Exadata cost"
typical_outcome:
performance: "2-5x improvement typical with ADB-S/ExaCS"
technology_patterns: [database_ha_adb_s]
# --- Consolidation Patterns ---
- id: biz_consolidation
name: "Database Consolidation"
business_driver: consolidation
hypothesis_template: "Consolidate {n} Oracle databases into {target_n} ADB-S instances, reducing management complexity and licensing footprint"
applicable_when:
- "Many small Oracle databases (sprawl)"
- "Under-utilized database instances"
- "License optimization opportunity"
typical_outcome:
license_reduction: "40-60% fewer required OCPUs"
operational_reduction: "Manage N instead of N*10 instances"
technology_patterns: [database_ha_adb_s]

View File

@@ -0,0 +1,94 @@
---
last_verified: 2026-03-14
pattern: PCI-DSS Compliance Overlay
category: compliance
---
description: |
Additional security controls required for PCI-DSS compliance on OCI.
Builds on top of the security-baseline pattern.
pci_scope_definition:
cardholder_data_environment:
- "Databases storing PAN (Primary Account Number)"
- "Application servers processing card data"
- "Network segments carrying card data"
out_of_scope:
- "Reporting databases (if no PAN)"
- "Development environments (if no real card data)"
- "Management/monitoring infrastructure"
recommendation: |
Minimize PCI scope aggressively. Use tokenization to remove PAN
from most systems. Only the tokenization service and payment
gateway should be in scope.
controls:
network_segmentation:
pci_req: "Requirement 1: Network segmentation"
implementation:
- "Dedicated VCN for CDE (Cardholder Data Environment)"
- "NSGs restricting traffic to/from CDE"
- "Network Firewall for traffic inspection between CDE and non-CDE"
- "No internet-facing services in CDE subnet"
- "Document all network flows in and out of CDE"
encryption:
pci_req: "Requirement 3 & 4: Protect stored and transmitted data"
implementation:
- "TDE with customer-managed keys (OCI Vault) for databases"
- "TLS 1.2+ for all data in transit"
- "Column-level encryption for PAN if stored"
- "Key rotation per PCI requirements (annual minimum)"
- "Data masking for non-production environments (Data Safe)"
access_control:
pci_req: "Requirement 7 & 8: Access control"
implementation:
- "Dedicated compartment for CDE resources"
- "IAM policies restricting CDE access to authorized personnel"
- "MFA required for all CDE access"
- "Privileged access management with session recording"
- "Quarterly access reviews"
monitoring:
pci_req: "Requirement 10: Logging and monitoring"
implementation:
- "Centralized logging (OCI Logging + SIEM integration)"
- "Audit trail for all CDE access (OCI Audit)"
- "Real-time alerting for security events (Cloud Guard)"
- "Log retention minimum 12 months (1 year online, archive older)"
- "Daily log review process"
vulnerability_management:
pci_req: "Requirement 5 & 6: Vulnerability management"
implementation:
- "Vulnerability Scanning service for compute instances"
- "Data Safe security assessments for databases"
- "Automated patching via OS Management"
- "Web Application Firewall (WAF) for public endpoints"
- "Quarterly vulnerability scans, annual penetration tests"
dr_for_pci:
pci_req: "Requirement 12: DR and business continuity"
implementation:
- "Cross-region DR for CDE (same PCI controls in DR region)"
- "DR region must also be PCI-compliant"
- "Annual DR drill with PCI scope validation"
oci_pci_services:
- service: "OCI Vault"
role: "Customer-managed encryption keys"
- service: "Data Safe"
role: "Database security assessment, data masking, audit"
- service: "Cloud Guard"
role: "Threat detection, security posture management"
- service: "WAF"
role: "Web application firewall for public endpoints"
- service: "Bastion"
role: "Secure access to CDE without public IPs"
- service: "Network Firewall"
role: "Traffic inspection between CDE and non-CDE"
- service: "Vulnerability Scanning"
role: "Automated vulnerability detection"
- service: "OS Management"
role: "Automated patching"

View File

@@ -0,0 +1,72 @@
---
last_verified: 2026-03-14
pattern: Compute Scaling
category: compute
---
description: |
Auto-scaling and load balancing patterns for OCI compute workloads.
patterns:
instance_pool_autoscaling:
name: "Instance Pool Auto-Scaling"
components:
- "Instance Pool with instance configuration"
- "Auto-scaling policy (metric-based or schedule-based)"
- "Load Balancer (flexible or network)"
scaling_metrics:
- "CPU utilization"
- "Memory utilization"
- "Custom metrics via Monitoring service"
scaling_speed: "New instances in 2-5 minutes"
when_to_use:
- "Stateless applications"
- "Web/API tiers"
- "Batch processing with variable load"
oke_horizontal_pod_autoscaling:
name: "OKE Horizontal Pod Autoscaler"
components:
- "OKE cluster with managed nodes"
- "HPA resource definitions"
- "Cluster Autoscaler for node scaling"
scaling_metrics:
- "CPU utilization"
- "Memory utilization"
- "Custom metrics"
scaling_speed: "Pods: seconds, Nodes: 5-10 minutes"
when_to_use:
- "Containerized microservices"
- "Applications already on Kubernetes"
oke_virtual_nodes:
name: "OKE Virtual Nodes (Serverless)"
components:
- "OKE cluster with virtual node pool"
- "No node management required"
scaling_speed: "Seconds (no node provisioning)"
when_to_use:
- "Burst workloads"
- "Event-driven container workloads"
- "Teams that don't want to manage nodes"
load_balancing:
flexible_lb:
type: "Layer 7 (HTTP/HTTPS)"
features:
- "SSL termination"
- "Path-based routing"
- "Session persistence"
- "Health checks"
- "WAF integration"
bandwidth: "10 Mbps to 8 Gbps"
use_for: "Web applications, API endpoints"
network_lb:
type: "Layer 4 (TCP/UDP)"
features:
- "Ultra-low latency"
- "Preserves source IP"
- "Health checks"
bandwidth: "Up to line rate"
use_for: "Database connections, non-HTTP protocols, high-throughput"

View File

@@ -0,0 +1,90 @@
# Pattern: Cross-Region Database DR
# Composable architecture block for cross-region disaster recovery
pattern:
name: "Cross-Region Database DR"
id: database_dr_cross_region
category: database-dr
description: |
Cross-region disaster recovery using Autonomous Data Guard or Active Data Guard to
maintain an asynchronous standby database in a remote OCI region. Provides protection
against full-region outages with RPO measured in seconds and RTO in minutes. Applicable
to ADB-S, DBCS, and ExaCS deployments.
variants:
- id: adb_s_cross_region
name: "ADB-S Cross-Region Autonomous Data Guard"
topology: "ADB-S primary in Region A, Autonomous Data Guard standby in Region B"
rpo: "Seconds (asynchronous replication)"
rto: "< 15 minutes (automated switchover/failover)"
use_when:
- "ADB-S workload requires regional DR"
- "RPO of seconds is acceptable"
- "Fully managed DR with minimal operational overhead"
- id: dbcs_cross_region
name: "DBCS Cross-Region Active Data Guard"
topology: "DBCS primary in Region A, ADG standby in Region B"
rpo: "Seconds to minutes (asynchronous)"
rto: "Minutes to 1 hour depending on automation"
use_when:
- "DBCS workload requires regional DR"
- "Custom database configuration needed"
- "Manual or scripted failover acceptable"
- id: exacs_cross_region
name: "ExaCS Cross-Region Active Data Guard"
topology: "ExaCS primary in Region A, ADG standby in Region B"
rpo: "Seconds to minutes (asynchronous)"
rto: "Minutes to 1 hour depending on automation"
use_when:
- "ExaCS workload requires regional DR"
- "High-performance database with regional protection"
- "Consolidated databases on Exadata with cross-region standby"
preconditions:
- "Primary database provisioned and operational"
- "DR region selected with matching service availability"
- "Network connectivity between regions (remote VCN peering via DRG or dedicated infrastructure)"
- "Sufficient quota in DR region for standby compute and storage"
- "For DBCS/ExaCS: Active Data Guard license (EE-HP or EE-EP, or BYOL with ADG option)"
implied_services:
- service: dns_traffic_management
reason: "Automated DNS failover to redirect application traffic to DR region"
- service: oci_notifications
reason: "Alerting on replication lag, failover events, and switchover status"
- service: monitoring
reason: "Track replication lag, standby apply rate, and DR readiness"
conflicts:
- pattern: "sync_data_guard_cross_region"
reason: "Synchronous Data Guard is not supported cross-region due to latency; only asynchronous replication is available"
gotchas:
- "Cross-region Active/Autonomous Data Guard is asynchronous only — RPO is always > 0"
- "Cross-region data transfer costs apply for redo log transport between regions"
- "Switchover is planned (zero data loss, brief outage) vs. failover is unplanned (potential data loss up to RPO)"
- "After failover, old primary must be reinstated or re-created — not automatic for DBCS/ExaCS"
- "Application connection strings must be updated or use DNS-based failover"
- "ADB-S cross-region DR requires both regions to support ADB-S"
- "DR readiness should be validated with periodic switchover drills"
cost_impact:
- "Full standby compute and storage cost in DR region (same as primary)"
- "Cross-region network egress charges for redo transport"
- "For ADB-S: standby OCPU/ECPU billed at same rate as primary"
- "DNS Traffic Management: per-zone and per-query charges"
- "Consider reserved capacity in DR region for cost optimization"
sizing_rules:
- "Standby must be same shape and size as primary to ensure failover performance"
- "Network bandwidth: estimate redo generation rate (typically 10-50 Mbps per 10K TPS)"
- "Storage in DR region must match primary storage allocation"
- "For ExaCS: same Exadata infrastructure shape required in DR region"
references:
- "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/autonomous-data-guard.html"
- "https://docs.oracle.com/en/cloud/paas/base-database/index.html"
- "https://docs.oracle.com/en/database/oracle/oracle-database/19/sbydb/"

View File

@@ -0,0 +1,97 @@
---
last_verified: 2026-03-14
pattern: Database Disaster Recovery
category: database
---
description: |
DR patterns for Oracle databases on OCI. Covers active-passive,
active-active, and pilot light approaches.
tiers:
tier_1_mission_critical:
name: "Mission Critical"
rto: "<15 minutes"
rpo: "<1 minute"
pattern: "Active-passive with automatic failover"
implementation:
adb_s: "Cross-region ADG with auto-failover"
exacs: "Cross-region Data Guard with FSFO + Observer"
cost_multiplier: "2x (full standby)"
testing: "Quarterly automated DR drill"
tier_2_business_critical:
name: "Business Critical"
rto: "<1 hour"
rpo: "<15 minutes"
pattern: "Active-passive with manual failover"
implementation:
adb_s: "Cross-region ADG with manual switchover"
exacs: "Cross-region Data Guard without FSFO"
cost_multiplier: "2x (full standby) or 1.5x (scaled-down standby)"
testing: "Semi-annual DR drill"
tier_3_standard:
name: "Standard"
rto: "<4 hours"
rpo: "<1 hour"
pattern: "Pilot light or backup-restore"
implementation:
adb_s: "Cross-region backup with restore-on-demand"
exacs: "RMAN backups to Object Storage, cross-region replicated"
cost_multiplier: "1.1x (backup storage only)"
testing: "Annual DR drill"
dr_regions:
recommended_pairs:
- primary: "US East (Ashburn)"
dr: "US West (Phoenix)"
latency_ms: "~60"
- primary: "UK South (London)"
dr: "Germany Central (Frankfurt)"
latency_ms: "~15"
- primary: "Japan East (Tokyo)"
dr: "Japan Central (Osaka)"
latency_ms: "~10"
- primary: "Brazil East (Sao Paulo)"
dr: "Brazil Southeast (Vinhedo)"
latency_ms: "~5"
migration_cutover:
zero_downtime:
tools: ["ZDM with GoldenGate", "Data Guard switchover"]
prerequisites:
- "GoldenGate configured and replicating"
- "Application connection strings use TNS aliases"
- "DNS TTL reduced before cutover"
steps:
- "Verify replication lag is zero"
- "Stop writes to source"
- "Verify final sync"
- "Switch application connection strings"
- "Validate application functionality"
- "Decommission source (after bake period)"
planned_downtime:
tools: ["Data Pump", "RMAN restore", "ZDM physical"]
typical_downtime: "2-8 hours depending on database size"
steps:
- "Announce maintenance window"
- "Take final backup/export"
- "Restore/import to target"
- "Switch application connections"
- "Validate"
gotchas:
- id: DR-001
issue: "Cross-region ADG network latency affects commit performance"
impact: "Synchronous mode adds latency to every commit"
recommendation: "Use asynchronous for cross-region (default), accept seconds of RPO"
- id: DR-002
issue: "DR standby compute may not be available during regional disaster"
impact: "If DR region is also impacted, compute capacity may be limited"
recommendation: "Use capacity reservations in DR region for critical workloads"
- id: DR-003
issue: "Application tier DR often forgotten"
impact: "Database fails over but app tier is not available"
recommendation: "Include app tier in DR plan — Terraform for on-demand provisioning"

View File

@@ -0,0 +1,71 @@
# Pattern: ADB-S High Availability
# Composable architecture block for Autonomous Database Serverless HA
pattern:
name: "ADB-S High Availability"
id: database_ha_adb_s
category: database-ha
description: |
Autonomous Database Serverless (ADB-S) provides built-in high availability through
Transparent Application Continuity (TAC) and automated failover. TAC replays in-flight
transactions transparently after infrastructure failures, masking outages from applications.
For additional protection, Autonomous Data Guard provides a same-region standby with
synchronous replication for zero data loss.
variants:
- id: local_ha
name: "Built-in Local HA (TAC)"
topology: "Same-region, ADB-S infrastructure-managed failover"
rpo: "0"
rto: "~0 perceived (transparent replay via TAC)"
use_when:
- "Standard HA for ADB-S workloads"
- "Application can tolerate brief transparent replay"
- "No separate standby database required"
- id: local_standby
name: "Same-Region Autonomous Data Guard Standby"
topology: "Primary + Standby in same region via Autonomous Data Guard"
rpo: "0 (synchronous replication)"
rto: "< 30 seconds (automatic switchover)"
use_when:
- "Zero RPO mandatory"
- "Protection against full AD or FD failure"
- "Read-only offload to standby needed"
preconditions:
- "ADB-S instance provisioned (Shared infrastructure)"
- "Private endpoint recommended for production workloads"
- "VCN with Service Gateway for secure OCI service access"
- "Wallet or mTLS connectivity configured for clients"
implied_services:
- service: service_gateway
reason: "Secure access to OCI services without internet traversal"
- service: oci_vault
reason: "Customer-managed encryption keys for TDE"
- service: data_safe
reason: "Database security posture management, auditing, and masking"
gotchas:
- "TAC replay does not cover all operations — UTL_HTTP calls, DBMS_PIPE, NOCACHE sequences, and external interactions are not replayed"
- "Auto-scaling takes 2-3 minutes to add OCPUs; plan base capacity for burst tolerance"
- "Autonomous Data Guard standby is read-only; cannot run DML on standby"
- "Switchover requires brief downtime; failover is automatic on primary failure"
- "TAC requires JDBC Thin driver 18c+ or ODP.NET with TAC enabled in connection string"
cost_impact:
- "Built-in local HA (TAC): no additional cost, included in ADB-S"
- "Autonomous Data Guard standby: billed at same compute (OCPU/ECPU) rate as primary"
- "Standby storage is additional and billed at standard ADB-S storage rates"
- "Auto-scaling can increase OCPU cost up to 3x base during peaks"
sizing_rules:
- "Standby must be same shape and OCPU/ECPU count as primary for seamless failover"
- "Storage on standby mirrors primary automatically"
- "Base OCPU count should handle normal workload without relying on auto-scaling for HA events"
references:
- "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/autonomous-data-guard.html"
- "https://docs.oracle.com/en/cloud/paas/autonomous-database/serverless/adbsb/application-continuity-autonomous.html"

View File

@@ -0,0 +1,76 @@
# Pattern: Active Data Guard HA/DR
# Composable architecture block for Oracle Database high availability
pattern:
name: "Active Data Guard"
id: active_data_guard
category: database-ha
applies_to: [adb_s, adb_d, dbcs, exacs]
description: |
Oracle Active Data Guard provides real-time data protection with a standby database
that can be used for read-only queries, reporting, and backups while maintaining
synchronous or asynchronous replication from the primary.
variants:
- id: adg_same_region
name: "Same-Region ADG (HA)"
topology: "Primary + Standby in same region, different ADs or FDs"
rpo: "0 (synchronous)"
rto: "< 30 seconds (automatic failover with FSFO)"
use_when:
- "99.99% SLA requirement"
- "Zero RPO mandatory"
- "Read-only offload needed"
- id: adg_cross_region
name: "Cross-Region ADG (DR)"
topology: "Primary in Region A, Standby in Region B"
rpo: "> 0 (asynchronous, typically seconds to minutes)"
rto: "Minutes to 1 hour depending on automation"
use_when:
- "Regional disaster recovery required"
- "RPO of seconds acceptable"
- "Regulatory requirement for geo-separation"
- id: adg_hybrid
name: "Same-Region HA + Cross-Region DR"
topology: "Primary + Local Standby (sync) + Remote Standby (async)"
rpo: "0 local, seconds remote"
rto: "< 30s local, minutes remote"
use_when:
- "Maximum protection: HA + DR"
- "Mission-critical workloads"
preconditions:
- "Oracle Database Enterprise Edition with Active Data Guard option"
- "BYOL: customer must have ADG license or ULA"
- "License Included: ADG included with ADB-S, ExaCS EE-HP/EE-EP"
- "For ADB-S: Autonomous Data Guard (managed, no manual config)"
implied_services:
- service: data_guard
- service: dns_traffic_management
reason: "DNS failover for application connection string update"
when: "cross_region"
- service: oci_notifications
reason: "Alert on failover events"
conflicts:
- pattern: "backup_restore_only"
reason: "ADG provides real-time replication; backup-restore is a subset"
cost_impact:
- "Standby database incurs full compute + storage cost"
- "For ADB-S: standby OCPUs billed at same rate"
- "Cross-region: additional network egress for redo transport"
- "BYOL: ADG license required (included in EE-EP)"
sizing_rules:
- "Standby must be same shape/OCPU as primary for failover"
- "For read-only offload: standby can handle ~80% of primary read capacity"
- "Network bandwidth for redo: estimate 10-50 Mbps per 10K TPS (varies by workload)"
references:
- "https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/autonomous-data-guard.html"
- "https://docs.oracle.com/en/database/oracle/oracle-database/19/sbydb/"

View File

@@ -0,0 +1,87 @@
---
last_verified: 2026-03-14
pattern: Database High Availability
category: database
---
description: |
Patterns for achieving high availability for Oracle databases on OCI.
Covers ADB-S, ADB-D, ExaCS, and DBCS configurations.
patterns:
adb_s_ha:
name: "ADB-S Built-in HA"
availability: "99.95% SLA"
rto: "<30 seconds"
rpo: "0 (synchronous)"
components:
- "ADB-S with Autonomous Data Guard (same-region)"
- "Automatic failover enabled"
- "No additional configuration needed"
cost_impact: "2x OCPU cost (standby billed at same rate)"
when_to_use:
- "Standard HA requirement"
- "Same-region protection sufficient"
notes:
- "Standby is provisioned automatically when ADG is enabled"
- "Failover is transparent to applications using recommended connection strings"
- "Switchover for planned maintenance is automatic"
adb_s_cross_region:
name: "ADB-S Cross-Region ADG"
availability: "99.95% SLA per region, survives region failure"
rto: "<5 minutes (automatic), <30 minutes (manual)"
rpo: "Seconds (asynchronous replication)"
components:
- "ADB-S primary in Region 1"
- "ADB-S standby in Region 2 (cross-region ADG)"
- "Optional: Refreshable clone in Region 2 for reporting"
cost_impact: "2x OCPU + inter-region data transfer"
when_to_use:
- "Compliance requires geo-redundant DR"
- "RTO < 30 minutes for region failure"
- "Business-critical workloads"
notes:
- "Cross-region ADG is asynchronous — RPO is not zero"
- "Automatic failover requires ADG Auto-Failover configuration"
- "Test failover quarterly"
exacs_rac_ha:
name: "ExaCS RAC High Availability"
availability: "99.95%+ (RAC + Data Guard)"
rto: "<60 seconds (RAC failover)"
rpo: "0 (synchronous within RAC)"
components:
- "ExaCS with multi-node RAC"
- "Data Guard to standby ExaCS (same or cross-region)"
- "Fast-Start Failover (FSFO) with Observer"
cost_impact: "2x infrastructure for Data Guard standby"
when_to_use:
- "Application requires RAC"
- "Sub-minute RTO required"
- "High-throughput OLTP workloads"
dbcs_ha:
name: "DBCS 2-Node RAC + Data Guard"
availability: "99.95%"
rto: "<60 seconds (RAC), <5 minutes (Data Guard)"
rpo: "0 (synchronous within region)"
components:
- "DBCS 2-node RAC (primary)"
- "DBCS Data Guard standby"
cost_impact: "3x compute (2 RAC + 1 DG standby)"
when_to_use:
- "Moderate workloads needing HA"
- "Budget doesn't allow Exadata"
decision_tree: |
Need HA for Oracle Database?
├── Using ADB-S?
│ ├── Same-region sufficient → Enable ADG (built-in)
│ └── Cross-region required → Cross-region ADG
├── Using ExaCS?
│ ├── RAC for local HA
│ └── Data Guard for DR (same or cross-region)
└── Using DBCS?
├── 2-node RAC for local HA
└── Data Guard for DR

View File

@@ -0,0 +1,678 @@
---
last_verified: 2026-03-18
pattern:
id: ecal-artefacts-catalog
name: "ECAL 3.1 Artefacts Catalog"
category: governance
---
description: >
Complete catalog of ECAL 3.1 artefacts across all 9 steps.
Each entry has: description, purpose, ECAL role, and whether
the OCI Deal Accelerator skill can generate it. Source: ECAL 3.1
Practitioners Guides (01-09).
# auto_generate: skill produces this artefact
# assist: skill provides partial content or structure
# reference: skill references this but customer/team produces it
# out_of_scope: purely delivery/commercial, skill doesn't touch
# ═══════════════════════════════════════════════════════════════
# DEFINE PHASE
# ═══════════════════════════════════════════════════════════════
define:
ideate:
- id: "DEF-01"
name: "Customer Profile"
what: "Strategic business goals, Oracle footprint, industry analysis, competitor positioning"
why: "Understand what drives the customer so the PoV resonates with their strategic goals"
how: "Account team intel, annual reports, web research, Business Model Canvas"
skill_support: "assist"
skill_notes: "Skill can research public info and structure into profile template"
customer_facing: false
- id: "DEF-02"
name: "Strategy Map"
what: "Customer goals → strategies → capabilities → enablers mapping"
why: "Links Oracle products to business strategy. Arguably most important ECAL artefact"
how: "Leverage Customer Profile, annual reports, Value Navigator"
skill_support: "assist"
skill_notes: "Skill can draft from discovery notes; needs customer validation"
customer_facing: false
- id: "DEF-03"
name: "Point of View (PoV)"
what: "Hypothesis about customer need, business benefit, SMART-evaluated"
why: "Go to customer with validated ideas that have significant business value"
how: "Review Pattern Library, Sales Central, quantify with Business Case"
skill_support: "auto_generate"
skill_notes: "Skill generates as 'value hypothesis' in value-story.yaml"
customer_facing: false
- id: "DEF-04"
name: "Ideation Workshop"
what: "Design Thinking workshop to formulate and validate PoV"
why: "Ensure no bias, everyone thinking about customer needs"
how: "Brainstorming, group discussion, NEXT/V2V methodology"
skill_support: "reference"
skill_notes: "Skill can generate agenda and talking points"
customer_facing: true
- id: "DEF-05"
name: "Business Case"
what: "Executive summary, drivers, recommended solution, benefits, timeline, risks"
why: "Communicate business value of cloud adoption"
how: "Use Value Navigator, work with customer on the model"
skill_support: "auto_generate"
skill_notes: "Skill generates via business-case.yaml template + deck"
customer_facing: true
- id: "DEF-06"
name: "Value Story"
what: "Compelling vision of the PoV and why customer should adopt it"
why: "Continue discussion with customer, tailor the PoV"
how: "External Ideation template, PowerPoint, demo, mockup"
skill_support: "auto_generate"
skill_notes: "Skill generates via value-story.yaml template"
customer_facing: true
validate:
- id: "DEF-07"
name: "Value Story Delivery"
what: "Half-day workshop presenting the Value Story to customer"
why: "Validate ideas with customer, do discovery through engagement"
how: "Presentations, whiteboards, exercises — be creative"
skill_support: "assist"
skill_notes: "Skill can generate workshop deck and discussion guide"
customer_facing: true
plan:
- id: "DEF-08"
name: "Joint Engagement Plan (JEP)"
what: "Outline plan for Design phase: activities, resources, timeline, scope"
why: "Customer must commit resources; cannot design in isolation"
how: "Use ECAL template, be clear on scope and outcomes"
skill_support: "auto_generate"
skill_notes: "Skill generates via joint-engagement-plan.yaml template"
customer_facing: true
# ═══════════════════════════════════════════════════════════════
# DESIGN PHASE — CURRENT STEP
# ═══════════════════════════════════════════════════════════════
design:
current:
identify_constraints:
- id: "DES-01"
name: "Business Constraints"
what: "Time, funding, legal, compliance, resource, technology constraints"
why: "Constraints impact Future State Architecture, Roadmap, and Proposal"
how: "Collect from customer via workshops or Constraints Questionnaire"
skill_support: "assist"
skill_notes: "Skill captures in workload-profile.yaml constraints section"
customer_facing: false
- id: "DES-02"
name: "Security Constraints"
what: "Security requirements, GDPR, regulatory needs"
why: "Security is major concern in cloud adoption"
how: "Security checklist, assess need for Oracle Security team"
skill_support: "assist"
skill_notes: "Skill flags compliance requirements from discovery notes"
customer_facing: true
capture_current_state:
- id: "DES-03"
name: "Current State Process & Capability Map"
what: "Business processes/capabilities currently in scope, single-slide view"
why: "Shows Oracle understands customer business needs"
how: "Cloud Notation Business Architecture, neutral language (no Oracle buzzwords)"
skill_support: "reference"
skill_notes: "Business architecture — needs customer input"
customer_facing: true
- id: "DES-04"
name: "Discovery Questionnaire"
what: "Structured collection of customer IT landscape"
why: "Build/understand current state, validate hypotheses"
how: "Send template to customer or fill collaboratively"
skill_support: "auto_generate"
skill_notes: "Skill generates via templates/discovery-questionnaire.yaml"
customer_facing: true
- id: "DES-05"
name: "Current State Apps & Tech Portfolio"
what: "Systems, assets, integrations, strategy per application"
why: "Understand environment, build Current State Architecture"
how: "Portfolio Assessment Workbook — Systems, Assets, Integrations tabs"
skill_support: "assist"
skill_notes: "Skill structures from discovery questionnaire responses"
customer_facing: true
- id: "DES-06"
name: "Security Baseline & Guidance"
what: "Current security posture and requirements"
why: "Baseline for designing security in future state"
how: "Security team assessment"
skill_support: "reference"
skill_notes: "References kb/well-architected/security.yaml"
customer_facing: true
- id: "DES-07"
name: "Operational RACI (Current)"
what: "How customer currently runs operations — services, SLAs, responsibilities"
why: "Understand current ops model to design future ops that fit"
how: "Request operational definitions, frameworks (ITIL), service levels"
skill_support: "assist"
skill_notes: "Skill maps to operational-raci.yaml models"
customer_facing: false
- id: "DES-08"
name: "Prioritization Matrix"
what: "Applications scored by criticality, fit, potential, risk"
why: "Focus on highest-value, lowest-risk initiatives first"
how: "Score each app on 5 criteria, weighted calculation"
skill_support: "auto_generate"
skill_notes: "Skill generates from discovery-questionnaire.yaml prioritization section"
customer_facing: true
- id: "DES-09"
name: "Current State Architecture"
what: "Architecture diagrams of current environment in scope"
why: "Baseline for Future State Architecture"
how: "Receive from customer or draw using Cloud Notation"
skill_support: "assist"
skill_notes: "Skill can generate .drawio from description"
customer_facing: true
future:
solution_design:
- id: "DES-10"
name: "Future State Process & Capability Map"
what: "Business capabilities covered by proposed solution"
why: "Shows Oracle understands and addresses customer needs"
how: "Map capabilities to Oracle products, use Cloud Notation"
skill_support: "reference"
skill_notes: "Business architecture — needs customer validation"
customer_facing: true
- id: "DES-11"
name: "Future State Apps & Tech Portfolio"
what: "Oracle/3rd party products mapped to business capabilities"
why: "Bridges capability map to architecture"
how: "List capabilities per product, show integration relationships"
skill_support: "assist"
skill_notes: "Skill can map from service selection"
customer_facing: true
- id: "DES-12"
name: "Future State Architecture"
what: "Application + Technology architecture diagrams"
why: "Communicates solution vision internally and to customer"
how: "Cloud Notation, review with ECAL team, iterate"
skill_support: "auto_generate"
skill_notes: "Skill generates .drawio via oci_diagram_gen.py"
customer_facing: true
- id: "DES-13"
name: "Solution Roadmap"
what: "Phased implementation plan by value/risk"
why: "Complex solutions can't be delivered in one step"
how: "Divide by criteria (org, region, risk), prioritize high-value/low-risk"
skill_support: "auto_generate"
skill_notes: "Skill includes roadmap slide in deck"
customer_facing: true
- id: "DES-14"
name: "Extension Catalog"
what: "Custom extensions beyond OOTB Oracle products"
why: "Highlights gaps requiring custom development"
how: "Identify missing capabilities, clarify implementation"
skill_support: "reference"
skill_notes: "Customer-specific; skill flags potential gaps"
customer_facing: true
- id: "DES-15"
name: "Integration Catalog"
what: "All non-OOTB integrations with data flows, volumes, frequency"
why: "Communicate integration effort and responsibility"
how: "Map all inter-component data flows, include volumes"
skill_support: "assist"
skill_notes: "Skill can list integrations from architecture"
customer_facing: true
- id: "DES-16"
name: "Information & BI Model"
what: "Data flows, MDM, analytics architecture"
why: "Document where data resides and how it's managed"
how: "Data Ecosystem reference architecture, Cloud Notation"
skill_support: "reference"
skill_notes: "Reference patterns in kb/patterns/"
customer_facing: true
deployment_design:
- id: "DES-17"
name: "Datacentre Design"
what: "Which services run in which region/DC for each environment"
why: "Data locality, regulatory compliance, HA strategy"
how: "Map components to OCI regions, include on-prem/multi-cloud"
skill_support: "auto_generate"
skill_notes: "Skill includes region mapping in architecture"
customer_facing: true
- id: "DES-18"
name: "Lifecycle Management Design"
what: "CI/CD, dev-to-prod automation, IaC approach"
why: "Automation is critical for cloud operational success"
how: "OCI DevOps, Terraform, Resource Manager"
skill_support: "assist"
skill_notes: "Skill recommends IaC approach in deployment design"
customer_facing: true
- id: "DES-19"
name: "Network Design"
what: "Connectivity between DCs, within DCs, to users"
why: "Well-defined networking is critical for solution success"
how: "Cloud Notation, show gateways, protocols, public/private"
skill_support: "auto_generate"
skill_notes: "Skill includes networking in .drawio diagrams"
customer_facing: true
- id: "DES-20"
name: "Identity & Access Design"
what: "How users access the system, authentication, authorization"
why: "IAM is critical non-functional requirement"
how: "End-to-end identity across proposed and existing systems"
skill_support: "assist"
skill_notes: "Skill recommends IAM approach from patterns"
customer_facing: true
- id: "DES-21"
name: "Environment Catalog"
what: "List of all environments: prod, dev, test, DR with sizing"
why: "Understand total solution size for accurate BoM"
how: "Discuss with team and customer, use environment-catalogue.yaml"
skill_support: "auto_generate"
skill_notes: "Skill generates from kb/patterns/environment-catalogue.yaml"
customer_facing: true
- id: "DES-22"
name: "Recovery Model"
what: "HA/DR architecture for different failure scenarios"
why: "Customers need to understand business continuity"
how: "Map RTO/RPO requirements to HA/DR patterns"
skill_support: "auto_generate"
skill_notes: "Skill generates from service-tiering.yaml + HA/DR patterns"
customer_facing: true
- id: "DES-23"
name: "Management Design"
what: "Monitoring tools, alerting, operations management"
why: "Operational readiness is critical for customer confidence"
how: "Map to OCI native tools or customer's existing tools"
skill_support: "assist"
skill_notes: "Skill recommends monitoring stack in operations model"
customer_facing: true
- id: "DES-24"
name: "Data Locality & Data Security"
what: "Where controlled data resides, encryption, key management"
why: "Data security is highest customer concern"
how: "Map data locations, encryption methods, key management"
skill_support: "assist"
skill_notes: "Skill flags data residency and encryption in architecture"
customer_facing: true
transition_design:
- id: "DES-25"
name: "Implementation Plan"
what: "Prioritized implementation/migration of capabilities"
why: "Most organizations can't change architecture in one phase"
how: "Implementation partner responsibility; SA validates compatibility"
skill_support: "assist"
skill_notes: "Skill generates high-level migration plan slides"
customer_facing: true
- id: "DES-26"
name: "Implementation RACI"
what: "Who does what during implementation"
why: "Clear roles prevent rework and delays"
how: "High-level tasks with R/A/C/I per role"
skill_support: "assist"
skill_notes: "Skill can draft from engagement-raci.yaml adopt section"
customer_facing: true
- id: "DES-27"
name: "Provisioning Plan / Map"
what: "How each component gets provisioned and brought into service"
why: "Basis for actual provisioning of services"
how: "Map BoM components to provisioning steps"
skill_support: "reference"
skill_notes: "Delivery partner responsibility"
customer_facing: true
- id: "DES-28"
name: "Adoption Plan"
what: "How customer adopts the cloud service post-provisioning"
why: "Ensure availability of resources and service levels"
how: "Cloud Adoption Services (CAS), business readiness"
skill_support: "reference"
skill_notes: "CAS/delivery partner responsibility"
customer_facing: true
service_design:
- id: "DES-29"
name: "Operational Services RACI"
what: "Runtime responsibilities for operating/supporting the solution"
why: "Clear ops responsibilities prevent go-live surprises"
how: "Map to operational-raci.yaml models (fully/co/self managed)"
skill_support: "auto_generate"
skill_notes: "Skill generates from kb/patterns/operational-raci.yaml"
customer_facing: true
- id: "DES-30"
name: "Operational Services Design"
what: "9 categories of operational service model for running the solution"
why: "Customer needs to know best practices for operating in cloud"
how: "Use 9 Enduring Capabilities framework"
skill_support: "assist"
skill_notes: "Skill generates operations model from template"
customer_facing: true
demo_poc:
- id: "DES-31"
name: "PoC Joint Execution Plan"
what: "Scope, approach, timeline, success criteria for PoC"
why: "Structured PoC with bilateral commitment"
how: "Define scope, test architectures, use cases, ground rules"
skill_support: "reference"
skill_notes: "Customer-specific; skill can outline structure"
customer_facing: true
- id: "DES-32"
name: "Demo / PoC Delivery"
what: "Execution of demo or proof of concept"
why: "Prove technical feasibility or address customer concerns"
how: "Demo Central, Cloud Trials, custom PoC"
skill_support: "reference"
skill_notes: "Execution activity, not a document"
customer_facing: true
bom_sizing:
- id: "DES-33"
name: "Architecture Review"
what: "Team review of all architecture artefacts before BoM"
why: "Ensure team alignment on proposed solution"
how: "Review meeting with complete account team"
skill_support: "auto_generate"
skill_notes: "Skill runs WA validation via validate-architecture.py"
customer_facing: false
- id: "DES-34"
name: "Bill of Materials & Sizing"
what: "All pricing and sizing for each solution component"
why: "Summarizes all software/hardware/service costs"
how: "Map from Future State Architecture + sizing model"
skill_support: "auto_generate"
skill_notes: "Skill generates cost estimate from kb/pricing/ + kb/sizing/"
customer_facing: true
confirm:
- id: "DES-35"
name: "Solution Proposal"
what: "High-impact customer presentation of the proposed solution"
why: "Enable customer to decide whether to proceed to Deliver"
how: "Collect all designs, simplify, merge with business drivers"
skill_support: "auto_generate"
skill_notes: "Skill generates .pptx deck via oci_deck_gen.py"
customer_facing: true
- id: "DES-36"
name: "Partner / Services Proposal"
what: "Implementation + operational services cost estimate"
why: "Complete solution = products + implementation + operations"
how: "Work with OC/ACS/partners based on Design artefacts"
skill_support: "reference"
skill_notes: "OC/ACS/partner responsibility"
customer_facing: true
- id: "DES-37"
name: "RFx Response"
what: "Formal response to customer RFI/RFQ/RFP"
why: "Formal stage in customer buying cycle"
how: "Qualify, plan, manage response, QA, submit"
skill_support: "reference"
skill_notes: "Sales/BD responsibility; skill provides technical content"
customer_facing: true
- id: "DES-38"
name: "Commercial Agreement"
what: "Commercial terms: cloud credits, BYOL, ELA, pricing"
why: "Customer needs to understand costs to proceed"
how: "Sales/CSM use BoM to produce commercial terms"
skill_support: "reference"
skill_notes: "Sales responsibility"
customer_facing: true
# ═══════════════════════════════════════════════════════════════
# DELIVER PHASE
# ═══════════════════════════════════════════════════════════════
deliver:
adopt:
establish_governance:
- id: "DEL-01"
name: "Architecture Governance"
what: "Compliance review process for projects vs. enterprise architecture"
why: "Ensure original vision is realized during implementation"
how: "Regular meetings, architecture compliance checklists"
skill_support: "reference"
skill_notes: "Implementation team responsibility"
customer_facing: true
- id: "DEL-02"
name: "Operating Model"
what: "How existing processes/tools change for the new solution"
why: "Without agreed model, risk of project failure"
how: "Assess org capabilities using Operational Service RACI/Design"
skill_support: "auto_generate"
skill_notes: "Skill generates via templates/operations-model.yaml"
customer_facing: true
- id: "DEL-03"
name: "Business Transition Plan"
what: "Managing business change and readiness for go-live"
why: "Business must change processes/org to realize value"
how: "Analysis of business strategy, process standardization"
skill_support: "reference"
skill_notes: "CAS/delivery partner responsibility"
customer_facing: true
- id: "DEL-04"
name: "Training & Communication Plan"
what: "End-user training strategy and project communication"
why: "Effective communication is difference between success and failure"
how: "Review Adoption Plan, determine training delivery method"
skill_support: "reference"
skill_notes: "Delivery partner responsibility"
customer_facing: true
manage_project:
- id: "DEL-05"
name: "Project Governance"
what: "Oversight framework: steering committee, change control, escalation"
why: "Key elements that make a project successful"
how: "Define governance structure, reporting, risk management"
skill_support: "reference"
skill_notes: "PM responsibility"
customer_facing: true
- id: "DEL-06"
name: "Project Plan"
what: "Detailed steps with timelines for deployment"
why: "Identify critical path, stick to timelines"
how: "Detailed iteration of high-level Implementation Plan"
skill_support: "reference"
skill_notes: "Implementation partner responsibility"
customer_facing: true
- id: "DEL-07"
name: "Project Delivery"
what: "Execute the project per plan and governance"
why: "Correctly mobilising prevents delays"
how: "Onboard team, enable, kick off, deliver"
skill_support: "reference"
skill_notes: "Execution activity"
customer_facing: false
- id: "DEL-08"
name: "Signoff & Close"
what: "Validate and sign off all elements of solution"
why: "Formal confirmation before moving to production"
how: "Confirm configs, integrations, data migrations complete"
skill_support: "reference"
skill_notes: "PM responsibility"
customer_facing: true
customer_adoption:
- id: "DEL-09"
name: "Contracts & Policy Review"
what: "Review all agreements associated with the project"
why: "Incomplete understanding puts project at risk"
how: "Review with customer, note risks"
skill_support: "reference"
skill_notes: "Legal/commercial responsibility"
customer_facing: true
- id: "DEL-10"
name: "Readiness Assessment"
what: "Ensure project team has right skills and assets"
why: "Lack of tools/docs/processes becomes obstacle"
how: "Review requirements, define readiness assets"
skill_support: "reference"
skill_notes: "PM responsibility"
customer_facing: false
- id: "DEL-11"
name: "Configuration & Customization"
what: "Build the solution: configs, customizations, integrations"
why: "Build per agreed architecture and deployment design"
how: "Delivery partner method (e.g., TCM)"
skill_support: "reference"
skill_notes: "Delivery team execution"
customer_facing: false
- id: "DEL-12"
name: "Security Build"
what: "Final review and build of security configuration"
why: "Confirm solution built per Identity & Access Design"
how: "Delivery partner method"
skill_support: "reference"
skill_notes: "Delivery team execution"
customer_facing: false
- id: "DEL-13"
name: "Data Migration"
what: "Extract, load, validate data from source to target"
why: "Confirm data migrates correctly and safely"
how: "DMS, GoldenGate, Data Pump, RMAN, ZDM"
skill_support: "assist"
skill_notes: "Skill recommends migration tools in architecture"
customer_facing: false
- id: "DEL-14"
name: "Validation & Testing"
what: "Business process validation and technical testing"
why: "Confirm solution ready for production"
how: "Process playback, final validation, sign-off"
skill_support: "reference"
skill_notes: "Delivery team + customer execution"
customer_facing: true
- id: "DEL-15"
name: "Business Enablement"
what: "End-user training delivery"
why: "Users must be effective with new solution"
how: "Per Training Plan, Oracle University"
skill_support: "reference"
skill_notes: "Training team responsibility"
customer_facing: true
- id: "DEL-16"
name: "Go-Live & Hypercare"
what: "Cutover to production + intensive post-go-live support"
why: "Reduce risk and provide better customer experience"
how: "Support, data integrity, availability monitoring"
skill_support: "auto_generate"
skill_notes: "Skill generates go-live-checklist.yaml"
customer_facing: true
operate:
- id: "DEL-17"
name: "Cloud Operating Framework"
what: "Detailed 52-week operational plan based on Operating Model"
why: "Cloud operations very different from on-premise"
how: "Create plan covering all 9 operational capability areas"
skill_support: "reference"
skill_notes: "ACS/delivery partner responsibility"
customer_facing: true
- id: "DEL-18"
name: "OCI Operationalization Framework"
what: "5-milestone methodology for deploying workloads to OCI"
why: "Blueprint for operationalizing OCI quickly"
how: "Preparation → Conceptual Arch → Physical Arch → Operations → Workloads"
skill_support: "reference"
skill_notes: "NAC framework; skill aligns architecture with milestones"
customer_facing: true
improve:
- id: "DEL-19"
name: "Retrospective"
what: "Team review: what worked, what didn't, what to improve"
why: "Key ECAL principle: learn fast, capture feedback"
how: "3-4 hour meeting, inspect → identify → output actions"
skill_support: "auto_generate"
skill_notes: "Skill generates via templates/lessons-learned.yaml"
customer_facing: false
- id: "DEL-20"
name: "Value Realization"
what: "Post-implementation review against Business Case metrics"
why: "Validate if benefits were actually realized"
how: "Formal or informal review of adoption, impact, benefits"
skill_support: "auto_generate"
skill_notes: "Skill generates via templates/success-criteria.yaml"
customer_facing: true
- id: "DEL-21"
name: "Customer Success Story"
what: "Single-slide summary: who, challenge, approach, value"
why: "Share success with wider community and other customers"
how: "Collect from Business Case, build storyline with customer"
skill_support: "reference"
skill_notes: "Account team responsibility; skill can structure"
customer_facing: true
- id: "DEL-22"
name: "Improvement Actions"
what: "Consolidated improvement plan from operations insights"
why: "Continuous improvement, may lead back to new DEFINE cycle"
how: "Consolidate actions, discuss with customer PM, track"
skill_support: "reference"
skill_notes: "Feeds back into DEFINE for next engagement"
customer_facing: true
# ═══════════════════════════════════════════════════════════════
# SUMMARY STATS
# ═══════════════════════════════════════════════════════════════
summary:
total_artefacts: 60
auto_generate: 16 # skill produces complete artefact
assist: 14 # skill provides partial content
reference: 30 # skill references but team produces
define_phase: 8
design_phase: 38
deliver_phase: 22

View File

@@ -0,0 +1,916 @@
---
last_verified: 2026-03-18
pattern:
id: engagement-raci
name: "ECAL Engagement RACI"
category: governance
---
description: >
Defines who is Responsible, Accountable, Consulted, and Informed for each
ECAL artefact during the engagement lifecycle. This is the PROCESS RACI
(who does what during pre-sales), not the operational RACI (who runs
the solution post-go-live). Source: ECAL 3.1 Practitioners Guides.
roles:
EA: "Enterprise Architect"
SE: "Solution Engineer"
BA: "Business Architect"
CS: "Customer Success"
DA: "Deployment Architect"
VC: "Value Consulting"
Sales: "Sales"
MS: "Managed Services"
CloudOps: "Cloud Operations"
Customer: "Customer"
raci_definitions:
R: "Responsible — executes and delivers the artefact"
A: "Accountable — signs off, owns the outcome (max one per artefact)"
C: "Consulted — contributes expertise, reviewed before completion"
I: "Informed — notified of the result"
# ═══════════════════════════════════════════════════════════════
# DEFINE PHASE
# ═══════════════════════════════════════════════════════════════
define:
ideate:
step_purpose: >
Understand the customer situation and propose a potential solution
(value story) that resonates with their business drivers.
artefacts:
- name: "Customer Profile"
EA: "A/R"
SE: "R"
BA: "C"
CS: "C"
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "I"
- name: "Strategy Map"
EA: "C"
SE: "R/A"
BA: "I"
CS: "I"
DA: "I"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: ""
- name: "Point of View"
EA: "A/R"
SE: "R"
BA: "C"
CS: "C"
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: ""
- name: "Ideation Workshop"
EA: "C"
SE: "A/R"
BA: "C"
CS: "C"
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "R"
- name: "Business Case"
# Roles filled during Ideate are minimal; revisited in Confirm
EA: ""
SE: ""
BA: ""
CS: ""
DA: ""
VC: ""
Sales: ""
MS: ""
CloudOps: ""
Customer: ""
- name: "Value Story"
EA: "A/R"
SE: "R"
BA: "C"
CS: "C"
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: ""
validate:
step_purpose: >
Present the Point of View to the customer and validate the ideas.
Assess impact and customer willingness to investigate a solution.
artefacts:
- name: "Value Story Delivery"
EA: "A/R"
SE: "R"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "R"
Customer: "R"
plan:
step_purpose: >
Once the PoV is validated, plan the Design phase activities,
resources, and timeline as a joint plan with the customer.
artefacts:
- name: "Joint Engagement Plan"
EA: "A/R"
SE: "C"
BA: "R"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "R"
# ═══════════════════════════════════════════════════════════════
# DESIGN PHASE
# ═══════════════════════════════════════════════════════════════
design:
current:
step_purpose: >
Understand the customer's context: current architecture, business
processes, constraints, and priorities relevant to the engagement.
artefacts:
- name: "Business Constraints"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "I"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Security Constraints"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "C"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Current State Process & Capability Map"
EA: "R/A"
SE: "R"
BA: "C"
CS: "C"
DA: "C"
VC: "C"
Sales: ""
MS: ""
CloudOps: "I"
Customer: "R/C"
- name: "Discovery Questionnaire"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "R"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: "R/C"
- name: "Current State Apps & Tech Portfolio"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "I"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: "R/C"
- name: "Operational RACI (Current)"
EA: "R/A"
SE: ""
BA: ""
CS: "C"
DA: "C"
VC: ""
Sales: "C"
MS: ""
CloudOps: ""
Customer: "R/C"
- name: "Prioritization Matrix"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "I"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Current State Architecture"
EA: "R/A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: "I"
Sales: "C"
MS: "C"
CloudOps: "I"
Customer: ""
future:
step_purpose: >
Create the overall solution: architecture, deployment design,
transition plan, service design, sizing, and BoM.
solution_design:
- name: "Future State Process & Capability Map"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Future State Apps & Tech Portfolio"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Future State Architecture"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Solution Roadmap"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Extension Catalog"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Integration Catalog"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Information & BI Model"
EA: "R/A"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
deployment_design:
- name: "Deployment Design"
EA: "R/A"
SE: ""
BA: "C"
CS: "I"
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Datacentre Design"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Lifecycle Management Design"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Network Design"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Identity & Access Design"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Environment Catalog"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Recovery Model"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Management Design"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Data Locality & Data Security"
EA: "R/A"
SE: ""
BA: "C"
CS: ""
DA: "R/C"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
transition_design:
- name: "Implementation Plan"
EA: "A"
SE: "C"
BA: ""
CS: "I"
DA: "R/C"
VC: ""
Sales: "C"
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Implementation RACI"
EA: "A"
SE: "C"
BA: ""
CS: ""
DA: "R"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
- name: "Provisioning Plan / Map"
EA: "A"
SE: "C"
BA: "C"
CS: ""
DA: "R"
VC: ""
Sales: ""
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Adoption Plan"
EA: "A"
SE: "C"
BA: ""
CS: ""
DA: "R"
VC: ""
Sales: ""
MS: ""
CloudOps: "I"
Customer: "C"
service_design:
- name: "Operational Services RACI"
EA: "A"
SE: ""
BA: ""
CS: ""
DA: ""
VC: ""
Sales: "R"
MS: "C"
CloudOps: "I"
Customer: "C"
- name: "Operational Services Design"
EA: "A"
SE: ""
BA: ""
CS: ""
DA: ""
VC: ""
Sales: "R"
MS: "C"
CloudOps: "I"
Customer: "C"
demo_poc:
- name: "PoC Joint Execution Plan"
EA: "A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "I"
- name: "Demo / PoC Delivery"
EA: "A"
SE: ""
BA: "R"
CS: ""
DA: "C"
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "I"
bom_sizing:
- name: "Architecture Review"
EA: "C/I"
SE: ""
BA: "C/R"
CS: ""
DA: "C/I"
VC: ""
Sales: "C/I"
MS: ""
CloudOps: "R/A"
Customer: ""
- name: "Bill of Materials & Sizing"
EA: "C/I"
SE: ""
BA: "C/R"
CS: ""
DA: "C/I"
VC: ""
Sales: "C/I"
MS: ""
CloudOps: "R/A"
Customer: ""
confirm:
step_purpose: >
Assemble design work into a high-impact Solution Proposal that
enables the customer to validate and decide to proceed.
artefacts:
- name: "Solution Proposal"
EA: "A/R"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: "C"
Sales: ""
MS: ""
CloudOps: "C"
Customer: "I"
- name: "Partner / Services Proposal"
EA: "C"
SE: ""
BA: ""
CS: ""
DA: "A/R"
VC: ""
Sales: "R"
MS: ""
CloudOps: "C"
Customer: "C"
- name: "RFx Response"
EA: "C"
SE: "C"
BA: "A/R/C"
CS: "I"
DA: ""
VC: ""
Sales: ""
MS: ""
CloudOps: "C"
Customer: "I"
- name: "Commercial Agreement"
EA: "C"
SE: "C"
BA: "C"
CS: ""
DA: "C"
VC: ""
Sales: "C"
MS: ""
CloudOps: "A/R"
Customer: "R"
# ═══════════════════════════════════════════════════════════════
# DELIVER PHASE
# ═══════════════════════════════════════════════════════════════
deliver:
adopt:
step_purpose: >
Transition from proposed architecture to implementation.
Pre-sales → delivery handover without rework.
establish_governance:
- name: "Architecture Governance"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Operating Model"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Business Transition Plan"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Training & Communication Plan"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
manage_project:
- name: "Project Governance"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Project Plan"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Project Delivery"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Signoff & Close"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
customer_adoption:
- name: "Contracts & Policy Review"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Readiness Assessment"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Configuration & Customization"
EA: "A/R"
SE: ""
BA: "I"
CS: ""
DA: "R"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Security Build"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Data Migration"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Validation & Testing"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Business Enablement"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
- name: "Go-Live & Hypercare"
EA: "C"
SE: ""
BA: "I"
CS: ""
DA: "R/A"
VC: "R/C/I"
Sales: "R"
MS: "I"
CloudOps: ""
Customer: "R"
operate:
step_purpose: >
Solution is live. Operational capabilities from the Operating Model
are performed to retain vitality. Business outcome reporting active.
artefacts:
- name: "Cloud Operating Framework"
EA: ""
SE: ""
BA: ""
CS: "I"
DA: "R"
VC: ""
Sales: "R"
MS: "R"
CloudOps: ""
Customer: "R/A"
- name: "OCI Operationalization Framework"
EA: ""
SE: ""
BA: ""
CS: ""
DA: "R/A"
VC: ""
Sales: "R/C"
MS: ""
CloudOps: ""
Customer: "C/I"
improve:
step_purpose: >
Capture learnings, validate value delivery, identify next
hypothesis to tackle. Feed improvements back into ECAL.
artefacts:
- name: "Retrospective"
EA: "C/I"
SE: "C/I"
BA: ""
CS: "R"
DA: "R/A"
VC: ""
Sales: "R"
MS: "R"
CloudOps: ""
Customer: "C"
- name: "Value Realization"
EA: "C/I"
SE: "C/I"
BA: ""
CS: "R"
DA: "R/A"
VC: ""
Sales: "R"
MS: "R"
CloudOps: ""
Customer: "C"
- name: "Customer Success Story"
EA: "C/I"
SE: "C/I"
BA: ""
CS: "R"
DA: "R/A"
VC: ""
Sales: "R"
MS: "R"
CloudOps: ""
Customer: "C"
- name: "Improvement Actions"
EA: "C/I"
SE: "C/I"
BA: ""
CS: "R/A"
DA: "R"
VC: ""
Sales: "R"
MS: "R"
CloudOps: ""
Customer: "C"
# ═══════════════════════════════════════════════════════════════
# LESSONS LEARNED PER STEP (from ECAL Practitioners Guides)
# ═══════════════════════════════════════════════════════════════
lessons_learned:
define:
- "Listen to the customer and also to each other"
- "Don't defend your Point of View to the customer, listen for ideas"
- "Understand what the customer is saying"
- "Make Point of View SMART: Specific, Measurable, Attainable, Relevant, Time-based"
- "Think carefully about whether it's right to proceed"
- "Do you have a senior customer sponsor that will support you?"
current:
- "Frame the problem — don't gather requirements"
- "Capture current state in terms of people, process and technology"
- "Be collaborative with the customer and share everything"
- "Use whatever works — try top down and bottom up"
- "Understand the business context, business drivers and desired outcomes"
- "Be very clear about the scope — which systems are in and out"
future:
- "Always look for a quick win for the customer"
- "The operational model is just as important as the architecture"
- "Don't forget non-production environments"
- "Security and data locality must be understood early, don't leave it too late"
confirm:
- "Propositions must be SMART in a customer context"
- "Ensure you have evidence to support all positions"
- "The Roadmap must be achievable"
- "Think about the person you are presenting to — what does it mean for them"
- "Quality of the presentation is very important — it must look professional"
adopt:
- "Look for a Minimum Viable Product (or service) that delivers real customer benefits early"
- "Incremental delivery phases should maximize customer value per the roadmap"
- "Always consider how to help the customer with adoption and ownership"
- "Architecture artifacts are constantly refined as more is learned during Deliver"
improve:
- "Leverage any opportunity to capture a successful outcome as a customer story"
- "Look back at every project for opportunities to improve"
- "Keep in touch with the customer and track how the project is going"
- "Share your learning with your team"
- "Feed back suggested improvements to the ECAL process"

View File

@@ -0,0 +1,48 @@
---
last_verified: 2026-03-16
pattern:
id: environment-catalogue
name: "Environment Catalogue"
category: operations
---
description: >
Defines the standard environments for each workload tier. The skill
generates the catalogue from the workload profile by expanding each
database into its required environments based on tier.
environment_templates:
platinum:
environments:
- { env: "Production", sizing: "full", isolation: "dedicated CDB, dedicated infra", ha: "RAC + ADG sync" }
- { env: "Pre-Production", sizing: "75% of prod", isolation: "dedicated CDB", ha: "optional RAC" }
- { env: "Dev/Test", sizing: "25% of prod", isolation: "shared CDB OK", ha: "none" }
- { env: "DR", sizing: "100% of prod", isolation: "same as prod", ha: "sync ADG or GG active-active" }
gold:
environments:
- { env: "Production", sizing: "full", isolation: "dedicated CDB, private endpoint", ha: "TAC + ADG local" }
- { env: "Pre-Production", sizing: "50% of prod", isolation: "refreshable clone OK", ha: "none" }
- { env: "Dev/Test", sizing: "25% of prod", isolation: "full clone, auto-stop nights", ha: "none" }
- { env: "DR", sizing: "100% of prod", isolation: "cross-region ADG", ha: "async ADG" }
silver:
environments:
- { env: "Production", sizing: "full", isolation: "shared CDB OK", ha: "single instance" }
- { env: "Pre-Production", sizing: "50% of prod", isolation: "refreshable clone", ha: "none" }
- { env: "Dev/Test", sizing: "25% of prod", isolation: "full clone, auto-stop", ha: "none" }
- { env: "DR", sizing: "N/A", isolation: "backup to Object Storage", ha: "restore from backup" }
bronze:
environments:
- { env: "Production", sizing: "full", isolation: "shared CDB, oversubscribed OK", ha: "none" }
- { env: "Dev/Test", sizing: "same as prod", isolation: "shared CDB", ha: "none" }
- { env: "DR", sizing: "N/A", isolation: "DB export only", ha: "restore from export" }
cost_optimization_rules:
- "Pre-Prod: use Refreshable Clones when read-only testing is sufficient"
- "Dev/Test: auto-stop weeknights (7PM-7AM) + weekends = ~65% savings"
- "Dev/Test: use minimum OCPU (1-2), no auto-scaling"
- "DR standby: consider pilot light (Terraform on-demand) for Silver/Bronze"
- "Bronze DR: DB export to Object Storage is cheapest, no standby OCPU"

View File

@@ -0,0 +1,98 @@
# Pattern: Basic VCN Networking
# Composable architecture block for single-VCN 3-tier network layout
pattern:
name: "Basic VCN Networking"
id: networking_basic
category: networking
description: |
Single VCN with a 3-tier subnet layout providing public, application, and data
tiers. Suitable for standalone workloads, small-to-medium deployments, and as a
starting point before evolving to hub-spoke topology. Public subnet hosts load
balancers and bastion, private app subnet hosts compute/containers, and private
data subnet hosts databases and storage.
topology:
vcn:
cidr: "10.0.0.0/16"
dns_label: "vcnmain"
subnets:
- name: "Public Subnet"
cidr: "10.0.0.0/24"
type: public
purpose: "Load balancers, bastion host, WAF endpoints"
usable_ips: 251
- name: "App Private Subnet"
cidr: "10.0.1.0/24"
type: private
purpose: "Compute instances, OKE worker nodes, application servers"
usable_ips: 251
- name: "Data Private Subnet"
cidr: "10.0.2.0/24"
type: private
purpose: "Databases (ADB-S, DBCS), file storage, object storage private endpoints"
usable_ips: 251
components:
- name: "VCN"
purpose: "Virtual Cloud Network — isolated network boundary"
- name: "Public Subnet"
purpose: "Internet-facing resources (LBaaS, Bastion)"
- name: "App Private Subnet"
purpose: "Application tier — no direct internet access"
- name: "Data Private Subnet"
purpose: "Database tier — no direct internet access"
- name: "Internet Gateway (IGW)"
purpose: "Inbound and outbound internet access for public subnet"
- name: "NAT Gateway"
purpose: "Outbound-only internet access for private subnets (patches, APIs)"
- name: "Service Gateway"
purpose: "Private access to OCI services (Object Storage, ADB-S) without internet"
- name: "Route Tables"
purpose: "Per-subnet routing rules for IGW, NAT GW, and Service GW"
- name: "Network Security Groups (NSGs)"
purpose: "Stateful firewall rules applied per VNIC for fine-grained access control"
preconditions:
- "Compartment created for the workload"
- "CIDR ranges planned and non-overlapping with other VCNs or on-premises networks"
- "Region and availability domain selected"
implied_services:
- service: igw
reason: "Internet access for public subnet resources"
- service: nat_gateway
reason: "Outbound internet for private subnets without exposing inbound"
- service: service_gateway
reason: "Private connectivity to OCI services (Object Storage, Autonomous DB)"
design_rules:
- "Place application and database resources in private subnets — never expose directly to internet"
- "Use Network Security Groups (NSGs) instead of Security Lists for per-resource granularity"
- "Use Service Gateway for all OCI service access to avoid internet routing and egress costs"
- "Assign one route table per subnet for clarity and maintainability"
- "Use DNS hostnames within the VCN for service discovery"
- "Enable VCN Flow Logs on all subnets for security auditing"
- "Place load balancers in the public subnet; backends in the app private subnet"
gotchas:
- "VCN CIDR blocks are immutable after creation — plan address space carefully before provisioning"
- "NSG rules are limited to 120 rules per NSG (60 ingress + 60 egress by default)"
- "Security Lists are stateful by default but have a 5-tuple limit; prefer NSGs for complex rule sets"
- "NAT Gateway is regional and supports up to 20 Gbps; may need multiple for high-throughput workloads"
- "Service Gateway only routes to OCI services — not a general-purpose private link"
- "Subnet size cannot be changed after creation; plan for growth"
- "Default security list allows all egress; tighten for production"
cost_impact:
- "VCN: free (no charge for the VCN itself)"
- "Subnets: free"
- "Internet Gateway: free"
- "NAT Gateway: per-hour charge + per-GB data processing"
- "Service Gateway: free"
- "VCN Flow Logs: charged via Logging service ingestion rates"
references:
- "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm"
- "https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/bestpractices.htm"

View File

@@ -0,0 +1,86 @@
# Pattern: Hub-Spoke Network Topology via DRG
# Composable architecture block for enterprise networking
pattern:
name: "Hub-Spoke Network via DRG"
id: hub_spoke_drg
category: networking
description: |
Hub-spoke topology using OCI Dynamic Routing Gateway (DRG) v2 as the central
routing hub. Spoke VCNs attach to the DRG for inter-VCN routing, on-premises
connectivity (FastConnect/VPN), and centralized security inspection.
topology:
hub:
components:
- "DRG (Dynamic Routing Gateway) — central router"
- "Hub VCN (optional) — for shared services, Network Firewall, Bastion"
- "Service Gateway — OCI service access without internet"
- "NAT Gateway — outbound internet for private subnets"
- "Network Firewall (optional) — deep packet inspection, IDS/IPS"
spokes:
components:
- "Spoke VCN per workload/environment"
- "VCN attachment to DRG"
- "Route table on DRG attachment for traffic steering"
use_when:
- "Multiple workloads or environments needing isolation"
- "On-premises connectivity via FastConnect or VPN"
- "Centralized security inspection required"
- "Shared services (Bastion, DNS, NTP) across workloads"
- "Enterprise landing zone deployment"
when_not_to_use:
- "Single VCN deployment (no need for hub-spoke complexity)"
- "< 3 VCNs and no on-prem connectivity"
- "POC or dev-only environment"
preconditions:
- "DRG v2 (default in all regions)"
- "Non-overlapping CIDR ranges across VCNs"
- "Sufficient IP address planning"
implied_services:
- service: drg
reason: "Central routing hub"
- service: vcn
reason: "Hub and spoke VCNs"
- service: service_gateway
reason: "OCI service access"
- service: nat_gateway
reason: "Outbound internet for private subnets"
- service: route_tables
reason: "Traffic steering via DRG attachments"
optional_services:
- service: network_firewall
when: "Deep packet inspection, IDS/IPS required"
placement: "Hub VCN, inline between DRG and spokes"
- service: fastconnect
when: "On-premises connectivity"
- service: vpn
when: "Backup connectivity or lower-cost option"
conflicts:
- pattern: "local_peering"
reason: "DRG replaces local peering for inter-VCN routing. Don't mix both."
cidr_guidance:
- "Use /16 per VCN for growth headroom"
- "Use /24 per subnet (251 usable IPs)"
- "Reserve /8 or /12 supernet for all OCI CIDRs"
- "Avoid overlapping with on-prem ranges"
- "Example: 10.0.0.0/16 (hub), 10.1.0.0/16 (spoke 1), 10.2.0.0/16 (spoke 2)"
cost_impact:
- "DRG: free (no charge for the gateway itself)"
- "VCN peering via DRG: no data transfer charges within same region"
- "Cross-region via DRG: data transfer charges apply"
- "Network Firewall: per-hour + per-GB processing"
- "FastConnect: port fee + data transfer (inbound free)"
references:
- "https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm"
- "https://docs.oracle.com/en/solutions/hub-spoke-network-drg/"

View File

@@ -0,0 +1,72 @@
---
last_verified: 2026-03-14
pattern: Hub-and-Spoke Networking
category: networking
---
description: |
Hub-and-spoke VCN topology for enterprise OCI deployments.
Centralizes shared services (firewalls, DNS, connectivity) in a hub VCN
with spoke VCNs for workloads.
architecture:
hub_vcn:
purpose: "Shared services, connectivity, security inspection"
components:
- "DRG (Dynamic Routing Gateway)"
- "Network Firewall (optional)"
- "DNS resolver"
- "FastConnect / VPN termination"
- "Bastion service"
- "Management subnet"
cidr_example: "10.0.0.0/16"
spoke_vcns:
purpose: "Workload isolation"
examples:
- name: "Production"
cidr: "10.1.0.0/16"
subnets:
- "Public subnet (LB): 10.1.0.0/24"
- "Private subnet (App): 10.1.1.0/24"
- "Private subnet (DB): 10.1.2.0/24"
- name: "Non-Production"
cidr: "10.2.0.0/16"
- name: "DMZ"
cidr: "10.3.0.0/16"
connectivity:
hub_to_spoke: "VCN attachments via DRG"
spoke_to_spoke: "Transit routing through DRG (no direct peering needed)"
on_prem: "FastConnect or VPN to DRG in hub"
when_to_use:
- "Multiple environments (prod, non-prod, DMZ)"
- "Centralized connectivity to on-prem"
- "Security inspection required between workloads"
- "Shared services (DNS, NTP, monitoring) across workloads"
when_NOT_to_use:
- "Single-VCN deployments"
- "Simple architectures with 1-2 workloads"
ip_planning:
recommendation: |
Plan CIDR ranges before deployment. Overlapping CIDRs prevent peering.
Use /16 for VCNs, /24 for subnets. Reserve ranges for future growth.
example_scheme:
hub: "10.0.0.0/16"
production: "10.1.0.0/16"
non_production: "10.2.0.0/16"
dmz: "10.3.0.0/16"
dr_region: "10.128.0.0/9"
gotchas:
- id: HUB-001
issue: "DRG route table limits"
impact: "Max 200 route rules per DRG route table"
recommendation: "Aggregate routes where possible, plan for scale"
- id: HUB-002
issue: "Network Firewall throughput"
impact: "Inspect all traffic adds latency and cost"
recommendation: "Only inspect north-south and selected east-west traffic"

View File

@@ -0,0 +1,70 @@
---
last_verified: 2026-03-16
pattern:
id: operational-raci
name: "Operational RACI Matrix"
category: operations
---
description: >
Defines responsibilities across customer and Oracle/partner teams for
ongoing operations. R=Responsible (does the work), A=Accountable (owns
the outcome), C=Consulted, I=Informed. Generated from the engagement
model (fully managed, co-managed, or self-managed).
# Three operational models — the skill selects based on discovery
models:
fully_managed:
description: "Oracle/partner manages everything. Customer consumes DB as a service."
trigger: "Customer says 'DBA-less', 'no DBA team', 'fully managed', or team_skills is low"
raci:
- { activity: "DB provisioning", customer: "I", oracle: "R/A" }
- { activity: "DB patching & upgrades", customer: "I", oracle: "R/A" }
- { activity: "Backup & recovery", customer: "I", oracle: "R/A" }
- { activity: "Performance monitoring", customer: "I", oracle: "R/A" }
- { activity: "Performance tuning", customer: "C", oracle: "R/A" }
- { activity: "Security configuration", customer: "A", oracle: "R" }
- { activity: "Access control (IAM)", customer: "R/A", oracle: "C" }
- { activity: "Data Safe / audit review", customer: "A", oracle: "R" }
- { activity: "Incident response (DB)", customer: "I", oracle: "R/A" }
- { activity: "Incident response (app)", customer: "R/A", oracle: "C" }
- { activity: "Capacity planning", customer: "C", oracle: "R/A" }
- { activity: "DR testing", customer: "A", oracle: "R" }
- { activity: "Schema changes", customer: "R/A", oracle: "I" }
- { activity: "App deployment", customer: "R/A", oracle: "I" }
- { activity: "Network changes", customer: "R/A", oracle: "C" }
- { activity: "Cost optimization review", customer: "A", oracle: "R" }
- { activity: "Oracle SR escalation", customer: "C", oracle: "R/A" }
- { activity: "Compliance reporting", customer: "A", oracle: "R" }
co_managed:
description: "Customer has DBAs but wants Oracle/partner for complex ops."
trigger: "Customer says 'we have DBAs but no cloud experience', or team exists but is small"
raci:
- { activity: "DB provisioning", customer: "R", oracle: "C" }
- { activity: "DB patching & upgrades", customer: "R", oracle: "C" }
- { activity: "Backup & recovery", customer: "R/A", oracle: "C" }
- { activity: "Performance monitoring", customer: "R", oracle: "I" }
- { activity: "Performance tuning", customer: "R", oracle: "C" }
- { activity: "Security configuration", customer: "R/A", oracle: "C" }
- { activity: "Access control (IAM)", customer: "R/A", oracle: "I" }
- { activity: "Incident response (DB)", customer: "R", oracle: "C" }
- { activity: "Incident response (app)", customer: "R/A", oracle: "I" }
- { activity: "Capacity planning", customer: "R", oracle: "C" }
- { activity: "DR testing", customer: "R", oracle: "C" }
- { activity: "Schema changes", customer: "R/A", oracle: "I" }
- { activity: "Oracle SR escalation", customer: "R", oracle: "C" }
self_managed:
description: "Customer manages everything. Oracle provides platform only."
trigger: "Customer has strong DBA team with cloud experience, or explicitly says 'we manage'"
raci:
- { activity: "DB provisioning", customer: "R/A", oracle: "I" }
- { activity: "DB patching & upgrades", customer: "R/A", oracle: "I" }
- { activity: "Backup & recovery", customer: "R/A", oracle: "I" }
- { activity: "Performance monitoring", customer: "R/A", oracle: "I" }
- { activity: "Security configuration", customer: "R/A", oracle: "I" }
- { activity: "Incident response", customer: "R/A", oracle: "I" }
- { activity: "DR testing", customer: "R/A", oracle: "I" }
- { activity: "Oracle SR escalation", customer: "R/A", oracle: "C" }

View File

@@ -0,0 +1,64 @@
# Pattern: CIS Security Baseline
# Composable architecture block for security foundation
pattern:
name: "CIS OCI Security Baseline"
id: cis_baseline
category: security
description: |
Security baseline aligned with CIS Oracle Cloud Infrastructure Foundations
Benchmark. Provides IAM, network, encryption, monitoring, and governance
controls as a foundation for all OCI deployments.
always_include: true
applies_to: "all_workloads"
controls:
identity:
- "Least-privilege IAM policies per compartment"
- "MFA for all human users"
- "Break-glass admin account (not used for daily ops)"
- "Instance principals for service-to-service auth"
- "Federation with customer IdP (AD, Okta, SAML)"
- "No API keys stored in code or config files"
compartments:
- "Hierarchical compartment structure by workload/environment"
- "Network, Security, AppDev, Database compartments at minimum"
- "Defined tags for cost tracking, environment, owner"
networking:
- "NSGs preferred over Security Lists"
- "No SSH from 0.0.0.0/0 — use Bastion Service"
- "Service Gateway for OCI service access"
- "VCN Flow Logs enabled"
- "WAF on all internet-facing endpoints"
encryption:
- "OCI Vault for customer-managed keys"
- "TDE with customer-managed keys for databases"
- "Encryption at rest for all storage services"
- "TLS on all load balancers"
monitoring:
- "Cloud Guard enabled with detector recipes"
- "OCI Audit with 365-day retention"
- "Vulnerability Scanning for compute instances"
- "Security Zones for production compartments"
governance:
- "Budgets and cost alerts per compartment"
- "Notification topics for security events"
- "Tagging enforcement via tag defaults"
implied_services:
- cloud_guard
- oci_vault
- bastion
- vulnerability_scanning
- notifications
references:
- "https://www.cisecurity.org/benchmark/oracle_cloud"
- "https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart"

View File

@@ -0,0 +1,96 @@
---
last_verified: 2026-03-14
pattern: Security Baseline
category: security
---
description: |
Minimum security configuration for any OCI deployment. Covers IAM,
networking, encryption, monitoring, and compliance foundations.
layers:
identity:
name: "Identity & Access Management"
requirements:
- item: "MFA for all users"
implementation: "Enable MFA in IAM, enforce via policy"
priority: critical
- item: "Least-privilege policies"
implementation: "Use compartments + IAM policies, avoid broad allow statements"
priority: critical
- item: "No API keys for production"
implementation: "Use instance principals or resource principals"
priority: high
- item: "Federated identity"
implementation: "SAML/OIDC federation with corporate IdP"
priority: high
- item: "Break-glass procedure"
implementation: "Documented emergency access with MFA-protected tenancy admin"
priority: high
network:
name: "Network Security"
requirements:
- item: "Private subnets for all workloads"
implementation: "Only load balancers and bastion in public subnets"
priority: critical
- item: "NSGs over security lists"
implementation: "Granular VNIC-level firewall rules"
priority: high
- item: "Service Gateway for OCI services"
implementation: "Private path to Object Storage, ADB, etc."
priority: high
- item: "WAF for public-facing applications"
implementation: "OCI WAF with OWASP rule sets"
priority: high
- item: "No public IPs on databases"
implementation: "Use private endpoints, Bastion for admin access"
priority: critical
encryption:
name: "Encryption"
requirements:
- item: "Encryption at rest (default)"
implementation: "OCI encrypts all data at rest by default (Oracle-managed keys)"
priority: critical
- item: "Customer-managed keys for sensitive data"
implementation: "OCI Vault with HSM-backed keys"
priority: high
- item: "TLS 1.2+ for all connections"
implementation: "Enforce in load balancer, database, API configurations"
priority: critical
- item: "TDE for databases"
implementation: "Enabled by default on ADB, configure on DBCS/ExaCS"
priority: critical
monitoring:
name: "Monitoring & Audit"
requirements:
- item: "Audit logging enabled"
implementation: "OCI Audit service (enabled by default, 365-day retention)"
priority: critical
- item: "Cloud Guard enabled"
implementation: "Detect misconfigurations and threats"
priority: high
- item: "VCN Flow Logs"
implementation: "Enable on critical subnets for network forensics"
priority: medium
- item: "Alarms for security events"
implementation: "Monitoring alarms + Notifications for critical events"
priority: high
- item: "Data Safe for databases"
implementation: "Security assessment, user assessment, data masking"
priority: high
compute:
name: "Compute Security"
requirements:
- item: "OS Management for patching"
implementation: "OCI OS Management service for automated patching"
priority: high
- item: "Bastion service for SSH"
implementation: "No direct SSH from internet, use OCI Bastion"
priority: critical
- item: "Instance metadata v2"
implementation: "Disable v1 to prevent SSRF attacks"
priority: high

View File

@@ -0,0 +1,106 @@
---
last_verified: 2026-03-16
pattern:
id: service-tiering
name: "Database Service Tiering Model"
category: operations
---
description: >
Maps customer workloads to standardized service tiers based on business
criticality, availability requirements, and compliance needs. Each tier
defines the HA/DR topology, support model, backup strategy, and operational
responsibilities. Derived from Oracle's ECAL transformational framework.
tiers:
platinum:
label: "Platinum"
description: "Mission-critical, zero tolerance for downtime"
example_workloads: ["Core banking", "Payment processing", "Trading systems", "Telco network"]
sla:
uptime: "99.999%"
rto: "0 (near-zero with TAC + RAC)"
rpo: "0 (synchronous replication)"
planned_downtime: "0 (even for upgrades — edition-based redefinition)"
support: "24x7, 10 min response"
architecture:
ha: "RAC (multi-node) + TAC/AC"
dr: "Synchronous ADG + GoldenGate active-active (optional)"
backup: "ZDLRA or Autonomous Recovery Service, continuous"
isolation: "Full physical isolation — dedicated CDB, dedicated infrastructure"
encryption: "TDE + DB Vault + Key Vault + SQL*Net encryption"
oci_mapping:
primary: "ExaCS or ADB-D (for RAC + full control)"
alternative: "ADB-S only if application is TAC-compatible and RPO=0 is met by local ADG"
cost_impact: "Highest — dedicated infra, dual-site, 24x7 support"
gold:
label: "Gold"
description: "Business-critical, tolerable brief outage"
example_workloads: ["CRM", "ERP", "eCommerce", "Risk analytics"]
sla:
uptime: "99.99%"
rto: "1-4 hours"
rpo: "5-15 minutes"
planned_downtime: "4x 4hr/year maintenance windows"
support: "24x7, 4 hour response"
architecture:
ha: "TAC + local ADG (auto-failover)"
dr: "Asynchronous cross-region ADG"
backup: "Autonomous Recovery Service, incremental forever"
isolation: "Dedicated CDB (dedicated home), instance caged (not oversubscribed)"
encryption: "TDE + Key Vault"
oci_mapping:
primary: "ADB-S Serverless (with TAC + ADG)"
alternative: "ExaCS if RAC explicitly needed or >128 OCPU sustained"
cost_impact: "High — primary + standby OCPU cost, cross-region DR"
silver:
label: "Silver"
description: "Important but recoverable from backup"
example_workloads: ["HR systems", "Financials", "Internal portals", "Reporting"]
sla:
uptime: "99.5%"
rto: "1 day"
rpo: "1 day"
planned_downtime: "4x 4hr/year maintenance windows"
support: "24x7, 8 hour response"
architecture:
ha: "Single instance or RAC optional"
dr: "Offsite backup only — no real-time replication"
backup: "Automated daily backup, 30-day retention"
isolation: "Shared CDB (shared binaries) acceptable"
encryption: "TDE recommended, DB Vault optional"
oci_mapping:
primary: "ADB-S Serverless (no ADG needed)"
alternative: "Base DB Service for legacy compatibility"
cost_impact: "Medium — no standby cost, shared infrastructure"
bronze:
label: "Bronze"
description: "Non-critical, best-effort recovery"
example_workloads: ["Dev/Test", "Room booking", "Internal tools", "Sandbox"]
sla:
uptime: "98%"
rto: "Best effort"
rpo: "Best effort"
planned_downtime: "Flexible"
support: "Business hours, 2 day response"
architecture:
ha: "None — single instance"
dr: "Database export or backup to Object Storage"
backup: "Weekly backup, 7-day retention"
isolation: "Shared CDB, oversubscribed OK"
encryption: "TDE optional"
oci_mapping:
primary: "ADB-S Serverless (minimum OCPU, auto-scaling off)"
alternative: "VM DB Standard Edition for cost"
cost_impact: "Lowest — minimal resources, no redundancy"
auto_assignment_rules:
- "If customer says '99.99%' or 'zero downtime' → Platinum or Gold (ask which)"
- "If customer says 'PCI' or 'banking regulations' → minimum Gold"
- "If workload type is 'dev/test' → Bronze unless explicitly stated otherwise"
- "If customer says 'reporting' or 'read-only' → Silver unless SLA says otherwise"
- "If no SLA stated → assign Silver and flag for confirmation"