diff --git a/README.md b/README.md index 94e0c35..ff00c41 100644 --- a/README.md +++ b/README.md @@ -21,8 +21,7 @@ Deploy Oracle Cloud services using Oracle [always free](https://docs.oracle.com/ * [Requirements](#requirements) * [Setup RSA Key](#example-rsa-key-generation) * [Oracle provider setup](#oracle-provider-setup) -* [Variables](#other-variables-to-adjust) -* [Common resources](#common-resources) +* [Project setup](#project-setup) * [Firewall](#firewall) * [OS](#os) * [Shape](#shape) @@ -30,11 +29,17 @@ Deploy Oracle Cloud services using Oracle [always free](https://docs.oracle.com/ ### Repository structure -There are three examples: +In this repositroy there are 7 terrafrom modules, in order of dependency: -* Deploy a [simple compute instance](simple-instance/) -* Deploy two instances behind a network load balancer using an [instance pool](instance-pool/) -* Deploy a [k3s-cluster](k3s-cluster/) +* [simple-vcn](simple-vcn/) - Setup a VCN with two PUBLIC subnets +* [private-vcn](private-vcn/) - Setup a VCN with one PUBLIC subnet and one PRIVATE subnet +* [nat-instance](nat-instance/) - Setup a NAT instance (with the Oracle always free account you can't deploy a NAT gateway) +* [simple-instance](simple-instance/) - Deploy a simple instance in a private or public subnet +* [instance-pool](instance-pool/) - Deploy multiple instances using a Oracle instance pool and instance configurations +* [load-balancer](load-balancer/) - Deploy a public load balancer (Layer 7 HTTP) +* [network-load-balancer](network-load-balancer/) - Deploy a private load balancer (Layer 4 TCP) + +For more information on how to use this modules follow the examples in the *examples* directory. To use this repository, clone this repository and use the *example* directory as base dir. ### Requirements 
@@ -44,6 +49,12 @@ To use this repo you will need: Once you get the account, follow the *Before you begin* and *1. Prepare* step in [this](https://docs.oracle.com/en-us/iaas/developer-tutorials/tutorials/tf-provider/01-summary.htm) document. +You need also: + +* [Terraform](https://www.terraform.io/) - Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files. +* [kubectl](https://kubernetes.io/docs/tasks/tools/) - The Kubernetes command-line tool (optional) +* [oci cli](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm) - Oracle command line interface (optional) + #### Example RSA key generation To use terraform with the Oracle Cloud infrastructure you need to generate an RSA key. Generate the rsa key with: @@ -58,9 +69,15 @@ replace ** with your name or a string you prefer. **NOTE** ~/.oci/-oracle-cloud_public.pem this string will be used on the *terraform.tfvars* used by the Oracle provider plugin, so please take note of this string. +### Project setup + +Once you have cloned this repo, change directory to [examples](examples/) dir and choose the example you prefer: *private subnet* or main.tf or *public subnet* main.tf-public file. Edit the example file and set the needed variables (*change-me* variables). Crate a *terraform.tfvars* file, for more detail see [Oracle provider setup](#oracle-provider-setup) and read all the modules requirements in each module directory. + +Or if you prefer you can create a new empty directory in your workspace and start a new project from scratch. To setup the project follow the README.md in the [examples](examples/) directory. + ### Oracle provider setup -In any subdirectory of this repo you need to create a terraform.tfvars file, the file will look like: +This is an example of the *terraform.tfvars* file: ``` fingerprint = "" 
@@ -78,48 +95,71 @@ The compartment_ocid is the same as tenency_ocid. The fingerprint is the fingerprint of your RSA key, you can find this vale under User setting > API Keys -### Other variables to adjust +#### How to find the availability doamin name -Before triggering the infrastructure deployment adjust the following variables (vars.tf in each subdirectory): +To find the list of the availability domains run this command on che Cloud Shell: -* region, set the correct region based on your needs -* availability_domain, set you availability domain, you can get the availability domain string in the "*Create instance* form. Once you are in the create instance procedure under the placement section click "Edit" and copy the string that begin with *iAdc:*. Example iAdc:EU-ZURICH-1-AD-1 -* default_fault_domain, set de default fault domain, choose one of: FAULT-DOMAIN-1, FAULT-DOMAIN-2, FAULT-DOMAIN-3 -* PATH_TO_PUBLIC_KEY, this variable have to point at your ssh public key -* oci_core_vcn_cidr, set the default VCN subnet cidr -* oci_core_subnet_cidr10, set the default subnet cidr -* oci_core_subnet_cidr11, set the secondary subnet cidr -* tutorial_tag_key, set a key used to tag all the deployed resources -* tutorial_tag_value, set the value of the tutorial_tag_key -* my_public_ip_address, set your public ip address - -### Common resources - -All the environments share the same network and security list configurations. +``` +oci iam availability-domain list +{ + "data": [ + { + "compartment-id": "", + "id": "ocid1.availabilitydomain.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "name": "iAdc:EU-ZURICH-1-AD-1" + } + ] +} +``` -The network setup create: +#### How to list all the OS images -* One VCN (10.0.0.0/16 subnet), you can setup a custom network CIDR in oci_core_vcn_cidr variable. -* Two subnets, the first subnet (default) is the 10.0.0.0/24 range, the second subnet is 10.0.1.0/24 range. 
You can customize the subnets CIDR in oci_core_subnet_cidr10 and oci_core_subnet_cidr11 variables. +To filter the OS images by shape and OS run this command on che Cloud Shell: -The security list rules are: +``` +oci compute image list --compartment-id --operating-system "Canonical Ubuntu" --shape "VM.Standard.A1.Flex" +{ + "data": [ + { + "agent-features": null, + "base-image-id": null, + "billable-size-in-gbs": 2, + "compartment-id": null, + "create-image-allowed": true, + "defined-tags": {}, + "display-name": "Canonical-Ubuntu-20.04-aarch64-2022.01.18-0", + "freeform-tags": {}, + "id": "ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q", + "launch-mode": "NATIVE", + "launch-options": { + "boot-volume-type": "PARAVIRTUALIZED", + "firmware": "UEFI_64", + "is-consistent-volume-naming-enabled": true, + "is-pv-encryption-in-transit-enabled": true, + "network-type": "PARAVIRTUALIZED", + "remote-data-volume-type": "PARAVIRTUALIZED" + }, + "lifecycle-state": "AVAILABLE", + "listing-type": null, + "operating-system": "Canonical Ubuntu", + "operating-system-version": "20.04", + "size-in-mbs": 47694, + "time-created": "2022-01-27T22:53:34.270000+00:00" + }, +``` -* By default only the incoming ICMP, SSH and HTTP traffic is allowed from your public ip. You can setup your public ip in my_public_ip_address variable. -* By default all the outgoing traffic is allowed -* A second security list rule (Custom security list) open all the incoming http traffic -* Both default security list and the custom security list are associated on both subnets -* Network flow from the private VCN subnet is allowed +**Note:** this setup was only tested with Ubuntu 20.04 ### Firewall -By default firewall on the compute instances is disabled. On some test the firewall has created some problems +By default firewall on the compute instances is disabled (except for the nat instance). 
### Software installed In the simple-instance example and in the instance-pool example nginx will be installed by default. -Nginx is used for testing the security list rules an the correct setup of the Load Balancer (instance-pool example). +Nginx is used for testing the security list rules an the correct setup of the Load Balancer. -On the k3s-cluster example, k3s will be automatically installed on all the machines. +On the k3s-cluster example, k3s will be automatically installed on all the machines. **NOTE** k3s-cluster setup has moved to [this](https://github.com/garutilorenzo/k3s-oci-cluster) repository. ### OS diff --git a/instance-pool/.terraform.lock.hcl b/examples/.terraform.lock.hcl similarity index 54% rename from instance-pool/.terraform.lock.hcl rename to examples/.terraform.lock.hcl index 43373d9..7a61178 100644 --- a/instance-pool/.terraform.lock.hcl +++ b/examples/.terraform.lock.hcl 
@@ -2,19 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/oci" { - version = "4.49.0" + version = "4.65.0" hashes = [ - "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", - "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", - "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", - "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", - "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", - "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", - "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", - "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", - "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", - "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", - "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", + "h1:u91ohqk/pahoLdQ3gC+JXRMHFRgXQVIEnlDI4jzTiS0=", + "zh:0e3afc3787f5b818f35d6c4267c80000a111a8a0d08926c3f2ae1d3f4c2d16af", + "zh:1243b6bf14e86eb513baeabece654fd81723ae7fe95ad73fa7c6a16e7d27afaf", + "zh:784af9fb081dbcc10e19d4bbb4c0557fb8ee9330582b42ed64bbe083e0add3a0", + "zh:789752d30528e8926cccf197140ce8bf6993b12a0394bd6d545f354ac89ccaad", + "zh:7c8acc2d26fc0b8961c822dd909da68818ed9c4f99b87518d90eb737ad5300b6", + "zh:9f5eb00a3bf910af1127a221807f32d6de7eac0bcbc4fdbe1871b570a527cc1b", + "zh:a84fe99efe27e86cd7402f932bd74cea51e226416cfa50bdbdf0eae4d957d2cb", + "zh:b9d28470b8d35faf2932913a48b374356ab39871bf50d6767921e346f421c4a7", + "zh:cd3abe20894f807397e9dc613f7d549952f0f9bc6bc2e4dc3c9ff03ecfd626ac", + "zh:dd4b1a62bfa50bb2d3c378bdef3e82ecfed393f72c0ffa8ecb02b5cc663a599b", + "zh:fa3870391ca08a09af4508f9d44e5d42837852e9d8a18f084bdc1743ef20571c", ] } diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..2c486cf --- /dev/null +++ b/examples/README.md 
@@ -0,0 +1,62 @@ +# Examples + +In this folder there are two examples: + +* main.tf - Use a private subnet with a nat instance, all services are deployed on the pivate subnet. (Default example) +* main.tf-public - Use a public subnet, all the services are deployed in the public subnet. (Disabled example) + +If you want to use the public example, rename the *main.tf-public* in *main.tf*. Keep **ONLY ONE** *.tf file. + +Now adjust all the *change-me* variables inside the main.tf file. Once you have setup your environment, we are ready to init terraform: + +``` +Initializing modules... + +Initializing the backend... + +Initializing provider plugins... +- Reusing previous version of hashicorp/oci from the dependency lock file +- Reusing previous version of hashicorp/template from the dependency lock file +- Using previously-installed hashicorp/oci v4.65.0 +- Using previously-installed hashicorp/template v2.2.0 + +Terraform has been successfully initialized! + +You may now begin working with Terraform. Try running "terraform plan" to see +any changes that are required for your infrastructure. All Terraform commands +should now work. + +If you ever set or change modules or backend configuration for Terraform, +rerun this command to reinitialize your working directory. If you forget, other +commands will detect it and remind you to do so if necessary. +``` + +### Deploy + +We are now ready to deploy our infrastructure. 
First we ask terraform to plan the execution with: + +``` +terraform plan +``` + +now we can deploy our resources with: + +``` +terraform apply +``` + +### Connect to private instances + +We can connect to the private instances using the nat instance as Jump server: + +``` +ssh -J bastion@ ubuntu@ +``` + +### Start a project from scratch + +If you want to create a new project from scratch you need three files: + +* terraform.tfvars - More details in [Oracle provider setup](../README.md#oracle-provider-setup) +* main.tf - download main.tf file or main.tf-public based on your needs. If you choose main.tf-public **remember** to rename the file in main.tf +* provider.tf - download the file from this directory \ No newline at end of file diff --git a/examples/main.tf b/examples/main.tf new file mode 100644 index 0000000..948b8cd --- /dev/null +++ b/examples/main.tf 
@@ -0,0 +1,152 @@ +variable "compartment_ocid" { + type = string +} + +variable "tenancy_ocid" { + type = string +} + +variable "user_ocid" { + type = string +} + +variable "fingerprint" { + type = string +} + +variable "private_key_path" { + type = string +} + +variable "region" { + default = "" +} + +variable "environment" { + default = "staging" +} + +variable "availability_domain" { + default = "" +} + +module "private-vcn" { + region = var.region + compartment_ocid = var.compartment_ocid + my_public_ip_cidr = "" + environment = var.environment + source = "../private-vcn" +} + +output "vcn_id" { + value = module.private-vcn.vcn_id +} + +output "public_subnet_id" { + value = module.private-vcn.public_subnet_id +} + +output "private_subnet_id" { + value = module.private-vcn.private_subnet_id +} + +output "security_list_id" { + value = module.private-vcn.security_list_id +} + +output "public_subnet_cidr" { + value = module.private-vcn.public_subnet_cidr +} + +module "nat-instance" { + region = var.region + compartment_ocid = var.compartment_ocid + availability_domain = var.availability_domain + vcn_id = module.private-vcn.vcn_id + private_subnet_id = module.private-vcn.private_subnet_id + public_subnet_id = module.private-vcn.public_subnet_id + environment = var.environment + source = "../nat-instance" +} + +output "nat_instance_id" { + value = module.nat-instance.nat_instance_id +} + +output "nat_instance_public_ip" { + value = module.nat-instance.nat_instance_public_ip +} + +module "simple-instance" { + region = var.region + compartment_ocid = var.compartment_ocid + availability_domain = var.availability_domain + is_private = true + private_subnet_id = module.private-vcn.private_subnet_id + public_subnet_id = module.private-vcn.public_subnet_id + environment = var.environment + source = "../simple-instance" +} + +output "instance_ip" { + value = module.simple-instance.instance_ip +} + +module "instance-pool" { + region = var.region + compartment_ocid = 
var.compartment_ocid + availability_domain = var.availability_domain + is_private = true + private_subnet_id = module.private-vcn.private_subnet_id + public_subnet_id = module.private-vcn.public_subnet_id + public_subnet_cidr = module.private-vcn.public_subnet_cidr + environment = var.environment + source = "../instance-pool" +} + +output "instance_pool_ips" { + value = module.instance-pool.instances_ips +} + +output "instance_pool_id" { + value = module.instance-pool.instance_pool_id +} + +output "instance_pool_size" { + value = module.instance-pool.instance_pool_size +} + + +module "load-balancer" { + region = var.region + compartment_ocid = var.compartment_ocid + is_private = false + instance_pool_id = module.instance-pool.instance_pool_id + instance_pool_size = module.instance-pool.instance_pool_size + vcn_id = module.private-vcn.vcn_id + private_subnet_id = module.private-vcn.private_subnet_id + public_subnet_id = module.private-vcn.public_subnet_id + environment = var.environment + source = "../load-balancer" +} + +output "lb_ip" { + value = module.load-balancer.lb_ip +} + +module "network-load-balancer" { + region = var.region + compartment_ocid = var.compartment_ocid + is_private = true + instance_pool_id = module.instance-pool.instance_pool_id + instance_pool_size = module.instance-pool.instance_pool_size + vcn_id = module.private-vcn.vcn_id + private_subnet_id = module.private-vcn.private_subnet_id + public_subnet_id = module.private-vcn.public_subnet_id + environment = var.environment + source = "../network-load-balancer" +} + +output "internal_lb_ip" { + value = module.network-load-balancer.lb_ip +} \ No newline at end of file diff --git a/examples/main.tf-public b/examples/main.tf-public new file mode 100644 index 0000000..9707543 --- /dev/null +++ b/examples/main.tf-public 
@@ -0,0 +1,130 @@ +variable "compartment_ocid" { + type = string +} + +variable "tenancy_ocid" { + type = string +} + +variable "user_ocid" { + type = string +} + +variable "fingerprint" { + type = string +} + +variable "private_key_path" { + type = string +} + +variable "region" { + default = "" +} + +variable "environment" { + default = "staging" +} + +variable "availability_domain" { + default = "" +} + +module "simple-vcn" { + region = var.region + compartment_ocid = var.compartment_ocid + my_public_ip_cidr = "" + environment = var.environment + source = "../simple-vcn" +} + +output "vcn_id" { + value = module.simple-vcn.vcn_id +} + +output "public_subnet_id" { + value = module.simple-vcn.public_subnet_id +} + +output "secondary_public_subnet_id" { + value = module.simple-vcn.secondary_public_subnet_id +} + +output "security_list_id" { + value = module.simple-vcn.security_list_id +} + +output "public_subnet_cidr" { + value = module.simple-vcn.public_subnet_cidr +} + +module "simple-instance" { + region = var.region + compartment_ocid = var.compartment_ocid + availability_domain = var.availability_domain + private_subnet_id = module.simple-vcn.secondary_public_subnet_id + public_subnet_id = module.simple-vcn.public_subnet_id + environment = var.environment + source = "../simple-instance" +} + +output "instance_ip" { + value = module.simple-instance.instance_ip +} + +module "instance-pool" { + region = var.region + compartment_ocid = var.compartment_ocid + availability_domain = var.availability_domain + private_subnet_id = module.simple-vcn.secondary_public_subnet_id + public_subnet_id = module.simple-vcn.public_subnet_id + public_subnet_cidr = module.simple-vcn.public_subnet_cidr + environment = var.environment + source = "../instance-pool" +} + +output "instance_pool_ips" { + value = module.instance-pool.instances_ips +} + +output "instance_pool_id" { + value = module.instance-pool.instance_pool_id +} + +output "instance_pool_size" { + value = 
module.instance-pool.instance_pool_size +} + +module "load-balancer" { + region = var.region + compartment_ocid = var.compartment_ocid + is_private = false + instance_pool_id = module.instance-pool.instance_pool_id + instance_pool_size = module.instance-pool.instance_pool_size + vcn_id = module.simple-vcn.vcn_id + private_subnet_id = module.simple-vcn.secondary_public_subnet_id + public_subnet_id = module.simple-vcn.public_subnet_id + environment = var.environment + source = "../load-balancer" +} + +output "lb_ip" { + value = module.load-balancer.lb_ip +} + +module "network-load-balancer" { + region = var.region + compartment_ocid = var.compartment_ocid + is_private = true + instance_pool_id = module.instance-pool.instance_pool_id + instance_pool_size = module.instance-pool.instance_pool_size + vcn_id = module.simple-vcn.vcn_id + private_subnet_id = module.simple-vcn.secondary_public_subnet_id + public_subnet_id = module.simple-vcn.public_subnet_id + environment = var.environment + source = "../network-load-balancer" +} + +output "internal_lb_ip" { + value = module.network-load-balancer.lb_ip +} \ No newline at end of file diff --git a/instance-pool/provider.tf b/examples/provider.tf similarity index 100% rename from instance-pool/provider.tf rename to examples/provider.tf diff --git a/instance-pool/README.md b/instance-pool/README.md index 2273dd2..18da8c8 100644 --- a/instance-pool/README.md +++ b/instance-pool/README.md 
@@ -1,115 +1,34 @@ -# Instance pool with network load balancer +# Instance pool -This example will deploy: +This module will deploy an Instance pool made by two compute instances. Also this module will create one instance configuration used by the instance pool. -* one instance configuration used by the instance pool -* one instance pool -* two Oracle compute instances launched by the instance pool -* one network load balancer, that will route the traffic from the internet to our instance pool instances +If you choose to publish this compute instances in a private subnet, you need a NAT instance (refer to nat-instance module). The nat instance can be used also as bation host to reach the private instance, or if you prefer you can deploy a dedicated bastion host (refer to bastion-host module). -The network load balancer is made by: +### Requirements -* one listener (port 80) -* one backed set -* one backed for each of the instances in the instance pool +* One vcn with a public or private subnet (simple-vcn or private-vcn module) +* One nat instance if the instance pool *is_private* (nat-instance module) -### Extra variables +### Module variables -In this example an extra variable is used: +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `availability_domain` | `yes` | Set the correct availability domain. See [how](../README.md#how-to-find-the-availability-doamin-name) to find the availability domain| +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `environment` | `yes` | Current work environment (Example: staging/dev/prod). 
This value is used for tag all the deployed resources | +| `private_subnet_id` | `yes` | Private subnet OCID | +| `public_subnet_id` | `yes` | Public subnet OCID | +| `public_subnet_cidr` | `yes` | Public subnet CIDR | +| `instance_pool_size` | `no` | Number of instances in the instance pool. Default: 2 | +| `fault_domains` | `no` | Fault list. Default: FAULT-DOMAIN-1, FAULT-DOMAIN-2, FAULT-DOMAIN-3 | +| `PATH_TO_PUBLIC_KEY` | `no` | Path to your public ssh key (Default: "~/.ssh/id_rsa.pub) | +| `is_private` | `no` | Bool value. If true the instance pool will be deployed in a private subnet. Default: false | +| `os_image_id` | `no` | OS image OCID. Default: ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q - Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 | -* fault_domains. This variable is a list of fault domains where our instance pool will deploy our instances -* instance_pool_size. Number of instances to launch in the instance pool +### Output -**Remember** to set the provider [settings](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#oracle-provider-setup) and ajust all the [variables](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#other-variables-to-adjust) +The module will output: -### Deploy - -To deploy the infrastructure: - -``` -terraform init - -terraform plan - -terraform apply -``` - -wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip addresses of the instances and the public ip address of the network load balancer: - -``` -Apply complete! Resources: 14 added, 0 changed, 0 destroyed. - -Outputs: - -instances_ips = [ - "152.x.x.x", - "152.x.x.x", -] -lb_ip = tolist([ - { - "ip_address" = "152.x.x.x" - "is_public" = true - "reserved_ip" = tolist([]) - }, -]) -``` - -now you can ssh into the machine: - -``` -ssh ubuntu@152.x.x.x - -... -35 updates can be applied immediately. 
-25 of these updates are standard security updates. -To see these additional updates run: apt list --upgradable - - - -The programs included with the Ubuntu system are free software; -the exact distribution terms for each program are described in the -individual files in /usr/share/doc/*/copyright. - -Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by -applicable law. - -To run a command as administrator (user "root"), use "sudo ". -See "man sudo_root" for details. - -ubuntu@inst-ikudx-ubuntu-instance-pool:~$ -``` - -Test the connection to the load balancer: - -``` -curl -v 152.x.x.x -* Trying 152.x.x.x:80... -* TCP_NODELAY set -* Connected to 152.x.x.x (152.x.x.x) port 80 (#0) -> GET / HTTP/1.1 -> Host: 152.x.x.x -> User-Agent: curl/7.68.0 -> Accept: */* -> -* Mark bundle as not supporting multiuse -< HTTP/1.1 200 OK -< Server: nginx/1.18.0 (Ubuntu) -< Date: Wed, 27 Oct 2021 15:39:51 GMT -< Content-Type: text/html -< Content-Length: 672 -< Last-Modified: Wed, 27 Oct 2021 15:33:26 GMT -< Connection: keep-alive -< ETag: "61797146-2a0" -< Accept-Ranges: bytes -... -... -... -``` - -**NOTE** You have to wait all the backends to be in HEALTH state before reaching successfully the load balancer. - -### Cleanup - -``` -terraform destroy -``` \ No newline at end of file +* instances_ips, IPs of the instances +* instance_pool_id, Instance pool OCID \ No newline at end of file diff --git a/instance-pool/data.tf b/instance-pool/data.tf index 01f632f..8186021 100644 --- a/instance-pool/data.tf +++ b/instance-pool/data.tf @@ -4,7 +4,7 @@ data "template_cloudinit_config" "ubuntu_init" { part { content_type = "text/x-shellscript" - content = templatefile("${path.module}/files/oci-ubuntu-install.sh", {}) + content = templatefile("${path.module}/files/oci-ubuntu-install.sh", { public_subnet_cidr = var.public_subnet_cidr }) } } diff --git a/instance-pool/files/oci-ubuntu-install.sh b/instance-pool/files/oci-ubuntu-install.sh index 461dfb9..5bf509b 100644 
--- a/instance-pool/files/oci-ubuntu-install.sh +++ b/instance-pool/files/oci-ubuntu-install.sh @@ -9,6 +9,84 @@ systemctl start nginx hostname=$(hostname) +cat < /etc/nginx/nginx.conf +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Set real ip + ## + + set_real_ip_from 127.0.0.1; + set_real_ip_from ${public_subnet_cidr}; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} +EOF + +systemctl restart nginx.service + cat < /var/www/html/index.nginx-debian.html diff --git a/instance-pool/instancepool.tf b/instance-pool/instancepool.tf index 66ce753..9a59652 100644 --- a/instance-pool/instancepool.tf +++ b/instance-pool/instancepool.tf 
@@ -11,13 +11,11 @@ resource "oci_core_instance_pool" "ubuntu_instance_pool" { placement_configurations { availability_domain = var.availability_domain - primary_subnet_id = oci_core_subnet.default_oci_core_subnet10.id + primary_subnet_id = var.is_private == true ? var.private_subnet_id : var.public_subnet_id fault_domains = var.fault_domains } size = var.instance_pool_size - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + freeform_tags = local.tags } \ No newline at end of file diff --git a/instance-pool/local.tf b/instance-pool/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/instance-pool/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file diff --git a/instance-pool/network.tf b/instance-pool/network.tf deleted file mode 100644 index 38beb6a..0000000 --- a/instance-pool/network.tf +++ /dev/null 
@@ -1,55 +0,0 @@ -resource "oci_core_vcn" "default_oci_core_vcn" { - cidr_block = var.oci_core_vcn_cidr - compartment_id = var.compartment_ocid - display_name = "Default OCI core vcn" - dns_label = "defaultvcn" - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_subnet" "default_oci_core_subnet10" { - cidr_block = var.oci_core_subnet_cidr10 - compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet" - dns_label = "defaultsubnet10" - route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id - vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_subnet" "oci_core_subnet11" { - cidr_block = var.oci_core_subnet_cidr11 - compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr11} OCI core subnet" - dns_label = "defaultsubnet11" - route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id - vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - - -resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" { - compartment_id = var.compartment_ocid - display_name = "Internet Gateway Default OCI core vcn" - enabled = "true" - vcn_id = oci_core_vcn.default_oci_core_vcn.id - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_default_route_table" "default_oci_core_default_route_table" { - route_rules { - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - network_entity_id = 
oci_core_internet_gateway.default_oci_core_internet_gateway.id - } - manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id -} \ No newline at end of file diff --git a/instance-pool/output.tf b/instance-pool/output.tf index 0a094f0..1918c75 100644 --- a/instance-pool/output.tf +++ b/instance-pool/output.tf @@ -2,9 +2,13 @@ output "instances_ips" { depends_on = [ data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances, ] - value = data.oci_core_instance.ubuntu_instance_pool_instances_ips.*.public_ip + value = var.is_private == true ? data.oci_core_instance.ubuntu_instance_pool_instances_ips.*.private_ip : data.oci_core_instance.ubuntu_instance_pool_instances_ips.*.public_ip } -output "lb_ip" { - value = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.ip_addresses +output "instance_pool_id" { + value = oci_core_instance_pool.ubuntu_instance_pool.id +} + +output "instance_pool_size" { + value = oci_core_instance_pool.ubuntu_instance_pool.size } \ No newline at end of file diff --git a/instance-pool/security.tf b/instance-pool/security.tf deleted file mode 100644 index 37064fe..0000000 --- a/instance-pool/security.tf +++ /dev/null 
@@ -1,76 +0,0 @@ -resource "oci_core_default_security_list" "default_security_list" { - compartment_id = var.compartment_ocid - manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id - - display_name = "Default security list" - egress_security_rules { - destination = "0.0.0.0/0" - protocol = "all" - } - - ingress_security_rules { - protocol = 1 # icmp - source = var.my_public_ip_address - - description = "Allow icmp from ${var.my_public_ip_address}" - - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow SSH from ${var.my_public_ip_address}" - - tcp_options { - min = 22 - max = 22 - } - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow HTTP from ${var.my_public_ip_address}" - - tcp_options { - min = 80 - max = 80 - } - } - - ingress_security_rules { - protocol = "all" - source = var.oci_core_vcn_cidr - - description = "Allow all from vcn subnet" - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_security_list" "custom_security_list" { - compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.default_oci_core_vcn.id - - display_name = "Custom security list" - - ingress_security_rules { - protocol = 6 # tcp - source = "0.0.0.0/0" - - description = "Allow HTTP from all" - - tcp_options { - min = 80 - max = 80 - } - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} \ No newline at end of file diff --git a/instance-pool/template.tf b/instance-pool/template.tf index b8fe4f8..ffa2e9b 100644 --- a/instance-pool/template.tf +++ b/instance-pool/template.tf 
@@ -2,16 +2,13 @@ resource "oci_core_instance_configuration" "ubuntu_template" { compartment_id = var.compartment_ocid display_name = "Ubuntu 20.04 instance config" - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + instance_details { instance_type = "compute" launch_details { - #Optional agent_config { is_management_disabled = "false" is_monitoring_disabled = "false" @@ -36,8 +33,8 @@ resource "oci_core_instance_configuration" "ubuntu_template" { compartment_id = var.compartment_ocid create_vnic_details { - assign_public_ip = true - subnet_id = oci_core_subnet.default_oci_core_subnet10.id + assign_public_ip = var.is_private == true ? false : true + subnet_id = var.is_private == true ? var.private_subnet_id : var.public_subnet_id } display_name = "Ubuntu Template" @@ -58,4 +55,6 @@ resource "oci_core_instance_configuration" "ubuntu_template" { } } } + + freeform_tags = local.tags } \ No newline at end of file diff --git a/instance-pool/vars.tf b/instance-pool/vars.tf index 40263a0..47c5937 100644 --- a/instance-pool/vars.tf +++ b/instance-pool/vars.tf @@ -2,28 +2,12 @@ variable "compartment_ocid" { } -variable "tenancy_ocid" { - -} - variable "region" { - default = "" -} - -variable "user_ocid" { - -} - -variable "fingerprint" { - -} - -variable "private_key_path" { } variable "availability_domain" { - default = "" + } variable "fault_domains" { 
@@ -32,37 +16,37 @@ variable "fault_domains" { } variable "PATH_TO_PUBLIC_KEY" { - default = "~/.ssh/id_rsa.pub" -} - -variable "os_image_id" { - default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04 + type = string + default = "~/.ssh/id_rsa.pub" + description = "Path to your public key" } -variable "oci_core_vcn_cidr" { - default = "10.0.0.0/16" +variable "environment" { + type = string } -variable "oci_core_subnet_cidr10" { - default = "10.0.0.0/24" +variable "is_private" { + type = bool + default = false } -variable "oci_core_subnet_cidr11" { - default = "10.0.1.0/24" +variable "public_subnet_id" { + type = string } -variable "instance_pool_size" { - default = 2 +variable "private_subnet_id" { + type = string } -variable "tutorial_tag_key" { - default = "oracle-tutorial" +variable "public_subnet_cidr" { + type = string } -variable "tutorial_tag_value" { - default = "terraform" +variable "os_image_id" { + default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q" # Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 } -variable "my_public_ip_address" { - default = "" +variable "instance_pool_size" { + type = number + default = 2 } \ No newline at end of file diff --git a/k3s-cluster/.terraform.lock.hcl b/k3s-cluster/.terraform.lock.hcl deleted file mode 100644 index deb0221..0000000 --- a/k3s-cluster/.terraform.lock.hcl +++ /dev/null 
@@ -1,54 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/oci" { - version = "4.49.0" - hashes = [ - "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", - "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", - "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", - "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", - "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", - "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", - "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", - "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", - "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", - "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", - "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.1.0" - hashes = [ - "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", - "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", - "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", - "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", - "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", - "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", - "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", - "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", - "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", - "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", - "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", - "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", - ] -} - -provider 
"registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} diff --git a/k3s-cluster/README.md b/k3s-cluster/README.md index f6bb678..98ed42a 100644 --- a/k3s-cluster/README.md +++ b/k3s-cluster/README.md 
@@ -1,183 +1,3 @@ # k3s cluster -This example will deploy: - -* one Oracle compute instance, k3s-server -* one instance configuration used by the instance pool -* one instance pool -* three Oracle compute instances launched by the instance pool, k3s-agents -* one network load balancer, that will route the traffic from the internet to our instance pool instances - -The network load balancer is made by: - -* two listener (port 80, and 443) -* two backed set, one for the http listener and one for the https listener -* one backed for each of the instances in the instance pool - -The traffic is routed from the internet to the traefik ingress controller. - -### Extra variables - -In this example an extra variable is used: - -* k3s_server_private_ip, private ip address that will be associated to the k3s-server -* fault_domains, this variable is a list of fault domains where our instance pool will deploy our instances -* instance_pool_size, number of instances to launch in the instance pool. Number of k3s agents to deploy -* k3s_token, token used to install the k3s cluster -* install_longhorn, boolean value, if true (default) will install [longhorn](https://longhorn.io/) block storage -* longhorn_release, longorn release version - -**Remember** to set the provider [settings](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#oracle-provider-setup) and ajust all the [variables](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#other-variables-to-adjust) - -### Deploy - -To deploy the infrastructure: - -``` -terraform init - -terraform plan - -terraform apply -``` - -wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip addresses of the k3s-server instance, the public ip addresses of the k3s-agents instances and the public ip address of the network load balancer: - -``` -Apply complete! Resources: 14 added, 0 changed, 0 destroyed. 
- -Outputs: - -k3s_server_ip = "152.x.x.x" -k3s_agents_ips = [ - "152.x.x.x", - "152.x.x.x", - "152.x.x.x", -] -lb_ip = tolist([ - { - "ip_address" = "133.x.x.x" - "is_public" = true - "reserved_ip" = tolist([]) - }, -]) -``` - -now you can ssh into the k3s-server machine: - -``` -ssh ubuntu@152.x.x.x - -... -35 updates can be applied immediately. -25 of these updates are standard security updates. -To see these additional updates run: apt list --upgradable - - - -The programs included with the Ubuntu system are free software; -the exact distribution terms for each program are described in the -individual files in /usr/share/doc/*/copyright. - -Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by -applicable law. - -To run a command as administrator (user "root"), use "sudo ". -See "man sudo_root" for details. - -ubuntu@k3s-server:~$ -``` - -Test the connection to the load balancer: - -``` -curl -v http://132.x.x.x/ -* Trying 132.x.x.x:80... -* TCP_NODELAY set -* Connected to 132.x.x.x (132.x.x.x) port 80 (#0) -> GET / HTTP/1.1 -> Host: 132.x.x.x -> User-Agent: curl/7.68.0 -> Accept: */* -> -* Mark bundle as not supporting multiuse -< HTTP/1.1 404 Not Found -< Content-Type: text/plain; charset=utf-8 -< X-Content-Type-Options: nosniff -< Date: Wed, 27 Oct 2021 13:20:05 GMT -< Content-Length: 19 -< -404 page not found -* Connection #0 to host 132.x.x.x left intact -``` - -**NOTE** You have to wait all the backends to be in HEALTH state before reaching successfully the load balancer. - -**NOTE 2** 404 is a correct response since there are no deployment yet - -### Cluster management - -To manage the cluster, open a ssh connection to the k3s-server. 
- -**List the nodes** - -``` -root@k3s-server:~# kubectl get nodes -NAME STATUS ROLES AGE VERSION -inst-vr4sv-k3s-agents Ready 23m v1.21.5+k3s2 -inst-zkcyl-k3s-agents Ready 23m v1.21.5+k3s2 -k3s-server Ready control-plane,master 23m v1.21.5+k3s2 -inst-fhayc-k3s-agents Ready 23m v1.21.5+k3s2 -``` - -**Get the pods running on kube-system namespace** - -``` -kubectl get pods -n kube-system -NAME READY STATUS RESTARTS AGE -coredns-7448499f4d-jwgzt 1/1 Running 0 34m -metrics-server-86cbb8457f-qjgr9 1/1 Running 0 34m -local-path-provisioner-5ff76fc89d-56c7n 1/1 Running 0 34m -helm-install-traefik-crd-9ftr8 0/1 Completed 0 34m -helm-install-traefik-2v48n 0/1 Completed 2 34m -svclb-traefik-2x9q9 2/2 Running 0 33m -svclb-traefik-d72cf 2/2 Running 0 33m -svclb-traefik-jq5wv 2/2 Running 0 33m -svclb-traefik-xnhgs 2/2 Running 0 33m -traefik-97b44b794-4dz2x 1/1 Running 0 33m -``` - -**Get the pods running on longhorn-system namespace (optional)** - -``` -root@k3s-server:~# kubectl get pods -n longhorn-system -NAME READY STATUS RESTARTS AGE -longhorn-ui-788fd8cf9d-76x84 1/1 Running 0 29m -longhorn-manager-97vzd 1/1 Running 0 29m -longhorn-driver-deployer-5dff5c7554-c7wbk 1/1 Running 0 29m -longhorn-manager-sq2xn 1/1 Running 1 29m -csi-attacher-75588bff58-xv9sn 1/1 Running 0 28m -csi-resizer-5c88bfd4cf-ngm2j 1/1 Running 0 28m -engine-image-ei-d4c780c6-ktvs7 1/1 Running 0 28m -csi-provisioner-669c8cc698-mqvjx 1/1 Running 0 28m -longhorn-csi-plugin-9x5wj 2/2 Running 0 28m -engine-image-ei-d4c780c6-r7r2t 1/1 Running 0 28m -csi-provisioner-669c8cc698-tvs9r 1/1 Running 0 28m -csi-resizer-5c88bfd4cf-h8g6w 1/1 Running 0 28m -instance-manager-e-7aca498c 1/1 Running 0 28m -instance-manager-r-98153684 1/1 Running 0 28m -longhorn-csi-plugin-wf24d 2/2 Running 0 28m -csi-snapshotter-69f8bc8dcf-n85hq 1/1 Running 0 28m -longhorn-csi-plugin-82hv5 2/2 Running 0 28m -longhorn-csi-plugin-rlcw2 2/2 Running 0 28m -longhorn-manager-rttww 1/1 Running 1 29m -instance-manager-e-e43d97f9 1/1 Running 0 28m 
-longhorn-manager-47zxl 1/1 Running 1 29m -instance-manager-r-de0dc83b 1/1 Running 0 28m -engine-image-ei-d4c780c6-hp4mb 1/1 Running 0 28m -engine-image-ei-d4c780c6-hcwpg 1/1 Running 0 28m -instance-manager-r-464299ad 1/1 Running 0 28m -instance-manager-e-ccb8666b 1/1 Running 0 28m -instance-manager-r-3b35070e 1/1 Running 0 28m -instance-manager-e-9d117ead 1/1 Running 0 28m -``` \ No newline at end of file +Please refer to [this](https://github.com/garutilorenzo/k3s-oci-cluster) repository \ No newline at end of file diff --git a/k3s-cluster/data.tf b/k3s-cluster/data.tf deleted file mode 100644 index ca5b70a..0000000 --- a/k3s-cluster/data.tf +++ /dev/null @@ -1,32 +0,0 @@ -data "template_cloudinit_config" "k3s_server_tpl" { - gzip = true - base64_encode = true - - part { - content_type = "text/x-shellscript" - content = templatefile("${path.module}/files/k3s-install-server.sh", { k3s_token = var.k3s_token, is_k3s_server = true, k3s_url = var.k3s_server_private_ip, install_longhorn = var.install_longhorn, longhorn_release = var.longhorn_release }) - } -} - -data "template_cloudinit_config" "k3s_agent_tpl" { - gzip = true - base64_encode = true - - part { - content_type = "text/x-shellscript" - content = templatefile("${path.module}/files/k3s-install-agent.sh", { k3s_token = var.k3s_token, is_k3s_server = false, k3s_url = var.k3s_server_private_ip }) - } -} - -data "oci_core_instance_pool_instances" "k3s_agents_instances" { - depends_on = [ - oci_core_instance_pool.k3s_agents, - ] - compartment_id = var.compartment_ocid - instance_pool_id = oci_core_instance_pool.k3s_agents.id -} - -data "oci_core_instance" "k3s_agents_instances_ips" { - count = var.instance_pool_size - instance_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id -} \ No newline at end of file diff --git a/k3s-cluster/files/k3s-install-agent.sh b/k3s-cluster/files/k3s-install-agent.sh deleted file mode 100644 index 0a3e43d..0000000 
--- a/k3s-cluster/files/k3s-install-agent.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# Disable firewall -/usr/sbin/netfilter-persistent stop -/usr/sbin/netfilter-persistent flush - -systemctl stop netfilter-persistent.service -systemctl disable netfilter-persistent.service - -# END Disable firewall - -apt-get update -apt-get install -y software-properties-common jq -DEBIAN_FRONTEND=noninteractive apt-get upgrade -y - -local_ip=$(curl -s -H "Authorization: Bearer Oracle" -L http://169.254.169.254/opc/v2/vnics/ | jq -r '.[0].privateIp') -flannel_iface=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)') - -until (curl -sfL https://get.k3s.io | K3S_TOKEN=${k3s_token} K3S_URL=https://${k3s_url}:6443 sh -s - --node-ip $local_ip --flannel-iface $flannel_iface); do - echo 'k3s did not install correctly' - sleep 2 -done \ No newline at end of file diff --git a/k3s-cluster/files/k3s-install-server.sh b/k3s-cluster/files/k3s-install-server.sh deleted file mode 100644 index bdbdce7..0000000 --- a/k3s-cluster/files/k3s-install-server.sh +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/bash - -# Disable firewall -/usr/sbin/netfilter-persistent stop -/usr/sbin/netfilter-persistent flush - -systemctl stop netfilter-persistent.service -systemctl disable netfilter-persistent.service - -# END Disable firewall - -apt-get update -apt-get install -y software-properties-common jq -DEBIAN_FRONTEND=noninteractive apt-get upgrade -y - -local_ip=$(curl -s -H "Authorization: Bearer Oracle" -L http://169.254.169.254/opc/v2/vnics/ | jq -r '.[0].privateIp') -flannel_iface=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)') - -echo "Cluster init!" -until (curl -sfL https://get.k3s.io | K3S_TOKEN=${k3s_token} sh -s - --node-ip $local_ip --advertise-address $local_ip --flannel-iface $flannel_iface); do - echo 'k3s did not install correctly' - sleep 2 -done - -%{ if is_k3s_server } -until kubectl get pods -A | grep 'Running'; do - echo 'Waiting for k3s startup' - sleep 5 -done - -%{ if install_longhorn } -wget https://raw.githubusercontent.com/longhorn/longhorn/${longhorn_release}/deploy/longhorn.yaml -sed -i 's/#- name: KUBELET_ROOT_DIR/- name: KUBELET_ROOT_DIR/g' longhorn.yaml -sed -i 's/# value: \/var\/lib\/rancher\/k3s\/agent\/kubelet/ value: \/var\/lib\/kubelet/g' longhorn.yaml - -kubectl apply -f longhorn.yaml -%{ endif } - -%{ endif } \ No newline at end of file diff --git a/k3s-cluster/k3s-agents.tf b/k3s-cluster/k3s-agents.tf deleted file mode 100644 index be22306..0000000 --- a/k3s-cluster/k3s-agents.tf +++ /dev/null 
@@ -1,24 +0,0 @@ -resource "oci_core_instance_pool" "k3s_agents" { - - lifecycle { - create_before_destroy = true - ignore_changes = [load_balancers, freeform_tags] - } - - display_name = "k3s-agents" - compartment_id = var.compartment_ocid - instance_configuration_id = oci_core_instance_configuration.k3s_agent_template.id - - placement_configurations { - availability_domain = var.availability_domain - primary_subnet_id = oci_core_subnet.default_oci_core_subnet10.id - fault_domains = var.fault_domains - } - - size = var.instance_pool_size - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}", - "k3s-cluster" = "agent" - } -} \ No newline at end of file diff --git a/k3s-cluster/lb.tf b/k3s-cluster/lb.tf deleted file mode 100644 index fbe9c2b..0000000 --- a/k3s-cluster/lb.tf +++ /dev/null 
@@ -1,82 +0,0 @@ -resource "oci_network_load_balancer_network_load_balancer" "k3s_load_balancer" { - depends_on = [ - oci_core_instance_pool.k3s_agents, - ] - - compartment_id = var.compartment_ocid - display_name = "k3s load balancer" - subnet_id = oci_core_subnet.oci_core_subnet11.id - - is_private = false - is_preserve_source_destination = false - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_network_load_balancer_listener" "k3s_http_listener" { - default_backend_set_name = oci_network_load_balancer_backend_set.k3s_http_backend_set.name - name = "k3s http listener" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - port = 80 - protocol = "TCP" -} - -resource "oci_network_load_balancer_listener" "k3s_https_listener" { - default_backend_set_name = oci_network_load_balancer_backend_set.k3s_https_backend_set.name - name = "k3s https listener" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - port = 443 - protocol = "TCP" -} - -resource "oci_network_load_balancer_backend_set" "k3s_http_backend_set" { - health_checker { - protocol = "TCP" - port = 80 - } - - name = "k3s http backend" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - policy = "FIVE_TUPLE" - is_preserve_source = true -} - -resource "oci_network_load_balancer_backend_set" "k3s_https_backend_set" { - health_checker { - protocol = "TCP" - port = 80 - } - - name = "k3s https backend" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - policy = "FIVE_TUPLE" - is_preserve_source = true -} - -resource "oci_network_load_balancer_backend" "k3s_http_backend" { - depends_on = [ - oci_core_instance_pool.k3s_agents, - ] - - count = var.instance_pool_size - backend_set_name = oci_network_load_balancer_backend_set.k3s_http_backend_set.name - network_load_balancer_id = 
oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - port = 80 - - target_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id -} - -resource "oci_network_load_balancer_backend" "k3s_https_backend" { - depends_on = [ - oci_core_instance_pool.k3s_agents, - ] - - count = var.instance_pool_size - backend_set_name = oci_network_load_balancer_backend_set.k3s_https_backend_set.name - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id - port = 443 - - target_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id -} \ No newline at end of file diff --git a/k3s-cluster/output.tf b/k3s-cluster/output.tf deleted file mode 100644 index 5ac85cd..0000000 --- a/k3s-cluster/output.tf +++ /dev/null @@ -1,14 +0,0 @@ -output "k3s_server_ip" { - value = oci_core_instance.k3s_server.public_ip -} - -output "k3s_agents_ips" { - depends_on = [ - data.oci_core_instance_pool_instances.k3s_agents_instances, - ] - value = data.oci_core_instance.k3s_agents_instances_ips.*.public_ip -} - -output "lb_ip" { - value = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.ip_addresses -} \ No newline at end of file diff --git a/k3s-cluster/provider.tf b/k3s-cluster/provider.tf deleted file mode 100644 index 7a78460..0000000 --- a/k3s-cluster/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -provider "oci" { - tenancy_ocid = var.tenancy_ocid - user_ocid = var.user_ocid - private_key_path = var.private_key_path - fingerprint = var.fingerprint - region = var.region -} \ No newline at end of file diff --git a/k3s-cluster/security.tf b/k3s-cluster/security.tf deleted file mode 100644 index 3728f8c..0000000 --- a/k3s-cluster/security.tf +++ /dev/null 
@@ -1,76 +0,0 @@ -resource "oci_core_default_security_list" "default_security_list" { - compartment_id = var.compartment_ocid - manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id - - display_name = "Default security list" - egress_security_rules { - destination = "0.0.0.0/0" - protocol = "all" - } - - ingress_security_rules { - protocol = 1 # icmp - source = var.my_public_ip_address - - description = "Allow icmp from ${var.my_public_ip_address}" - - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow SSH from ${var.my_public_ip_address}" - - tcp_options { - min = 22 - max = 22 - } - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow HTTP from ${var.my_public_ip_address}" - - tcp_options { - min = 80 - max = 80 - } - } - - ingress_security_rules { - protocol = "all" - source = var.oci_core_vcn_cidr - - description = "Allow all from vcn subnet" - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_security_list" "custom_security_list" { - compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.default_oci_core_vcn.id - - display_name = "Custom security list" - - ingress_security_rules { - protocol = 6 # tcp - source = "0.0.0.0/0" - - description = "Allow HTTP from all" - - tcp_options { - min = 80 - max = 80 - } - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} \ No newline at end of file diff --git a/k3s-cluster/template.tf b/k3s-cluster/template.tf deleted file mode 100644 index dd21cbc..0000000 --- a/k3s-cluster/template.tf +++ /dev/null 
@@ -1,61 +0,0 @@ -resource "oci_core_instance_configuration" "k3s_agent_template" { - - compartment_id = var.compartment_ocid - display_name = "Ubuntu 20.04 instance k3s agent configuration" - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } - - instance_details { - instance_type = "compute" - - launch_details { - - agent_config { - is_management_disabled = "false" - is_monitoring_disabled = "false" - - plugins_config { - desired_state = "DISABLED" - name = "Vulnerability Scanning" - } - - plugins_config { - desired_state = "ENABLED" - name = "Compute Instance Monitoring" - } - - plugins_config { - desired_state = "DISABLED" - name = "Bastion" - } - } - - availability_domain = var.availability_domain - compartment_id = var.compartment_ocid - - create_vnic_details { - assign_public_ip = true - subnet_id = oci_core_subnet.default_oci_core_subnet10.id - } - - display_name = "Ubuntu k3s agent template" - - metadata = { - "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY) - "user_data" = data.template_cloudinit_config.k3s_agent_tpl.rendered - } - - shape = "VM.Standard.A1.Flex" - shape_config { - memory_in_gbs = "6" - ocpus = "1" - } - source_details { - image_id = var.os_image_id - source_type = "image" - } - } - } -} \ No newline at end of file diff --git a/k3s-cluster/vars.tf b/k3s-cluster/vars.tf deleted file mode 100644 index 810b8cc..0000000 --- a/k3s-cluster/vars.tf +++ /dev/null 
@@ -1,88 +0,0 @@ -variable "compartment_ocid" { - -} - -variable "tenancy_ocid" { - -} - -variable "region" { - default = "" -} - -variable "user_ocid" { - -} - -variable "fingerprint" { - -} - -variable "private_key_path" { - -} - -variable "availability_domain" { - default = "" -} - -variable "default_fault_domain" { - default = "FAULT-DOMAIN-1" -} - -variable "fault_domains" { - type = list(any) - default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"] -} - -variable "PATH_TO_PUBLIC_KEY" { - default = "~/.ssh/id_rsa.pub" -} - -variable "os_image_id" { - default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04 -} - -variable "oci_core_vcn_cidr" { - default = "10.0.0.0/16" -} - -variable "oci_core_subnet_cidr10" { - default = "10.0.0.0/24" -} - -variable "oci_core_subnet_cidr11" { - default = "10.0.1.0/24" -} - -variable "k3s_server_private_ip" { - default = "10.0.0.50" -} - -variable "instance_pool_size" { - default = 3 -} - -variable "tutorial_tag_key" { - default = "oracle-tutorial" -} - -variable "tutorial_tag_value" { - default = "k3s-terraform" -} - -variable "my_public_ip_address" { - default = "" -} - -variable "k3s_token" { - default = "2aaf122eed3409ds2c6fagfad4073-92dcdgade664d8c1c7f49z" -} - -variable "install_longhorn" { - default = true -} - -variable "longhorn_release" { - default = "v1.2.2" -} \ No newline at end of file diff --git a/load-balancer/README.md b/load-balancer/README.md new file mode 100644 index 0000000..8149784 --- /dev/null +++ b/load-balancer/README.md 
@@ -0,0 +1,25 @@ +# Load balancer (Layer 7) + +This module will deploy a Load Balancer (L7). The LB can be public or private (*is_private* variable). The LB will be attached to the instances in a instance pool (*instance_pool_id* variable). Also this module will deploy one Network security group that will be attached to the Load Balancer, this NSG will allow traffic on port 80 only to the LB. + +### Requirements + +* One vcn with a public or private subnet (simple-vcn or private-vcn module) + +### Module variables + +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `vcn_id` | `yes` | The VCN OCID | +| `private_subnet_id` | `yes` | Private subnet OCID | +| `public_subnet_id` | `yes` | Public subnet OCID | +| `instance_pool_size` | `yes` | Instance pool size | +| `instance_pool_id` | `yes` | Instance pool ocid OCID | +| `is_private` | `no` | Bool value. If true the LB will be a private LB (no public ip) Default: false | +| `lb_shape` | `no` | Load balancer shape. Default: flexible | + +### Output + +lb_ip, LB public or private ip address \ No newline at end of file diff --git a/load-balancer/data.tf b/load-balancer/data.tf new file mode 100644 index 0000000..f529b0b --- /dev/null +++ b/load-balancer/data.tf @@ -0,0 +1,9 @@ +data "oci_core_instance_pool_instances" "ubuntu_instance_pool_instances" { + compartment_id = var.compartment_ocid + instance_pool_id = var.instance_pool_id +} + +data "oci_core_instance" "ubuntu_instance_pool_instances_ips" { + count = var.instance_pool_size + instance_id = data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances.instances[count.index].id +} \ No newline at end of file diff --git a/load-balancer/lb.tf b/load-balancer/lb.tf new file mode 100644 index 0000000..26429aa --- /dev/null 
+++ b/load-balancer/lb.tf @@ -0,0 +1,47 @@ +resource "oci_load_balancer_load_balancer" "load_balancer_l7" { + compartment_id = var.compartment_ocid + display_name = "LB Layer 7" + shape = var.lb_shape + subnet_ids = [var.public_subnet_id] + network_security_group_ids = [oci_core_network_security_group.public_lb_nsg.id] + + ip_mode = "IPV4" + is_private = var.is_private + + shape_details { + maximum_bandwidth_in_mbps = 10 + minimum_bandwidth_in_mbps = 10 + } + + freeform_tags = local.tags +} + +# HTTP +resource "oci_load_balancer_listener" "http_listener" { + default_backend_set_name = oci_load_balancer_backend_set.http_backend_set.name + load_balancer_id = oci_load_balancer_load_balancer.load_balancer_l7.id + name = "http_listener" + port = 80 + protocol = "HTTP" +} + +resource "oci_load_balancer_backend_set" "http_backend_set" { + health_checker { + protocol = "HTTP" + port = 80 + url_path = "/" + return_code = 200 + } + + load_balancer_id = oci_load_balancer_load_balancer.load_balancer_l7.id + name = "http_backend_set" + policy = "ROUND_ROBIN" +} + +resource "oci_load_balancer_backend" "http_backend" { + count = var.instance_pool_size + backendset_name = oci_load_balancer_backend_set.http_backend_set.name + ip_address = data.oci_core_instance.ubuntu_instance_pool_instances_ips[count.index].private_ip + load_balancer_id = oci_load_balancer_load_balancer.load_balancer_l7.id + port = 80 +} \ No newline at end of file diff --git a/load-balancer/local.tf b/load-balancer/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/load-balancer/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file diff --git a/load-balancer/nsg.tf b/load-balancer/nsg.tf new file mode 100644 index 0000000..4a3fb4b --- /dev/null +++ b/load-balancer/nsg.tf 
@@ -0,0 +1,26 @@ +resource "oci_core_network_security_group" "public_lb_nsg" { + compartment_id = var.compartment_ocid + vcn_id = var.vcn_id + display_name = "Public LB nsg" + + freeform_tags = local.tags +} + +resource "oci_core_network_security_group_security_rule" "allow_http_from_all" { + network_security_group_id = oci_core_network_security_group.public_lb_nsg.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow HTTP from all" + + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = false + + tcp_options { + destination_port_range { + max = 80 + min = 80 + } + } +} \ No newline at end of file diff --git a/load-balancer/output.tf b/load-balancer/output.tf new file mode 100644 index 0000000..423cb42 --- /dev/null +++ b/load-balancer/output.tf @@ -0,0 +1,3 @@ +output "lb_ip" { + value = oci_load_balancer_load_balancer.load_balancer_l7.ip_addresses +} \ No newline at end of file diff --git a/load-balancer/vars.tf b/load-balancer/vars.tf new file mode 100644 index 0000000..b1a673a --- /dev/null +++ b/load-balancer/vars.tf @@ -0,0 +1,42 @@ +variable "compartment_ocid" { + +} + +variable "region" { + +} + +variable "environment" { + type = string +} + +variable "instance_pool_id" { + type = string +} + +variable "is_private" { + type = bool + default = false +} + +variable "lb_shape" { + type = string + default = "flexible" +} + +variable "vcn_id" { + type = string +} + +variable "public_subnet_id" { + type = string +} + +variable "private_subnet_id" { + type = string +} + +variable "instance_pool_size" { + type = number + default = 2 +} \ No newline at end of file diff --git a/nat-instance/README.md b/nat-instance/README.md new file mode 100644 index 0000000..55d70c9 --- /dev/null +++ b/nat-instance/README.md 
@@ -0,0 +1,35 @@ +# NAT instance + +This module will deploy a NAT instance. If you use a private subnet with an always free account you will need a nat instance to give internet access to the private subnet. With the always free account you can't use/deploy a NAT gateway. + +Also this module will setup a new route table and will attach this new route to the private subnet. + +### Requirements + +* One vcn with a public or private subnet (simple-vcn or private-vcn module) + +### Module variables + +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `availability_domain` | `yes` | Set the correct availability domain. See [how](../README.md#how-to-find-the-availability-doamin-name) to find the availability domain| +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `vcn_id` | `yes` | The VCN OCID | +| `private_subnet_id` | `yes` | Private subnet OCID | +| `public_subnet_id` | `yes` | Public subnet OCID | +| `default_fault_domain` | `no` | Fault domain where the instance will be deployed. Default: FAULT-DOMAIN-1 | +| `PATH_TO_PUBLIC_KEY` | `no` | Path to your public ssh key (Default: "~/.ssh/id_rsa.pub) | +| `os_image_id` | `no` | OS image OCID. Default: ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q - Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 | +| `setup_bastion` | `no` | Bool variable. Setup the nat instance as bastion host. Default: true | +| `bastion_user` | `no` | Bastion username. Default: bastion | +| `bastion_group` | `no` | Bastion group. Default: bastion | +| `ssh_keys_path` | `no` | List of ssh keys allowed to connect to the nat instance as bastion user. 
Default: ["~/.ssh/id_rsa.pub"] | + + +### Output + +The module will output: + +* nat_instance_id, NAT instance OCID +* nat_instance_public_ip, NAT instance public ip \ No newline at end of file diff --git a/nat-instance/data.tf b/nat-instance/data.tf new file mode 100644 index 0000000..828adee --- /dev/null +++ b/nat-instance/data.tf @@ -0,0 +1,34 @@ +data "template_cloudinit_config" "nat_instance_init" { + gzip = true + base64_encode = true + + part { + filename = "init.cfg" + content_type = "text/cloud-config" + content = templatefile("${path.module}/files/cloud-config-base.yaml", {}) + } + + part { + content_type = "text/x-shellscript" + content = templatefile("${path.module}/files/setup_bastion.sh", { ssh_keys = local.ssh_keys, setup_bastion = var.setup_bastion, bastion_user = var.bastion_user, bastion_group = var.bastion_group }) + } +} + +data "oci_core_vnic_attachments" "nat_instance_vnics" { + depends_on = [ + oci_core_instance.nat_instance + ] + + compartment_id = var.compartment_ocid + availability_domain = var.availability_domain + instance_id = oci_core_instance.nat_instance.id +} + +data "oci_core_private_ips" "nat_instance_private_ips_by_nic" { + depends_on = [ + oci_core_instance.nat_instance + ] + ip_address = oci_core_instance.nat_instance.private_ip + subnet_id = var.public_subnet_id + vnic_id = data.oci_core_vnic_attachments.nat_instance_vnics.vnic_id +} \ No newline at end of file diff --git a/nat-instance/files/cloud-config-base.yaml b/nat-instance/files/cloud-config-base.yaml new file mode 100644 index 0000000..96c93ad --- /dev/null +++ b/nat-instance/files/cloud-config-base.yaml 
@@ -0,0 +1,12 @@ +#cloud-config +write_files: +- path: /etc/sysctl.d/98-ip-forward.conf + content: | + net.ipv4.ip_forward = 1 +runcmd: + - apt-get update + - apt install -y firewalld + - firewall-offline-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp0s3 -j MASQUERADE + - firewall-offline-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -j ACCEPT + - /bin/systemctl restart firewalld + - sysctl -p /etc/sysctl.d/98-ip-forward.conf \ No newline at end of file diff --git a/nat-instance/files/setup_bastion.sh b/nat-instance/files/setup_bastion.sh new file mode 100644 index 0000000..48a54c3 --- /dev/null +++ b/nat-instance/files/setup_bastion.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +%{ if setup_bastion } + + +groupadd ${bastion_group} +useradd -d /home/${bastion_user} -r -g ${bastion_group} ${bastion_user} +mkdir -p /home/${bastion_user}/.ssh +touch /home/${bastion_user}/.ssh/authorized_keys +%{ for ssh_key in ssh_keys } +echo "${ssh_key}" >> /home/${bastion_user}/.ssh/authorized_keys +%{ endfor } +chown -R ${bastion_group}:${bastion_user} /home/${bastion_user}/ +chmod 400 /home/${bastion_user}/.ssh/authorized_keys + +cat <> /etc/ssh/sshd_config +Match Group ${bastion_group} + AllowAgentForwarding no + AllowTcpForwarding yes + X11Forwarding no + PermitTunnel no + GatewayPorts no + ForceCommand echo 'This account can only be used for ProxyJump (ssh -J)' +EOD + +systemctl restart sshd.service + +%{ endif } \ No newline at end of file diff --git a/nat-instance/local.tf b/nat-instance/local.tf new file mode 100644 index 0000000..a56e8dc --- /dev/null +++ b/nat-instance/local.tf @@ -0,0 +1,8 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } + + ssh_keys = [for ssh_key in var.ssh_keys_path : file(ssh_key)] +} \ No newline at end of file 
diff --git a/k3s-cluster/k3s-server.tf b/nat-instance/nat_instance.tf similarity index 61% rename from k3s-cluster/k3s-server.tf rename to nat-instance/nat_instance.tf index bee9ba8..27d3af9 100644 --- a/k3s-cluster/k3s-server.tf +++ b/nat-instance/nat_instance.tf @@ -1,4 +1,4 @@ -resource "oci_core_instance" "k3s_server" { +resource "oci_core_instance" "nat_instance" { agent_config { is_management_disabled = "false" is_monitoring_disabled = "false" @@ -26,25 +26,25 @@ resource "oci_core_instance" "k3s_server" { availability_domain = var.availability_domain compartment_id = var.compartment_ocid fault_domain = var.default_fault_domain - + create_vnic_details { - assign_private_dns_record = "true" - assign_public_ip = "true" - subnet_id = oci_core_subnet.default_oci_core_subnet10.id - private_ip = var.k3s_server_private_ip + assign_private_dns_record = true + assign_public_ip = true + subnet_id = var.public_subnet_id + skip_source_dest_check = true } - display_name = "k3s-server" + display_name = "NATINSTANCE" instance_options { - are_legacy_imds_endpoints_disabled = "false" + are_legacy_imds_endpoints_disabled = false } - is_pv_encryption_in_transit_enabled = "true" + is_pv_encryption_in_transit_enabled = true metadata = { "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY) - "user_data" = data.template_cloudinit_config.k3s_server_tpl.rendered + "user_data" = data.template_cloudinit_config.nat_instance_init.rendered } shape = "VM.Standard.A1.Flex" @@ -58,8 +58,5 @@ resource "oci_core_instance" "k3s_server" { source_type = "image" } - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - "k3s-cluster" = "server" - } + freeform_tags = local.tags } \ No newline at end of file diff --git a/nat-instance/output.tf b/nat-instance/output.tf new file mode 100644 index 0000000..b43f86f --- /dev/null +++ b/nat-instance/output.tf 
@@ -0,0 +1,7 @@ +output "nat_instance_id" { + value = oci_core_instance.nat_instance.id +} + +output "nat_instance_public_ip" { + value = oci_core_instance.nat_instance.public_ip +} \ No newline at end of file diff --git a/nat-instance/route_table.tf b/nat-instance/route_table.tf new file mode 100644 index 0000000..351c8b7 --- /dev/null +++ b/nat-instance/route_table.tf @@ -0,0 +1,23 @@ +resource "oci_core_route_table" "nat_instance_route_table" { + + depends_on = [ + oci_core_instance.nat_instance + ] + + compartment_id = var.compartment_ocid + vcn_id = var.vcn_id + display_name = "NAT instance route table" + + route_rules { + network_entity_id = data.oci_core_private_ips.nat_instance_private_ips_by_nic.private_ips[0].id + + description = "Route internet traffic via nat instance" + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + } +} + +resource "oci_core_route_table_attachment" "attach_route_table" { + subnet_id = var.private_subnet_id + route_table_id = oci_core_route_table.nat_instance_route_table.id +} \ No newline at end of file diff --git a/nat-instance/vars.tf b/nat-instance/vars.tf new file mode 100644 index 0000000..5685d6c --- /dev/null +++ b/nat-instance/vars.tf 
@@ -0,0 +1,67 @@ +variable "compartment_ocid" { + +} + +variable "region" { + +} + +variable "availability_domain" { + +} + +variable "environment" { + type = string +} + +variable "PATH_TO_PUBLIC_KEY" { + type = string + default = "~/.ssh/id_rsa.pub" + description = "Path to your public key" +} + +variable "setup_bastion" { + type = bool + default = true +} + +variable "bastion_user" { + type = string + default = "bastion" +} + +variable "bastion_group" { + type = string + default = "bastion" +} + +variable "ssh_keys_path" { + type = list(any) + default = ["~/.ssh/id_rsa.pub"] +} + +variable "default_fault_domain" { + default = "FAULT-DOMAIN-1" +} + +variable "fault_domains" { + type = list(any) + default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"] +} + +variable "vcn_id" { + type = string +} + +variable "private_subnet_id" { + type = string +} + +variable "public_subnet_id" { + type = string +} + +variable "os_image_id" { + type = string + default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q" # Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 +} \ No newline at end of file diff --git a/network-load-balancer/README.md b/network-load-balancer/README.md new file mode 100644 index 0000000..defa8e1 --- /dev/null +++ b/network-load-balancer/README.md 
@@ -0,0 +1,24 @@ +# Network load balancer (Layer 4) + +This module will deploy a Network Load Balancer (L4). The LB can be public or private (*is_private* variable). The LB will be attached to the instances in a instance pool (*instance_pool_id* variable). + +### Requirements + +* One vcn with a public or private subnet (simple-vcn or private-vcn module) + +### Module variables + +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `vcn_id` | `yes` | The VCN OCID | +| `private_subnet_id` | `yes` | Private subnet OCID | +| `public_subnet_id` | `yes` | Public subnet OCID | +| `instance_pool_size` | `yes` | Instance pool size | +| `instance_pool_id` | `yes` | Instance pool ocid OCID | +| `is_private` | `no` | Bool value. If true the LB will be a private LB (no public ip) Default: true | + +### Output + +lb_ip, LB public or private ip address \ No newline at end of file diff --git a/network-load-balancer/data.tf b/network-load-balancer/data.tf new file mode 100644 index 0000000..f529b0b --- /dev/null +++ b/network-load-balancer/data.tf @@ -0,0 +1,9 @@ +data "oci_core_instance_pool_instances" "ubuntu_instance_pool_instances" { + compartment_id = var.compartment_ocid + instance_pool_id = var.instance_pool_id +} + +data "oci_core_instance" "ubuntu_instance_pool_instances_ips" { + count = var.instance_pool_size + instance_id = data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances.instances[count.index].id +} \ No newline at end of file diff --git a/instance-pool/lb.tf b/network-load-balancer/lb.tf similarity index 52% rename from instance-pool/lb.tf rename to network-load-balancer/lb.tf index 67e966d..2fb7231 100644 --- a/instance-pool/lb.tf +++ b/network-load-balancer/lb.tf 
@@ -1,49 +1,38 @@ -resource "oci_network_load_balancer_network_load_balancer" "test_network_load_balancer" { - depends_on = [ - oci_core_instance_pool.ubuntu_instance_pool, - ] - +resource "oci_network_load_balancer_network_load_balancer" "load_balancer_l4" { compartment_id = var.compartment_ocid - display_name = "Test Network LB" - subnet_id = oci_core_subnet.oci_core_subnet11.id + display_name = "Network LB Layer 4" + subnet_id = var.private_subnet_id - is_private = false + is_private = var.is_private is_preserve_source_destination = false - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + freeform_tags = local.tags } -resource "oci_network_load_balancer_listener" "test_listener" { - #Required - default_backend_set_name = oci_network_load_balancer_backend_set.test_backend_set.name +resource "oci_network_load_balancer_listener" "http_listener_l4" { + default_backend_set_name = oci_network_load_balancer_backend_set.http_backend_set_l4.name name = "LB test listener" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.load_balancer_l4.id port = 80 protocol = "TCP" } -resource "oci_network_load_balancer_backend_set" "test_backend_set" { +resource "oci_network_load_balancer_backend_set" "http_backend_set_l4" { health_checker { protocol = "TCP" port = 80 } name = "Backend set test" - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.load_balancer_l4.id policy = "FIVE_TUPLE" is_preserve_source = true } -resource "oci_network_load_balancer_backend" "test_backend" { - depends_on = [ - oci_core_instance_pool.ubuntu_instance_pool, - ] - +resource "oci_network_load_balancer_backend" "http_backend_l4" { count = var.instance_pool_size - backend_set_name = 
oci_network_load_balancer_backend_set.test_backend_set.name - network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + backend_set_name = oci_network_load_balancer_backend_set.http_backend_set_l4.name + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.load_balancer_l4.id port = 80 target_id = data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances.instances[count.index].id diff --git a/network-load-balancer/local.tf b/network-load-balancer/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/network-load-balancer/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file diff --git a/network-load-balancer/output.tf b/network-load-balancer/output.tf new file mode 100644 index 0000000..2613ee4 --- /dev/null +++ b/network-load-balancer/output.tf @@ -0,0 +1,3 @@ +output "lb_ip" { + value = oci_network_load_balancer_network_load_balancer.load_balancer_l4.ip_addresses +} \ No newline at end of file diff --git a/network-load-balancer/vars.tf b/network-load-balancer/vars.tf new file mode 100644 index 0000000..50311f4 --- /dev/null +++ b/network-load-balancer/vars.tf @@ -0,0 +1,37 @@ +variable "compartment_ocid" { + +} + +variable "region" { + +} + +variable "environment" { + type = string +} + +variable "instance_pool_id" { + type = string +} + +variable "is_private" { + type = bool + default = true +} + +variable "vcn_id" { + type = string +} + +variable "public_subnet_id" { + type = string +} + +variable "private_subnet_id" { + type = string +} + +variable "instance_pool_size" { + type = number + default = 2 +} \ No newline at end of file diff --git a/private-vcn/README.md b/private-vcn/README.md new file mode 100644 index 0000000..683dbbe --- /dev/null +++ b/private-vcn/README.md 
@@ -0,0 +1,35 @@ +# Simple compute instance + +This example will deploy a one VCN with one public subnet ad one private subnet. Also this modules deploy a security list with the following rueles: + +* egress, all traffic allowed +* ingress, traffica allowed on port 22 only from *my_public_ip_cidr* + +### Requirements + +No Requirement + +### Module variables + +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `my_public_ip_cidr` | `yes` | A public ip CIDR allowed to reach the OCI resources | +| `environment` | `yes` | Current work environment (Example: staging/dev/prod). This value is used for tag all the deployed resources | +| `oci_core_vcn_dns_label` | `no` | VCN DNS label. Default: defaultvcn | +| `oci_core_subnet_dns_label10` | `no` | First subnet DNS label. Default: publicsubnet10 | +| `oci_core_subnet_dns_label11` | `no` | Second subnet DNS label. Default: privatesubnet11 | +| `oci_core_vcn_cidr` | `no` | VCN CIDR. Default: 10.0.0.0/16 | +| `oci_core_subnet_cidr10` | `no` | First subnet CIDR. Default: 10.0.0.0/24 | +| `oci_core_subnet_cidr11` | `no` | Second subnet CIDR. Default: 10.0.1.0/24 | + +### Output + +The module will output: + +* vcn_id, the VCN OCID +* public_subnet_id, the public subnet OCID +* private_subnet_id, the private subnet OCID +* security_list_id, the security list OCID +* public_subnet_cidr, the public subnet CIDR \ No newline at end of file diff --git a/private-vcn/local.tf b/private-vcn/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/private-vcn/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file 
diff --git a/k3s-cluster/network.tf b/private-vcn/network.tf similarity index 53% rename from k3s-cluster/network.tf rename to private-vcn/network.tf index 38beb6a..45bf248 100644 --- a/k3s-cluster/network.tf +++ b/private-vcn/network.tf 
@@ -2,47 +2,39 @@ resource "oci_core_vcn" "default_oci_core_vcn" { cidr_block = var.oci_core_vcn_cidr compartment_id = var.compartment_ocid display_name = "Default OCI core vcn" - dns_label = "defaultvcn" - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + dns_label = var.oci_core_vcn_dns_label + freeform_tags = local.tags } resource "oci_core_subnet" "default_oci_core_subnet10" { cidr_block = var.oci_core_subnet_cidr10 compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet" - dns_label = "defaultsubnet10" + display_name = "${var.oci_core_subnet_cidr10} (default) PUBLIC OCI core subnet" + dns_label = var.oci_core_subnet_dns_label10 route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + security_list_ids = [oci_core_default_security_list.default_security_list.id] + freeform_tags = local.tags } resource "oci_core_subnet" "oci_core_subnet11" { - cidr_block = var.oci_core_subnet_cidr11 - compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr11} OCI core subnet" - dns_label = "defaultsubnet11" - route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id - vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + cidr_block = var.oci_core_subnet_cidr11 + compartment_id = var.compartment_ocid + display_name = "${var.oci_core_subnet_cidr11} PRIVATE OCI core subnet" + dns_label = var.oci_core_subnet_dns_label11 + vcn_id = oci_core_vcn.default_oci_core_vcn.id + 
prohibit_public_ip_on_vnic = true + prohibit_internet_ingress = true + security_list_ids = [oci_core_default_security_list.default_security_list.id] + freeform_tags = local.tags } - resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" { compartment_id = var.compartment_ocid display_name = "Internet Gateway Default OCI core vcn" enabled = "true" vcn_id = oci_core_vcn.default_oci_core_vcn.id - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + freeform_tags = local.tags } resource "oci_core_default_route_table" "default_oci_core_default_route_table" { diff --git a/private-vcn/output.tf b/private-vcn/output.tf new file mode 100644 index 0000000..d2ba64e --- /dev/null +++ b/private-vcn/output.tf @@ -0,0 +1,19 @@ +output "vcn_id" { + value = oci_core_vcn.default_oci_core_vcn.id +} + +output "public_subnet_id" { + value = oci_core_subnet.default_oci_core_subnet10.id +} + +output "private_subnet_id" { + value = oci_core_subnet.oci_core_subnet11.id +} + +output "security_list_id" { + value = oci_core_default_security_list.default_security_list.id +} + +output "public_subnet_cidr" { + value = oci_core_subnet.default_oci_core_subnet10.cidr_block +} \ No newline at end of file diff --git a/private-vcn/security.tf b/private-vcn/security.tf new file mode 100644 index 0000000..0c9fa70 --- /dev/null +++ b/private-vcn/security.tf 
@@ -0,0 +1,39 @@ +resource "oci_core_default_security_list" "default_security_list" { + compartment_id = var.compartment_ocid + manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id + + display_name = "Default security list" + egress_security_rules { + destination = "0.0.0.0/0" + protocol = "all" + } + + ingress_security_rules { + protocol = 1 # icmp + source = var.my_public_ip_cidr + + description = "Allow icmp from ${var.my_public_ip_cidr}" + + } + + ingress_security_rules { + protocol = 6 # tcp + source = var.my_public_ip_cidr + + description = "Allow SSH from ${var.my_public_ip_cidr}" + + tcp_options { + min = 22 + max = 22 + } + } + + ingress_security_rules { + protocol = "all" + source = var.oci_core_vcn_cidr + + description = "Allow all from vcn subnet" + } + + freeform_tags = local.tags +} \ No newline at end of file diff --git a/private-vcn/vars.tf b/private-vcn/vars.tf new file mode 100644 index 0000000..1001a6f --- /dev/null +++ b/private-vcn/vars.tf @@ -0,0 +1,45 @@ +variable "compartment_ocid" { + +} + +variable "region" { + +} + +variable "fault_domains" { + type = list(any) + default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"] +} + +variable "oci_core_vcn_cidr" { + default = "10.0.0.0/16" +} + +variable "oci_core_subnet_cidr10" { + default = "10.0.0.0/24" +} + +variable "oci_core_subnet_cidr11" { + default = "10.0.1.0/24" +} + +variable "oci_core_subnet_dns_label10" { + default = "publicsubnet10" +} + +variable "oci_core_vcn_dns_label" { + default = "defaultvcn" +} + +variable "oci_core_subnet_dns_label11" { + default = "privatesubnet11" +} + +variable "my_public_ip_cidr" { + type = string + description = "My public ip CIDR" +} + +variable "environment" { + type = string +} \ No newline at end of file diff --git a/simple-instance/.terraform.lock.hcl b/simple-instance/.terraform.lock.hcl deleted file mode 100644 index 43373d9..0000000 --- a/simple-instance/.terraform.lock.hcl +++ /dev/null 
@@ -1,36 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/oci" { - version = "4.49.0" - hashes = [ - "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", - "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", - "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", - "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", - "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", - "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", - "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", - "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", - "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", - "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", - "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} diff --git a/simple-instance/README.md b/simple-instance/README.md index fed7b2a..63ce9da 100644 
--- a/simple-instance/README.md +++ b/simple-instance/README.md 
@@ -1,64 +1,29 @@ # Simple compute instance -This example will deploy a single Oracle compute instance. +This module will deploy a single Oracle compute instance, in a private or in a public subnet. -### Extra variables +If you choose to publish this compute instance in a private subnet, you need a NAT instance (refer to nat-instance module). The nat instance can be used also as bation host to reach the private instance, or if you prefer you can deploy a dedicated bastion host (refer to bastion-host module). -In this example an extra variable is used: +### Requirements -* fault_domain, this variable indicate in which fault domain our instance will be launched +* One vcn with a public or private subnet (simple-vcn or private-vcn module) +* One nat instance if the instance *is_private* (nat-instance module) -**Remember** to set the provider [settings](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#oracle-provider-setup) and ajust all the [variables](https://github.com/garutilorenzo/oracle-cloud-terraform-examples#other-variables-to-adjust) +### Module variables -### Deploy +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `availability_domain` | `yes` | Set the correct availability domain. See [how](../README.md#how-to-find-the-availability-doamin-name) to find the availability domain| +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `vcn_id` | `yes` | The VCN OCID | +| `private_subnet_id` | `yes` | Private subnet OCID | +| `public_subnet_id` | `yes` | Public subnet OCID | +| `environment` | `yes` | Current work environment (Example: staging/dev/prod). This value is used for tag all the deployed resources | +| `default_fault_domain` | `no` | Fault domain where the instance will be deployed. Default: FAULT-DOMAIN-1 | +| `is_private` | `no` | Bool value. 
If true the instance will be deployed in a private subnet. Default: false | +| `os_image_id` | `no` | OS image OCID. Default: ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q - Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 | -To deploy the infrastructure: +### Output -``` -terraform init - -terraform plan - -terraform apply -``` - -wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip address of the instance: - -``` -Apply complete! Resources: 8 added, 0 changed, 0 destroyed. - -Outputs: - -instance_ip = "152.x.x.x" -``` - -now you can ssh into the machine: - -``` -ssh ubuntu@152.x.x.x - -... -35 updates can be applied immediately. -25 of these updates are standard security updates. -To see these additional updates run: apt list --upgradable - - - -The programs included with the Ubuntu system are free software; -the exact distribution terms for each program are described in the -individual files in /usr/share/doc/*/copyright. - -Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by -applicable law. - -To run a command as administrator (user "root"), use "sudo ". -See "man sudo_root" for details. - -ubuntu@ubuntu-instance:~$ -``` - -### Cleanup - -``` -terraform destroy -``` \ No newline at end of file +The module will show the instane ip: public or private (based on the value of the variable *is_private*) \ No newline at end of file diff --git a/simple-instance/compute.tf b/simple-instance/compute.tf index 9c43f31..45a4990 100644 --- a/simple-instance/compute.tf +++ b/simple-instance/compute.tf 
@@ -28,18 +28,18 @@ resource "oci_core_instance" "ubuntu_oci_instance" { fault_domain = var.default_fault_domain create_vnic_details { - assign_private_dns_record = "true" - assign_public_ip = "true" - subnet_id = oci_core_subnet.default_oci_core_subnet10.id + assign_private_dns_record = true + assign_public_ip = var.is_private == true ? false : true + subnet_id = var.is_private == true ? var.private_subnet_id : var.public_subnet_id } display_name = "Ubuntu Instance" instance_options { - are_legacy_imds_endpoints_disabled = "false" + are_legacy_imds_endpoints_disabled = false } - is_pv_encryption_in_transit_enabled = "true" + is_pv_encryption_in_transit_enabled = true metadata = { "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY) @@ -57,7 +57,5 @@ resource "oci_core_instance" "ubuntu_oci_instance" { source_type = "image" } - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + freeform_tags = local.tags } \ No newline at end of file diff --git a/simple-instance/local.tf b/simple-instance/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/simple-instance/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file diff --git a/simple-instance/output.tf b/simple-instance/output.tf index 68bd4dd..7e02ee1 100644 --- a/simple-instance/output.tf +++ b/simple-instance/output.tf @@ -1,3 +1,3 @@ output "instance_ip" { - value = oci_core_instance.ubuntu_oci_instance.public_ip + value = var.is_private == true ? oci_core_instance.ubuntu_oci_instance.private_ip : oci_core_instance.ubuntu_oci_instance.public_ip } \ No newline at end of file diff --git a/simple-instance/provider.tf b/simple-instance/provider.tf deleted file mode 100644 index 7a78460..0000000 --- a/simple-instance/provider.tf +++ /dev/null 
@@ -1,7 +0,0 @@ -provider "oci" { - tenancy_ocid = var.tenancy_ocid - user_ocid = var.user_ocid - private_key_path = var.private_key_path - fingerprint = var.fingerprint - region = var.region -} \ No newline at end of file diff --git a/simple-instance/security.tf b/simple-instance/security.tf deleted file mode 100644 index da4d910..0000000 --- a/simple-instance/security.tf +++ /dev/null @@ -1,76 +0,0 @@ -resource "oci_core_default_security_list" "default_security_list" { - compartment_id = var.compartment_ocid - manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id - - display_name = "Default security list" - egress_security_rules { - destination = "0.0.0.0/0" - protocol = "all" - } - - ingress_security_rules { - protocol = 1 # icmp - source = var.my_public_ip_address - - description = "Allow icmp from ${var.my_public_ip_address}" - - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow SSH from ${var.my_public_ip_address}" - - tcp_options { - min = 22 - max = 22 - } - } - - ingress_security_rules { - protocol = 6 # tcp - source = var.my_public_ip_address - - description = "Allow HTTP from ${var.my_public_ip_address}" - - tcp_options { - min = 80 - max = 80 - } - } - - ingress_security_rules { - protocol = "all" - source = var.oci_core_vcn_cidr - - description = "Allow all from vcn subnet" - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} - -resource "oci_core_security_list" "custom_security_list" { - compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.default_oci_core_vcn.id - - display_name = "Custom security list" - - ingress_security_rules { - protocol = 6 # tcp - source = "0.0.0.0/0" - - description = "Allow HTTP from all" - - tcp_options { - min = 80 - max = 80 - } - } - - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } -} \ No newline at end of file 
diff --git a/simple-instance/vars.tf b/simple-instance/vars.tf index 7be3fa0..ac4c141 100644 --- a/simple-instance/vars.tf +++ b/simple-instance/vars.tf @@ -2,62 +2,41 @@ variable "compartment_ocid" { } -variable "tenancy_ocid" { - -} - variable "region" { - default = "" -} - -variable "user_ocid" { - -} - -variable "fingerprint" { - -} - -variable "private_key_path" { } variable "availability_domain" { - default = "" -} -variable "default_fault_domain" { - default = "FAULT-DOMAIN-1" } variable "PATH_TO_PUBLIC_KEY" { - default = "~/.ssh/id_rsa.pub" -} - -variable "os_image_id" { - default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04 + type = string + default = "~/.ssh/id_rsa.pub" + description = "Path to your public key" } -variable "oci_core_vcn_cidr" { - default = "10.0.0.0/16" +variable "environment" { + type = string } -variable "oci_core_subnet_cidr10" { - default = "10.0.0.0/24" +variable "is_private" { + type = bool + default = false } -variable "oci_core_subnet_cidr11" { - default = "10.0.1.0/24" +variable "public_subnet_id" { + type = string } -variable "tutorial_tag_key" { - default = "oracle-tutorial" +variable "private_subnet_id" { + type = string } -variable "tutorial_tag_value" { - default = "terraform" +variable "default_fault_domain" { + default = "FAULT-DOMAIN-1" } -variable "my_public_ip_address" { - default = "" +variable "os_image_id" { + default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaag2uyozo7266bmg26j5ixvi42jhaujso2pddpsigtib6vfnqy5f6q" # Canonical-Ubuntu-20.04-aarch64-2022.01.18-0 } \ No newline at end of file diff --git a/simple-vcn/README.md b/simple-vcn/README.md new file mode 100644 index 0000000..32feedf --- /dev/null +++ b/simple-vcn/README.md 
@@ -0,0 +1,35 @@ +# Simple compute instance + +This module will deploy a one VCN with two public subnets. Also this modules deploy a security list with the following rueles: + +* egress, all traffic allowed +* ingress, traffica allowed on port 22 only from *my_public_ip_cidr* + +### Requirements + +No Requirement + +### Module variables + +| Var | Required | Desc | +| ------- | ------- | ----------- | +| `region` | `yes` | set the correct OCI region based on your needs | +| `compartment_ocid` | `yes` | Set the correct compartment ocid. See [how](../README.md#oracle-provider-setup) to find the compartment ocid | +| `my_public_ip_cidr` | `yes` | A public ip CIDR allowed to reach the OCI resources | +| `environment` | `yes` | Current work environment (Example: staging/dev/prod). This value is used for tag all the deployed resources | +| `oci_core_vcn_dns_label` | `no` | VCN DNS label. Default: defaultvcn | +| `oci_core_subnet_dns_label10` | `no` | First subnet DNS label. Default: publicsubnet10 | +| `oci_core_subnet_dns_label11` | `no` | Second subnet DNS label. Default: publicsubnet11 | +| `oci_core_vcn_cidr` | `no` | VCN CIDR. Default: 10.0.0.0/16 | +| `oci_core_subnet_cidr10` | `no` | First subnet CIDR. Default: 10.0.0.0/24 | +| `oci_core_subnet_cidr11` | `no` | Second subnet CIDR. Default: 10.0.1.0/24 | + +### Output + +The module will output: + +* vcn_id, the VCN OCID +* public_subnet_id, the public subnet OCID +* secondary_public_subnet_id, the secondary public subnet OCID +* security_list_id, the security list OCID +* public_subnet_cidr, the public subnet CIDR \ No newline at end of file diff --git a/simple-vcn/local.tf b/simple-vcn/local.tf new file mode 100644 index 0000000..0a67071 --- /dev/null +++ b/simple-vcn/local.tf @@ -0,0 +1,6 @@ +locals { + tags = { + "oracle-tutorial" = "terraform" + "environment" = "${var.environment}" + } +} \ No newline at end of file 
diff --git a/simple-instance/network.tf b/simple-vcn/network.tf similarity index 67% rename from simple-instance/network.tf rename to simple-vcn/network.tf index 4867d1a..9f25159 100644 --- a/simple-instance/network.tf +++ b/simple-vcn/network.tf 
@@ -2,36 +2,30 @@ resource "oci_core_vcn" "default_oci_core_vcn" { cidr_block = var.oci_core_vcn_cidr compartment_id = var.compartment_ocid display_name = "Default OCI core vcn" - dns_label = "defaultvcn" - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + dns_label = var.oci_core_vcn_dns_label + freeform_tags = local.tags } resource "oci_core_subnet" "default_oci_core_subnet10" { cidr_block = var.oci_core_subnet_cidr10 compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet" - dns_label = "defaultsubnet10" + display_name = "${var.oci_core_subnet_cidr10} (default) PUBLIC OCI core subnet" + dns_label = var.oci_core_subnet_dns_label10 route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + security_list_ids = [oci_core_default_security_list.default_security_list.id] + freeform_tags = local.tags } resource "oci_core_subnet" "oci_core_subnet11" { cidr_block = var.oci_core_subnet_cidr11 compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr11} OCI core subnet" - dns_label = "defaultsubnet11" + display_name = "${var.oci_core_subnet_cidr11} PUBLIC OCI core subnet" + dns_label = var.oci_core_subnet_dns_label11 route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + security_list_ids = [oci_core_default_security_list.default_security_list.id] + freeform_tags = local.tags } resource "oci_core_internet_gateway" 
"default_oci_core_internet_gateway" { @@ -39,9 +33,7 @@ resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" { display_name = "Internet Gateway Default OCI core vcn" enabled = "true" vcn_id = oci_core_vcn.default_oci_core_vcn.id - freeform_tags = { - "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" - } + freeform_tags = local.tags } resource "oci_core_default_route_table" "default_oci_core_default_route_table" { diff --git a/simple-vcn/output.tf b/simple-vcn/output.tf new file mode 100644 index 0000000..e7fa23b --- /dev/null +++ b/simple-vcn/output.tf @@ -0,0 +1,19 @@ +output "vcn_id" { + value = oci_core_vcn.default_oci_core_vcn.id +} + +output "public_subnet_id" { + value = oci_core_subnet.default_oci_core_subnet10.id +} + +output "secondary_public_subnet_id" { + value = oci_core_subnet.oci_core_subnet11.id +} + +output "security_list_id" { + value = oci_core_default_security_list.default_security_list.id +} + +output "public_subnet_cidr" { + value = oci_core_subnet.default_oci_core_subnet10.cidr_block +} \ No newline at end of file diff --git a/simple-vcn/security.tf b/simple-vcn/security.tf new file mode 100644 index 0000000..0c9fa70 --- /dev/null +++ b/simple-vcn/security.tf 
@@ -0,0 +1,39 @@ +resource "oci_core_default_security_list" "default_security_list" { + compartment_id = var.compartment_ocid + manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id + + display_name = "Default security list" + egress_security_rules { + destination = "0.0.0.0/0" + protocol = "all" + } + + ingress_security_rules { + protocol = 1 # icmp + source = var.my_public_ip_cidr + + description = "Allow icmp from ${var.my_public_ip_cidr}" + + } + + ingress_security_rules { + protocol = 6 # tcp + source = var.my_public_ip_cidr + + description = "Allow SSH from ${var.my_public_ip_cidr}" + + tcp_options { + min = 22 + max = 22 + } + } + + ingress_security_rules { + protocol = "all" + source = var.oci_core_vcn_cidr + + description = "Allow all from vcn subnet" + } + + freeform_tags = local.tags +} \ No newline at end of file diff --git a/simple-vcn/vars.tf b/simple-vcn/vars.tf new file mode 100644 index 0000000..c73e395 --- /dev/null +++ b/simple-vcn/vars.tf @@ -0,0 +1,45 @@ +variable "compartment_ocid" { + +} + +variable "region" { + +} + +variable "fault_domains" { + type = list(any) + default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"] +} + +variable "oci_core_vcn_cidr" { + default = "10.0.0.0/16" +} + +variable "oci_core_subnet_cidr10" { + default = "10.0.0.0/24" +} + +variable "oci_core_subnet_cidr11" { + default = "10.0.1.0/24" +} + +variable "oci_core_vcn_dns_label" { + default = "defaultvcn" +} + +variable "oci_core_subnet_dns_label10" { + default = "publicsubnet10" +} + +variable "oci_core_subnet_dns_label11" { + default = "publicsubnet11" +} + +variable "my_public_ip_cidr" { + type = string + description = "My public ip CIDR" +} + +variable "environment" { + type = string +} \ No newline at end of file
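Review bot: on the deleted simple-instance/security.tf, the removed `custom_security_list` was the only rule admitting TCP/80 from `0.0.0.0/0`, and the replacement default list in simple-vcn/security.tf carries no equivalent, so after this change an instance deployed by simple-instance has no HTTP ingress path at all; if the intent is that HTTP now arrives only via the load-balancer module, state that in the simple-instance README so nobody re-adds a world-open port-80 rule by hand.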
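Review bot: in the simple-instance/vars.tf hunk, the new `os_image_id` default is an `eu-zurich-1` image OCID (`ocid1.image.oc1.eu-zurich-1....`) while `region` stays a free variable, so any caller outside that region gets an image that does not resolve; look the image up with a `data "oci_core_images"` source filtered by operating system and version, or at least say in the description that the default only works in eu-zurich-1. Secondly, `public_subnet_id` and `private_subnet_id` are both declared without a default, so both are required even though `is_private` selects only one of them; give the unused one `default = null` so a caller of simple-vcn (which has no private subnet) can omit `private_subnet_id`.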
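Review bot: the simple-vcn/README.md hunk under-documents the security posture: the heading `# Simple compute instance` describes the wrong module, and the rule list names only SSH from `my_public_ip_cidr`, while security.tf in the same change also admits all ICMP from `my_public_ip_cidr` and all protocols from `oci_core_vcn_cidr`; list all four rules (egress all, ICMP, SSH, intra-VCN) so users know what the default list opens. Also fix the typos `rueles`, `traffica` and `deploy a one VCN`, and add `fault_domains` (declared in vars.tf) to the variables table or drop it.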
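Review bot: in simple-vcn/local.tf, `"environment" = "${var.environment}"` is an interpolation-only string; write `"environment" = var.environment` to match the Terraform 0.12+ syntax used elsewhere in this change (`dns_label = var.oci_core_vcn_dns_label`).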
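Review bot: the simple-vcn/output.tf hunk exports `public_subnet_cidr` for subnet10 only and nothing for the VCN CIDR, yet the intra-VCN ingress rule in security.tf is keyed on `var.oci_core_vcn_cidr`; a dependent module that needs to reason about what the default list admits has no way to read it, so add an `output "vcn_cidr"` (value `oci_core_vcn.default_oci_core_vcn.cidr_block`) and a `secondary_public_subnet_cidr`, and give each output a `description`.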
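Review bot: in the simple-vcn/vars.tf hunk, `my_public_ip_cidr` is the single value gating SSH and ICMP ingress in security.tf, but it has no validation: a bare address without a prefix only fails at apply time, and `0.0.0.0/0` is accepted silently and exposes port 22 to the whole internet. Add a `validation` block such as `condition = can(cidrnetmask(var.my_public_ip_cidr)) && var.my_public_ip_cidr != "0.0.0.0/0"` with an error message, and similarly constrain the three `*_dns_label` variables (letters and digits, starting with a letter, at most 15 characters) since they now flow unchecked into network.tf. Separately, none of the resources visible in this diff reference `var.region` or `var.fault_domains`; either use them or remove them so the README's "required" column stays honest.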