From cf0697258e14af839b4f894fd75d36f0b66e2fdf Mon Sep 17 00:00:00 2001 
From: Lorenzo Garuti Date: Thu, 28 Oct 2021 14:43:43 +0200 Subject: [PATCH] First commit --- instance-pool/.terraform.lock.hcl | 36 ++++ instance-pool/README.md | 113 ++++++++++++ instance-pool/data.tf | 22 +++ instance-pool/files/oci-ubuntu-install.sh | 46 +++++ instance-pool/instancepool.tf | 23 +++ instance-pool/lb.tf | 50 ++++++ instance-pool/network.tf | 55 ++++++ instance-pool/output.tf | 10 ++ instance-pool/provider.tf | 7 + instance-pool/security.tf | 76 ++++++++ instance-pool/template.tf | 61 +++++++ instance-pool/vars.tf | 68 ++++++++ k3s-cluster/.terraform.lock.hcl | 54 ++++++ k3s-cluster/README.md | 181 ++++++++++++++++++++ k3s-cluster/data.tf | 32 ++++ k3s-cluster/files/k3s-install-agent.sh | 22 +++ k3s-cluster/files/k3s-install-server.sh | 39 +++++ k3s-cluster/k3s-agents.tf | 24 +++ k3s-cluster/k3s-server.tf | 65 +++++++ k3s-cluster/lb.tf | 82 +++++++++ k3s-cluster/network.tf | 55 ++++++ k3s-cluster/output.tf | 14 ++ k3s-cluster/provider.tf | 7 + k3s-cluster/security.tf | 76 ++++++++ k3s-cluster/template.tf | 61 +++++++ k3s-cluster/vars.tf | 88 ++++++++++ simple-instance/.terraform.lock.hcl | 36 ++++ simple-instance/README.md | 62 +++++++ simple-instance/compute.tf | 63 +++++++ simple-instance/data.tf | 9 + simple-instance/files/oci-ubuntu-install.sh | 46 +++++ simple-instance/network.tf | 54 ++++++ simple-instance/output.tf | 3 + simple-instance/provider.tf | 7 + simple-instance/security.tf | 76 ++++++++ simple-instance/vars.tf | 63 +++++++ 36 files changed, 1786 insertions(+) create mode 100644 instance-pool/.terraform.lock.hcl create mode 100644 instance-pool/README.md create mode 100644 instance-pool/data.tf create mode 100644 instance-pool/files/oci-ubuntu-install.sh create mode 100644 instance-pool/instancepool.tf create mode 100644 instance-pool/lb.tf create mode 100644 instance-pool/network.tf create mode 100644 instance-pool/output.tf create mode 100644 instance-pool/provider.tf create mode 100644 instance-pool/security.tf create mode 100644 
instance-pool/template.tf create mode 100644 instance-pool/vars.tf create mode 100644 k3s-cluster/.terraform.lock.hcl create mode 100644 k3s-cluster/README.md create mode 100644 k3s-cluster/data.tf create mode 100644 k3s-cluster/files/k3s-install-agent.sh create mode 100644 k3s-cluster/files/k3s-install-server.sh create mode 100644 k3s-cluster/k3s-agents.tf create mode 100644 k3s-cluster/k3s-server.tf create mode 100644 k3s-cluster/lb.tf create mode 100644 k3s-cluster/network.tf create mode 100644 k3s-cluster/output.tf create mode 100644 k3s-cluster/provider.tf create mode 100644 k3s-cluster/security.tf create mode 100644 k3s-cluster/template.tf create mode 100644 k3s-cluster/vars.tf create mode 100644 simple-instance/.terraform.lock.hcl create mode 100644 simple-instance/README.md create mode 100644 simple-instance/compute.tf create mode 100644 simple-instance/data.tf create mode 100644 simple-instance/files/oci-ubuntu-install.sh create mode 100644 simple-instance/network.tf create mode 100644 simple-instance/output.tf create mode 100644 simple-instance/provider.tf create mode 100644 simple-instance/security.tf create mode 100644 simple-instance/vars.tf diff --git a/instance-pool/.terraform.lock.hcl b/instance-pool/.terraform.lock.hcl new file mode 100644 index 0000000..43373d9 --- /dev/null +++ b/instance-pool/.terraform.lock.hcl 
@@ -0,0 +1,36 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/oci" { + version = "4.49.0" + hashes = [ + "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", + "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", + "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", + "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", + "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", + "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", + "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", + "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", + "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", + "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", + "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/instance-pool/README.md b/instance-pool/README.md new file mode 100644 index 0000000..db5cb97 
--- /dev/null +++ b/instance-pool/README.md 
@@ -0,0 +1,113 @@ +# Instance pool with network load balancer + +This example will deploy: + +* one instance configuration used by the instance pool +* one instance pool +* two Oracle compute instances launched by the instance pool +* one network load balancer, that will route the traffic from the internet to our instance pool instances + +The network load balancer is made by: + +* one listener (port 80) +* one backed set +* one backed for each of the instances in the instance pool + +### Extra variables + +In this example an extra variable is used: + +* fault_domains. This variable is a list of fault domains where our instance pool will deploy our instances +* instance_pool_size. Number of instances to launch in the instance pool + +### Deploy + +To deploy the infrastructure: + +``` +terraform init + +terraform plan + +terraform apply +``` + +wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip addresses of the instances and the public ip address of the network load balancer: + +``` +Apply complete! Resources: 14 added, 0 changed, 0 destroyed. + +Outputs: + +instances_ips = [ + "152.x.x.x", + "152.x.x.x", +] +lb_ip = tolist([ + { + "ip_address" = "152.x.x.x" + "is_public" = true + "reserved_ip" = tolist([]) + }, +]) +``` + +now you can ssh into the machine: + +``` +ssh ubuntu@152.x.x.x + +... +35 updates can be applied immediately. +25 of these updates are standard security updates. +To see these additional updates run: apt list --upgradable + + + +The programs included with the Ubuntu system are free software; +the exact distribution terms for each program are described in the +individual files in /usr/share/doc/*/copyright. + +Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by +applicable law. + +To run a command as administrator (user "root"), use "sudo ". +See "man sudo_root" for details. 
+ +ubuntu@inst-ikudx-ubuntu-instance-pool:~$ +``` + +Test the connection to the load balancer: + +``` +curl -v 152.x.x.x +* Trying 152.x.x.x:80... +* TCP_NODELAY set +* Connected to 152.x.x.x (152.x.x.x) port 80 (#0) +> GET / HTTP/1.1 +> Host: 152.x.x.x +> User-Agent: curl/7.68.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 200 OK +< Server: nginx/1.18.0 (Ubuntu) +< Date: Wed, 27 Oct 2021 15:39:51 GMT +< Content-Type: text/html +< Content-Length: 672 +< Last-Modified: Wed, 27 Oct 2021 15:33:26 GMT +< Connection: keep-alive +< ETag: "61797146-2a0" +< Accept-Ranges: bytes +... +... +... +``` + +**NOTE** You have to wait all the backends to be in HEALTH state before reaching successfully the load balancer. + +### Cleanup + +``` +terraform destroy +``` \ No newline at end of file diff --git a/instance-pool/data.tf b/instance-pool/data.tf new file mode 100644 index 0000000..01f632f --- /dev/null +++ b/instance-pool/data.tf @@ -0,0 +1,22 @@ +data "template_cloudinit_config" "ubuntu_init" { + gzip = true + base64_encode = true + + part { + content_type = "text/x-shellscript" + content = templatefile("${path.module}/files/oci-ubuntu-install.sh", {}) + } +} + +data "oci_core_instance_pool_instances" "ubuntu_instance_pool_instances" { + depends_on = [ + oci_core_instance_pool.ubuntu_instance_pool, + ] + compartment_id = var.compartment_ocid + instance_pool_id = oci_core_instance_pool.ubuntu_instance_pool.id +} + +data "oci_core_instance" "ubuntu_instance_pool_instances_ips" { + count = var.instance_pool_size + instance_id = data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances.instances[count.index].id +} \ No newline at end of file diff --git a/instance-pool/files/oci-ubuntu-install.sh b/instance-pool/files/oci-ubuntu-install.sh new file mode 100644 index 0000000..461dfb9 --- /dev/null +++ b/instance-pool/files/oci-ubuntu-install.sh 
@@ -0,0 +1,46 @@ +#!/bin/bash + +apt-get update +apt-get -y upgrade +apt-get -y install nginx + +systemctl enable nginx +systemctl start nginx + +hostname=$(hostname) + +cat < /var/www/html/index.nginx-debian.html + + + +Welcome to nginx! + + + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

Thank you for using nginx.

+

Hello from: $hostname

+ + +EOF + +# Disable firewall +/usr/sbin/netfilter-persistent stop +/usr/sbin/netfilter-persistent flush + +systemctl stop netfilter-persistent.service +systemctl disable netfilter-persistent.service \ No newline at end of file diff --git a/instance-pool/instancepool.tf b/instance-pool/instancepool.tf new file mode 100644 index 0000000..66ce753 --- /dev/null +++ b/instance-pool/instancepool.tf @@ -0,0 +1,23 @@ +resource "oci_core_instance_pool" "ubuntu_instance_pool" { + + lifecycle { + create_before_destroy = true + ignore_changes = [load_balancers, freeform_tags] + } + + display_name = "ubuntu-instance-pool" + compartment_id = var.compartment_ocid + instance_configuration_id = oci_core_instance_configuration.ubuntu_template.id + + placement_configurations { + availability_domain = var.availability_domain + primary_subnet_id = oci_core_subnet.default_oci_core_subnet10.id + fault_domains = var.fault_domains + } + + size = var.instance_pool_size + + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} \ No newline at end of file diff --git a/instance-pool/lb.tf b/instance-pool/lb.tf new file mode 100644 index 0000000..67e966d --- /dev/null +++ b/instance-pool/lb.tf 
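Review bot: The "Disable firewall" block at the end stops, flushes and disables netfilter-persistent to make port 80 reachable, which throws away the whole host rule set instead of opening the one port nginx needs; after that the only filter left is the security list, whose VCN rule admits every protocol. A narrower change keeps the image's rules and persists a single accept, e.g. `iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT` followed by `netfilter-persistent save` (the insert position must land before the image's REJECT rule; confirm with `iptables -L INPUT --line-numbers`). Separately, the here-doc line as rendered in this chunk reads `cat < /var/www/html/index.nginx-debian.html`, which would read the file rather than write it; the committed script presumably has `cat <<EOF > /var/www/html/index.nginx-debian.html`, which is worth confirming since the markup in the body was also stripped here.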
@@ -0,0 +1,50 @@ +resource "oci_network_load_balancer_network_load_balancer" "test_network_load_balancer" { + depends_on = [ + oci_core_instance_pool.ubuntu_instance_pool, + ] + + compartment_id = var.compartment_ocid + display_name = "Test Network LB" + subnet_id = oci_core_subnet.oci_core_subnet11.id + + is_private = false + is_preserve_source_destination = false + + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + +resource "oci_network_load_balancer_listener" "test_listener" { + #Required + default_backend_set_name = oci_network_load_balancer_backend_set.test_backend_set.name + name = "LB test listener" + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + port = 80 + protocol = "TCP" +} + +resource "oci_network_load_balancer_backend_set" "test_backend_set" { + health_checker { + protocol = "TCP" + port = 80 + } + + name = "Backend set test" + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + policy = "FIVE_TUPLE" + is_preserve_source = true +} + +resource "oci_network_load_balancer_backend" "test_backend" { + depends_on = [ + oci_core_instance_pool.ubuntu_instance_pool, + ] + + count = var.instance_pool_size + backend_set_name = oci_network_load_balancer_backend_set.test_backend_set.name + network_load_balancer_id = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.id + port = 80 + + target_id = data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances.instances[count.index].id +} \ No newline at end of file diff --git a/instance-pool/network.tf b/instance-pool/network.tf new file mode 100644 index 0000000..38beb6a --- /dev/null +++ b/instance-pool/network.tf 
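Review bot: `is_preserve_source = true` on the backend set means the backends see the original client address, so the instances' security list has to admit port 80 from `0.0.0.0/0` (which `custom_security_list` in this commit does) and the NLB can never be the only way in; combined with the pool's public IPs, every backend is directly reachable from the internet on port 80, bypassing the load balancer. If the client address is not needed on the backends, `is_preserve_source = false` lets the NLB source the connections itself and the instance-side rule can be narrowed to the LB subnet, `source = var.oci_core_subnet_cidr11`. The health check is a bare TCP probe on port 80; `protocol = "HTTP"` with `url_path = "/"` and `return_code = 200` would also detect an nginx that accepts connections but is misconfigured.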
@@ -0,0 +1,55 @@ +resource "oci_core_vcn" "default_oci_core_vcn" { + cidr_block = var.oci_core_vcn_cidr + compartment_id = var.compartment_ocid + display_name = "Default OCI core vcn" + dns_label = "defaultvcn" + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + +resource "oci_core_subnet" "default_oci_core_subnet10" { + cidr_block = var.oci_core_subnet_cidr10 + compartment_id = var.compartment_ocid + display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet" + dns_label = "defaultsubnet10" + route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id + vcn_id = oci_core_vcn.default_oci_core_vcn.id + security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + +resource "oci_core_subnet" "oci_core_subnet11" { + cidr_block = var.oci_core_subnet_cidr11 + compartment_id = var.compartment_ocid + display_name = "${var.oci_core_subnet_cidr11} OCI core subnet" + dns_label = "defaultsubnet11" + route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id + vcn_id = oci_core_vcn.default_oci_core_vcn.id + security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id] + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + + +resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" { + compartment_id = var.compartment_ocid + display_name = "Internet Gateway Default OCI core vcn" + enabled = "true" + vcn_id = oci_core_vcn.default_oci_core_vcn.id + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + +resource "oci_core_default_route_table" "default_oci_core_default_route_table" { + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = 
oci_core_internet_gateway.default_oci_core_internet_gateway.id + } + manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id +} \ No newline at end of file diff --git a/instance-pool/output.tf b/instance-pool/output.tf new file mode 100644 index 0000000..fea9431 --- /dev/null +++ b/instance-pool/output.tf @@ -0,0 +1,10 @@ +output "instances_ips" { + depends_on = [ + data.oci_core_instance_pool_instances.ubuntu_instance_pool_instances, + ] + value = data.oci_core_instance.ubuntu_instance_pool_instances_ips.*.private_ip +} + +output "lb_ip" { + value = oci_network_load_balancer_network_load_balancer.test_network_load_balancer.ip_addresses +} \ No newline at end of file diff --git a/instance-pool/provider.tf b/instance-pool/provider.tf new file mode 100644 index 0000000..7a78460 --- /dev/null +++ b/instance-pool/provider.tf @@ -0,0 +1,7 @@ +provider "oci" { + tenancy_ocid = var.tenancy_ocid + user_ocid = var.user_ocid + private_key_path = var.private_key_path + fingerprint = var.fingerprint + region = var.region +} \ No newline at end of file diff --git a/instance-pool/security.tf b/instance-pool/security.tf new file mode 100644 index 0000000..37064fe --- /dev/null +++ b/instance-pool/security.tf 
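Review bot: Both subnets use the default route table whose only rule sends `0.0.0.0/0` to the internet gateway, so the instance subnet `default_oci_core_subnet10` is a public subnet just like the LB subnet, and nothing at the subnet level prevents a VNIC there from receiving a public IP. Since the instances only need outbound access for apt, the tighter layout is a NAT gateway on a second route table for subnet10 and `prohibit_public_ip_on_vnic = true` on that subnet, leaving the NLB as the single public address. Both subnets also attach the same two security lists, so the LB subnet inherits the SSH and ICMP rules it never uses; a separate list per subnet keeps each one minimal.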
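Review bot: The `instances_ips` output returns `private_ip`, but the README added in this same commit describes these values as the instances' public addresses and shows `ssh ubuntu@152.x.x.x` against them, so a reader copying the output will get unroutable 10.0.0.x addresses. Either the README should say private addresses, or the output should be `value = data.oci_core_instance.ubuntu_instance_pool_instances_ips.*.public_ip`; a `description` on each output stating which address family it is would prevent the drift from recurring.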
@@ -0,0 +1,76 @@ +resource "oci_core_default_security_list" "default_security_list" { + compartment_id = var.compartment_ocid + manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id + + display_name = "Default security list" + egress_security_rules { + destination = "0.0.0.0/0" + protocol = "all" + } + + ingress_security_rules { + protocol = 1 # icmp + source = var.my_public_ip_address + + description = "Allow icmp from ${var.my_public_ip_address}" + + } + + ingress_security_rules { + protocol = 6 # tcp + source = var.my_public_ip_address + + description = "Allow SSH from ${var.my_public_ip_address}" + + tcp_options { + min = 22 + max = 22 + } + } + + ingress_security_rules { + protocol = 6 # tcp + source = var.my_public_ip_address + + description = "Allow HTTP from ${var.my_public_ip_address}" + + tcp_options { + min = 80 + max = 80 + } + } + + ingress_security_rules { + protocol = "all" + source = var.oci_core_vcn_cidr + + description = "Allow all from vcn subnet" + } + + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} + +resource "oci_core_security_list" "custom_security_list" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.default_oci_core_vcn.id + + display_name = "Custom security list" + + ingress_security_rules { + protocol = 6 # tcp + source = "0.0.0.0/0" + + description = "Allow HTTP from all" + + tcp_options { + min = 80 + max = 80 + } + } + + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } +} \ No newline at end of file diff --git a/instance-pool/template.tf b/instance-pool/template.tf new file mode 100644 index 0000000..b8fe4f8 --- /dev/null +++ b/instance-pool/template.tf 
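Review bot: The ICMP, SSH and HTTP rules in `default_security_list` use `var.my_public_ip_address` verbatim as `source`, and that variable's declaration in this commit defaults to `""`, so the apply fails unless a value is supplied and nothing stops a caller from passing `0.0.0.0/0` and making SSH world-reachable; a `validation` block on the variable requiring a `/32` CIDR would catch both. The "Allow all from vcn subnet" rule admits every protocol and port from the whole `10.0.0.0/16`; in the k3s layout the same list fronts the control plane, so listing the ports the cluster actually needs (22, 6443, plus the flannel and kubelet ports k3s documents) is the least-privilege form. `custom_security_list` opens port 80 from everywhere and is attached to the instance subnet as well as the LB subnet, which is what makes the backends directly reachable; it belongs on the LB subnet only unless direct access is intended.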
@@ -0,0 +1,61 @@ +resource "oci_core_instance_configuration" "ubuntu_template" { + + compartment_id = var.compartment_ocid + display_name = "Ubuntu 20.04 instance config" + freeform_tags = { + "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}" + } + instance_details { + + instance_type = "compute" + + launch_details { + + #Optional + agent_config { + is_management_disabled = "false" + is_monitoring_disabled = "false" + + plugins_config { + desired_state = "DISABLED" + name = "Vulnerability Scanning" + } + + plugins_config { + desired_state = "ENABLED" + name = "Compute Instance Monitoring" + } + + plugins_config { + desired_state = "DISABLED" + name = "Bastion" + } + } + + availability_domain = var.availability_domain + compartment_id = var.compartment_ocid + + create_vnic_details { + assign_public_ip = true + subnet_id = oci_core_subnet.default_oci_core_subnet10.id + } + + display_name = "Ubuntu Template" + + metadata = { + "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY) + "user_data" = data.template_cloudinit_config.ubuntu_init.rendered + } + + shape = "VM.Standard.A1.Flex" + shape_config { + memory_in_gbs = "6" + ocpus = "1" + } + source_details { + image_id = var.os_image_id + source_type = "image" + } + } + } +} \ No newline at end of file diff --git a/instance-pool/vars.tf b/instance-pool/vars.tf new file mode 100644 index 0000000..40263a0 --- /dev/null +++ b/instance-pool/vars.tf 
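Review bot: `create_vnic_details` sets `assign_public_ip = true`, so every pool instance gets its own internet-reachable address in addition to the NLB; unless direct SSH to the backends is the intent, `assign_public_ip = false` (with a NAT gateway for apt) removes that exposure. Unlike `k3s-server.tf` in this same commit, `launch_details` sets neither `is_pv_encryption_in_transit_enabled = true` nor `instance_options { are_legacy_imds_endpoints_disabled = true }`; the cloud-init script for this pool never queries IMDS, so disabling the unauthenticated v1 endpoint costs nothing and stops a local process from reading `user_data` without the v2 header (confirm the provider version in the lock file accepts `instance_options` inside `launch_details`). The `Vulnerability Scanning` plugin is explicitly disabled; a one-line comment on why is worth adding so it is not copied into non-tutorial deployments by default.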
@@ -0,0 +1,68 @@ +variable "compartment_ocid" { + +} + +variable "tenancy_ocid" { + +} + +variable "region" { + default = "" +} + +variable "user_ocid" { + +} + +variable "fingerprint" { + +} + +variable "private_key_path" { + +} + +variable "availability_domain" { + default = "" +} + +variable "fault_domains" { + type = list(any) + default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"] +} + +variable "PATH_TO_PUBLIC_KEY" { + default = "~/.ssh/id_rsa.pub" +} + +variable "os_image_id" { + default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04 +} + +variable "oci_core_vcn_cidr" { + default = "10.0.0.0/16" +} + +variable "oci_core_subnet_cidr10" { + default = "10.0.0.0/24" +} + +variable "oci_core_subnet_cidr11" { + default = "10.0.1.0/24" +} + +variable "instance_pool_size" { + default = 2 +} + +variable "tutorial_tag_key" { + default = "oracle-tutorial" +} + +variable "tutorial_tag_value" { + default = "terraform" +} + +variable "my_public_ip_address" { + default = "" +} \ No newline at end of file diff --git a/k3s-cluster/.terraform.lock.hcl b/k3s-cluster/.terraform.lock.hcl new file mode 100644 index 0000000..deb0221 --- /dev/null +++ b/k3s-cluster/.terraform.lock.hcl 
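Review bot: `my_public_ip_address` defaults to `""` and carries no `type`, `description` or `validation`, yet it is the only thing keeping the SSH rule in `security.tf` from being world-reachable; it should have no default and reject anything but a single-host CIDR. `os_image_id` is hard-coded to an `eu-zurich-1` image OCID while `region` defaults to `""`, so a deploy in any other region fails at apply time; a `description` stating the coupling, or an `oci_core_images` data lookup, would make that explicit. None of the credential variables (`user_ocid`, `fingerprint`, `private_key_path`) have descriptions; a short description and `type = string` per variable makes `terraform plan` errors and the README self-explanatory.

```hcl
variable "my_public_ip_address" {
  type        = string
  description = "Your public address as a single-host CIDR (e.g. 203.0.113.4/32); the only source allowed for SSH/ICMP/HTTP in the default security list."
  validation {
    condition     = can(cidrhost(var.my_public_ip_address, 0)) && can(regex("/32$", var.my_public_ip_address))
    error_message = "my_public_ip_address must be a single host CIDR, e.g. 203.0.113.4/32."
  }
}
# … unchanged: remaining variable declarations …
```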
@@ -0,0 +1,54 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/oci" { + version = "4.49.0" + hashes = [ + "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", + "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", + "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", + "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", + "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", + "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", + "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", + "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", + "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", + "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", + "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.0" + hashes = [ + "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", + "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", + "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", + "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", + "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", + "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", + "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", + "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", + "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", + "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", + "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", + "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + ] +} + +provider 
"registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/k3s-cluster/README.md b/k3s-cluster/README.md new file mode 100644 index 0000000..d1b29ac --- /dev/null +++ b/k3s-cluster/README.md 
@@ -0,0 +1,181 @@ +# k3s cluster + +This example will deploy: + +* one Oracle compute instance, k3s-server +* one instance configuration used by the instance pool +* one instance pool +* three Oracle compute instances launched by the instance pool, k3s-agents +* one network load balancer, that will route the traffic from the internet to our instance pool instances + +The network load balancer is made by: + +* two listener (port 80, and 443) +* two backed set, one for the http listener and one for the https listener +* one backed for each of the instances in the instance pool + +The traffic is routed from the internet to the traefik ingress controller. + +### Extra variables + +In this example an extra variable is used: + +* k3s_server_private_ip, private ip address that will be associated to the k3s-server +* fault_domains, this variable is a list of fault domains where our instance pool will deploy our instances +* instance_pool_size, number of instances to launch in the instance pool. Number of k3s agents to deploy +* k3s_token, token used to install the k3s cluster +* install_longhorn, boolean value, if true (default) will install [longhorn](https://longhorn.io/) block storage +* longhorn_release, longorn release version + +### Deploy + +To deploy the infrastructure: + +``` +terraform init + +terraform plan + +terraform apply +``` + +wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip addresses of the k3s-server instance, the public ip addresses of the k3s-agents instances and the public ip address of the network load balancer: + +``` +Apply complete! Resources: 14 added, 0 changed, 0 destroyed. 
+ +Outputs: + +k3s_server_ip = "152.x.x.x" +k3s_agents_ips = [ + "152.x.x.x", + "152.x.x.x", + "152.x.x.x", +] +lb_ip = tolist([ + { + "ip_address" = "133.x.x.x" + "is_public" = true + "reserved_ip" = tolist([]) + }, +]) +``` + +now you can ssh into the k3s-server machine: + +``` +ssh ubuntu@152.x.x.x + +... +35 updates can be applied immediately. +25 of these updates are standard security updates. +To see these additional updates run: apt list --upgradable + + + +The programs included with the Ubuntu system are free software; +the exact distribution terms for each program are described in the +individual files in /usr/share/doc/*/copyright. + +Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by +applicable law. + +To run a command as administrator (user "root"), use "sudo ". +See "man sudo_root" for details. + +ubuntu@k3s-server:~$ +``` + +Test the connection to the load balancer: + +``` +curl -v http://132.x.x.x/ +* Trying 132.x.x.x:80... +* TCP_NODELAY set +* Connected to 132.x.x.x (132.x.x.x) port 80 (#0) +> GET / HTTP/1.1 +> Host: 132.x.x.x +> User-Agent: curl/7.68.0 +> Accept: */* +> +* Mark bundle as not supporting multiuse +< HTTP/1.1 404 Not Found +< Content-Type: text/plain; charset=utf-8 +< X-Content-Type-Options: nosniff +< Date: Wed, 27 Oct 2021 13:20:05 GMT +< Content-Length: 19 +< +404 page not found +* Connection #0 to host 132.x.x.x left intact +``` + +**NOTE** You have to wait all the backends to be in HEALTH state before reaching successfully the load balancer. + +**NOTE 2** 404 is a correct response since there are no deployment yet + +### Cluster management + +To manage the cluster, open a ssh connection to the k3s-server. 
+ +**List the nodes** + +``` +root@k3s-server:~# kubectl get nodes +NAME STATUS ROLES AGE VERSION +inst-vr4sv-k3s-agents Ready 23m v1.21.5+k3s2 +inst-zkcyl-k3s-agents Ready 23m v1.21.5+k3s2 +k3s-server Ready control-plane,master 23m v1.21.5+k3s2 +inst-fhayc-k3s-agents Ready 23m v1.21.5+k3s2 +``` + +**Get the pods running on kube-system namespace** + +``` +kubectl get pods -n kube-system +NAME READY STATUS RESTARTS AGE +coredns-7448499f4d-jwgzt 1/1 Running 0 34m +metrics-server-86cbb8457f-qjgr9 1/1 Running 0 34m +local-path-provisioner-5ff76fc89d-56c7n 1/1 Running 0 34m +helm-install-traefik-crd-9ftr8 0/1 Completed 0 34m +helm-install-traefik-2v48n 0/1 Completed 2 34m +svclb-traefik-2x9q9 2/2 Running 0 33m +svclb-traefik-d72cf 2/2 Running 0 33m +svclb-traefik-jq5wv 2/2 Running 0 33m +svclb-traefik-xnhgs 2/2 Running 0 33m +traefik-97b44b794-4dz2x 1/1 Running 0 33m +``` + +**Get the pods running on longhorn-system namespace (optional)** + +``` +root@k3s-server:~# kubectl get pods -n longhorn-system +NAME READY STATUS RESTARTS AGE +longhorn-ui-788fd8cf9d-76x84 1/1 Running 0 29m +longhorn-manager-97vzd 1/1 Running 0 29m +longhorn-driver-deployer-5dff5c7554-c7wbk 1/1 Running 0 29m +longhorn-manager-sq2xn 1/1 Running 1 29m +csi-attacher-75588bff58-xv9sn 1/1 Running 0 28m +csi-resizer-5c88bfd4cf-ngm2j 1/1 Running 0 28m +engine-image-ei-d4c780c6-ktvs7 1/1 Running 0 28m +csi-provisioner-669c8cc698-mqvjx 1/1 Running 0 28m +longhorn-csi-plugin-9x5wj 2/2 Running 0 28m +engine-image-ei-d4c780c6-r7r2t 1/1 Running 0 28m +csi-provisioner-669c8cc698-tvs9r 1/1 Running 0 28m +csi-resizer-5c88bfd4cf-h8g6w 1/1 Running 0 28m +instance-manager-e-7aca498c 1/1 Running 0 28m +instance-manager-r-98153684 1/1 Running 0 28m +longhorn-csi-plugin-wf24d 2/2 Running 0 28m +csi-snapshotter-69f8bc8dcf-n85hq 1/1 Running 0 28m +longhorn-csi-plugin-82hv5 2/2 Running 0 28m +longhorn-csi-plugin-rlcw2 2/2 Running 0 28m +longhorn-manager-rttww 1/1 Running 1 29m +instance-manager-e-e43d97f9 1/1 Running 0 28m 
+longhorn-manager-47zxl 1/1 Running 1 29m +instance-manager-r-de0dc83b 1/1 Running 0 28m +engine-image-ei-d4c780c6-hp4mb 1/1 Running 0 28m +engine-image-ei-d4c780c6-hcwpg 1/1 Running 0 28m +instance-manager-r-464299ad 1/1 Running 0 28m +instance-manager-e-ccb8666b 1/1 Running 0 28m +instance-manager-r-3b35070e 1/1 Running 0 28m +instance-manager-e-9d117ead 1/1 Running 0 28m +``` \ No newline at end of file diff --git a/k3s-cluster/data.tf b/k3s-cluster/data.tf new file mode 100644 index 0000000..ca5b70a --- /dev/null +++ b/k3s-cluster/data.tf @@ -0,0 +1,32 @@ +data "template_cloudinit_config" "k3s_server_tpl" { + gzip = true + base64_encode = true + + part { + content_type = "text/x-shellscript" + content = templatefile("${path.module}/files/k3s-install-server.sh", { k3s_token = var.k3s_token, is_k3s_server = true, k3s_url = var.k3s_server_private_ip, install_longhorn = var.install_longhorn, longhorn_release = var.longhorn_release }) + } +} + +data "template_cloudinit_config" "k3s_agent_tpl" { + gzip = true + base64_encode = true + + part { + content_type = "text/x-shellscript" + content = templatefile("${path.module}/files/k3s-install-agent.sh", { k3s_token = var.k3s_token, is_k3s_server = false, k3s_url = var.k3s_server_private_ip }) + } +} + +data "oci_core_instance_pool_instances" "k3s_agents_instances" { + depends_on = [ + oci_core_instance_pool.k3s_agents, + ] + compartment_id = var.compartment_ocid + instance_pool_id = oci_core_instance_pool.k3s_agents.id +} + +data "oci_core_instance" "k3s_agents_instances_ips" { + count = var.instance_pool_size + instance_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id +} \ No newline at end of file diff --git a/k3s-cluster/files/k3s-install-agent.sh b/k3s-cluster/files/k3s-install-agent.sh new file mode 100644 index 0000000..0a3e43d --- /dev/null +++ b/k3s-cluster/files/k3s-install-agent.sh 
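Review bot: `var.k3s_token` is rendered into both cloud-init documents in `k3s_server_tpl` and `k3s_agent_tpl`, so the cluster join secret ends up in instance `user_data` and, because `template_cloudinit_config` is a data source whose result is recorded, in the Terraform state in plaintext; the variable should be declared `sensitive = true` (its declaration in `vars.tf` is outside this chunk, so I cannot confirm it is) and the state kept in an encrypted remote backend. The token is also spliced unquoted into a shell command line in both install scripts, so a value with shell metacharacters would break or alter the command; generating it with `random_password` (the `random` provider is already in this commit's lock file) and `special = false` avoids that class of value. `is_k3s_server = true` is passed to the server template only; the agent template never references it, so the flag can be dropped from the server call too since that template is only ever rendered as the server.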
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Disable firewall
+/usr/sbin/netfilter-persistent stop
+/usr/sbin/netfilter-persistent flush
+
+systemctl stop netfilter-persistent.service
+systemctl disable netfilter-persistent.service
+
+# END Disable firewall
+
+apt-get update
+apt-get install -y software-properties-common jq
+DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
+
+local_ip=$(curl -s -H "Authorization: Bearer Oracle" -L http://169.254.169.254/opc/v2/vnics/ | jq -r '.[0].privateIp')
+flannel_iface=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
+
+until (curl -sfL https://get.k3s.io | K3S_TOKEN=${k3s_token} K3S_URL=https://${k3s_url}:6443 sh -s - --node-ip $local_ip --flannel-iface $flannel_iface); do
+ echo 'k3s did not install correctly'
+ sleep 2
+done
\ No newline at end of file
diff --git a/k3s-cluster/files/k3s-install-server.sh b/k3s-cluster/files/k3s-install-server.sh
new file mode 100644
index 0000000..bdbdce7
--- /dev/null
+++ b/k3s-cluster/files/k3s-install-server.sh
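Review bot: The retry loop `until (curl -sfL https://get.k3s.io | … sh -s - …)` only sees the exit status of `sh`, so when the download fails `sh` reads empty input, exits 0, and the loop ends with no k3s installed; add `set -o pipefail` at the top of the script (or download to a file and check curl's status before running it). The installer is fetched unpinned and run as root; setting `INSTALL_K3S_VERSION=v1.21.5+k3s2` (the version the README output in this commit shows) gives reproducible nodes and lets the installer's own checksum verification apply to a known release. `K3S_TOKEN=${k3s_token}` and `K3S_URL=https://${k3s_url}:6443` are unquoted template interpolations, so the token value must be free of shell metacharacters; either constrain it at the variable or quote it as `K3S_TOKEN='${k3s_token}'`. The firewall is disabled wholesale here as in the instance-pool script; opening only the k3s ports and saving the rules would keep host-level filtering.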
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Disable firewall
+/usr/sbin/netfilter-persistent stop
+/usr/sbin/netfilter-persistent flush
+
+systemctl stop netfilter-persistent.service
+systemctl disable netfilter-persistent.service
+
+# END Disable firewall
+
+apt-get update
+apt-get install -y software-properties-common jq
+DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
+
+local_ip=$(curl -s -H "Authorization: Bearer Oracle" -L http://169.254.169.254/opc/v2/vnics/ | jq -r '.[0].privateIp')
+flannel_iface=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
+
+echo "Cluster init!"
+until (curl -sfL https://get.k3s.io | K3S_TOKEN=${k3s_token} sh -s - --node-ip $local_ip --advertise-address $local_ip --flannel-iface $flannel_iface); do
+ echo 'k3s did not install correctly'
+ sleep 2
+done
+
+%{ if is_k3s_server }
+until kubectl get pods -A | grep 'Running'; do
+ echo 'Waiting for k3s startup'
+ sleep 5
+done
+
+%{ if install_longhorn }
+wget https://raw.githubusercontent.com/longhorn/longhorn/${longhorn_release}/deploy/longhorn.yaml
+sed -i 's/#- name: KUBELET_ROOT_DIR/- name: KUBELET_ROOT_DIR/g' longhorn.yaml
+sed -i 's/# value: \/var\/lib\/rancher\/k3s\/agent\/kubelet/ value: \/var\/lib\/kubelet/g' longhorn.yaml
+
+kubectl apply -f longhorn.yaml
+%{ endif }
+
+%{ endif }
\ No newline at end of file
diff --git a/k3s-cluster/k3s-agents.tf b/k3s-cluster/k3s-agents.tf
new file mode 100644
index 0000000..be22306
--- /dev/null
+++ b/k3s-cluster/k3s-agents.tf
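Review bot: The `wget https://raw.githubusercontent.com/longhorn/longhorn/${longhorn_release}/deploy/longhorn.yaml` line is not checked for success and the manifest is applied with cluster-admin rights without any integrity check; if the download fails, both `sed` edits run on a missing file and `kubectl apply -f longhorn.yaml` errors out unnoticed inside cloud-init, so at least `wget -O longhorn.yaml "…" || exit 1` and ideally a pinned checksum compared with `sha256sum -c` before the apply. The `curl -sfL https://get.k3s.io | … sh -s -` retry loop has the same masking problem as the agent script: without `set -o pipefail` a failed download makes `sh` exit 0 and the loop stops. The `%{ if is_k3s_server }` guard is always true for this template (the data source in this commit passes `is_k3s_server = true` to it and nothing else renders it), so the outer conditional is dead and can be removed to keep the script readable.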
@@ -0,0 +1,24 @@
+resource "oci_core_instance_pool" "k3s_agents" {
+
+ lifecycle {
+ create_before_destroy = true
+ ignore_changes = [load_balancers, freeform_tags]
+ }
+
+ display_name = "k3s-agents"
+ compartment_id = var.compartment_ocid
+ instance_configuration_id = oci_core_instance_configuration.k3s_agent_template.id
+
+ placement_configurations {
+ availability_domain = var.availability_domain
+ primary_subnet_id = oci_core_subnet.default_oci_core_subnet10.id
+ fault_domains = var.fault_domains
+ }
+
+ size = var.instance_pool_size
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}",
+ "k3s-cluster" = "agent"
+ }
+}
\ No newline at end of file
diff --git a/k3s-cluster/k3s-server.tf b/k3s-cluster/k3s-server.tf
new file mode 100644
index 0000000..bee9ba8
--- /dev/null
+++ b/k3s-cluster/k3s-server.tf
@@ -0,0 +1,65 @@
+resource "oci_core_instance" "k3s_server" {
+ agent_config {
+ is_management_disabled = "false"
+ is_monitoring_disabled = "false"
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Vulnerability Scanning"
+ }
+
+ plugins_config {
+ desired_state = "ENABLED"
+ name = "Compute Instance Monitoring"
+ }
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Bastion"
+ }
+ }
+
+ availability_config {
+ recovery_action = "RESTORE_INSTANCE"
+ }
+
+ availability_domain = var.availability_domain
+ compartment_id = var.compartment_ocid
+ fault_domain = var.default_fault_domain
+
+ create_vnic_details {
+ assign_private_dns_record = "true"
+ assign_public_ip = "true"
+ subnet_id = oci_core_subnet.default_oci_core_subnet10.id
+ private_ip = var.k3s_server_private_ip
+ }
+
+ display_name = "k3s-server"
+
+ instance_options {
+ are_legacy_imds_endpoints_disabled = "false"
+ }
+
+ is_pv_encryption_in_transit_enabled = "true"
+
+ metadata = {
+ "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY)
+ "user_data" = data.template_cloudinit_config.k3s_server_tpl.rendered
+ }
+
+ shape = "VM.Standard.A1.Flex"
+ shape_config {
+ memory_in_gbs = "6"
+ ocpus = "1"
+ }
+
+ source_details {
+ source_id = var.os_image_id
+ source_type = "image"
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ "k3s-cluster" = "server"
+ }
+}
\ No newline at end of file
diff --git a/k3s-cluster/lb.tf b/k3s-cluster/lb.tf
new file mode 100644
index 0000000..fbe9c2b
--- /dev/null
+++ b/k3s-cluster/lb.tf
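Review bot: `are_legacy_imds_endpoints_disabled = "false"` in `instance_options` keeps the unauthenticated IMDS v1 endpoints enabled even though both cloud-init scripts already query `/opc/v2/` with the `Authorization: Bearer Oracle` header; set it to `"true"` so only the header-authenticated v2 path serves instance metadata, which is where the rendered `user_data` in the `metadata` block — carrying the k3s token — is exposed to anything running on the node. The same setting appears in the `launch_details` of k3s-cluster/template.tf and in simple-instance/compute.tf. The "Vulnerability Scanning" plugin is set to `DISABLED` for the control-plane node; if that is deliberate for a tutorial, a one-line comment saying so saves a reviewer from flagging it. Booleans are written as quoted strings here (`"false"`, `"true"`) while template.tf uses a bare `true` for `assign_public_ip`; pick one form across the module.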
@@ -0,0 +1,82 @@
+resource "oci_network_load_balancer_network_load_balancer" "k3s_load_balancer" {
+ depends_on = [
+ oci_core_instance_pool.k3s_agents,
+ ]
+
+ compartment_id = var.compartment_ocid
+ display_name = "k3s load balancer"
+ subnet_id = oci_core_subnet.oci_core_subnet11.id
+
+ is_private = false
+ is_preserve_source_destination = false
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_network_load_balancer_listener" "k3s_http_listener" {
+ default_backend_set_name = oci_network_load_balancer_backend_set.k3s_http_backend_set.name
+ name = "k3s http listener"
+ network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ port = 80
+ protocol = "TCP"
+}
+
+resource "oci_network_load_balancer_listener" "k3s_https_listener" {
+ default_backend_set_name = oci_network_load_balancer_backend_set.k3s_https_backend_set.name
+ name = "k3s https listener"
+ network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ port = 443
+ protocol = "TCP"
+}
+
+resource "oci_network_load_balancer_backend_set" "k3s_http_backend_set" {
+ health_checker {
+ protocol = "TCP"
+ port = 80
+ }
+
+ name = "k3s http backend"
+ network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ policy = "FIVE_TUPLE"
+ is_preserve_source = true
+}
+
+resource "oci_network_load_balancer_backend_set" "k3s_https_backend_set" {
+ health_checker {
+ protocol = "TCP"
+ port = 80
+ }
+
+ name = "k3s https backend"
+ network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ policy = "FIVE_TUPLE"
+ is_preserve_source = true
+}
+
+resource "oci_network_load_balancer_backend" "k3s_http_backend" {
+ depends_on = [
+ oci_core_instance_pool.k3s_agents,
+ ]
+
+ count = var.instance_pool_size
+ backend_set_name = oci_network_load_balancer_backend_set.k3s_http_backend_set.name
+ network_load_balancer_id = 
oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ port = 80
+
+ target_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id
+}
+
+resource "oci_network_load_balancer_backend" "k3s_https_backend" {
+ depends_on = [
+ oci_core_instance_pool.k3s_agents,
+ ]
+
+ count = var.instance_pool_size
+ backend_set_name = oci_network_load_balancer_backend_set.k3s_https_backend_set.name
+ network_load_balancer_id = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.id
+ port = 443
+
+ target_id = data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index].id
+}
\ No newline at end of file
diff --git a/k3s-cluster/network.tf b/k3s-cluster/network.tf
new file mode 100644
index 0000000..38beb6a
--- /dev/null
+++ b/k3s-cluster/network.tf
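Review bot: `k3s_https_backend_set` health-checks TCP port 80 while its backends (`k3s_https_backend`) are registered on port 443, so a node whose 443 service is down but whose 80 is up stays in rotation for HTTPS clients; change that `health_checker` to `port = 443`. Both backend resources use `count = var.instance_pool_size` and index `data.oci_core_instance_pool_instances.k3s_agents_instances.instances[count.index]`, so if the pool has not finished launching all instances when the data source is read, the index is out of range despite `depends_on` — inferred from the shape of the references, worth confirming against the data source in data.tf (outside this chunk). `is_preserve_source = true` means the agents see the client's real source address rather than the load balancer's, which decides which security-list rule admits the traffic; a comment on that line, `# backends see the original client IP; security lists must admit it`, would tie lb.tf to security.tf.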
@@ -0,0 +1,55 @@
+resource "oci_core_vcn" "default_oci_core_vcn" {
+ cidr_block = var.oci_core_vcn_cidr
+ compartment_id = var.compartment_ocid
+ display_name = "Default OCI core vcn"
+ dns_label = "defaultvcn"
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_subnet" "default_oci_core_subnet10" {
+ cidr_block = var.oci_core_subnet_cidr10
+ compartment_id = var.compartment_ocid
+ display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet"
+ dns_label = "defaultsubnet10"
+ route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id]
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_subnet" "oci_core_subnet11" {
+ cidr_block = var.oci_core_subnet_cidr11
+ compartment_id = var.compartment_ocid
+ display_name = "${var.oci_core_subnet_cidr11} OCI core subnet"
+ dns_label = "defaultsubnet11"
+ route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id]
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+
+resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" {
+ compartment_id = var.compartment_ocid
+ display_name = "Internet Gateway Default OCI core vcn"
+ enabled = "true"
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_default_route_table" "default_oci_core_default_route_table" {
+ route_rules {
+ destination = "0.0.0.0/0"
+ destination_type = "CIDR_BLOCK"
+ network_entity_id = 
oci_core_internet_gateway.default_oci_core_internet_gateway.id
+ }
+ manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+}
\ No newline at end of file
diff --git a/k3s-cluster/output.tf b/k3s-cluster/output.tf
new file mode 100644
index 0000000..5ac85cd
--- /dev/null
+++ b/k3s-cluster/output.tf
@@ -0,0 +1,14 @@
+output "k3s_server_ip" {
+ value = oci_core_instance.k3s_server.public_ip
+}
+
+output "k3s_agents_ips" {
+ depends_on = [
+ data.oci_core_instance_pool_instances.k3s_agents_instances,
+ ]
+ value = data.oci_core_instance.k3s_agents_instances_ips.*.public_ip
+}
+
+output "lb_ip" {
+ value = oci_network_load_balancer_network_load_balancer.k3s_load_balancer.ip_addresses
+}
\ No newline at end of file
diff --git a/k3s-cluster/provider.tf b/k3s-cluster/provider.tf
new file mode 100644
index 0000000..7a78460
--- /dev/null
+++ b/k3s-cluster/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ private_key_path = var.private_key_path
+ fingerprint = var.fingerprint
+ region = var.region
+}
\ No newline at end of file
diff --git a/k3s-cluster/security.tf b/k3s-cluster/security.tf
new file mode 100644
index 0000000..3728f8c
--- /dev/null
+++ b/k3s-cluster/security.tf
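Review bot: Both subnets share the default route table that sends `0.0.0.0/0` to the internet gateway and neither sets `prohibit_public_ip_on_vnic`, so the agent pool placed in `default_oci_core_subnet10` is reachable directly on its own public addresses as well as through the network load balancer in `oci_core_subnet11`; if the load balancer is meant to be the single public entry point, set `prohibit_public_ip_on_vnic = true` on subnet10 and give it a NAT-gateway route for the apt and k3s downloads the cloud-init scripts perform. That is a design choice rather than a defect, so at minimum a comment on subnet10 stating that nodes are intentionally public would help. Two blank lines precede the internet gateway resource where the sibling simple-instance/network.tf uses one.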
@@ -0,0 +1,76 @@
+resource "oci_core_default_security_list" "default_security_list" {
+ compartment_id = var.compartment_ocid
+ manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id
+
+ display_name = "Default security list"
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ }
+
+ ingress_security_rules {
+ protocol = 1 # icmp
+ source = var.my_public_ip_address
+
+ description = "Allow icmp from ${var.my_public_ip_address}"
+
+ }
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = var.my_public_ip_address
+
+ description = "Allow SSH from ${var.my_public_ip_address}"
+
+ tcp_options {
+ min = 22
+ max = 22
+ }
+ }
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = var.my_public_ip_address
+
+ description = "Allow HTTP from ${var.my_public_ip_address}"
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ ingress_security_rules {
+ protocol = "all"
+ source = var.oci_core_vcn_cidr
+
+ description = "Allow all from vcn subnet"
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_security_list" "custom_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+
+ display_name = "Custom security list"
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = "0.0.0.0/0"
+
+ description = "Allow HTTP from all"
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
\ No newline at end of file
diff --git a/k3s-cluster/template.tf b/k3s-cluster/template.tf
new file mode 100644
index 0000000..dd21cbc
--- /dev/null
+++ b/k3s-cluster/template.tf
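Review bot: No ingress rule in either list admits TCP 443, yet lb.tf defines a 443 listener whose backends are registered on port 443 with `is_preserve_source = true`, so client traffic on 443 reaches the agents with an external source address and matches neither the port-80 rule in `custom_security_list` nor the `Allow all from vcn subnet` rule; if HTTPS through the load balancer is intended, add an `ingress_security_rules` block to `custom_security_list` with `tcp_options { min = 443 max = 443 }` (inferred from the two lists as written, since the OCI evaluation of preserved-source traffic is not shown here). The `Allow HTTP from ${var.my_public_ip_address}` rule in the default list is fully covered by the `0.0.0.0/0` port-80 rule in the custom list, so one of the two is dead; the same pair appears in simple-instance/security.tf. `protocol` mixes numeric values (`1`, `6`) with the string `"all"`; the inline `# icmp` / `# tcp` comments help, but one consistent form reads better.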
@@ -0,0 +1,61 @@
+resource "oci_core_instance_configuration" "k3s_agent_template" {
+
+ compartment_id = var.compartment_ocid
+ display_name = "Ubuntu 20.04 instance k3s agent configuration"
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+
+ instance_details {
+ instance_type = "compute"
+
+ launch_details {
+
+ agent_config {
+ is_management_disabled = "false"
+ is_monitoring_disabled = "false"
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Vulnerability Scanning"
+ }
+
+ plugins_config {
+ desired_state = "ENABLED"
+ name = "Compute Instance Monitoring"
+ }
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Bastion"
+ }
+ }
+
+ availability_domain = var.availability_domain
+ compartment_id = var.compartment_ocid
+
+ create_vnic_details {
+ assign_public_ip = true
+ subnet_id = oci_core_subnet.default_oci_core_subnet10.id
+ }
+
+ display_name = "Ubuntu k3s agent template"
+
+ metadata = {
+ "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY)
+ "user_data" = data.template_cloudinit_config.k3s_agent_tpl.rendered
+ }
+
+ shape = "VM.Standard.A1.Flex"
+ shape_config {
+ memory_in_gbs = "6"
+ ocpus = "1"
+ }
+ source_details {
+ image_id = var.os_image_id
+ source_type = "image"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/k3s-cluster/vars.tf b/k3s-cluster/vars.tf
new file mode 100644
index 0000000..810b8cc
--- /dev/null
+++ b/k3s-cluster/vars.tf
@@ -0,0 +1,88 @@
+variable "compartment_ocid" {
+
+}
+
+variable "tenancy_ocid" {
+
+}
+
+variable "region" {
+ default = ""
+}
+
+variable "user_ocid" {
+
+}
+
+variable "fingerprint" {
+
+}
+
+variable "private_key_path" {
+
+}
+
+variable "availability_domain" {
+ default = ""
+}
+
+variable "default_fault_domain" {
+ default = "FAULT-DOMAIN-1"
+}
+
+variable "fault_domains" {
+ type = list(any)
+ default = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"]
+}
+
+variable "PATH_TO_PUBLIC_KEY" {
+ default = "~/.ssh/id_rsa.pub"
+}
+
+variable "os_image_id" {
+ default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04
+}
+
+variable "oci_core_vcn_cidr" {
+ default = "10.0.0.0/16"
+}
+
+variable "oci_core_subnet_cidr10" {
+ default = "10.0.0.0/24"
+}
+
+variable "oci_core_subnet_cidr11" {
+ default = "10.0.1.0/24"
+}
+
+variable "k3s_server_private_ip" {
+ default = "10.0.0.50"
+}
+
+variable "instance_pool_size" {
+ default = 3
+}
+
+variable "tutorial_tag_key" {
+ default = "oracle-tutorial"
+}
+
+variable "tutorial_tag_value" {
+ default = "k3s-terraform"
+}
+
+variable "my_public_ip_address" {
+ default = ""
+}
+
+variable "k3s_token" {
+ default = "2aaf122eed3409ds2c6fagfad4073-92dcdgade664d8c1c7f49z"
+}
+
+variable "install_longhorn" {
+ default = true
+}
+
+variable "longhorn_release" {
+ default = "v1.2.2"
+}
\ No newline at end of file
diff --git a/simple-instance/.terraform.lock.hcl b/simple-instance/.terraform.lock.hcl
new file mode 100644
index 0000000..43373d9
--- /dev/null
+++ b/simple-instance/.terraform.lock.hcl
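Review bot: `k3s_token` ships a working default in committed code, so anyone with read access to the repository holds the cluster join secret of every deployment that does not override it, and the value also lands in plain text in the rendered user_data; drop the default and declare the variable `sensitive = true` so it has to be supplied per deployment and is redacted from plan and apply output. `region`, `availability_domain` and `my_public_ip_address` default to `""`, which Terraform accepts silently and then fails on at the provider or in the `source = var.my_public_ip_address` security-list rules instead of prompting; removing those defaults gets the prompt, and simple-instance/vars.tf has the same `my_public_ip_address` default. None of the variables carries a `type` or `description`, so the README is the only place a user can learn what `fault_domains` or `instance_pool_size` mean.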
@@ -0,0 +1,36 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/oci" { + version = "4.49.0" + hashes = [ + "h1:m7/VNDahueBZf6EqJjxsGsOuzBVWnfrzL3ekdr0mr0k=", + "zh:2114836ae6a863da2f40917a18478e6af67d42d5e1a05ecd1297a6802fa765a1", + "zh:2f53dfff1919cf4750467c65fc658570dc99868f7524d3abeb05a9f6e174c046", + "zh:38f6b9fb5e73ea7de1ee2cefe28c83f308c96a14a69c91f4da352f27007b31d0", + "zh:3dcb0a5652113b893cf5f9af7ba3ee4fed900e000d80e045eb6e9151768ed691", + "zh:3deef7b6b30926dc817e72aa19ef700ffab1b2f4d41be136fe4253bb14c8cd9c", + "zh:49fc2e23d30677eff73dc10ae1ef316bdfe8b133f0a71c414333e7400c3a95e1", + "zh:517b962143ae8012e65086ef5d5c81e4701ffde092747b594edfaf5f664111d0", + "zh:5d3b0303f68b8196048d97b4730b0424a60db8cb13700ae1980cdd84dc211a27", + "zh:6d17bd39ba47f3c5fda7d67d9f986b872ed1cdcb72677e2f1d1eba1567200f58", + "zh:c6de06c6f0947c9315b10a723edf96eecdf3ef03947948761032f061339e5b49", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/simple-instance/README.md b/simple-instance/README.md new file mode 100644 index 0000000..5f47282 
--- /dev/null +++ b/simple-instance/README.md @@ -0,0 +1,62 @@ +# Simple compute instance + +This example will deploy a single Oracle compute instance. + +### Extra variables + +In this example an extra variable is used: + +* fault_domain, this variable indicate in which fault domain our instance will be launched + +### Deploy + +To deploy the infrastructure: + +``` +terraform init + +terraform plan + +terraform apply +``` + +wait terraform to complete the operation, when terraform successfully finished the deployment you will see in the output the public ip address of the instance: + +``` +Apply complete! Resources: 8 added, 0 changed, 0 destroyed. + +Outputs: + +instance_ip = "152.x.x.x" +``` + +now you can ssh into the machine: + +``` +ssh ubuntu@152.x.x.x + +... +35 updates can be applied immediately. +25 of these updates are standard security updates. +To see these additional updates run: apt list --upgradable + + + +The programs included with the Ubuntu system are free software; +the exact distribution terms for each program are described in the +individual files in /usr/share/doc/*/copyright. + +Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by +applicable law. + +To run a command as administrator (user "root"), use "sudo ". +See "man sudo_root" for details. + +ubuntu@ubuntu-instance:~$ +``` + +### Cleanup + +``` +terraform destroy +``` \ No newline at end of file diff --git a/simple-instance/compute.tf b/simple-instance/compute.tf new file mode 100644 index 0000000..9c43f31 --- /dev/null +++ b/simple-instance/compute.tf 
@@ -0,0 +1,63 @@
+resource "oci_core_instance" "ubuntu_oci_instance" {
+ agent_config {
+ is_management_disabled = "false"
+ is_monitoring_disabled = "false"
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Vulnerability Scanning"
+ }
+
+ plugins_config {
+ desired_state = "ENABLED"
+ name = "Compute Instance Monitoring"
+ }
+
+ plugins_config {
+ desired_state = "DISABLED"
+ name = "Bastion"
+ }
+ }
+
+ availability_config {
+ recovery_action = "RESTORE_INSTANCE"
+ }
+
+ availability_domain = var.availability_domain
+ compartment_id = var.compartment_ocid
+ fault_domain = var.default_fault_domain
+
+ create_vnic_details {
+ assign_private_dns_record = "true"
+ assign_public_ip = "true"
+ subnet_id = oci_core_subnet.default_oci_core_subnet10.id
+ }
+
+ display_name = "Ubuntu Instance"
+
+ instance_options {
+ are_legacy_imds_endpoints_disabled = "false"
+ }
+
+ is_pv_encryption_in_transit_enabled = "true"
+
+ metadata = {
+ "ssh_authorized_keys" = file(var.PATH_TO_PUBLIC_KEY)
+ "user_data" = data.template_cloudinit_config.ubuntu_init.rendered
+ }
+
+ shape = "VM.Standard.A1.Flex"
+ shape_config {
+ memory_in_gbs = "6"
+ ocpus = "1"
+ }
+
+ source_details {
+ source_id = var.os_image_id
+ source_type = "image"
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
\ No newline at end of file
diff --git a/simple-instance/data.tf b/simple-instance/data.tf
new file mode 100644
index 0000000..5808d66
--- /dev/null
+++ b/simple-instance/data.tf
@@ -0,0 +1,9 @@
+data "template_cloudinit_config" "ubuntu_init" {
+ gzip = true
+ base64_encode = true
+
+ part {
+ content_type = "text/x-shellscript"
+ content = templatefile("${path.module}/files/oci-ubuntu-install.sh", {})
+ }
+}
\ No newline at end of file
diff --git a/simple-instance/files/oci-ubuntu-install.sh b/simple-instance/files/oci-ubuntu-install.sh
new file mode 100644
index 0000000..461dfb9
--- /dev/null
+++ b/simple-instance/files/oci-ubuntu-install.sh
@@ -0,0 +1,46 @@ +#!/bin/bash + +apt-get update +apt-get -y upgrade +apt-get -y install nginx + +systemctl enable nginx +systemctl start nginx + +hostname=$(hostname) + +cat < /var/www/html/index.nginx-debian.html + + + +Welcome to nginx! + + + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

Thank you for using nginx.

+

Hello from: $hostname

+ + +EOF + +# Disable firewall +/usr/sbin/netfilter-persistent stop +/usr/sbin/netfilter-persistent flush + +systemctl stop netfilter-persistent.service +systemctl disable netfilter-persistent.service \ No newline at end of file diff --git a/simple-instance/network.tf b/simple-instance/network.tf new file mode 100644 index 0000000..4867d1a --- /dev/null +++ b/simple-instance/network.tf 
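Review bot: The heredoc that writes the nginx page cannot be checked as rendered here: the line reads `cat < /var/www/html/index.nginx-debian.html`, which is an input redirection, yet the block ends with `EOF`, and the HTML tags around the body text are missing, so the page rendering has most likely dropped the `<<EOF >` part and the markup. If the file really contains `cat < /var/www/...`, it reads the existing file instead of generating one and the `$hostname` line never lands on the page; worth checking the file in the repository. Unlike the two k3s scripts, `apt-get -y upgrade` here runs without `DEBIAN_FRONTEND=noninteractive`, so a package that prompts during configuration can stall cloud-init; prefix it the same way, `DEBIAN_FRONTEND=noninteractive apt-get -y upgrade`. The firewall is flushed and its persistence unit disabled at the end without a comment; `# Host firewall disabled: the VCN security lists in security.tf are the only ingress control` would record the intent.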
@@ -0,0 +1,54 @@
+resource "oci_core_vcn" "default_oci_core_vcn" {
+ cidr_block = var.oci_core_vcn_cidr
+ compartment_id = var.compartment_ocid
+ display_name = "Default OCI core vcn"
+ dns_label = "defaultvcn"
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_subnet" "default_oci_core_subnet10" {
+ cidr_block = var.oci_core_subnet_cidr10
+ compartment_id = var.compartment_ocid
+ display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet"
+ dns_label = "defaultsubnet10"
+ route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id]
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_subnet" "oci_core_subnet11" {
+ cidr_block = var.oci_core_subnet_cidr11
+ compartment_id = var.compartment_ocid
+ display_name = "${var.oci_core_subnet_cidr11} OCI core subnet"
+ dns_label = "defaultsubnet11"
+ route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ security_list_ids = [oci_core_default_security_list.default_security_list.id, oci_core_security_list.custom_security_list.id]
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" {
+ compartment_id = var.compartment_ocid
+ display_name = "Internet Gateway Default OCI core vcn"
+ enabled = "true"
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_default_route_table" "default_oci_core_default_route_table" {
+ route_rules {
+ destination = "0.0.0.0/0"
+ destination_type = "CIDR_BLOCK"
+ network_entity_id = 
oci_core_internet_gateway.default_oci_core_internet_gateway.id
+ }
+ manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id
+}
\ No newline at end of file
diff --git a/simple-instance/output.tf b/simple-instance/output.tf
new file mode 100644
index 0000000..68bd4dd
--- /dev/null
+++ b/simple-instance/output.tf
@@ -0,0 +1,3 @@
+output "instance_ip" {
+ value = oci_core_instance.ubuntu_oci_instance.public_ip
+}
\ No newline at end of file
diff --git a/simple-instance/provider.tf b/simple-instance/provider.tf
new file mode 100644
index 0000000..7a78460
--- /dev/null
+++ b/simple-instance/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ private_key_path = var.private_key_path
+ fingerprint = var.fingerprint
+ region = var.region
+}
\ No newline at end of file
diff --git a/simple-instance/security.tf b/simple-instance/security.tf
new file mode 100644
index 0000000..da4d910
--- /dev/null
+++ b/simple-instance/security.tf
@@ -0,0 +1,76 @@
+resource "oci_core_default_security_list" "default_security_list" {
+ compartment_id = var.compartment_ocid
+ manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_security_list_id
+
+ display_name = "Default security list"
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ }
+
+ ingress_security_rules {
+ protocol = 1 # icmp
+ source = var.my_public_ip_address
+
+ description = "Allow icmp from ${var.my_public_ip_address}"
+
+ }
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = var.my_public_ip_address
+
+ description = "Allow SSH from ${var.my_public_ip_address}"
+
+ tcp_options {
+ min = 22
+ max = 22
+ }
+ }
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = var.my_public_ip_address
+
+ description = "Allow HTTP from ${var.my_public_ip_address}"
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ ingress_security_rules {
+ protocol = "all"
+ source = var.oci_core_vcn_cidr
+
+ description = "Allow all from vcn subnet"
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
+
+resource "oci_core_security_list" "custom_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.default_oci_core_vcn.id
+
+ display_name = "Custom security list"
+
+ ingress_security_rules {
+ protocol = 6 # tcp
+ source = "0.0.0.0/0"
+
+ description = "Allow HTTP from all"
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ freeform_tags = {
+ "${var.tutorial_tag_key}" = "${var.tutorial_tag_value}"
+ }
+}
\ No newline at end of file
diff --git a/simple-instance/vars.tf b/simple-instance/vars.tf
new file mode 100644
index 0000000..7be3fa0
--- /dev/null
+++ b/simple-instance/vars.tf
@@ -0,0 +1,63 @@
+variable "compartment_ocid" {
+
+}
+
+variable "tenancy_ocid" {
+
+}
+
+variable "region" {
+ default = ""
+}
+
+variable "user_ocid" {
+
+}
+
+variable "fingerprint" {
+
+}
+
+variable "private_key_path" {
+
+}
+
+variable "availability_domain" {
+ default = ""
+}
+
+variable "default_fault_domain" {
+ default = "FAULT-DOMAIN-1"
+}
+
+variable "PATH_TO_PUBLIC_KEY" {
+ default = "~/.ssh/id_rsa.pub"
+}
+
+variable "os_image_id" {
+ default = "ocid1.image.oc1.eu-zurich-1.aaaaaaaam4u4w4dprotagbxx4glcmjtndbkunzs5kvz5qpkqybemlv4wds3a" # Ubuntu 20.04
+}
+
+variable "oci_core_vcn_cidr" {
+ default = "10.0.0.0/16"
+}
+
+variable "oci_core_subnet_cidr10" {
+ default = "10.0.0.0/24"
+}
+
+variable "oci_core_subnet_cidr11" {
+ default = "10.0.1.0/24"
+}
+
+variable "tutorial_tag_key" {
+ default = "oracle-tutorial"
+}
+
+variable "tutorial_tag_value" {
+ default = "terraform"
+}
+
+variable "my_public_ip_address" {
+ default = ""
+}
\ No newline at end of file