Merge pull request #23 from alcampag/oke-module-update

Oke module update

Author: WSPluta

deploy/devops/tf-env/data.tf

@@ -20,3 +20,7 @@ data "oci_identity_compartment" "compartment" {
 data "oci_identity_users" "users" {
   compartment_id = var.tenancy_ocid
 }
+
+data "oci_containerengine_cluster_option" "oke" {
+  cluster_option_id = "all"
+}

deploy/devops/tf-env/oke.tf

@@ -1,28 +1,124 @@
-module "oke-quickstart" {
-  source = "github.com/oracle-quickstart/terraform-oci-oke-quickstart?ref=0.9.2"
-
+locals {
+  cluster_k8s_latest_version = reverse(sort(data.oci_containerengine_cluster_option.oke.kubernetes_versions))[0]
+  lb_subnet_cidr = "10.22.128.0/27"
+  workers_subnet_cidr = "10.22.144.0/20"
+  cp_subnet_cidr = "10.22.0.8/29"
+  vcn_cidr = "10.22.0.0/16"
+}
 
-  providers = {
-    oci             = oci
-    oci.home_region = oci.home_region
+module "oke" {
+  source  = "oracle-terraform-modules/oke/oci"
+  version = "5.1.3"
+  region = var.region
+  compartment_id = var.compartment_ocid
+  # IAM - Policies
+  create_iam_autoscaler_policy = "never"
+  create_iam_kms_policy = "never"
+  create_iam_operator_policy = "never"
+  create_iam_worker_policy = "never"
+  # Network module - VCN
+  subnets = {
+    bastion = {
+      create = "never"
+    }
+    operator = {
+      create = "never"
+    }
+    cp = {
+      create  = "always",
+      cidr = local.cp_subnet_cidr
+    }
+    pub_lb = {
+      create  = "always",
+      cidr = local.lb_subnet_cidr
+    }
+    workers = {
+      create  = "always",
+      cidr = local.workers_subnet_cidr
+    }
+    int_lb = {
+      create  = "never"
+    }
+    pods = {
+      create  = "never"
+    }
+  }
+  nsgs = {
+    bastion = {create = "never"}
+    operator = { create = "never" }
+    cp       = { create = "always"}
+    int_lb   = { create = "never" }
+    pub_lb   = { create = "never" }
+    workers  = { create = "always"}
+    pods     = { create = "never" }
+  }
+  assign_dns = true
+  create_vcn = true
+  vcn_cidrs = [local.vcn_cidr]
+  vcn_dns_label = "oke"
+  vcn_name = "oke-${random_string.deploy_id.result}-vcn"
+  lockdown_default_seclist = true
+  allow_rules_public_lb ={
+    "Allow TCP ingress to public load balancers for HTTPS traffic from anywhere" : { protocol = 6, port = 443, source="0.0.0.0/0", source_type="CIDR_BLOCK"},
+    "Allow TCP ingress to public load balancers for HTTP traffic from anywhere" : { protocol = 6, port = 80, source="0.0.0.0/0", source_type="CIDR_BLOCK"}
+  }
+  # Network module - security
+  allow_node_port_access = true
+  allow_worker_internet_access = true
+  allow_worker_ssh_access = true
+  control_plane_allowed_cidrs = ["0.0.0.0/0"]
+  control_plane_is_public = true
+  assign_public_ip_to_control_plane = true
+  enable_waf = false
+  load_balancers = "public"
+  preferred_load_balancer = "public"
+  worker_is_public = false
+  # Cluster module
+  create_cluster = true
+  cluster_name = "oke-${random_string.deploy_id.result}"
+  cluster_type = "basic"
+  cni_type = "flannel"
+  kubernetes_version = local.cluster_k8s_latest_version
+  pods_cidr          = "10.244.0.0/16"
+  services_cidr      = "10.96.0.0/16"
+  use_signed_images  = false
+  use_defined_tags = false
+  # Workers
+  worker_pool_mode = "node-pool"
+  worker_pool_size = 2
+  worker_image_type = "oke"
+  worker_pools = {
+    np1 = {
+      shape = "VM.Standard.E3.Flex",
+      ocpus = 1,
+      memory = 32,
+      boot_volume_size = 120,
+      create = true
+    }
   }
 
-  tenancy_ocid     = var.tenancy_ocid
-  compartment_ocid = var.compartment_ocid
-  region           = var.region
+  # Bastion
+  create_bastion = false
 
-  app_name = "DevOps ${random_string.deploy_id.result}"
+  # Operator
+  create_operator = false
 
-  metrics_server_enabled = false
+  providers = {
+    oci = oci
+    oci.home = oci.home_region
+  }
+}
 
-  # OKE Node Pool 1
-  node_pool_cni_type_1                 = "FLANNEL_OVERLAY"
-  node_pool_autoscaler_enabled_1       = false
-  node_pool_initial_num_worker_nodes_1 = 2
-  node_pool_max_num_worker_nodes_1     = 3
-  node_pool_instance_shape_1           = { "instanceShape" = "VM.Standard.E4.Flex", "ocpus" = 1, "memory" = 32 }
-  node_pool_boot_volume_size_in_gbs_1  = 120
+resource "null_resource" "add_sec_rules_lb" {
 
-  # VCN for OKE arguments
-  vcn_cidr_blocks = "10.22.0.0/16"
+  provisioner "local-exec" {
+    command = "chmod +x ./pub_lb_sec.sh && ./pub_lb_sec.sh"
+    environment = {
+      PUB_LB_SUBNET_ID = module.oke.pub_lb_subnet_id
+    }
+    working_dir = path.module
+  }
+
+  depends_on = [module.oke]
 }
+

deploy/devops/tf-env/output.tf

@@ -3,12 +3,12 @@ output "devops_ons_topic_ocid" {
 }
 
 output "kubeconfig" {
-  value     = module.oke-quickstart.kubeconfig
+  value     = module.oke.cluster_kubeconfig
   sensitive = true
 }
 
 output "oke_cluster_ocid" {
-  value = module.oke-quickstart.oke_cluster_ocid
+  value = module.oke.cluster_id
 }
 
 output "github_access_token_secret_ocid" {

deploy/devops/tf-env/provider.tf

@@ -1,3 +1,6 @@
+# TODO: To be modified before pushing to main
+
+
 provider "oci" {
   tenancy_ocid = var.tenancy_ocid
   region       = var.region
@@ -8,3 +11,15 @@ provider "oci" {
   tenancy_ocid = var.tenancy_ocid
   region       = lookup(data.oci_identity_regions.home_region.regions[0], "name")
 }
+
+
+/*provider "oci" {
+  config_file_profile = var.config_file_profile
+  region       = var.region
+}
+
+provider "oci" {
+  alias        = "home_region"
+  config_file_profile = var.config_file_profile
+  region       = lookup(data.oci_identity_regions.home_region.regions[0], "name")
+}*/

deploy/devops/tf-env/pub_lb_sec.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# shellcheck disable=SC2155
+export SEC_LIST_ID=$(oci network subnet get --subnet-id $PUB_LB_SUBNET_ID --query 'data."security-list-ids"[0]' --raw-output)
+
+oci network security-list update --security-list-id $SEC_LIST_ID --egress-security-rules '[{"destination": "10.22.144.0/20", "protocol": "6", "isStateless": false, "tcpOptions": {"destinationPortRange": {"max": 10256, "min": 10256}}}]' --force