oracle-devrel
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/README.md‎
Lines changed: 2 additions & 2 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip‎
95 Bytes b/‎app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip‎
95 Bytes
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf‎
Lines changed: 1 addition & 1 deletion b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf‎
Lines changed: 15 additions & 15 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf‎
Lines changed: 15 additions & 15 deletions
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf‎
Lines changed: 5 additions & 5 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf‎
Lines changed: 20 additions & 28 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf‎
Lines changed: 20 additions & 28 deletions
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf‎
Lines changed: 5 additions & 0 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf‎
Lines changed: 7 additions & 18 deletions b/‎app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf‎
Lines changed: 7 additions & 18 deletions
@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:
 
@@ -3,7 +3,7 @@ resource "oci_core_security_list" "bastion_security_list" {
   vcn_id         = local.vcn_id
   display_name = "bastion-sec-list"
   ingress_security_rules {
-    protocol = "6"
+    protocol = local.tcp_protocol
     source_type = "CIDR_BLOCK"
     source   = "0.0.0.0/0"
     description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet"
 
@@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "cp_nsg" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "CIDR_BLOCK"
   source = var.bastion_subnet_cidr
   stateless = false
@@ -57,7 +57,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -74,7 +74,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -91,7 +91,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -107,7 +107,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "1"
+  protocol                  = local.icmp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -121,7 +121,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "CIDR_BLOCK"
   source = var.cp_allowed_source_cidr
   stateless = false
@@ -137,7 +137,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -153,7 +153,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -165,7 +165,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "SERVICE_CIDR_BLOCK"
   destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
   stateless = false
@@ -176,7 +176,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -193,7 +193,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -209,7 +209,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "1"
+  protocol                  = local.icmp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -223,7 +223,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "CIDR_BLOCK"
   destination = var.cp_egress_cidr
   stateless = false
 
@@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "fss_nsg" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol                  = "17"  # UDP
+  protocol                  = local.udp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol                  = "17"  # UDP
+  protocol                  = local.udp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -55,7 +55,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -71,7 +71,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
 
@@ -7,11 +7,11 @@ resource "oci_core_network_security_group" "oke_lb_nsg" {
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
-  stateless = true
-  description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort - stateless Egress"
+  stateless = false
+  description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort"
   tcp_options {
     destination_port_range {
       max = 32767
@@ -20,16 +20,17 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
   }
 }
 
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_ingress" {
-  direction                 = "INGRESS"
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp" {
+  direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "6"
-  source_type = "NETWORK_SECURITY_GROUP"
-  source = oci_core_network_security_group.worker_nsg.id
-  stateless = true
-  description = "Allow TCP traffic from worker nodes to load balancer for services of type NodePort - stateless Ingress"
-  tcp_options {
-    source_port_range {
+  protocol                  = local.udp_protocol
+  destination_type = "NETWORK_SECURITY_GROUP"
+  destination = oci_core_network_security_group.worker_nsg.id
+  stateless = false
+  description = "Allow UDP traffic from load balancer to worker nodes for services of type NodePort"
+  udp_options {
+    destination_port_range {
       max = 32767
       min = 30000
     }
@@ -39,7 +40,7 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -52,32 +53,23 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
   }
 }
 
+
+# OCI Native Ingress does not support UDP, hence no UDP egress rule
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.pod_nsg.0.id
-  stateless = true
-  description = "LB to pods, OCI Native Ingress - stateless egress"
-  count = local.is_npn ? 1 : 0
-}
-
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_ingress" {
-  direction                 = "INGRESS"
-  network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "6"
-  source_type = "NETWORK_SECURITY_GROUP"
-  source = oci_core_network_security_group.pod_nsg.0.id
-  stateless = true
-  description = "LB to pods, OCI Native Ingress - stateless ingress"
+  stateless = false
+  description = "LB to pods, OCI Native Ingress"
   count = local.is_npn ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol                  = "1"
+  protocol                  = local.icmp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
 
@@ -10,4 +10,9 @@ locals {
   nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
   cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
   create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
+
+
+  tcp_protocol = "6"
+  icmp_protocol = "1"
+  udp_protocol = "17"
 }
@@ -41,7 +41,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "1"
+  protocol                  = local.icmp_protocol
   source_type = "CIDR_BLOCK"
   source = "0.0.0.0/0"
   stateless = false
@@ -56,11 +56,11 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4"
 resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_ingress" {
   direction                 = "INGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.oke_lb_nsg.id
-  stateless = true
-  description = "LBs to pods, - stateless ingress"
+  stateless = false
+  description = "LBs to pods"
   count = local.is_npn ? 1 : 0
 }
 
@@ -101,7 +101,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -118,7 +118,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "6"
+  protocol                  = local.tcp_protocol
   destination_type = "SERVICE_CIDR_BLOCK"
   destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
   stateless = false
@@ -129,7 +129,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6" {
   direction                 = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "1"
+  protocol                  = local.icmp_protocol
   destination_type = "CIDR_BLOCK"
   destination = "0.0.0.0/0"
   stateless = false
@@ -139,15 +139,4 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6"
     code = 4
   }
   count = local.is_npn ? 1 : 0
-}
-
-resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_egress" {
-  direction                 = "EGRESS"
-  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol                  = "6"
-  destination_type = "NETWORK_SECURITY_GROUP"
-  destination = oci_core_network_security_group.oke_lb_nsg.id
-  stateless = true
-  description = "Pods to LBs, - stateless egress"
-  count = local.is_npn ? 1 : 0
 }