Merge pull request #2127 from oracle-devrel/oke-rm

oke-rm-1.1.6

Author: martatolosa

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.6/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.6/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -2,21 +2,50 @@ resource "oci_core_security_list" "bastion_security_list" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name = "bastion-sec-list"
+
+  # Ingress rules and their corresponding egress
   ingress_security_rules {
     protocol = local.tcp_protocol
     source_type = "CIDR_BLOCK"
     source   = "0.0.0.0/0"
+    stateless = true
     description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet"
     tcp_options {
       max = 22
       min = 22
     }
   }
+
+  egress_security_rules {
+    destination = "0.0.0.0/0"
+    destination_type = "CIDR_BLOCK"
+    protocol = local.tcp_protocol
+    stateless = true
+    description = "Allow SSH responses from the subnet"
+    tcp_options {
+      source_port_range {
+        max = 22
+        min = 22
+      }
+    }
+  }
+
+  # Egress rules and their corresponding ingress
   egress_security_rules {
     destination = var.vcn_cidr_blocks[0]
     destination_type = "CIDR_BLOCK"
     protocol    = "all"
+    stateless = true
     description = "Enable the bastion hosts to reach the entire VCN"
   }
+
+  ingress_security_rules {
+    protocol = "all"
+    source_type = "CIDR_BLOCK"
+    source = var.vcn_cidr_blocks[0]
+    stateless = true
+    description = "Allow responses from the VCN to the bastion hosts"
+  }
+
   count = var.create_bastion_subnet ? 1 : 0
-}
+}