oracle-devrel · martatolosa · Sep 17, 2025 · Sep 17, 2025
diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md
@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.4/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.4/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
@@ -1,5 +1,4 @@
 locals {
-  create_bastion = var.create_bastion_subnet && var.create_bastion
   # VCN_NATIVE_CNI internally it is mapped as npn
   cni = var.cni_type == "vcn_native" ? "npn" : var.cni_type
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
@@ -53,14 +53,11 @@ module "network" {
   cp_external_nat = var.cp_external_nat
   allow_external_cp_traffic = var.allow_external_cp_traffic
   cp_egress_cidr = var.cp_egress_cidr
-}
-
-module "bastion" {
-  source = "./modules/bastion"
-  region = var.region
-  compartment_id = var.bastion_compartment_id
-  vcn_name = var.vcn_name
-  bastion_subnet_id = module.network.bastion_subnet_id
-  bastion_cidr_block_allow_list = var.bastion_cidr_block_allow_list
-  count = local.create_bastion ? 1 : 0
+  # DRG
+  enable_drg = var.enable_drg
+  create_drg = var.create_drg
+  drg_id = var.drg_id
+  drg_name = var.drg_name
+  create_drg_attachment = var.create_drg_attachment
+  peer_vcns = var.peer_vcns
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/bastion.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/bastion.tf
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/provider.tf
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/variable.tf
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf
@@ -0,0 +1,19 @@
+resource "oci_core_drg" "vcn_drg" {
+  compartment_id = var.network_compartment_id
+  display_name = var.drg_name
+
+  count = local.create_drg ? 1 : 0
+}
+
+resource "oci_core_drg_attachment" "oke_drg_attachment" {
+  drg_id = local.drg_id
+  display_name = "${var.vcn_name}-attachment"
+
+  network_details {
+    id = local.vcn_id
+    type = "VCN"
+  }
+
+  count = local.create_drg_attachment ? 1 : 0
+}
+
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
@@ -10,6 +10,10 @@ locals {
   nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
   cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
   create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
+  create_drg = var.enable_drg && var.create_drg
+  create_drg_attachment = var.enable_drg && var.create_drg_attachment
+  drg_id = var.create_drg ? oci_core_drg.vcn_drg.0.id : var.drg_id
+
 
 
   tcp_protocol = "6"

diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf
@@ -33,6 +33,17 @@ resource "oci_core_route_table" "service_route_table" {
     destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
     description = "Route for all internal OCI services in the region"
   }
+
+  dynamic "route_rules" {
+    for_each = var.enable_drg ? var.peer_vcns : []
+    content {
+      network_entity_id = local.drg_id
+      destination_type  = "CIDR_BLOCK"
+      destination       = route_rules.value
+      description       = "Route to ${route_rules.value} through the DRG"
+    }
+  }
+
 }
 
 resource "oci_core_route_table" "nat_route_table" {
@@ -51,6 +62,17 @@ resource "oci_core_route_table" "nat_route_table" {
     destination = "0.0.0.0/0"
     description = "Route to reach external Internet through a NAT gateway"
   }
+
+  dynamic "route_rules" {
+    for_each = var.enable_drg ? var.peer_vcns : []
+    content {
+      network_entity_id = local.drg_id
+      destination_type  = "CIDR_BLOCK"
+      destination       = route_rules.value
+      description       = "Route to ${route_rules.value} through the DRG"
+    }
+  }
+
 }
 
 resource "oci_core_route_table" "internet_route_table" {

diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf
@@ -148,4 +148,26 @@ variable "nat_gateway_id" {}
 
 variable "create_internet_gateway" {
   type = bool
+}
+
+# DRG
+
+variable "enable_drg" {
+  type = bool
+}
+
+variable "create_drg" {
+  type = bool
+}
+
+variable "drg_name" {}
+
+variable "drg_id" {}
+
+variable "create_drg_attachment" {
+  type = bool
+}
+
+variable "peer_vcns" {
+  type = list(string)
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
@@ -63,12 +63,14 @@ variableGroups:
       - allow_external_cp_traffic
       - cp_egress_cidr
 
-  - title: "Bastion"
-    visible: ${create_bastion_subnet}
+  - title: "DRG"
     variables:
-      - create_bastion
-      - bastion_compartment_id
-      - bastion_cidr_block_allow_list
+      - enable_drg
+      - create_drg
+      - drg_name
+      - drg_id
+      - create_drg_attachment
+      - peer_vcns
 
 variables:
 
@@ -435,25 +437,51 @@ variables:
     type: boolean
     visible: ${create_bastion_subnet}
 
-# BASTION MODULE
+# DRG
 
-  create_bastion:
-    title: "Create Bastion"
-    description: "If flagged, create an OCI Bastion instance"
+  enable_drg:
+    title: "Enable DRG"
+    description: "Enable DRG support for this VCN"
     type: boolean
 
-  bastion_compartment_id:
-    title: "Bastion Compartment"
-    description: "Compartment where to create the OCI Bastion instance"
-    type: oci:identity:compartment:id
+  create_drg:
+    title: "Create DRG"
+    description: "Create a new DRG"
+    type: boolean
+    visible: ${enable_drg}
+
+  drg_id:
+    title: "DRG ID"
+    description: "Existing DRG ID"
+    type: string
     required: true
-    visible: ${create_bastion}
+    visible:
+      and:
+        - ${enable_drg}
+        - not:
+            - ${create_drg}
 
-  bastion_cidr_block_allow_list:
-    title: "Bastion allow list"
-    description: "CIDR blocks in this list will be able to connect to the OCI Bastion instance"
+  drg_name:
+    title: "DRG name"
+    description: "Name for the DRG to be created"
+    type: string
+    required: true
+    visible:
+      and:
+        - ${enable_drg}
+        - ${create_drg}
+
+  create_drg_attachment:
+    title: "Create DRG attachment"
+    description: "Attach the DRG to this VCN"
+    type: boolean
+    visible: ${enable_drg}
+
+  peer_vcns:
+    title: "Peer VCN CIDR blocks"
+    description: "A routing rule will be created on all private subnets to route traffic directed to these CIDR blocks to the DRG"
     type: array
     items:
       type: string
-    required: true
-    visible: ${create_bastion}
+    required: false
+    visible: ${enable_drg}
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf
@@ -148,7 +148,7 @@ variable "bastion_subnet_name" {
 
 variable "create_fss" {
   type = bool
-  default = false
+  default = true
 }
 
 variable "fss_subnet_cidr" {
@@ -197,19 +197,33 @@ variable "cp_egress_cidr" {
   default = "0.0.0.0/0"
 }
 
-# BASTION MODULE
+# DRG
 
-variable "create_bastion" {
+variable "enable_drg" {
   type = bool
   default = false
 }
 
-variable "bastion_compartment_id" {
+variable "create_drg" {
+  type = bool
+  default = true
+}
+
+variable "drg_id" {
   default = null
 }
 
-variable "bastion_cidr_block_allow_list" {
+variable "drg_name" {
+  default = null
+}
+
+variable "create_drg_attachment" {
+  type = bool
+  default = true
+}
+
+variable "peer_vcns" {
   type = list(string)
-  default = ["0.0.0.0/0"]
+  default = []
 }