added module for admin server. issue #21. also fixed issue #20

Signed-off-by: Ali Mukadam <[email protected]>

Author: hyder

docs/instanceprincipal.adoc

@@ -32,16 +32,16 @@ This section documents the use of {uri-oci-instance-principal}[instance_principa
 
 === Using instance_principal
 
-==== Enabling instance_principal on the bastion host
+==== Enabling instance_principal on the admin host
 {uri-oci-instance-principal}[instance_principal] is an IAM service feature that enables instances to be authorized actors (or principals) to perform actions on service resources. Each compute instance has its own identity, and it authenticates using the certificates that are added to it. These certificates are automatically created, assigned to instances and rotated, preventing the need for you to distribute credentials to your hosts and rotate them.
 
 Any user who has access to the instance (who can SSH to the instance), automatically inherits the privileges granted to the instance. Before you enable this feature, ensure that you know who can access it, and that they should be authorized with the permissions you are granting to the instance.
 
-By default, this feature is *_disabled_*.
+By default, this feature is *_enabled_*.
 
-When you enable this feature, by default, the bastion has privileges to all resources in the compartment. 
+When you enable this feature, by default, the admin host has privileges to all resources in the compartment. 
 
-You can also turn on and off the feature at any time without impact on the bastion.
+You can also turn on and off the feature at any time without impact on the admin host.
 
 To enable, set enable_instance_principal to true:
 
@@ -55,7 +55,7 @@ and verify:
 oci network vcn list --compartment-id <compartment-ocid>
 ----
 
-==== Disabling instance_principal on the bastion host
+==== Disabling instance_principal on the admin host
 
 . Set enable_instance_principal to false in terraform.tfvars
 
@@ -74,5 +74,5 @@ terraform apply
 ==== Recommendations for using instance_principal
 
 . Do not enable instance_principal if you are not using it
-. Enable instance_principal *_if and only if_* you are using the bastion host to execute oci commands e.g. modifying dynamic groups, changing policies
+. Enable instance_principal *_if and only if_* you are using the admin host to execute oci commands e.g. modifying dynamic groups, changing policies
 . Disable instance_principal once the oci operation is done

docs/notifications.adoc

@@ -32,8 +32,7 @@ The {uri-oci-notifications}[Oracle Cloud Infrastructure Notifications service] c
 Set the following parameters in the terraform.tfvars in order to enable ONS Notification for the bastion host:
 
 ----
-  enable_instance_principal = true
-  enable_notification        = true
+  notification_enabled       = true
   notification_endpoint      = "email_address"
   notification_protocol      = "EMAIL"
   notification_topic         = "bastion"
@@ -66,7 +65,7 @@ Read more on {uri-instance-principal}[instance_principal].
 Set the following parameters in the terraform.tfvars to disable ONS Notification:
 
 ----
-  enable_notification        = false
+  notification_enabled        = false
 ----
 
 and run terraform apply again:

docs/prerequisites.adoc

@@ -77,7 +77,7 @@ Open a terminal and test:
 [source,bash]
 ----
 terraform -v
-Terraform v0.12.8
+Terraform v0.12.16
 ----
 
 === OCI API Keys
@@ -113,7 +113,7 @@ To obtain the compartment OCID:
 
 === Identity and Access Management Rights
 
-If you are enabling notifications and instance_principal for the bastion, the Terraform user must have the rights to manage dynamic groups.
+If you are enabling notifications for the bastion host or instance_principal for the admin server, the Terraform user must have the rights to manage policies and dynamic groups respectively.
 
 === Using Autonomous Linux
 

docs/quickstart.adoc

@@ -60,7 +60,7 @@ cp terraform.tfvars.example terraform.tfvars
 * region
 
 4. Optional parameters to override:
-* create_bastion
+* bastion_enabled
 * ssh_private_key_path
 * ssh_public_key_path
 * vcn_dns_label

docs/terraformoptions.adoc

@@ -21,6 +21,7 @@ Configuration Terraform Options:
 . link:#general-oci[General OCI]
 . link:#oci-networking[OCI Networking]
 . link:#bastion-host[Bastion Host]
+. link:#admin-host[Admin Host]
 
 === Identity and access
 
@@ -88,12 +89,12 @@ Configuration Terraform Options:
 |Values
 |Default
 
-|create_nat_gateway
+|nat_gateway_enabled
 |Whether to create a NAT gateway. *Required* for private subnets.
 |true/false
-|false
+|true
 
-|create_service_gateway
+|service_gateway_enabled
 |Whether to create a Service Gateway to use Oracle Services.
 |true/false
 |false
@@ -141,6 +142,11 @@ Configuration Terraform Options:
 |XXX.XXX.XXX.XXX/YY
 |ANYWHERE
 
+|bastion_enabled
+|Whether to create the bastion host.
+|true/false
+|true
+
 |bastion_image_id
 |Custom image id for the bastion host
 |image id or NONE. If the value is set to NONE, an Oracle Platform image will be used instead. Set use_autonomous to _false_ if you want to use your own image.
@@ -156,16 +162,6 @@ Configuration Terraform Options:
 |true/false
 |true
 
-|create_bastion
-|Whether to create the bastion host.
-|true/false
-|false
-
-|enable_instance_principal
-|Whether to enable instance_principal on the bastion. Refer to {uri-instance-principal-note}[instance_principal].
-|true/false
-|false
-
 |enable_notification
 |Whether to enable ONS notification for the bastion host.
 |true/false
@@ -231,4 +227,70 @@ Configuration Terraform Options:
 |true/false
 |false
 
+|===
+
+== Admin Host
+
+[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+|===
+|Parameter
+|Description
+|Values
+|Default
+
+|admin_enabled
+|Whether to create the admin host.
+|true/false
+|true
+
+|admin_image_id
+|Custom image id for the admin host
+|image_id or NONE. If the value is set to NONE, an Oracle Platform image will be used instead. Set use_autonomous to _false_ if you want to use your own image. For now, *do not use Autonomous for the admin host.*
+|NONE
+
+|enable_instance_principal
+|Whether to enable instance_principal on the admin server. Refer to {uri-instance-principal-note}[instance_principal][instance_principal]
+|true/false
+|true
+
+|admin_notification_enabled
+|Whether to enable ONS notification for the admin host. *Do not enable for now*.
+|true/false
+|false
+
+|admin_notification_endpoint
+|The subscription notification endpoint. Email address to be notified. Only email is currently supported although ONS can also support Slack, Pagerduty among others.
+|
+|
+
+|admin_notification_protocol
+|The notification protocol used.
+|EMAIL
+|EMAIL
+
+|admin_notification_topic
+|The name of the notification topic
+|
+|admin
+
+|admin_package_upgrade
+|Whether to also upgrade the packages for the admin host.
+|true/false
+|true
+
+|admin_shape
+|The shape of admin instance.
+|
+|VM.Standard.E2.1
+
+|admin_timezone
+|The preferred timezone for the admin host. {uri-timezones}[List of timezones]
+|
+|Australia/Sydney
+
+|admin_use_autonomous
+|Whether to use Autonomous Linux or an Oracle Linux Platform image or custom image. Set to false if you want to use your own image id or Oracle Linux Platform image. *Do not use autonomous for now*
+|true/false
+|false
+
 |===

examples/db/README.md

@@ -78,6 +78,9 @@ module "base" {
 
   # bastion parameters
   oci_base_bastion = local.oci_base_bastion
+
+  # admin server parameters
+  oci_base_admin = local.oci_base_admin
 }
 ```
 

examples/db/locals.tf

@@ -20,31 +20,49 @@ locals {
   }
 
   oci_base_vcn = {
-    create_nat_gateway     = var.create_nat_gateway
-    create_service_gateway = var.create_service_gateway
+    create_nat_gateway     = var.nat_gateway_enabled
+    create_service_gateway = var.service_gateway_enabled
     vcn_cidr               = var.vcn_cidr
     vcn_dns_label          = var.vcn_dns_label
     vcn_name               = var.vcn_name
   }
 
   oci_base_bastion = {
-    availability_domains      = var.availability_domains["bastion"]
-    bastion_access            = var.bastion_access
-    bastion_image_id          = "NONE"
-    bastion_shape             = var.bastion_shape
-    bastion_upgrade           = false
-    create_bastion            = var.create_bastion
-    enable_instance_principal = var.enable_instance_principal
-    enable_notification       = false
-    newbits                   = var.newbits["bastion"]
-    netnum                    = var.subnets["bastion"]
-    notification_endpoint     = ""
-    notification_protocol     = "EMAIL"
-    notification_topic        = "bastion"
+    availability_domains  = var.availability_domains["bastion"]
+    bastion_access        = var.bastion_access
+    bastion_image_id      = var.bastion_image_id
+    bastion_shape         = var.bastion_shape
+    bastion_upgrade       = var.bastion_package_upgrade
+    bastion_enabled       = var.bastion_enabled
+    netnum                = var.netnum["bastion"]
+    newbits               = var.newbits["bastion"]
+    notification_enabled  = var.bastion_notification_enabled
+    notification_endpoint = var.bastion_notification_endpoint
+    notification_protocol = var.bastion_notification_protocol
+    notification_topic    = var.bastion_notification_topic
+    ssh_private_key_path  = var.ssh_private_key_path
+    ssh_public_key_path   = var.ssh_public_key_path
+    timezone              = var.bastion_timezone
+    use_autonomous        = var.bastion_use_autonomous
+  }
+
+  oci_base_admin = {
+    availability_domains      = var.availability_domains["admin"]
+    admin_image_id            = "NONE"
+    admin_shape               = var.admin_shape
+    admin_upgrade             = var.admin_package_upgrade
+    admin_enabled             = var.admin_enabled
+    enable_instance_principal = var.admin_instance_principal
+    netnum                    = var.netnum["admin"]
+    newbits                   = var.newbits["admin"]
+    notification_enabled      = var.admin_notification_enabled
+    notification_endpoint     = var.admin_notification_endpoint
+    notification_protocol     = var.admin_notification_protocol
+    notification_topic        = var.admin_notification_topic
     ssh_private_key_path      = var.ssh_private_key_path
     ssh_public_key_path       = var.ssh_public_key_path
-    timezone                  = "Australia/Sydney"
-    use_autonomous            = false
+    timezone                  = var.admin_timezone
+    use_autonomous            = var.admin_use_autonomous
   }
 
   db_identity = {