List of cidr blocks for bastion access (#31)

* changed bastion access to list of cidr blocks, renamed control variables so downstream modules can distinguish between bastion host and bastion svc

* feat: changed bastion access to list of cidr blocks, renamed control variables so downstream modules can distinguish between bastion host and bastion svc

* updated Copyright

Author: hyder

.terraform.lock.hcl

@@ -10,6 +10,13 @@ The format is based on {uri-changelog}[Keep a Changelog].
 = Unreleased
 
 == New features
+* Renamed notification variables
+** create_bastion -> create_bastion_host
+** enable_notification -> create_bastion_notification
+** notification_endpoint -> bastion_notification_endpoint
+** notification_protocol -> bastion_notification_protocol
+** notification_topic -> bastion_notification_topic
+** Changed bastion access from a single CIDR to a list of CIDR blocks (#29)
 * Renamed variable bastion_upgrade --> upgrade_bastion
 * Renamed variable timezone --> bastion_timezone
 * AD lookup mechanism reimplemented to remove dependency on deprecated template_file data source

CHANGELOG.adoc

@@ -1,4 +1,4 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 #cloud-config

cloudinit/autonomous.template.yaml

@@ -1,4 +1,4 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 resource "oci_core_instance" "bastion" {
@@ -64,5 +64,5 @@ resource "oci_core_instance" "bastion" {
     create = "60m"
   }
 
-  count = var.create_bastion == true ? 1 : 0
+  count = var.create_bastion_host == true ? 1 : 0
 }

compute.tf

@@ -1,4 +1,4 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 data "oci_identity_availability_domain" "ad" {
@@ -48,7 +48,7 @@ data "cloudinit_config" "bastion" {
       }
     )
   }
-  count = var.create_bastion == true ? 1 : 0
+  count = var.create_bastion_host == true ? 1 : 0
 }
 
 # Gets a list of VNIC attachments on the bastion instance
@@ -58,26 +58,26 @@ data "oci_core_vnic_attachments" "bastion_vnics_attachments" {
   depends_on          = [oci_core_instance.bastion]
   instance_id         = oci_core_instance.bastion[0].id
 
-  count = var.create_bastion == true ? 1 : 0
+  count = var.create_bastion_host == true ? 1 : 0
 }
 
 # Gets the OCID of the first (default) VNIC on the bastion instance
 data "oci_core_vnic" "bastion_vnic" {
   depends_on = [oci_core_instance.bastion]
   vnic_id    = lookup(data.oci_core_vnic_attachments.bastion_vnics_attachments[0].vnic_attachments[0], "vnic_id")
 
-  count = var.create_bastion == true ? 1 : 0
+  count = var.create_bastion_host == true ? 1 : 0
 }
 
 data "oci_core_instance" "bastion" {
   depends_on  = [oci_core_instance.bastion]
   instance_id = oci_core_instance.bastion[0].id
 
-  count = var.create_bastion == true ? 1 : 0
+  count = var.create_bastion_host == true ? 1 : 0
 }
 
 data "oci_ons_notification_topic" "bastion_notification" {
   topic_id = oci_ons_notification_topic.bastion_notification[0].topic_id
 
-  count = (var.create_bastion == true && var.enable_notification == true) ? 1 : 0
+  count = (var.create_bastion_host == true && var.create_bastion_notification == true) ? 1 : 0
 }

datasources.tf

@@ -93,9 +93,9 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |1
 
 |`bastion_access`
-|CIDR block in the form of a string to which ssh access to the bastion must be restricted to. *_ANYWHERE_* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere.
-|ANYWHERE or a cidr block such as XXX.XXX.XXX.XXX/YY
-|ANYWHERE
+|A list of CIDR blocks to which ssh access to the bastion must be restricted to. *anywhere* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere. Updatable.
+|["anywhere"] or a list of cidr block such as [XXX.XXX.XXX.XXX/YY]
+|["anywhere"]
 
 |`ig_route_id`
 |the route id to the internet gateway of the VCN 
@@ -128,8 +128,8 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |Values
 |Default
 
-|`create_bastion`
-|whether to create the bastion
+|`create_bastion_host`
+|whether to create the bastion host
 | true/false
 |true
 
@@ -200,22 +200,22 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |Values
 |Default
 
-|`enable_notification`
+|`create_bastion_notification`
 |Whether to enable ONS notification for the bastion host.
 |true/false
 |false
 
-|`notification_endpoint`
+|`bastion_notification_endpoint`
 |The subscription notification endpoint. Email address to be notified. *Required if enable_notification = true* ..
 |
 |Autonomous
 
-|`notification_protocol`
+|`bastion_notification_protocol`
 |The notification protocol used.
 |
 |EMAIL
 
-|`notification_topic`
+|`bastion_notification_topic`
 |The name of the notification topic.
 |
 |bastion
@@ -237,7 +237,7 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 [source]
 ----
 tags = {
-    department  = "finance"
+    access      = "public"
     environment = "dev"
     role        = "bastion"
 }

docs/terraformoptions.adoc

@@ -1,30 +1,30 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 # Protocols are specified as protocol numbers.
 # https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
 
 locals {
-  all_protocols       = "all"
-  
-  anywhere            = "0.0.0.0/0"
-  
+  all_protocols = "all"
+
+  anywhere = "0.0.0.0/0"
+
   autonomous_template = "${path.module}/cloudinit/autonomous.template.yaml"
-  
-  bastion_image_id    = var.bastion_image_id == "Autonomous" ? data.oci_core_images.autonomous_images.images.0.id : var.bastion_image_id
-  
+
+  bastion_image_id = var.bastion_image_id == "Autonomous" ? data.oci_core_images.autonomous_images.images.0.id : var.bastion_image_id
+
   notification_template = base64gzip(
     templatefile("${path.module}/scripts/notification.template.sh",
       {
-        enable_notification = var.enable_notification,
-        topic_id            = var.enable_notification == true ? oci_ons_notification_topic.bastion_notification[0].topic_id : "null"
+        create_bastion_notification = var.create_bastion_notification,
+        topic_id                    = var.create_bastion_notification == true ? oci_ons_notification_topic.bastion_notification[0].topic_id : "null"
       }
     )
   )
-  
-  ssh_port     = 22
-  
+
+  ssh_port = 22
+
   tcp_protocol = 6
-  
-  vcn_cidr     = data.oci_core_vcn.vcn.cidr_block
+
+  vcn_cidr = data.oci_core_vcn.vcn.cidr_block
 }

locals.tf

@@ -1,4 +1,4 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 provider "oci" {
@@ -12,18 +12,18 @@ provider "oci" {
 
 resource "oci_ons_notification_topic" "bastion_notification" {
   compartment_id = var.compartment_id
-  name           = var.label_prefix == "none" ? var.notification_topic : "${var.label_prefix}-${var.notification_topic}"
+  name           = var.label_prefix == "none" ? var.bastion_notification_topic : "${var.label_prefix}-${var.bastion_notification_topic}"
 
-  count = (var.create_bastion == true && var.enable_notification == true) ? 1 : 0
+  count = (var.create_bastion_host == true && var.create_bastion_notification == true) ? 1 : 0
 }
 
 resource "oci_ons_subscription" "bastion_notification" {
   compartment_id = var.compartment_id
-  endpoint       = var.notification_endpoint
-  protocol       = var.notification_protocol
+  endpoint       = var.bastion_notification_endpoint
+  protocol       = var.bastion_notification_protocol
   topic_id       = oci_ons_notification_topic.bastion_notification[0].topic_id
 
-  count = (var.create_bastion == true && var.enable_notification == true) ? 1 : 0
+  count = (var.create_bastion_host == true && var.create_bastion_notification == true) ? 1 : 0
 }
 
 resource "oci_identity_dynamic_group" "bastion_notification" {
@@ -35,7 +35,7 @@ resource "oci_identity_dynamic_group" "bastion_notification" {
   matching_rule  = "ALL {instance.id = '${join(",", data.oci_core_instance.bastion.*.id)}'}"
   name           = var.label_prefix == "none" ? "bastion-notification" : "${var.label_prefix}-bastion-notification"
 
-  count = (var.create_bastion == true && var.enable_notification == true) ? 1 : 0
+  count = (var.create_bastion_host == true && var.create_bastion_notification == true) ? 1 : 0
 }
 
 resource "oci_identity_policy" "bastion_notification" {
@@ -47,5 +47,5 @@ resource "oci_identity_policy" "bastion_notification" {
   name           = var.label_prefix == "none" ? "bastion-notification" : "${var.label_prefix}-bastion-notification"
   statements     = ["Allow dynamic-group ${oci_identity_dynamic_group.bastion_notification[0].name} to use ons-topic in compartment id ${var.compartment_id} where request.permission='ONS_TOPIC_PUBLISH'"]
 
-  count = (var.create_bastion == true && var.enable_notification == true) ? 1 : 0
+  count = (var.create_bastion_host == true && var.create_bastion_notification == true) ? 1 : 0
 }

ons.tf

@@ -1,4 +1,4 @@
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 output "bastion_public_ip" {

outputs.tf

@@ -1,9 +1,9 @@
 #!/bin/bash
 
-# Copyright 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright 2019, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
-if [ ${enable_notification} ]; then
+if [ ${create_bastion_notification} ]; then
   sudo al-config -T ${topic_id}
 else
   echo 'ONS notification not enabled'