diff --git a/main.tf b/main.tf index a6fb6f1..9ebdcdf 100644 --- a/main.tf +++ b/main.tf @@ -57,7 +57,7 @@ module "drg" { count = var.create_drg || var.drg_id != null ? 1 : 0 } -# additional networking for oke +# additional networking for subnets module "network" { source = "./modules/network" @@ -65,7 +65,7 @@ module "network" { compartment_id = var.compartment_id label_prefix = var.label_prefix - # oke networking parameters + # networking parameters ig_route_id = local.ig_route_id nat_route_id = local.nat_route_id subnets = var.subnets @@ -73,10 +73,10 @@ module "network" { # control plane endpoint parameters - control_plane_type = var.control_plane_type + control_plane_type = var.control_plane_type # worker network parameters - worker_type = var.worker_type + worker_type = var.worker_type # oke load balancer network parameters load_balancers = var.load_balancers @@ -85,3 +85,36 @@ module "network" { module.vcn ] } + +# nsgs for antrea cni +module "antrea" { + source = "./modules/antrea" + + # general oci parameters + compartment_id = var.compartment_id + label_prefix = var.label_prefix + + # networking parameters + subnets = var.subnets + vcn_id = local.vcn_id + + # control plane endpoint parameters + control_plane_type = "public" + control_plane_allowed_cidrs = ["0.0.0.0/0"] + + # worker network parameters + allow_node_port_access = false + allow_worker_internet_access = true + allow_worker_ssh_access = var.allow_worker_ssh_access + worker_type = var.worker_type + + # load balancer network parameters + load_balancers = var.load_balancers + + public_lb_allowed_cidrs = var.public_lb_allowed_cidrs + public_lb_allowed_ports = var.public_lb_allowed_ports + + depends_on = [ + module.network + ] +} diff --git a/modules/antrea/datasources.tf b/modules/antrea/datasources.tf new file mode 100644 index 0000000..6ebc9a1 --- /dev/null +++ b/modules/antrea/datasources.tf 
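Review bot: The new `module "antrea"` call pins `control_plane_type = "public"` and `control_plane_allowed_cidrs = ["0.0.0.0/0"]` while the `module "network"` call just above takes `var.control_plane_type` from the root; in `modules/antrea/nsgs.tf` every entry of that CIDR list becomes an ingress rule on 6443 to the control-plane NSG, so each deployment gets a world-reachable API port on that NSG even when the rest of the stack is configured private. Wire it like the network module, `control_plane_type = var.control_plane_type`, and take the CIDR list from a root variable with a restrictive default, `control_plane_allowed_cidrs = var.control_plane_allowed_cidrs` (no such root variable is added elsewhere in this diff, so it needs to be declared alongside `public_lb_allowed_cidrs`). The hard-coded `allow_worker_internet_access = true` could be surfaced the same way `allow_worker_ssh_access` already is.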
@@ -0,0 +1,24 @@
+# Copyright (c) 2022 Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+data "oci_core_services" "all_oci_services" {
+ filter {
+ name = "name"
+ values = ["All .* Services In Oracle Services Network"]
+ regex = true
+ }
+}
+
+data "oci_core_subnets" "subnets" {
+ compartment_id = var.compartment_id
+ vcn_id = var.vcn_id
+
+ filter {
+ name = "state"
+ values = ["AVAILABLE"]
+ }
+}
+
+data "oci_core_vcn" "vcn" {
+ vcn_id = var.vcn_id
+}
diff --git a/modules/antrea/locals.tf b/modules/antrea/locals.tf
new file mode 100644
index 0000000..498b159
--- /dev/null
+++ b/modules/antrea/locals.tf
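Review bot: `data "oci_core_subnets" "subnets"` is not referenced by the other `modules/antrea` files in this diff (locals.tf and nsgs.tf read only `data.oci_core_vcn.vcn` and `data.oci_core_services.all_oci_services`), so it adds an API read on every plan with no effect; drop it or add a comment saying what it is reserved for. `local.osn` in locals.tf indexes `services[0]` of `all_oci_services`, so if the `"All .* Services In Oracle Services Network"` regex matches nothing the failure is an invalid-index error rather than a message naming the cause; a comment on the data source, `# must match exactly one service; locals.tf takes services[0]`, at least documents the assumption.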
@@ -0,0 +1,287 @@ +# Copyright (c) 2022 Oracle Corporation and/or affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +locals { + + # first vcn cidr + # pick the first cidr block in the list as this is where we will create the oke subnets + vcn_cidr = element(data.oci_core_vcn.vcn.cidr_blocks, 0) + + # subnet cidrs - used by subnets + bastion-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["bastion"], "newbits"), lookup(var.subnets["bastion"], "netnum")) + + operator-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["operator"], "newbits"), lookup(var.subnets["operator"], "netnum")) + + cp-endpoint-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["cp-endpoint"], "newbits"), lookup(var.subnets["cp-endpoint"], "netnum")) + + cp-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["cp"], "newbits"), lookup(var.subnets["cp"], "netnum")) + + service-lb-int-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["service-lb-int"], "newbits"), lookup(var.subnets["service-lb-int"], "netnum")) + + service-lb-pub-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["service-lb-pub"], "newbits"), lookup(var.subnets["service-lb-pub"], "netnum")) + + workers-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["workers"], "newbits"), lookup(var.subnets["workers"], "netnum")) + + anywhere = "0.0.0.0/0" + + # port numbers + ssh_port = 22 + + # protocols + # # special OCI value for all protocols + all_protocols = "all" + + # # IANA protocol numbers + icmp_protocol = 1 + + tcp_protocol = 6 + + udp_protocol = 17 + + # oracle services network + osn = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") + + # port numbers + health_check_port = 10256 + node_port_min = 30000 + node_port_max = 32767 + + # if port = -1, allow all ports + + # control plane + cp_egress = [ + { + description = "Allow Kubernetes control plane to anywhere", + destination = local.anywhere, + 
destination_type = "CIDR_BLOCK", + protocol = local.all_protocols, + port = -1, + stateless = false + }, + { + description = "Allow control nodes to communicate with OCI services", + destination = local.osn, + destination_type = "SERVICE_CIDR_BLOCK", + protocol = local.tcp_protocol, + port = -1, + stateless = false + } + ] + + cp_ingress = [ + { + description = "Allow control plane API endpoint to control plane nodes" + protocol = local.tcp_protocol, + port = 6443, + source = local.cp-endpoint-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow control plane to control plane nodes (api server port)" + protocol = local.tcp_protocol, + port = 6443, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow worker nodes to control plane nodes (api server port)" + protocol = local.tcp_protocol, + port = 6443, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow control plane to control plane kubelet communication" + protocol = local.tcp_protocol, + port = 10250, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow etcd client communication" + protocol = local.tcp_protocol, + port = 2379, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow etcd peer communication" + protocol = local.tcp_protocol, + port = 2380, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Antrea service communication from control plane" + protocol = local.tcp_protocol, + port = 10349, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Antrea service communication from workers" + protocol = local.tcp_protocol, + port = 10349, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { 
+ description = "Allow Geneve service communication from control plane" + protocol = local.udp_protocol, + port = 6081, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Geneve service communication from workers" + protocol = local.udp_protocol, + port = 6081, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Path discovery" + protocol = local.icmp_protocol, + port = -1, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow SSH Traffic to Control Plane nodes " + protocol = local.tcp_protocol, + port = -1, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + } + ] + + # workers + workers_egress = [ + { + description = "Allow all egress traffic from workers", + destination = local.anywhere + destination_type = "CIDR_BLOCK", + protocol = local.all_protocols, + port = -1, + stateless = false + }, + ] + + workers_ingress = [ + { + description = "Allow incoming traffic from service load balancers (NodePort Communication)", + protocol = local.tcp_protocol, + port = 32000 - 32767, + source = local.service-lb-int-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow incoming traffic from service load balancers (NodePort Communication)", + protocol = local.tcp_protocol, + port = 32000 - 32767, + source = local.service-lb-pub-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow control plane to worker node (Kubelet Communication)", + protocol = local.tcp_protocol, + port = 10250, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow worker to worker node (Kubelet Communication)", + protocol = local.tcp_protocol, + port = 10250, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow 
Antrea Service communication from control plane" + protocol = local.tcp_protocol, + port = 10349, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Antrea Service communication from workers" + protocol = local.tcp_protocol, + port = 10349, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Geneve Service communication from control plane" + protocol = local.udp_protocol, + port = 6081, + source = local.cp-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Geneve Service communication from workers" + protocol = local.udp_protocol, + port = 6081, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow Path discovery" + protocol = local.icmp_protocol, + port = -1, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + }, + { + description = "Allow SSH Traffic to worker nodes " + protocol = local.tcp_protocol, + port = 22, + source = local.workers-subnet, + source_type = "CIDR_BLOCK", + stateless = false + } + ] + + pub_lb_egress = [ + { + description = "Allow stateful egress to workers. Required for NodePorts", + destination = local.workers-subnet, + destination_type = "CIDR_BLOCK", + protocol = local.tcp_protocol, + port = "30000-32767", + stateless = false + }, + { + description = "Allow ICMP traffic for path discovery to worker nodes", + destination = local.workers-subnet, + destination_type = "CIDR_BLOCK", + protocol = local.icmp_protocol, + port = -1, + stateless = false + }, + ] + + public_lb_allowed_cidrs = var.public_lb_allowed_cidrs + public_lb_allowed_cidrs_and_ports = setproduct(local.public_lb_allowed_cidrs, var.public_lb_allowed_ports) + +} diff --git a/modules/antrea/nsgs.tf b/modules/antrea/nsgs.tf new file mode 100644 index 0000000..5f82e29 --- /dev/null +++ b/modules/antrea/nsgs.tf 
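Review bot: In `workers_ingress` the two NodePort entries set `port = 32000 - 32767,`, which HCL evaluates as arithmetic to `-767`; nsgs.tf then copies that value into `min`/`max` of `destination_port_range` (its `port != -1` guard does not catch it), so the rules for the two service-lb subnets fail at apply time or, if accepted, match nothing. The `pub_lb_egress` entry further down already uses the string form `port = "30000-32767"` that nsgs.tf splits on `-`; use the same form with the existing constants, `port = "${local.node_port_min}-${local.node_port_max}",`, and add the same range parsing to the `workers_ingress` resource. The last `cp_ingress` entry, "Allow SSH Traffic to Control Plane nodes", uses `port = -1` with TCP, which is every TCP port from `cp-subnet` rather than SSH; `port = local.ssh_port,` matches the description. The "control plane to control plane kubelet communication" entry sources from `local.workers-subnet`, which contradicts its description.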
@@ -0,0 +1,326 @@ +# Copyright (c) 2022 Oracle Corporation and/or affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +# control plane nsg and rules +resource "oci_core_network_security_group" "cp" { + compartment_id = var.compartment_id + display_name = var.label_prefix == "none" ? "control-plane" : "${var.label_prefix}-control-plane" + vcn_id = var.vcn_id +} + +resource "oci_core_network_security_group_security_rule" "cp_egress" { + network_security_group_id = oci_core_network_security_group.cp.id + description = local.cp_egress[count.index].description + destination = local.cp_egress[count.index].destination + destination_type = local.cp_egress[count.index].destination_type + direction = "EGRESS" + protocol = local.cp_egress[count.index].protocol + + stateless = false + + dynamic "tcp_options" { + for_each = local.cp_egress[count.index].protocol == local.tcp_protocol && local.cp_egress[count.index].port != -1 ? [1] : [] + content { + destination_port_range { + min = local.cp_egress[count.index].port + max = local.cp_egress[count.index].port + } + } + } + + dynamic "icmp_options" { + for_each = local.cp_egress[count.index].protocol == local.icmp_protocol ? [1] : [] + content { + type = 3 + code = 4 + } + } + + count = length(local.cp_egress) +} + +resource "oci_core_network_security_group_security_rule" "cp_ingress" { + network_security_group_id = oci_core_network_security_group.cp.id + description = local.cp_ingress[count.index].description + direction = "INGRESS" + protocol = local.cp_ingress[count.index].protocol + source = local.cp_ingress[count.index].source + source_type = local.cp_ingress[count.index].source_type + + stateless = false + + dynamic "tcp_options" { + for_each = local.cp_ingress[count.index].protocol == local.tcp_protocol ? 
[1] : [] + content { + destination_port_range { + min = local.cp_ingress[count.index].port + max = local.cp_ingress[count.index].port + } + } + } + + dynamic "icmp_options" { + for_each = local.cp_ingress[count.index].protocol == local.icmp_protocol ? [1] : [] + content { + type = 3 + code = 4 + } + } + + count = length(local.cp_ingress) + +} + +resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_cidrs" { + network_security_group_id = oci_core_network_security_group.cp.id + description = "Allow additional CIDR block access to control plane. Required for kubectl/helm." + direction = "INGRESS" + protocol = local.tcp_protocol + source = element(var.control_plane_allowed_cidrs, count.index) + source_type = "CIDR_BLOCK" + + stateless = false + + tcp_options { + destination_port_range { + min = 6443 + max = 6443 + } + } + + icmp_options { + type = 3 + code = 4 + } + + count = length(var.control_plane_allowed_cidrs) + +} + +# workers nsg and rules +resource "oci_core_network_security_group" "workers" { + compartment_id = var.compartment_id + display_name = var.label_prefix == "none" ? "workers" : "${var.label_prefix}-workers" + vcn_id = var.vcn_id +} + +resource "oci_core_network_security_group_security_rule" "workers_egress" { + network_security_group_id = oci_core_network_security_group.workers.id + description = local.workers_egress[count.index].description + destination = local.workers_egress[count.index].destination + destination_type = local.workers_egress[count.index].destination_type + direction = "EGRESS" + protocol = local.workers_egress[count.index].protocol + + stateless = false + + dynamic "tcp_options" { + for_each = local.workers_egress[count.index].protocol == local.tcp_protocol && local.workers_egress[count.index].port != -1 ? 
[1] : [] + content { + destination_port_range { + min = local.workers_egress[count.index].port + max = local.workers_egress[count.index].port + } + } + } + + dynamic "icmp_options" { + for_each = local.workers_egress[count.index].protocol == local.icmp_protocol ? [1] : [] + content { + type = 3 + code = 4 + } + } + + count = length(local.workers_egress) +} + +# add this rule separately so it can be controlled independently +resource "oci_core_network_security_group_security_rule" "workers_egress_internet" { + network_security_group_id = oci_core_network_security_group.workers.id + description = "Allow worker nodes access to Internet. Required for getting container images or using external services" + destination = local.anywhere + destination_type = "CIDR_BLOCK" + direction = "EGRESS" + protocol = local.tcp_protocol + + stateless = false + + count = var.allow_worker_internet_access == true ? 1 : 0 + +} + +resource "oci_core_network_security_group_security_rule" "workers_ingress" { + network_security_group_id = oci_core_network_security_group.workers.id + description = local.workers_ingress[count.index].description + direction = "INGRESS" + protocol = local.workers_ingress[count.index].protocol + source = local.workers_ingress[count.index].source + source_type = local.workers_ingress[count.index].source_type + + stateless = false + + dynamic "tcp_options" { + for_each = local.workers_ingress[count.index].protocol == local.tcp_protocol && local.workers_ingress[count.index].port != -1 ? [1] : [] + content { + destination_port_range { + min = local.workers_ingress[count.index].port + max = local.workers_ingress[count.index].port + } + } + } + + dynamic "icmp_options" { + for_each = local.workers_ingress[count.index].protocol == local.icmp_protocol ? 
[1] : [] + content { + type = 3 + code = 4 + } + } + + count = length(local.workers_ingress) + +} + +resource "oci_core_network_security_group_security_rule" "workers_ingress_from_pub_lb" { + network_security_group_id = oci_core_network_security_group.workers.id + description = "Allow public load balancers traffic to workers" + direction = "INGRESS" + protocol = local.tcp_protocol + source = local.service-lb-pub-subnet + source_type = "CIDR_BLOCK" + + stateless = false + + tcp_options { + destination_port_range { + min = local.node_port_min + max = local.node_port_max + } + } + + count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0 + +} + +resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_pub_lb" { + network_security_group_id = oci_core_network_security_group.workers.id + description = "Allow public load balancers health check to workers" + direction = "INGRESS" + protocol = local.tcp_protocol + source = local.service-lb-pub-subnet + source_type = "CIDR_BLOCK" + + stateless = false + + tcp_options { + destination_port_range { + min = local.health_check_port + max = local.health_check_port + } + } + + count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0 + +} + +resource "oci_core_network_security_group_security_rule" "workers_ssh_ingress_from_bastion" { + network_security_group_id = oci_core_network_security_group.workers.id + description = "Allow ssh access to workers via Bastion host" + direction = "INGRESS" + protocol = local.tcp_protocol + source = local.bastion-subnet + source_type = "CIDR_BLOCK" + + stateless = false + + tcp_options { + destination_port_range { + min = local.ssh_port + max = local.ssh_port + } + } + + count = var.allow_worker_ssh_access == true ? 1 : 0 + +} + +# public lb nsg and rules +resource "oci_core_network_security_group" "pub_lb" { + compartment_id = var.compartment_id + display_name = var.label_prefix == "none" ? 
"pub-lb" : "${var.label_prefix}-pub-lb" + vcn_id = var.vcn_id + + count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0 +} + +resource "oci_core_network_security_group_security_rule" "pub_lb_egress" { + network_security_group_id = oci_core_network_security_group.pub_lb[0].id + description = local.pub_lb_egress[count.index].description + destination = local.pub_lb_egress[count.index].destination + destination_type = local.pub_lb_egress[count.index].destination_type + direction = "EGRESS" + protocol = local.pub_lb_egress[count.index].protocol + + stateless = false + + dynamic "tcp_options" { + for_each = local.pub_lb_egress[count.index].protocol == local.tcp_protocol && local.pub_lb_egress[count.index].port != -1 ? [1] : [] + content { + destination_port_range { + min = length(regexall("-", local.pub_lb_egress[count.index].port)) > 0 ? tonumber(element(split("-", local.pub_lb_egress[count.index].port), 0)) : local.pub_lb_egress[count.index].port + max = length(regexall("-", local.pub_lb_egress[count.index].port)) > 0 ? tonumber(element(split("-", local.pub_lb_egress[count.index].port), 1)) : local.pub_lb_egress[count.index].port + } + } + } + + dynamic "icmp_options" { + for_each = local.pub_lb_egress[count.index].protocol == local.icmp_protocol ? [1] : [] + content { + type = 3 + code = 4 + } + } + + count = var.load_balancers == "public" || var.load_balancers == "both" ? 
length(local.pub_lb_egress) : 0 +} + +resource "oci_core_network_security_group_security_rule" "pub_lb_egress_health_check_to_workers" { + network_security_group_id = oci_core_network_security_group.pub_lb[0].id + description = "Allow public load balancer health checks to workers" + destination = local.workers-subnet + destination_type = "CIDR_BLOCK" + direction = "EGRESS" + protocol = local.tcp_protocol + + stateless = false + + tcp_options { + destination_port_range { + min = local.health_check_port + max = local.health_check_port + } + } + + count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0 +} + +resource "oci_core_network_security_group_security_rule" "pub_lb_ingress" { + network_security_group_id = oci_core_network_security_group.pub_lb[0].id + description = "Allow stateful ingress from ${element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 0)} on port ${element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)}" + direction = "INGRESS" + protocol = local.tcp_protocol + source = element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 0) + source_type = "CIDR_BLOCK" + + stateless = false + + tcp_options { + destination_port_range { + min = length(regexall("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)), 0) : element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1) + max = length(regexall("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1)), 1) : element(element(local.public_lb_allowed_cidrs_and_ports, count.index), 1) + } + } + + count = var.load_balancers == "public" || var.load_balancers == "both" ? length(local.public_lb_allowed_cidrs_and_ports) : 0 +} 
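Review bot: `cp_ingress_additional_cidrs` opens 6443 on the control-plane NSG to every entry of `var.control_plane_allowed_cidrs` unconditionally; `var.control_plane_type` is declared by this module but, as far as this diff shows, never read, so a private control plane still receives these rules (and main.tf currently passes `["0.0.0.0/0"]`). Gate the count on the endpoint type, `count = var.control_plane_type == "public" ? length(var.control_plane_allowed_cidrs) : 0`. That resource also sets a static `icmp_options` block on a TCP rule, which the provider is likely to reject, and `cp_ingress` lacks the `port != -1` guard that `cp_egress` and `workers_ingress` carry, so a `-1` port there yields `min = max = -1`. Separately, `workers_egress_internet` and its `allow_worker_internet_access` toggle have no effect while the first `local.workers_egress` entry already allows all protocols to `0.0.0.0/0`; if the toggle is meant to be real, that entry has to go.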
diff --git a/modules/antrea/variables.tf b/modules/antrea/variables.tf
new file mode 100644
index 0000000..683d036
--- /dev/null
+++ b/modules/antrea/variables.tf
@@ -0,0 +1,53 @@
+# Copyright (c) 2022 Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+# general oci parameters
+variable "compartment_id" {}
+
+variable "label_prefix" {}
+
+# networking parameters
+variable "subnets" {
+ type = map(any)
+}
+
+variable "vcn_id" {}
+
+# cluster endpoint
+variable "control_plane_type" {
+ type = string
+}
+
+variable "control_plane_allowed_cidrs" {
+ type = list(string)
+}
+
+# workers
+
+variable "allow_node_port_access" {
+ type = bool
+}
+
+variable "allow_worker_internet_access" {
+ type = bool
+}
+
+variable "allow_worker_ssh_access" {
+ type = bool
+}
+
+variable "worker_type" {}
+
+# load balancers
+variable "load_balancers" {
+ type = string
+}
+
+# public load balancers
+variable "public_lb_allowed_cidrs" {
+ type = list(any)
+}
+
+variable "public_lb_allowed_ports" {
+ type = list(any)
+}
diff --git a/modules/antrea/versions.tf b/modules/antrea/versions.tf
new file mode 100644
index 0000000..b69cd72
--- /dev/null
+++ b/modules/antrea/versions.tf
@@ -0,0 +1,13 @@
+# Copyright (c) 2022 Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+terraform {
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ # pass oci home region provider explicitly for identity operations
+ version = ">= 4.67.3"
+ }
+ }
+ required_version = ">= 1.0.0"
+}
\ No newline at end of file
diff --git a/modules/network/locals.tf b/modules/network/locals.tf
index d470e7f..c4b7221 100644
--- a/modules/network/locals.tf
+++ b/modules/network/locals.tf
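Review bot: None of the module's variables carry a `description`, and `compartment_id`, `label_prefix`, `vcn_id` and `worker_type` have no `type`, so a wrong value surfaces only when the OCI provider rejects it. Several inputs are declared but, within this diff, not read by locals.tf or nsgs.tf: `control_plane_type`, `worker_type` and `allow_node_port_access`; either use them to gate the corresponding rules or remove them so the interface does not promise behaviour it does not have. `public_lb_allowed_cidrs` is `list(any)` here but `list(string)` at the root (variables.tf hunk `@@ -238,6`); aligning the types and repeating the non-empty validation here keeps the module usable on its own.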
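Review bot: The comment `# pass oci home region provider explicitly for identity operations` sits above `version = ">= 4.67.3"` but describes provider aliasing, not a version constraint, and nothing in this module declares a home-region provider, so it reads as a copy-paste from another versions.tf; replace it with a comment giving the actual reason for the `4.67.3` floor, or drop it. The file also ends without a trailing newline.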
@@ -8,17 +8,19 @@ locals { vcn_cidr = element(data.oci_core_vcn.vcn.cidr_blocks, 0) # subnet cidrs - used by subnets - bastion_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["bastion"], "newbits"), lookup(var.subnets["bastion"], "netnum")) + bastion-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["bastion"], "newbits"), lookup(var.subnets["bastion"], "netnum")) - cp_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["cp"], "newbits"), lookup(var.subnets["cp"], "netnum")) + operator-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["operator"], "newbits"), lookup(var.subnets["operator"], "netnum")) - int_lb_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["int_lb"], "newbits"), lookup(var.subnets["int_lb"], "netnum")) + cp-endpoint-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["cp-endpoint"], "newbits"), lookup(var.subnets["cp-endpoint"], "netnum")) - operator_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["operator"], "newbits"), lookup(var.subnets["operator"], "netnum")) + cp-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["cp"], "newbits"), lookup(var.subnets["cp"], "netnum")) - pub_lb_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["pub_lb"], "newbits"), lookup(var.subnets["pub_lb"], "netnum")) + service-lb-int-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["service-lb-int"], "newbits"), lookup(var.subnets["service-lb-int"], "netnum")) - workers_subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["workers"], "newbits"), lookup(var.subnets["workers"], "netnum")) + service-lb-pub-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["service-lb-pub"], "newbits"), lookup(var.subnets["service-lb-pub"], "netnum")) + + workers-subnet = cidrsubnet(local.vcn_cidr, lookup(var.subnets["workers"], "newbits"), lookup(var.subnets["workers"], "netnum")) anywhere = "0.0.0.0/0" diff --git a/modules/network/outputs.tf b/modules/network/outputs.tf index e96d6b0..b7d9516 100644 
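Review bot: The renamed lookups read `var.subnets["operator"]`, `var.subnets["cp-endpoint"]`, `var.subnets["service-lb-int"]` and `var.subnets["service-lb-pub"]` unconditionally, so a caller whose tfvars still use the old `int_lb`/`pub_lb` keys fails at plan time with an invalid-index error instead of a message naming the missing key; the root `subnets` variable (variables.tf hunk `@@ -186,12`) only changes its default and adds no validation. A `validation` block on that variable, `condition = alltrue([for k in ["bastion", "operator", "cp-endpoint", "cp", "service-lb-int", "service-lb-pub", "workers"] : contains(keys(var.subnets), k)])`, gives a clear error. The hyphenated local names (`cp-subnet`, `workers-subnet`) are valid HCL but diverge from the snake_case of every other local here (`vcn_cidr`, `anywhere`). The `locals` block begins before this hunk and continues after it.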
--- a/modules/network/outputs.tf +++ b/modules/network/outputs.tf @@ -3,9 +3,10 @@ output "subnet_ids" { value = { - "cp" = join(",", oci_core_subnet.cp[*].id) - "workers" = join(",", oci_core_subnet.workers[*].id) - "int_lb" = join(",", oci_core_subnet.int_lb[*].id) - "pub_lb" = join(",", oci_core_subnet.pub_lb[*].id) + "cp" = join(",", oci_core_subnet.cp[*].id) + "cp-endpoint" = join(",", oci_core_subnet.cp-endpoint[*].id) + "workers" = join(",", oci_core_subnet.workers[*].id) + "service-lb-int-subnet" = join(",", oci_core_subnet.service-lb-int-subnet[*].id) + "service-lb-pub-subnet" = join(",", oci_core_subnet.service-lb-pub-subnet[*].id) } } diff --git a/modules/network/seclist.tf b/modules/network/seclist.tf index 893e7ba..d7fdbad 100644 --- a/modules/network/seclist.tf +++ b/modules/network/seclist.tf @@ -1,14 +1,14 @@ # Copyright (c) 2022 Oracle Corporation and/or affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -resource "oci_core_security_list" "control_plane_seclist" { +resource "oci_core_security_list" "cp-endpoint" { compartment_id = var.compartment_id - display_name = var.label_prefix == "none" ? "control-plane" : "${var.label_prefix}-control-plane" + display_name = var.label_prefix == "none" ? "cp-endpoint" : "${var.label_prefix}-cp-endpoint" vcn_id = var.vcn_id egress_security_rules { - description = "Allow Bastion service to communicate to the control plane endpoint. Required for when using OCI Bastion service." - destination = local.cp_subnet + description = "Allow egress to anywhere." + destination = local.anywhere destination_type = "CIDR_BLOCK" protocol = local.tcp_protocol stateless = false 
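Review bot: Both rules of the renamed `cp-endpoint` security list now use `local.anywhere`; the ingress rule in the following `@@ -20,9` hunk admits TCP from `0.0.0.0/0` into the control-plane-endpoint subnet regardless of `var.control_plane_type`, and a security list applies to every VNIC in the subnet in addition to any NSG, so the NSG allow-list in `modules/antrea` cannot narrow it back down. The previous rule was scoped to `local.cp_subnet` for the Bastion service; gate the new one on the endpoint type, `source = var.control_plane_type == "public" ? local.anywhere : local.vcn_cidr` (both names exist in this module), and state the intent in the description instead of "Allow ingress from anywhere.". The rules' `tcp_options` port ranges lie between the two hunks and are not visible here.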
@@ -20,9 +20,9 @@ resource "oci_core_security_list" "control_plane_seclist" { } ingress_security_rules { - description = "Allow Bastion service to communicate to the control plane endpoint. Required for when using OCI Bastion service." + description = "Allow ingress from anywhere." protocol = local.tcp_protocol - source = local.cp_subnet + source = local.anywhere source_type = "CIDR_BLOCK" stateless = false diff --git a/modules/network/subnets.tf b/modules/network/subnets.tf index 2002d33..403ab98 100644 --- a/modules/network/subnets.tf +++ b/modules/network/subnets.tf @@ -2,18 +2,28 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl resource "oci_core_subnet" "cp" { - cidr_block = local.cp_subnet + cidr_block = local.cp-subnet compartment_id = var.compartment_id display_name = var.label_prefix == "none" ? "control-plane" : "${var.label_prefix}-control-plane" dns_label = "cp" prohibit_public_ip_on_vnic = var.control_plane_type == "private" ? true : false route_table_id = var.control_plane_type == "private" ? var.nat_route_id : var.ig_route_id - security_list_ids = [oci_core_security_list.control_plane_seclist.id] + vcn_id = var.vcn_id +} + +resource "oci_core_subnet" "cp-endpoint" { + cidr_block = local.cp-endpoint-subnet + compartment_id = var.compartment_id + display_name = var.label_prefix == "none" ? "control-plane-endpoint" : "${var.label_prefix}-control-plane-endpoint" + dns_label = "cpendpoint" + prohibit_public_ip_on_vnic = var.control_plane_type == "private" ? true : false + route_table_id = var.control_plane_type == "private" ? var.nat_route_id : var.ig_route_id + security_list_ids = [oci_core_security_list.cp-endpoint.id] vcn_id = var.vcn_id } resource "oci_core_subnet" "workers" { - cidr_block = local.workers_subnet + cidr_block = local.workers-subnet compartment_id = var.compartment_id display_name = var.label_prefix == "none" ? "workers" : "${var.label_prefix}-workers" dns_label = "workers" 
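Review bot: `oci_core_subnet.cp` loses its `security_list_ids` line while the new `cp-endpoint` subnet takes the security list, so the `cp` subnet falls back to the VCN's default security list, whose rules are not part of this diff. If that is intended because the control-plane node traffic is governed by the NSGs in `modules/antrea`, a comment on the resource saying so, `# no security list: control-plane node traffic is governed by the NSGs in modules/antrea`, stops the next reader from treating the missing line as an omission; if it is not intended, the subnet needs an explicit list. The `cp-endpoint` subnet repeats the `prohibit_public_ip_on_vnic`/`route_table_id` conditionals of `cp` verbatim, which is fine but worth a one-line comment tying both to `var.control_plane_type`.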
@@ -22,10 +32,10 @@ resource "oci_core_subnet" "workers" { vcn_id = var.vcn_id } -resource "oci_core_subnet" "int_lb" { - cidr_block = local.int_lb_subnet +resource "oci_core_subnet" "service-lb-int-subnet" { + cidr_block = local.service-lb-int-subnet compartment_id = var.compartment_id - display_name = var.label_prefix == "none" ? "int-lb" : "${var.label_prefix}-int-lb" + display_name = var.label_prefix == "none" ? "svc-lb-int" : "${var.label_prefix}-svc-lb-int" dns_label = "intlb" prohibit_public_ip_on_vnic = true route_table_id = var.nat_route_id @@ -34,10 +44,10 @@ resource "oci_core_subnet" "int_lb" { count = var.load_balancers == "internal" || var.load_balancers == "both" ? 1 : 0 } -resource "oci_core_subnet" "pub_lb" { - cidr_block = local.pub_lb_subnet +resource "oci_core_subnet" "service-lb-pub-subnet" { + cidr_block = local.service-lb-pub-subnet compartment_id = var.compartment_id - display_name = var.label_prefix == "none" ? "pub-lb" : "${var.label_prefix}-pub-lb" + display_name = var.label_prefix == "none" ? "svc-lb-pub" : "${var.label_prefix}-svc-lb-pub" dns_label = "publb" prohibit_public_ip_on_vnic = false route_table_id = var.ig_route_id diff --git a/terraform.tfvars.example b/terraform.tfvars.example index d6a9daf..ab357d4 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example 
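Review bot: Renaming `oci_core_subnet.int_lb` to `service-lb-int-subnet` (and `pub_lb` to `service-lb-pub-subnet` in the `@@ -34,10` hunk, plus `control_plane_seclist` to `cp-endpoint` in seclist.tf) changes resource addresses, so an existing state plans a destroy-and-create of those subnets and the security list, taking anything attached to them with it. Add `moved` blocks next to the resources, e.g. `moved { from = oci_core_subnet.int_lb  to = oci_core_subnet.service-lb-int-subnet }` (Terraform 1.1+; the root `required_version` is not in this diff), or call the change out as breaking in the release notes. Suffixing these two resource names with `-subnet` while their siblings are plain `cp` and `workers` is also inconsistent.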
@@ -63,13 +63,13 @@ nat_gateway_route_rules = [ nat_gateway_public_ip_id = "none" subnets = { - bastion = { netnum = 0, newbits = 13 } - operator = { netnum = 1, newbits = 13 } - cp = { netnum = 2, newbits = 13 } - int_lb = { netnum = 16, newbits = 11 } - pub_lb = { netnum = 17, newbits = 11 } - workers = { netnum = 1, newbits = 2 } - fss = { netnum = 18, newbits = 11 } + bastion = { netnum = 0, newbits = 14 } + operator = { netnum = 1, newbits = 14 } + cp-endpoint = { netnum = 1, newbits = 13 } + cp = { netnum = 2, newbits = 13 } + service-lb-int = { netnum = 1, newbits = 11 } + service-lb-pub = { netnum = 2, newbits = 11 } + workers = { netnum = 1, newbits = 6 } } create_vcn = true diff --git a/variables.tf b/variables.tf index f481f98..f8008bb 100644 --- a/variables.tf +++ b/variables.tf @@ -147,10 +147,10 @@ variable "drg_display_name" { default = "drg" } -variable "drg_id"{ +variable "drg_id" { description = "ID of an external created Dynamic Routing Gateway to be attached to the VCN" - type = string - default = null + type = string + default = null } variable "internet_gateway_route_rules" { @@ -186,12 +186,13 @@ variable "nat_gateway_public_ip_id" { variable "subnets" { description = "parameters to cidrsubnet function to calculate subnet masks within the VCN." default = { - bastion = { netnum = 0, newbits = 13 } - operator = { netnum = 1, newbits = 13 } - cp = { netnum = 2, newbits = 13 } - int_lb = { netnum = 16, newbits = 11 } - pub_lb = { netnum = 17, newbits = 11 } - workers = { netnum = 1, newbits = 2 } + bastion = { netnum = 0, newbits = 14 } + operator = { netnum = 1, newbits = 14 } + cp-endpoint = { netnum = 1, newbits = 13 } + cp = { netnum = 2, newbits = 13 } + service-lb-int = { netnum = 1, newbits = 11 } + service-lb-pub = { netnum = 2, newbits = 11 } + workers = { netnum = 1, newbits = 6 } } type = map(any) } 
@@ -238,6 +239,28 @@ variable "load_balancers" { } } +variable "public_lb_allowed_cidrs" { + default = ["0.0.0.0/0"] + description = "The list of CIDR blocks from which the public load balancer can be accessed." + type = list(string) + + validation { + condition = length(var.public_lb_allowed_cidrs) > 0 + error_message = "At least 1 CIDR block is required." + } +} + +variable "public_lb_allowed_ports" { + default = [443] + description = "List of allowed ports for public load balancers." + type = list(any) + + validation { + condition = length(var.public_lb_allowed_ports) > 0 + error_message = "At least 1 port is required." + } +} + # workers variable "worker_type" { default = "private" @@ -249,6 +272,12 @@ variable "worker_type" { } } +variable "allow_worker_ssh_access" { + default = false + description = "Whether to allow ssh access to worker nodes." + type = bool +} + # tagging variable "freeform_tags" { default = { @@ -260,6 +289,6 @@ variable "freeform_tags" { } description = "Tags to apply to different resources." type = object({ - vcn = map(any), + vcn = map(any), }) }
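Review bot: The validations on `public_lb_allowed_cidrs` and `public_lb_allowed_ports` only check that the lists are non-empty, yet `modules/antrea/nsgs.tf` feeds each entry straight into an NSG ingress rule (`source`, and a `-`-split `destination_port_range`), so a malformed CIDR or a port value like `"80-"` fails at apply time with a provider error rather than at plan. Tighten the conditions, e.g. `condition = length(var.public_lb_allowed_cidrs) > 0 && alltrue([for c in var.public_lb_allowed_cidrs : can(cidrnetmask(c))])` and for ports `alltrue([for p in var.public_lb_allowed_ports : can(regex("^[0-9]+(-[0-9]+)?$", tostring(p)))])`. The descriptions could also say that these lists are what the public load balancer NSG allow-list is built from, so operators know they are enforced rather than advisory.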