feat: added 1 egress rule to operator subnet (#48)

* feat: added 1 egress rule to operator subnet so users can use OCI bastion service to ssh to operator

Signed-off-by: Ali Mukadam <[email protected]>

* feat: added 1 egress rule to operator subnet so users can use OCI bastion service to ssh to operator (#46)

Signed-off-by: Ali Mukadam <[email protected]>

* Added security list to operator subnet

* renamed operator_tags to freeform_tags, updated docs

Signed-off-by: Ali Mukadam <[email protected]>

* formatting on options table

Signed-off-by: Ali Mukadam <[email protected]>

* formatting on options table

Signed-off-by: Ali Mukadam <[email protected]>

Author: hyder

CHANGELOG.adoc

@@ -11,6 +11,7 @@ The format is based on {uri-changelog}[Keep a Changelog].
 
 == New features
 * Changed default tag values
+* Renamed operator_tags --> freeform_tags
 * Renamed notification variables
 * Renamed variable operating_system_version --> operator_os_version
 * Renamed variable operator_upgrade --> upgrade_operator

compute.tf

@@ -17,14 +17,15 @@ resource "oci_core_instance" "operator" {
   }
 
   compartment_id = var.compartment_id
-  freeform_tags  = var.tags
+
+  freeform_tags  = var.freeform_tags
 
   create_vnic_details {
     assign_public_ip = false
     display_name     = var.label_prefix == "none" ? "operator-vnic" : "${var.label_prefix}-operator-vnic"
     hostname_label   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
-    nsg_ids          = concat(var.nsg_ids, [oci_core_network_security_group.operator[0].id])
-    subnet_id        = oci_core_subnet.operator[0].id
+    nsg_ids          = concat(var.nsg_ids, [oci_core_network_security_group.operator.id])
+    subnet_id        = oci_core_subnet.operator.id
   }
 
   display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
@@ -40,8 +41,8 @@ resource "oci_core_instance" "operator" {
   }
 
   metadata = {
-    ssh_authorized_keys = var.ssh_public_key != "" ? var.ssh_public_key : file(var.ssh_public_key_path)
-    user_data           = data.cloudinit_config.operator[0].rendered
+    ssh_authorized_keys = (var.ssh_public_key != "") ? var.ssh_public_key : (var.ssh_public_key_path != "none") ? file(var.ssh_public_key_path) : ""
+    user_data           = data.cloudinit_config.operator.rendered
   }
 
   shape = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
@@ -64,6 +65,4 @@ resource "oci_core_instance" "operator" {
   timeouts {
     create = "60m"
   }
-
-  count = var.create_operator == true ? 1 : 0
 }

datasources.tf

@@ -30,7 +30,7 @@ data "oci_core_images" "oracle_images" {
   shape                    = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
   sort_by                  = "TIMECREATED"
 
-  count = (var.create_operator == true && var.operator_image_id == "Oracle") ? 1 : 0
+  count = var.operator_image_id == "Oracle" ? 1 : 0
 }
 
 # cloud init for operator
@@ -49,30 +49,23 @@ data "cloudinit_config" "operator" {
       }
     )
   }
-  count = var.create_operator == true ? 1 : 0
 }
 
 # Gets a list of VNIC attachments on the operator instance
 data "oci_core_vnic_attachments" "operator_vnics_attachments" {
   availability_domain = data.oci_identity_availability_domain.ad.name
   compartment_id      = var.compartment_id
   depends_on          = [oci_core_instance.operator]
-  instance_id         = oci_core_instance.operator[0].id
-
-  count = var.create_operator == true ? 1 : 0
+  instance_id         = oci_core_instance.operator.id
 }
 
 # Gets the OCID of the first (default) VNIC on the operator instance
 data "oci_core_vnic" "operator_vnic" {
   depends_on = [oci_core_instance.operator]
-  vnic_id    = lookup(data.oci_core_vnic_attachments.operator_vnics_attachments[0].vnic_attachments[0], "vnic_id")
-
-  count = var.create_operator == true ? 1 : 0
+  vnic_id    = lookup(data.oci_core_vnic_attachments.operator_vnics_attachments.vnic_attachments[0], "vnic_id")
 }
 
 data "oci_core_instance" "operator" {
   depends_on  = [oci_core_instance.operator]
-  instance_id = oci_core_instance.operator[0].id
-
-  count = var.create_operator == true ? 1 : 0
+  instance_id = oci_core_instance.operator.id
 }

docs/prerequisites.adoc

@@ -97,7 +97,7 @@ Open a terminal and test:
 [source,bash]
 ----
 terraform -v
-Terraform v0.12.24
+Terraform v1.0.3
 ----
 
 === Generate and upload your OCI API keys

docs/terraformoptions.adoc

@@ -22,7 +22,7 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 == Provider and Identity
 
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+[stripes=odd,cols="2,5,1,1", options=header,width="100%"] 
 |===
 |Parameter
 |Description
@@ -38,7 +38,7 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 == General OCI
 
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+[stripes=odd,cols="2,5,1,1", options=header,width="100%"] 
 |===
 |Parameter
 |Description
@@ -53,27 +53,27 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |`label_prefix`
 |a string to be prepended to the name of resources. *Required*.
 |
-|None
+|none
 
 
 |===
 
 == Network Parameters
 
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+[stripes=odd,cols="2,5,1,1", options=header,width="100%"] 
 |===
 |Parameter
 |Description
 |Values
 |Default
 
 |`availability_domain`
-|the AD to place the operator host
+|The AD to place the operator host
 | 1
 | 1
 
 |`nat_route_id`
-|the route id to the NAT gateway of the VCN 
+|The route id to the NAT gateway of the VCN 
 |
 |
 
@@ -101,23 +101,37 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 == Operator Host Parameters
 
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+[stripes=odd,cols="2,5,1,1", options=header,width="100%"] 
 |===
 |Parameter
 |Description
 |Values
 |Default
 
-|`create_operator`
-|whether to create the operator
-| true/false
-|true
+|`freeform_tags`
+|Freeform tags for operator.
+|
+|`freeform_tags = {
+    access      = "restricted"
+    environment = "dev"
+    role        = "operator"
+}`
 
 |`operator_image_id`
 |Provide a custom image id for the operator host or leave as Oracle.
 |imageid/Oracle
 |Oracle
 
+|`operator_instance_principal`
+|Whether to enable instance_principal on the operator.
+|true/false
+|false
+
+|`operator_os_version`
+|The version of the Oracle Linux to use.
+|
+|8
+
 |`operator_shape`
 |The shape of operator instance. This is now specified as a map and supports E3.Flex. If a non-Flex shape is specified, then the other parameters are ignored.
 |e.g. `operator_shape = {
@@ -135,18 +149,13 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 
 |`operator_state`
 |The target state for the instance. Could be set to RUNNING or STOPPED. (Updatable)
-|RUNNING|STOPPED
+|RUNNING/STOPPED
 |RUNNING
 
-|`operator_upgrade`
-|Whether to upgrade the operator host packages after provisioning. It's useful to set this to false during development/testing so the operator is provisioned faster.
-|true/false
-|true
-
-|`operator_os_version`
-|The version of the Oracle Linux to use.
-|
-|8
+|`operator_timezone`
+|The preferred timezone for the operator host. {uri-timezones}[List of timezones]
+|e.g. Australia/Sydney
+|The preferred timezone for the operator host. {uri-timezones}[List of timezones]
 
 |`ssh_public_key`
 |the content of the ssh public key used to access the operator. set this or the ssh_public_key_path
@@ -158,17 +167,17 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |""
 |
 
-|`operator_timezone`
-|The preferred timezone for the operator host. {uri-timezones}[List of timezones]
-|e.g. Australia/Sydney
-|The preferred timezone for the operator host. {uri-timezones}[List of timezones]
+|`upgrade_operator`
+|Whether to upgrade the operator host packages after provisioning. It's useful to set this to false during development/testing so the operator is provisioned faster.
+|true/false
+|true
 
 |===
 
 
 == Notification Parameters
 
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
+[stripes=odd,cols="2,5,1,1", options=header,width="100%"] 
 |===
 |Parameter
 |Description
@@ -194,26 +203,3 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |The name of the notification topic.
 |
 |operator
-|===
-
-== Tagging Parameters
-
-[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] 
-|===
-|Parameter
-|Description
-|Values
-|Default
-
-|`operator_tags`
-|Freeform tags for operator.
-|
-|
-[source]
-----
-operator_tags = {
-    access      = "restricted"
-    environment = "dev"
-    role        = "operator"
-}
-----

instance_principal.tf

@@ -14,7 +14,7 @@ resource "oci_identity_dynamic_group" "operator_instance_principal" {
   matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.operator.*.id)}'}"
   name          = "operator-instance-principal-${substr(uuid(), 0, 8)}"
 
-  count = var.create_operator == true && var.operator_instance_principal == true ? 1 : 0
+  count = var.operator_instance_principal == true ? 1 : 0
 }
 
 resource "oci_identity_policy" "operator_instance_principal" {
@@ -25,5 +25,5 @@ resource "oci_identity_policy" "operator_instance_principal" {
   name           = var.label_prefix == "none" ? "operator-instance-principal" : "${var.label_prefix}-operator-instance-principal"
   statements     = ["Allow dynamic-group ${oci_identity_dynamic_group.operator_instance_principal[0].name} to manage all-resources in compartment id ${var.compartment_id}"]
 
-  count = var.create_operator == true && var.operator_instance_principal == true ? 1 : 0
+  count = var.operator_instance_principal == true ? 1 : 0
 }

locals.tf

@@ -11,6 +11,7 @@ locals {
 
   operator_image_id = var.operator_image_id == "Oracle" ? data.oci_core_images.oracle_images[0].images.0.id : var.operator_image_id
 
+  operator_subnet = cidrsubnet(local.vcn_cidr, var.newbits, var.netnum) 
   operator_template = "${path.module}/cloudinit/operator.template.yaml"
 
   operator_script_template = base64gzip(

outputs.tf

@@ -6,7 +6,7 @@ output "operator_private_ip" {
 }
 
 output "operator_instance_principal_group_name" {
-  value = var.create_operator == true && var.operator_instance_principal == true ? oci_identity_dynamic_group.operator_instance_principal[0].name : null
+  value = var.operator_instance_principal == true ? oci_identity_dynamic_group.operator_instance_principal[0].name : null
 }
 
 output "operator_subnet_id" {

security.tf

@@ -6,12 +6,10 @@ resource "oci_core_network_security_group" "operator" {
   compartment_id = var.compartment_id
   display_name   = "${var.label_prefix}-operator"
   vcn_id         = var.vcn_id
-
-  count = var.create_operator == true ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "operator_egress_anywhere" {
-  network_security_group_id = oci_core_network_security_group.operator[0].id
+  network_security_group_id = oci_core_network_security_group.operator.id
   description               = "allow operator to egress to anywhere"
   destination               = local.anywhere
   destination_type          = "CIDR_BLOCK"
@@ -22,12 +20,10 @@ resource "oci_core_network_security_group_security_rule" "operator_egress_anywhe
   lifecycle {
     ignore_changes = [direction, protocol, source, source_type, tcp_options]
   }
-
-  count = var.create_operator == true ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
-  network_security_group_id = oci_core_network_security_group.operator[0].id
+  network_security_group_id = oci_core_network_security_group.operator.id
   description               = "allow operator to egress to osn"
   destination               = local.osn
   destination_type          = "SERVICE_CIDR_BLOCK"
@@ -38,12 +34,10 @@ resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
   lifecycle {
     ignore_changes = [direction, protocol, source, source_type, tcp_options]
   }
-
-  count = var.create_operator == true ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "operator_ingress" {
-  network_security_group_id = oci_core_network_security_group.operator[0].id
+  network_security_group_id = oci_core_network_security_group.operator.id
   description               = "allow ssh access to operator from within vcn"
   direction                 = "INGRESS"
   protocol                  = local.tcp_protocol
@@ -61,6 +55,23 @@ resource "oci_core_network_security_group_security_rule" "operator_ingress" {
   lifecycle {
     ignore_changes = [direction, protocol, source, source_type, tcp_options]
   }
+}
+
+resource "oci_core_security_list" "operator" {
+  compartment_id = var.compartment_id
+  display_name   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
+  freeform_tags  = var.freeform_tags
+
+  # egress rule to the same subnet to allow users to use OCI Bastion service to connect to the operator
+  egress_security_rules {
+    protocol    = local.tcp_protocol
+    destination = local.operator_subnet
+
+    tcp_options {
+      min = local.ssh_port
+      max = local.ssh_port
+    }
+  }
 
-  count = var.create_operator == true ? 1 : 0
+  vcn_id = var.vcn_id
 }

subnets.tf

@@ -2,14 +2,13 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 resource "oci_core_subnet" "operator" {
-  cidr_block                 = cidrsubnet(local.vcn_cidr, var.newbits, var.netnum)
+  cidr_block                 = local.operator_subnet
   compartment_id             = var.compartment_id
   display_name               = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
   dns_label                  = "operator"
-  freeform_tags              = var.tags
+  freeform_tags              = var.freeform_tags
   prohibit_public_ip_on_vnic = true
   route_table_id             = var.nat_route_id
+  security_list_ids          = [oci_core_security_list.operator.id]
   vcn_id                     = var.vcn_id
-
-  count = var.create_operator == true ? 1 : 0
 }