Skip to content

Commit 83a3c19

Browse files
hyderhyder
authored
feat: added 1 egress rule to operator subnet so users can use OCI bastion service to ssh to operator (#46)
Signed-off-by: Ali Mukadam <[email protected]>
1 parent c492346 commit 83a3c19

File tree

8 files changed

+33
-38
lines changed

8 files changed

+33
-38
lines changed

compute.tf

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,8 +23,8 @@ resource "oci_core_instance" "operator" {
2323
assign_public_ip = false
2424
display_name = var.label_prefix == "none" ? "operator-vnic" : "${var.label_prefix}-operator-vnic"
2525
hostname_label = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
26-
nsg_ids = concat(var.nsg_ids, [oci_core_network_security_group.operator[0].id])
27-
subnet_id = oci_core_subnet.operator[0].id
26+
nsg_ids = concat(var.nsg_ids, [oci_core_network_security_group.operator.id])
27+
subnet_id = oci_core_subnet.operator.id
2828
}
2929

3030
display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
@@ -41,7 +41,7 @@ resource "oci_core_instance" "operator" {
4141

4242
metadata = {
4343
ssh_authorized_keys = var.ssh_public_key != "" ? var.ssh_public_key : file(var.ssh_public_key_path)
44-
user_data = data.cloudinit_config.operator[0].rendered
44+
user_data = data.cloudinit_config.operator.rendered
4545
}
4646

4747
shape = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
@@ -64,6 +64,4 @@ resource "oci_core_instance" "operator" {
6464
timeouts {
6565
create = "60m"
6666
}
67-
68-
count = var.create_operator == true ? 1 : 0
6967
}

datasources.tf

Lines changed: 4 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ data "oci_core_images" "oracle_images" {
3030
shape = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
3131
sort_by = "TIMECREATED"
3232

33-
count = (var.create_operator == true && var.operator_image_id == "Oracle") ? 1 : 0
33+
count = var.operator_image_id == "Oracle" ? 1 : 0
3434
}
3535

3636
# cloud init for operator
@@ -49,30 +49,23 @@ data "cloudinit_config" "operator" {
4949
}
5050
)
5151
}
52-
count = var.create_operator == true ? 1 : 0
5352
}
5453

5554
# Gets a list of VNIC attachments on the operator instance
5655
data "oci_core_vnic_attachments" "operator_vnics_attachments" {
5756
availability_domain = data.oci_identity_availability_domain.ad.name
5857
compartment_id = var.compartment_id
5958
depends_on = [oci_core_instance.operator]
60-
instance_id = oci_core_instance.operator[0].id
61-
62-
count = var.create_operator == true ? 1 : 0
59+
instance_id = oci_core_instance.operator.id
6360
}
6461

6562
# Gets the OCID of the first (default) VNIC on the operator instance
6663
data "oci_core_vnic" "operator_vnic" {
6764
depends_on = [oci_core_instance.operator]
68-
vnic_id = lookup(data.oci_core_vnic_attachments.operator_vnics_attachments[0].vnic_attachments[0], "vnic_id")
69-
70-
count = var.create_operator == true ? 1 : 0
65+
vnic_id = lookup(data.oci_core_vnic_attachments.operator_vnics_attachments.vnic_attachments[0], "vnic_id")
7166
}
7267

7368
data "oci_core_instance" "operator" {
7469
depends_on = [oci_core_instance.operator]
75-
instance_id = oci_core_instance.operator[0].id
76-
77-
count = var.create_operator == true ? 1 : 0
70+
instance_id = oci_core_instance.operator.id
7871
}

instance_principal.tf

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ resource "oci_identity_dynamic_group" "operator_instance_principal" {
1414
matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.operator.*.id)}'}"
1515
name = "operator-instance-principal-${substr(uuid(), 0, 8)}"
1616

17-
count = var.create_operator == true && var.operator_instance_principal == true ? 1 : 0
17+
count = var.operator_instance_principal == true ? 1 : 0
1818
}
1919

2020
resource "oci_identity_policy" "operator_instance_principal" {
@@ -25,5 +25,5 @@ resource "oci_identity_policy" "operator_instance_principal" {
2525
name = var.label_prefix == "none" ? "operator-instance-principal" : "${var.label_prefix}-operator-instance-principal"
2626
statements = ["Allow dynamic-group ${oci_identity_dynamic_group.operator_instance_principal[0].name} to manage all-resources in compartment id ${var.compartment_id}"]
2727

28-
count = var.create_operator == true && var.operator_instance_principal == true ? 1 : 0
28+
count = var.operator_instance_principal == true ? 1 : 0
2929
}

locals.tf

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ locals {
1111

1212
operator_image_id = var.operator_image_id == "Oracle" ? data.oci_core_images.oracle_images[0].images.0.id : var.operator_image_id
1313

14+
operator_subnet = cidrsubnet(local.vcn_cidr, var.newbits, var.netnum)
1415
operator_template = "${path.module}/cloudinit/operator.template.yaml"
1516

1617
operator_script_template = base64gzip(

outputs.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,5 +6,5 @@ output "operator_private_ip" {
66
}
77

88
output "operator_instance_principal_group_name" {
9-
value = var.create_operator == true && var.operator_instance_principal == true ? oci_identity_dynamic_group.operator_instance_principal[0].name : null
9+
value = var.operator_instance_principal == true ? oci_identity_dynamic_group.operator_instance_principal[0].name : null
1010
}

security.tf

Lines changed: 21 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,10 @@ resource "oci_core_network_security_group" "operator" {
66
compartment_id = var.compartment_id
77
display_name = "${var.label_prefix}-operator"
88
vcn_id = var.vcn_id
9-
10-
count = var.create_operator == true ? 1 : 0
119
}
1210

1311
resource "oci_core_network_security_group_security_rule" "operator_egress_anywhere" {
14-
network_security_group_id = oci_core_network_security_group.operator[0].id
12+
network_security_group_id = oci_core_network_security_group.operator.id
1513
description = "allow operator to egress to anywhere"
1614
destination = local.anywhere
1715
destination_type = "CIDR_BLOCK"
@@ -22,12 +20,10 @@ resource "oci_core_network_security_group_security_rule" "operator_egress_anywhe
2220
lifecycle {
2321
ignore_changes = [direction, protocol, source, source_type, tcp_options]
2422
}
25-
26-
count = var.create_operator == true ? 1 : 0
2723
}
2824

2925
resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
30-
network_security_group_id = oci_core_network_security_group.operator[0].id
26+
network_security_group_id = oci_core_network_security_group.operator.id
3127
description = "allow operator to egress to osn"
3228
destination = local.osn
3329
destination_type = "SERVICE_CIDR_BLOCK"
@@ -38,12 +34,10 @@ resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
3834
lifecycle {
3935
ignore_changes = [direction, protocol, source, source_type, tcp_options]
4036
}
41-
42-
count = var.create_operator == true ? 1 : 0
4337
}
4438

4539
resource "oci_core_network_security_group_security_rule" "operator_ingress" {
46-
network_security_group_id = oci_core_network_security_group.operator[0].id
40+
network_security_group_id = oci_core_network_security_group.operator.id
4741
description = "allow ssh access to operator from within vcn"
4842
direction = "INGRESS"
4943
protocol = local.tcp_protocol
@@ -61,6 +55,23 @@ resource "oci_core_network_security_group_security_rule" "operator_ingress" {
6155
lifecycle {
6256
ignore_changes = [direction, protocol, source, source_type, tcp_options]
6357
}
58+
}
59+
60+
resource "oci_core_security_list" "operator" {
61+
compartment_id = var.compartment_id
62+
display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
63+
freeform_tags = var.tags
64+
65+
# egress rule to the same subnet to allow users to use OCI Bastion service to connect to the operator
66+
egress_security_rules {
67+
protocol = local.tcp_protocol
68+
destination = local.operator_subnet
69+
70+
tcp_options {
71+
min = local.ssh_port
72+
max = local.ssh_port
73+
}
74+
}
6475

65-
count = var.create_operator == true ? 1 : 0
76+
vcn_id = var.vcn_id
6677
}

subnets.tf

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,12 @@
22
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
33

44
resource "oci_core_subnet" "operator" {
5-
cidr_block = cidrsubnet(local.vcn_cidr, var.newbits, var.netnum)
5+
cidr_block = local.operator_subnet
66
compartment_id = var.compartment_id
77
display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
88
dns_label = "operator"
99
freeform_tags = var.tags
1010
prohibit_public_ip_on_vnic = true
1111
route_table_id = var.nat_route_id
1212
vcn_id = var.vcn_id
13-
14-
count = var.create_operator == true ? 1 : 0
1513
}

variables.tf

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -60,12 +60,6 @@ variable "vcn_id" {
6060

6161
# operator host parameters
6262

63-
variable "create_operator" {
64-
description = "whether to create the operator"
65-
default = false
66-
type = bool
67-
}
68-
6963
variable "operator_image_id" {
7064
description = "Provide a custom image id for the operator host or leave as Oracle."
7165
default = "Oracle"

0 commit comments

Comments
 (0)