Use updated data sources definition to look up VCN cidr. Also removed create_operator variable (#50)

hyder · web-flow · commit ee7601cf28d8 · 2021-09-06T20:12:27.000+10:00
Signed-off-by: Ali Mukadam &lt;ali.mukadam@oracle.com&gt;
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -20,13 +20,15 @@ The format is based on {uri-changelog}[Keep a Changelog].
 * AD lookup mechanism reimplemented to remove dependency on deprecated template_file data source
 * Replaced deprecated template_file data source with templatefile function
 * Set minimum Terraform version to 1.0.0
-* Renamed var.operator_enabled --> var.create_operator
 * New variable (`operator_state`) to specify state of operator host
 * Removed security list and using NSG instead
 
 == Changes
 * Set default shape to E4.Flex
 
+== Deletion
+* * Deleted var.operator_enabled. This can now be controlled using higher level modules.
+
 == Deprecation notice
 
 The following variables will be renamed at the next major release of this module:
diff --git a/compute.tf b/compute.tf
@@ -1,68 +1,67 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
-
-resource "oci_core_instance" "operator" {
-  availability_domain = data.oci_identity_availability_domain.ad.name
-
-  agent_config {
-
-    are_all_plugins_disabled = false
-    is_management_disabled   = false
-    is_monitoring_disabled   = false
-
-    plugins_config {
-      desired_state = "ENABLED"
-      name          = "Bastion"
-    }
-  }
-  
-  compartment_id = var.compartment_id
-
-  freeform_tags  = var.freeform_tags
-
-  create_vnic_details {
-    assign_public_ip = false
-    display_name     = var.label_prefix == "none" ? "operator-vnic" : "${var.label_prefix}-operator-vnic"
-    hostname_label   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
-    nsg_ids          = concat(var.nsg_ids, [oci_core_network_security_group.operator.id])
-    subnet_id        = oci_core_subnet.operator.id
-  }
-
-  display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
-
-  launch_options {
-    boot_volume_type = "PARAVIRTUALIZED"
-    network_type     = "PARAVIRTUALIZED"
-  }
-
-  # prevent the operator from destroying and recreating itself if the image ocid changes 
-  lifecycle {
-    ignore_changes = [source_details[0].source_id]
-  }
-
-  metadata = {
-    ssh_authorized_keys = (var.ssh_public_key != "") ? var.ssh_public_key : (var.ssh_public_key_path != "none") ? file(var.ssh_public_key_path) : ""
-    user_data           = data.cloudinit_config.operator.rendered
-  }
-
-  shape = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
-
-  dynamic "shape_config" {
-    for_each = length(regexall("Flex", lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex"))) > 0 ? [1] : []
-    content {
-      ocpus         = max(1, lookup(var.operator_shape, "ocpus", 1))
-      memory_in_gbs = (lookup(var.operator_shape, "memory", 4) / lookup(var.operator_shape, "ocpus", 1)) > 64 ? (lookup(var.operator_shape, "ocpus", 1) * 4) : lookup(var.operator_shape, "memory", 4)
-    }
-  }
-
-  source_details {
-    source_type = "image"
-    source_id   = local.operator_image_id
-  }
-
-  state = var.operator_state
-
-  timeouts {
-    create = "60m"
-  }
-}
+# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+resource "oci_core_instance" "operator" {
+  availability_domain = data.oci_identity_availability_domain.ad.name
+
+  agent_config {
+
+    are_all_plugins_disabled = false
+    is_management_disabled   = false
+    is_monitoring_disabled   = false
+
+    plugins_config {
+      desired_state = "ENABLED"
+      name          = "Bastion"
+    }
+  }
+  
+  compartment_id = var.compartment_id
+  freeform_tags  = var.freeform_tags
+
+  create_vnic_details {
+    assign_public_ip = false
+    display_name     = var.label_prefix == "none" ? "operator-vnic" : "${var.label_prefix}-operator-vnic"
+    hostname_label   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
+    nsg_ids          = concat(var.nsg_ids, [oci_core_network_security_group.operator.id])
+    subnet_id        = oci_core_subnet.operator.id
+  }
+
+  display_name = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
+
+  launch_options {
+    boot_volume_type = "PARAVIRTUALIZED"
+    network_type     = "PARAVIRTUALIZED"
+  }
+
+  # prevent the operator from destroying and recreating itself if the image ocid changes 
+  lifecycle {
+    ignore_changes = [source_details[0].source_id]
+  }
+
+  metadata = {
+    ssh_authorized_keys = (var.ssh_public_key != "") ? var.ssh_public_key : (var.ssh_public_key_path != "none") ? file(var.ssh_public_key_path) : ""
+    user_data           = data.cloudinit_config.operator.rendered
+  }
+
+  shape = lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex")
+
+  dynamic "shape_config" {
+    for_each = length(regexall("Flex", lookup(var.operator_shape, "shape", "VM.Standard.E4.Flex"))) > 0 ? [1] : []
+    content {
+      ocpus         = max(1, lookup(var.operator_shape, "ocpus", 1))
+      memory_in_gbs = (lookup(var.operator_shape, "memory", 4) / lookup(var.operator_shape, "ocpus", 1)) > 64 ? (lookup(var.operator_shape, "ocpus", 1) * 4) : lookup(var.operator_shape, "memory", 4)
+    }
+  }
+
+  source_details {
+    source_type = "image"
+    source_id   = local.operator_image_id
+  }
+
+  state = var.operator_state
+
+  timeouts {
+    create = "60m"
+  }
+}
diff --git a/docs/instanceprincipal.adoc b/docs/instanceprincipal.adoc
@@ -43,11 +43,11 @@ When you enable this feature, by default, the operator host has privileges to ma
 
 You can also turn on and off the feature at any time without impact on the operator host.
 
-To enable, set enable_instance_principal to true:
+To enable, set operator_instance_principal to true:
 
 [source,hcl]
 ----
-enable_instance_principal = true
+operator_instance_principal = true
 ----
 
 and verify:
@@ -60,11 +60,11 @@ You should be able to see a list of VCNs created in the compartment.
 
 ==== Disabling instance_principal on the operator host
 
-To disable, set enable_instance_principal to false:
+To disable, set operator_instance_principal to false:
 
 [source, hcl]
 ----
-enable_instance_principal = false
+operator_instance_principal = false
 ----
 
 . Run terraform apply again:
diff --git a/docs/quickstart.adoc b/docs/quickstart.adoc
@@ -31,7 +31,7 @@
 
 1. git is installed
 2. ssh client is installed
-3. Terraform 0.12.24+ is installed
+3. Terraform 1.0.0 is installed
 
 === Provisioning using this git repo
 
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -203,3 +203,4 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].
 |The name of the notification topic.
 |
 |operator
+|===
diff --git a/locals.tf b/locals.tf
@@ -28,5 +28,6 @@ locals {
 
   tcp_protocol = 6
 
-  vcn_cidr = data.oci_core_vcn.vcn.cidr_block
+  # we expect the operator to be in the first cidr block in the list of cidr blocks
+  vcn_cidr = element(data.oci_core_vcn.vcn.cidr_blocks, 0)
 }
diff --git a/security.tf b/security.tf
@@ -1,77 +1,77 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
-
-# operator nsg and rule
-resource "oci_core_network_security_group" "operator" {
-  compartment_id = var.compartment_id
-  display_name   = "${var.label_prefix}-operator"
-  vcn_id         = var.vcn_id
-}
-
-resource "oci_core_network_security_group_security_rule" "operator_egress_anywhere" {
-  network_security_group_id = oci_core_network_security_group.operator.id
-  description               = "allow operator to egress to anywhere"
-  destination               = local.anywhere
-  destination_type          = "CIDR_BLOCK"
-  direction                 = "EGRESS"
-  protocol                  = local.all_protocols
-  stateless                 = false
-
-  lifecycle {
-    ignore_changes = [direction, protocol, source, source_type, tcp_options]
-  }
-}
-
-resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
-  network_security_group_id = oci_core_network_security_group.operator.id
-  description               = "allow operator to egress to osn"
-  destination               = local.osn
-  destination_type          = "SERVICE_CIDR_BLOCK"
-  direction                 = "EGRESS"
-  protocol                  = local.all_protocols
-  stateless                 = false
-
-  lifecycle {
-    ignore_changes = [direction, protocol, source, source_type, tcp_options]
-  }
-}
-
-resource "oci_core_network_security_group_security_rule" "operator_ingress" {
-  network_security_group_id = oci_core_network_security_group.operator.id
-  description               = "allow ssh access to operator from within vcn"
-  direction                 = "INGRESS"
-  protocol                  = local.tcp_protocol
-  source                    = local.vcn_cidr
-  source_type               = "CIDR_BLOCK"
-  stateless                 = false
-
-  tcp_options {
-    destination_port_range {
-      min = local.ssh_port
-      max = local.ssh_port
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [direction, protocol, source, source_type, tcp_options]
-  }
-}
-
-resource "oci_core_security_list" "operator" {
-  compartment_id = var.compartment_id
-  display_name   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
-  freeform_tags  = var.freeform_tags
-
-  # egress rule to the same subnet to allow users to use OCI Bastion service to connect to the operator
-  egress_security_rules {
-    protocol    = local.tcp_protocol
-    destination = local.operator_subnet
-
-    tcp_options {
-      min = local.ssh_port
-      max = local.ssh_port
-    }
-  }
-
-  vcn_id = var.vcn_id
-}
+# Copyright 2017, 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+# operator nsg and rule
+resource "oci_core_network_security_group" "operator" {
+  compartment_id = var.compartment_id
+  display_name   = "${var.label_prefix}-operator"
+  vcn_id         = var.vcn_id
+}
+
+resource "oci_core_network_security_group_security_rule" "operator_egress_anywhere" {
+  network_security_group_id = oci_core_network_security_group.operator.id
+  description               = "allow operator to egress to anywhere"
+  destination               = local.anywhere
+  destination_type          = "CIDR_BLOCK"
+  direction                 = "EGRESS"
+  protocol                  = local.all_protocols
+  stateless                 = false
+
+  lifecycle {
+    ignore_changes = [direction, protocol, source, source_type, tcp_options]
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "operator_egress_osn" {
+  network_security_group_id = oci_core_network_security_group.operator.id
+  description               = "allow operator to egress to osn"
+  destination               = local.osn
+  destination_type          = "SERVICE_CIDR_BLOCK"
+  direction                 = "EGRESS"
+  protocol                  = local.all_protocols
+  stateless                 = false
+
+  lifecycle {
+    ignore_changes = [direction, protocol, source, source_type, tcp_options]
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "operator_ingress" {
+  network_security_group_id = oci_core_network_security_group.operator.id
+  description               = "allow ssh access to operator from within vcn"
+  direction                 = "INGRESS"
+  protocol                  = local.tcp_protocol
+  source                    = local.vcn_cidr
+  source_type               = "CIDR_BLOCK"
+  stateless                 = false
+
+  tcp_options {
+    destination_port_range {
+      min = local.ssh_port
+      max = local.ssh_port
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [direction, protocol, source, source_type, tcp_options]
+  }
+}
+
+resource "oci_core_security_list" "operator" {
+  compartment_id = var.compartment_id
+  display_name   = var.label_prefix == "none" ? "operator" : "${var.label_prefix}-operator"
+  freeform_tags  = var.freeform_tags
+
+  # egress rule to the same subnet to allow users to use OCI Bastion service to connect to the operator
+  egress_security_rules {
+    protocol    = local.tcp_protocol
+    destination = local.operator_subnet
+
+    tcp_options {
+      min = local.ssh_port
+      max = local.ssh_port
+    }
+  }
+
+  vcn_id = var.vcn_id
+}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -30,6 +30,8 @@ freeform_tags = {
     role        = "operator"
 }
 
+operating_system_version = "8"
+
 operator_image_id = "Oracle"
 
 operator_instance_principal = true

Original file line number	Diff line number	Diff line change
`@@ -203,3 +203,4 @@ Ensure you review the {uri-terraform-dependencies}[dependencies].`
`203`	`203`	`\|The name of the notification topic.`
`204`	`204`	`\|`
`205`	`205`	`\|operator`
	`206`	`+\|===`
Original file line number	Diff line number	Diff line change
`@@ -28,5 +28,6 @@ locals {`
`28`	`28`
`29`	`29`	`tcp_protocol = 6`
`30`	`30`
`31`		`- vcn_cidr = data.oci_core_vcn.vcn.cidr_block`
	`31`	`+ # we expect the operator to be in the first cidr block in the list of cidr blocks`
	`32`	`+ vcn_cidr = element(data.oci_core_vcn.vcn.cidr_blocks, 0)`
`32`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@ freeform_tags = {`
`30`	`30`	`role = "operator"`
`31`	`31`	`}`
`32`	`32`
	`33`	`+operating_system_version = "8"`
	`34`	`+`
`33`	`35`	`operator_image_id = "Oracle"`
`34`	`36`
`35`	`37`	`operator_instance_principal = true`