ability to create bastion instances for sod.

Author: srirg

k8s-oci.tf

@@ -56,6 +56,13 @@ module "vcn" {
   nat_instance_ad3_enabled                = "${var.nat_instance_ad3_enabled}"
   nat_instance_ssh_public_key_openssh     = "${module.k8s-tls.ssh_public_key_openssh}"
   dedicated_nat_subnets                   = "${var.dedicated_nat_subnets}"
+  bastion_instance_oracle_linux_image_name = "${var.bastion_ol_image_name}"
+  bastion_instance_shape                  = "${var.bastionInstanceShape}"
+  bastion_instance_ad1_enabled            = "${var.bastion_instance_ad1_enabled}"
+  bastion_instance_ad2_enabled            = "${var.bastion_instance_ad2_enabled}"
+  bastion_instance_ad3_enabled            = "${var.bastion_instance_ad3_enabled}"
+  bastion_instance_ssh_public_key_openssh = "${module.k8s-tls.ssh_public_key_openssh}"
+  dedicated_bastion_subnets               = "${var.dedicated_bastion_subnets}"
   worker_ssh_ingress                      = "${var.worker_ssh_ingress}"
   worker_nodeport_ingress                 = "${var.worker_nodeport_ingress}"
   master_nodeport_ingress                 = "${var.master_nodeport_ingress}"

network/vcn/bastioninstance.tf

@@ -0,0 +1,66 @@
+/**
+ * The Bastion instances will be used by instances in private subnets for network security best practices.
+ */
+
+resource "oci_core_instance" "BastionInstanceAD1" {
+  count               = "${(var.control_plane_subnet_access == "private") && (var.bastion_instance_ad1_enabled == "true") ? "1" : "0"}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[0],"name")}"
+  compartment_id      = "${(var.bastion_compartment_ocid != "")  ? var.bastion_compartment_ocid : var.compartment_ocid}"
+  display_name        = "${var.label_prefix}bastion-ad1"
+  image               = "${lookup(data.oci_core_images.ImageOCID.images[0], "id")}"
+  shape               = "${var.bastion_instance_shape}"
+
+  create_vnic_details {
+    subnet_id = "${(var.control_plane_subnet_access == "private") && (var.dedicated_bastion_subnets == "true") ? "${element(concat(oci_core_subnet.BastionSubnetAD1.*.id,list("")),0)}" : "${oci_core_subnet.PublicSubnetAD1.id}"}"
+  }
+
+  metadata {
+    ssh_authorized_keys = "${var.bastion_instance_ssh_public_key_openssh}"
+  }
+
+  timeouts {
+    create = "10m"
+  }
+}
+
+resource "oci_core_instance" "BastionInstanceAD2" {
+  count               = "${(var.control_plane_subnet_access == "private") && (var.bastion_instance_ad2_enabled == "true") ? "1" : "0"}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[1],"name")}"
+  compartment_id      = "${(var.bastion_compartment_ocid != "")  ? var.bastion_compartment_ocid : var.compartment_ocid}"
+  display_name        = "${var.label_prefix}bastion-ad2"
+  image               = "${lookup(data.oci_core_images.ImageOCID.images[0], "id")}"
+  shape               = "${var.bastion_instance_shape}"
+
+  create_vnic_details {
+    subnet_id = "${(var.control_plane_subnet_access == "private") && (var.dedicated_bastion_subnets == "true") ? "${element(concat(oci_core_subnet.BastionSubnetAD2.*.id,list("")),0)}" : "${oci_core_subnet.PublicSubnetAD2.id}"}"
+  }
+
+  metadata {
+    ssh_authorized_keys = "${var.bastion_instance_ssh_public_key_openssh}"
+  }
+
+  timeouts {
+    create = "10m"
+  }
+}
+
+resource "oci_core_instance" "BastionInstanceAD3" {
+  count               = "${(var.control_plane_subnet_access == "private") && (var.bastion_instance_ad3_enabled == "true") ? "1" : "0"}"
+  availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[2],"name")}"
+  compartment_id      = "${(var.bastion_compartment_ocid != "")  ? var.bastion_compartment_ocid : var.compartment_ocid}"
+  display_name        = "${var.label_prefix}bastion-ad3"
+  image               = "${lookup(data.oci_core_images.ImageOCID.images[0], "id")}"
+  shape               = "${var.bastion_instance_shape}"
+
+  create_vnic_details {
+    subnet_id = "${(var.control_plane_subnet_access == "private") && (var.dedicated_bastion_subnets == "true") ? "${element(concat(oci_core_subnet.BastionSubnetAD3.*.id,list("")),0)}" : "${element(concat(oci_core_subnet.PublicSubnetAD3.*.id,list("")),0)}"}"
+  }
+
+  metadata {
+    ssh_authorized_keys = "${var.bastion_instance_ssh_public_key_openssh}"
+  }
+
+  timeouts {
+    create = "10m"
+  }
+}

network/vcn/outputs.tf

@@ -100,6 +100,42 @@ output "nat_instance_ad3_public_ips" {
   value = ["${oci_core_instance.NATInstanceAD3.*.public_ip}"]
 }
 
+output "bastion_subnet_ad1_id" {
+  value = "${oci_core_subnet.BastionSubnetAD1.*.id}"
+}
+
+output "bastion_subnet_ad2_id" {
+  value = "${oci_core_subnet.BastionSubnetAD2.*.id}"
+}
+
+output "bastion_subnet_ad3_id" {
+  value = "${oci_core_subnet.BastionSubnetAD3.*.id}"
+}
+
+output "bastion_instance_ad1_private_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD1.*.private_ip}"]
+}
+
+output "bastion_instance_ad1_public_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD1.*.public_ip}"]
+}
+
+output "bastion_instance_ad2_private_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD2.*.private_ip}"]
+}
+
+output "bastion_instance_ad2_public_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD2.*.public_ip}"]
+}
+
+output "bastion_instance_ad3_private_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD3.*.private_ip}"]
+}
+
+output "bastion_instance_ad3_public_ips" {
+  value = ["${oci_core_instance.BastionInstanceAD3.*.public_ip}"]
+}
+
 output "control_plane_subnet_access" {
   value = "${var.control_plane_subnet_access}"
 }

network/vcn/securitylists.tf

@@ -66,7 +66,6 @@ resource "oci_core_security_list" "EtcdSubnet" {
     command = "sleep 5"
   }
 }
-
 resource "oci_core_security_list" "K8SMasterSubnet" {
   compartment_id = "${var.compartment_ocid}"
   display_name   = "${var.label_prefix}k8sMaster_security_list"
@@ -405,3 +404,163 @@ resource "oci_core_security_list" "K8SCCMLBSubnet" {
   ingress_security_rules = [
   ]
 }
+
+resource "oci_core_security_list" "BastionSecurityList" {
+  count          = "${(var.control_plane_subnet_access == "private") && (var.dedicated_bastion_subnets == "true") ? "1" : "0"}"
+  compartment_id = "${var.compartment_ocid}"
+  display_name   = "bastion_security_list"
+  vcn_id         = "${oci_core_virtual_network.CompleteVCN.id}"
+  egress_security_rules = [{
+    protocol    = "all"
+    destination = "0.0.0.0/0"
+  }]
+  ingress_security_rules = [
+  ]
+
+  ingress_security_rules = [
+    {
+      protocol = "1"
+      source   = "${var.external_icmp_ingress}"
+
+      icmp_options {
+        "type" = 3
+        "code" = 4
+      }
+    },
+    {
+      protocol = "1"
+      source   = "${var.internal_icmp_ingress}"
+
+      icmp_options {
+        "type" = 3
+        "code" = 4
+      }
+    },
+    {
+      # Allow LBaaS
+      protocol = "6"
+      source   = "${lookup(var.bmc_ingress_cidrs, "LBAAS-PHOENIX-1-CIDR")}"
+    },
+    {
+      protocol = "6"
+      source   = "${lookup(var.bmc_ingress_cidrs, "LBAAS-ASHBURN-1-CIDR")}"
+    },
+    {
+      # Allow internal VCN traffic
+      protocol = "all"
+      source   = "${lookup(var.bmc_ingress_cidrs, "VCN-CIDR")}"
+    },
+    {
+      # Access to SSH port to instances on the public network (like the NAT instance or a user-defined LB)
+      protocol = "6"
+      source   = "${var.public_subnet_ssh_ingress}"
+
+      tcp_options {
+        "min" = 22
+        "max" = 22
+      }
+    },
+    {
+      # Access to port 80 and 443 to instances on the public network (like the NAT instance or a user-defined LB)
+      protocol = "6"
+      source   = "${var.public_subnet_http_ingress}"
+
+      tcp_options {
+        "min" = 80
+        "max" = 80
+      }
+    },
+    {
+      protocol = "6"
+      source   = "${var.public_subnet_https_ingress}"
+
+      tcp_options {
+        "min" = 443
+        "max" = 443
+      }
+    },
+    {
+      protocol = "6"
+      source   = "${var.etcd_cluster_ingress}"
+      
+      tcp_options {
+        "min" = 2379
+        "max" = 2380
+      }
+    },
+  ]
+}
+
+resource "oci_core_security_list" "GlobalSecurityList" {
+  compartment_id = "${(var.network_compartment_ocid != "")  ? var.network_compartment_ocid : var.compartment_ocid}"
+  display_name   = "${var.label_prefix}global_security_list"
+  vcn_id         = "${oci_core_virtual_network.CompleteVCN.id}"
+
+  egress_security_rules = [
+    {
+      destination = "0.0.0.0/0"
+      protocol    = "all"
+    },
+  ]
+
+  ingress_security_rules = [
+    {
+      tcp_options {
+        "max" = 22
+        "min" = 22
+      }
+
+      protocol = "6"
+      source   = "10.0.16.0/24"
+    },
+    {
+      tcp_options {
+        "max" = 22
+        "min" = 22
+      }
+
+      protocol = "6"
+      source   = "10.0.17.0/24"
+    },
+    {
+      tcp_options {
+        "max" = 22
+        "min" = 22
+      }
+
+      protocol = "6"
+      source   = "10.0.18.0/24"
+    },
+    {
+      protocol = "1"
+      source   = "10.0.16.0/24"
+
+      icmp_options {
+        "type" = 3
+        "code" = 4
+      }
+    },
+    {
+      protocol = "1"
+      source   = "10.0.17.0/24"
+
+      icmp_options {
+        "type" = 3
+        "code" = 4
+      }
+    },
+    {
+      protocol = "1"
+      source   = "10.0.18.0/24"
+
+      icmp_options {
+        "type" = 3
+        "code" = 4
+      }
+    },
+  ]
+
+  provisioner "local-exec" {
+    command = "sleep 5"
+  }
+}