
Commit 6313196

rcohenmabriangustafson authored and committed
Adding support for Remote VCN Peering
1 parent 91fea09 commit 6313196

15 files changed

+1545
-68
lines changed
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
2+
# oci_core_peer_region_for_remote_peerings
3+
4+
## PeerRegionForRemotePeering DataSource
5+
6+
Gets a list of peer_region_for_remote_peerings.
7+
8+
### List Operation
9+
Lists the regions that support remote VCN peering (which is peering across regions).
10+
For more information, see [VCN Peering](https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/VCNpeering.htm).
11+
12+
The following arguments are supported:
13+
14+
15+
16+
The following attributes are exported:
17+
18+
* `peer_region_for_remote_peerings` - The list of peer_region_for_remote_peerings.
19+
20+
### Example Usage
21+
22+
```
23+
data "oci_core_peer_region_for_remote_peerings" "test_peer_region_for_remote_peerings" {
24+
}
25+
```
26+
### PeerRegionForRemotePeering Reference
27+
28+
The following attributes are exported:
29+
30+
* `name` - The region's name. Example: `us-phoenix-1`
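Review bot: "The following arguments are supported:" is followed by nothing but blank lines, which leaves a reader unsure whether the section was left unfinished; either say explicitly that this data source takes no arguments or drop the heading. Two smaller points: "Gets a list of peer_region_for_remote_peerings." is an auto-generated phrase where the sentence used a few lines later ("Lists the regions that support remote VCN peering") would serve as the summary, and the example fence carries no language tag, so `hcl` would help renderers (the other doc pages in this commit use bare fences too, so the fix should be applied across them).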
Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,94 @@
1+
# oci_core_remote_peering_connection
2+
3+
## RemotePeeringConnection Resource
4+
5+
### RemotePeeringConnection Reference
6+
7+
The following attributes are exported:
8+
9+
* `compartment_id` - The OCID of the compartment that contains the RPC.
10+
* `display_name` - A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information.
11+
* `drg_id` - The OCID of the DRG that this RPC belongs to.
12+
* `id` - The OCID of the RPC.
13+
* `is_cross_tenancy_peering` - Whether the VCN at the other end of the peering is in a different tenancy. Example: `false`
14+
* `peer_id` - If this RPC is peered, this value is the OCID of the other RPC.
15+
* `peer_region_name` - If this RPC is peered, this value is the region that contains the other RPC. Example: `us-ashburn-1`
16+
* `peer_tenancy_id` - If this RPC is peered, this value is the OCID of the other RPC's tenancy.
17+
* `peering_status` - Whether the RPC is peered with another RPC. `NEW` means the RPC has not yet been peered. `PENDING` means the peering is being established. `REVOKED` means the RPC at the other end of the peering has been deleted.
18+
* `state` - The RPC's current lifecycle state.
19+
* `time_created` - The date and time the RPC was created, in the format defined by RFC3339. Example: `2016-08-25T21:10:29.600Z`
20+
21+
22+
23+
### Create Operation
24+
Creates a new remote peering connection (RPC) for the specified DRG.
25+
26+
* Specifying a `peer_id` and a `peer_region_name` creates a connection to the specified RPC ID. Both `peer_id` and `peer_region_name` are required for the connection to succeed.
27+
* If the specified peer_id is also a resource in the terraform config you will have do a `terraform refresh` after the `terraform apply` in order to get the latest connection information on that resource.
28+
* To disconnect the peering connection at least one of the RPC resources in the connection will have to be destroyed, however in terraform we recommend that when one RPC is destroyed the peer should also be destroyed. If one of them is not destroyed it will have a `REVOKED` peering_status. If another RPC resource tries to connect to this RPC resource the peering_status on the requestor will be `INVALID`. To solve this you will have to run `terraform taint oci_core_remote_peering_connection.test_remote_peering_connection` on the acceptor resource or target delete it `terraform destroy -target="oci_core_remote_peering_connection.test_remote_peering_connection"`.
29+
30+
The following arguments are supported:
31+
32+
* `compartment_id` - (Required) The OCID of the compartment to contain the RPC.
33+
* `display_name` - (Optional) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information.
34+
* `drg_id` - (Required) The OCID of the DRG the RPC belongs to.
35+
* `peer_id` - (Optional) The OCID of the RPC you want to peer with.
36+
* `peer_region_name` - (Optional) The name of the region that contains the RPC you want to peer with. Example: `us-ashburn-1`
37+
38+
### Update Operation
39+
Updates the specified remote peering connection (RPC).
40+
41+
42+
The following arguments support updates:
43+
* `display_name` - A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information.
44+
45+
46+
** IMPORTANT **
47+
Any change to a property that does not support update will force the destruction and recreation of the resource with the new property values
48+
49+
### Example Usage
50+
51+
```
52+
resource "oci_core_remote_peering_connection" "test_remote_peering_connection" {
53+
#Required
54+
compartment_id = "${var.compartment_id}"
55+
drg_id = "${oci_core_drg.test_drg.id}"
56+
57+
#Optional
58+
display_name = "${var.remote_peering_connection_display_name}"
59+
peer_id = "${oci_core_remote_peering_connection.test_remote_peering_connection2.id}"
60+
peer_region_name = "${var.remote_peering_connection_peer_region_name}"
61+
}
62+
```
63+
64+
# oci_core_remote_peering_connections
65+
66+
## RemotePeeringConnection DataSource
67+
68+
Gets a list of remote_peering_connections.
69+
70+
### List Operation
71+
Lists the remote peering connections (RPCs) for the specified DRG and compartment
72+
(the RPC's compartment).
73+
74+
The following arguments are supported:
75+
76+
* `compartment_id` - (Required) The OCID of the compartment.
77+
* `drg_id` - (Optional) The OCID of the DRG.
78+
79+
80+
The following attributes are exported:
81+
82+
* `remote_peering_connections` - The list of remote_peering_connections.
83+
84+
### Example Usage
85+
86+
```
87+
data "oci_core_remote_peering_connections" "test_remote_peering_connections" {
88+
#Required
89+
compartment_id = "${var.compartment_id}"
90+
91+
#Optional
92+
drg_id = "${oci_core_drg.test_drg.id}"
93+
}
94+
```
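Review bot: the `peering_status` reference lists only `NEW`, `PENDING` and `REVOKED`, yet the create notes below mention a fourth value, `INVALID`, and the attribute is described as "Whether the RPC is peered with another RPC", which implies a peered state that is not listed either; document every value the API can return in one place so users can write an exact `peering_status` check. The disconnect note also names the wrong side: it tells the user to taint `oci_core_remote_peering_connection.test_remote_peering_connection` "on the acceptor resource", but in the example usage that resource sets `peer_id` to `test_remote_peering_connection2.id`, which makes it the requestor; either rename the example resources to requestor/acceptor or point the advice at `test_remote_peering_connection2`. Minor: "you will have do a `terraform refresh`" is missing "to", and `** IMPORTANT **` with spaces inside the asterisks does not render as bold in Markdown, so write `**IMPORTANT**`.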
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# Remote VCN Peering Example
2+
3+
This example demonstrates how to do a VCN remote peering connection using Remote Peering Connection (RPC) resources when you have different administrators of the VCNs in the connection.
4+
5+
** IMPORTANT **
6+
You would not want to use this example the way it is written as it uses multiple users. This example is there to demonstrate the workflow of establishing a remote peering connection when the 2 VCNs are administered by different users.
7+
8+
This example creates policies so it should be run in the home region of your tenancy.
9+
10+
One of the users will have the `requestor` RPC that will request a remote peering connection to the `acceptor` RPC that is managed by a different user. See [Remote VCN Peering](https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/remoteVCNpeering.htm) for more details.
11+
12+
* policies.tf show the policies that are needed for each of the users.
13+
* requestor.tf shows what the requestor config would look like, including the RPC, the Route Table and the Security List.
14+
* acceptor.tf shows what the acceptor config would look like, including the RPC, the Route Table and the Security List.
15+
16+
An instance is created on the requestor side and the acceptor side so that you can test the connection.
17+
You can SSH to one of the instances using its public IP and try to PING from there the other instance using its Private IP.
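Review bot: the `** IMPORTANT **` note says not to use the example "the way it is written as it uses multiple users" without saying what that means in practice; spell it out: this single root module takes API credentials (user OCID, fingerprint and private key path) for an admin user, a requestor user and an acceptor user at once, whereas the point of the workflow is that the two VCN administrators hold separate credentials and run separate configurations. Also: `** IMPORTANT **` needs the inner spaces removed to render bold, "policies.tf show" should be "shows", and the file list omits the variables and outputs files that are also part of the example (the outputs carry the public and private IPs used by the SSH/ping test described in the last two lines).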
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,141 @@
1+
variable "user_acceptor" {}
2+
variable "compartment_ocid_acceptor" {}
3+
variable "compartment_name_acceptor" {}
4+
variable "fingerprint_acceptor" {}
5+
variable "private_key_path_acceptor" {}
6+
7+
variable "acceptor_region" { default = "us-ashburn-1"}
8+
9+
variable "acceptor_cidr" {
10+
default = "10.1.0.0/16"
11+
}
12+
13+
provider "oci" {
14+
alias = "acceptor"
15+
region = "${var.acceptor_region}"
16+
tenancy_ocid = "${var.tenancy_ocid}"
17+
user_ocid = "${var.user_acceptor}"
18+
fingerprint = "${var.fingerprint_acceptor}"
19+
private_key_path = "${var.private_key_path_acceptor}"
20+
}
21+
22+
resource "oci_core_vcn" "acceptor_vcn" {
23+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
24+
provider = "oci.acceptor"
25+
display_name = "acceptor_vcn"
26+
dns_label = "acceptorvcn"
27+
cidr_block = "${var.acceptor_cidr}"
28+
compartment_id = "${var.compartment_ocid_acceptor}"
29+
}
30+
31+
resource "oci_core_drg" "acceptor_drg" {
32+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
33+
provider = "oci.acceptor"
34+
compartment_id = "${var.compartment_ocid_acceptor}"
35+
}
36+
37+
resource "oci_core_drg_attachment" "acceptor_drg_attachment" {
38+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
39+
provider = "oci.acceptor"
40+
drg_id = "${oci_core_drg.acceptor_drg.id}"
41+
vcn_id = "${oci_core_vcn.acceptor_vcn.id}"
42+
}
43+
44+
resource "oci_core_remote_peering_connection" "acceptor" {
45+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
46+
provider = "oci.acceptor"
47+
compartment_id = "${var.compartment_ocid_acceptor}"
48+
drg_id = "${oci_core_drg.acceptor_drg.id}"
49+
display_name = "remotePeeringConnectionAcceptor"
50+
}
51+
52+
resource "oci_core_internet_gateway" "acceptor_internet_gateway" {
53+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
54+
provider = "oci.acceptor"
55+
compartment_id = "${var.compartment_ocid_acceptor}"
56+
display_name = "acceptor_internet_gateway"
57+
vcn_id = "${oci_core_vcn.acceptor_vcn.id}"
58+
}
59+
60+
resource "oci_core_route_table" "acceptor_route_table" {
61+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
62+
provider = "oci.acceptor"
63+
compartment_id = "${var.compartment_ocid_acceptor}"
64+
vcn_id = "${oci_core_vcn.acceptor_vcn.id}"
65+
display_name = "acceptorRouteTable"
66+
route_rules {
67+
cidr_block = "${var.requestor_cidr}"
68+
network_entity_id = "${oci_core_drg.acceptor_drg.id}"
69+
}
70+
route_rules {
71+
cidr_block = "0.0.0.0/0"
72+
network_entity_id = "${oci_core_internet_gateway.acceptor_internet_gateway.id}"
73+
}
74+
}
75+
76+
resource "oci_core_security_list" "acceptor_security_list" {
77+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
78+
provider = "oci.acceptor"
79+
compartment_id = "${var.compartment_ocid_acceptor}"
80+
vcn_id = "${oci_core_vcn.acceptor_vcn.id}"
81+
display_name = "AcceptorSecurityList"
82+
83+
egress_security_rules {
84+
destination = "${var.requestor_cidr}"
85+
protocol = "all"
86+
}
87+
88+
ingress_security_rules {
89+
protocol = "all"
90+
source = "${var.requestor_cidr}"
91+
}
92+
93+
ingress_security_rules {
94+
protocol = "${var.tcp_protocol}"
95+
source = "0.0.0.0/0"
96+
tcp_options {
97+
max = "${var.ssh_port}"
98+
min = "${var.ssh_port}"
99+
}
100+
}
101+
}
102+
103+
data "oci_identity_availability_domains" "acceptor_ads" {
104+
provider = "oci.acceptor"
105+
compartment_id = "${var.tenancy_ocid}"
106+
}
107+
108+
resource "oci_core_subnet" "acceptor_subnet" {
109+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
110+
provider = "oci.acceptor"
111+
availability_domain = "${lookup(data.oci_identity_availability_domains.acceptor_ads.availability_domains[0],"name")}"
112+
cidr_block = "${cidrsubnet("${var.acceptor_cidr}", 4, 0)}"
113+
display_name = "AcceptorSubnet"
114+
dns_label = "acceptorsubnet"
115+
compartment_id = "${var.compartment_ocid_acceptor}"
116+
vcn_id = "${oci_core_vcn.acceptor_vcn.id}"
117+
security_list_ids = ["${oci_core_security_list.acceptor_security_list.id}"]
118+
route_table_id = "${oci_core_route_table.acceptor_route_table.id}"
119+
dhcp_options_id = "${oci_core_vcn.acceptor_vcn.default_dhcp_options_id}"
120+
}
121+
122+
resource "oci_core_instance" "acceptor_instance" {
123+
depends_on = ["oci_identity_policy.acceptor_policy", "oci_identity_user_group_membership.acceptor_user_group_membership"]
124+
provider = "oci.acceptor"
125+
availability_domain = "${lookup(data.oci_identity_availability_domains.acceptor_ads.availability_domains[0],"name")}"
126+
compartment_id = "${var.compartment_ocid_acceptor}"
127+
display_name = "acceptorInstance"
128+
image = "${var.InstanceImageOCID[var.acceptor_region]}"
129+
shape = "${var.InstanceShape}"
130+
131+
create_vnic_details {
132+
subnet_id = "${oci_core_subnet.acceptor_subnet.id}"
133+
display_name = "primaryvnic"
134+
assign_public_ip = true
135+
hostname_label = "acceptorinstance"
136+
},
137+
138+
metadata {
139+
ssh_authorized_keys = "${var.ssh_public_key}"
140+
}
141+
}
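Review bot: `acceptor_security_list` opens `var.ssh_port` to `0.0.0.0/0` on an instance that also gets `assign_public_ip = true`; for an example whose stated purpose is a ping test across the peering, a variable such as `ssh_source_cidr` holding the operator's own address range (with a sentence in the README) would keep the least-privilege shape without changing the workflow. The ingress and egress rules for `var.requestor_cidr` use `protocol = "all"`; if the ping test is all that is needed, narrowing them to ICMP (protocol number 1, alongside the existing `tcp_protocol = "6"` variable) documents the intent. Two smaller points: the stray comma after the closing brace of `create_vnic_details { ... },` should go, and the identical `depends_on = [...]` list repeated on nine resources deserves one comment explaining that it waits for the acceptor user's group membership and policy to exist before anything is created through the `oci.acceptor` provider.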
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
variable "ssh_public_key" {}
2+
3+
variable "InstanceShape" {
4+
default = "VM.Standard1.2"
5+
}
6+
7+
variable "InstanceImageOCID" {
8+
type = "map"
9+
default = {
10+
// See https://docs.us-phoenix-1.oraclecloud.com/images/
11+
// Oracle-provided image "Oracle-Linux-7.4-2018.02.21-1"
12+
us-phoenix-1 = "ocid1.image.oc1.phx.aaaaaaaaupbfz5f5hdvejulmalhyb6goieolullgkpumorbvxlwkaowglslq"
13+
us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaajlw3xfie2t5t52uegyhiq2npx7bqyu4uvi2zyu3w3mqayc2bxmaa"
14+
eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaa7d3fsb6272srnftyi4dphdgfjf6gurxqhmv6ileds7ba3m2gltxq"
15+
uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaaa6h6gj6v4n56mqrbgnosskq63blyv2752g36zerymy63cfkojiiq"
16+
}
17+
}
18+
19+
variable "tcp_protocol" {
20+
default = "6"
21+
}
22+
23+
variable "ssh_port" {
24+
default = "22"
25+
}
26+
27+
data "oci_identity_availability_domains" "ADs" {
28+
provider = "oci.admin"
29+
compartment_id = "${var.tenancy_ocid}"
30+
}
31+
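Review bot: `InstanceImageOCID` has entries for four regions only, so any other value of `acceptor_region` (or the requestor's region) makes the `${var.InstanceImageOCID[var.acceptor_region]}` lookup in acceptor.tf fail at plan time with a missing-key error; the comment or the README should list the supported regions. Pinning a dated image ("Oracle-Linux-7.4-2018.02.21-1") is the right choice for reproducibility, but add a line noting that the OCIDs will need refreshing when that image is retired. Also check whether `data "oci_identity_availability_domains" "ADs"` (under `oci.admin`) is used anywhere; acceptor.tf reads availability domains through its own `acceptor_ads` data source, so if requestor.tf does the same this one is dead. Minor: this file uses `//` comments while the outputs file uses `#`; pick one style.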
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
# You can test the peering connection by ssh-ing into an instance (using the public_ip) and doing a ping command to the private IP address of the other instance"]
2+
3+
output "requestorInstancePublicIP" {
4+
value = ["${oci_core_instance.requestor_instance.public_ip}"]
5+
}
6+
7+
output "requestorInstancePrivateIP" {
8+
value = ["${oci_core_instance.requestor_instance.private_ip}"]
9+
}
10+
11+
output "acceptorInstancePublicIP" {
12+
value = ["${oci_core_instance.acceptor_instance.public_ip}"]
13+
}
14+
15+
output "acceptorInstancePrivateIP" {
16+
value = ["${oci_core_instance.acceptor_instance.private_ip}"]
17+
}
18+
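Review bot: the comment on the first line ends with a stray `"]`, apparently left over from editing an output value; drop it. All four outputs wrap a single string in a list (`value = ["${...}"]`), so `terraform output requestorInstancePublicIP` prints a one-element list rather than the bare address the README's SSH/ping instructions expect; `value = "${oci_core_instance.requestor_instance.public_ip}"` is enough. The comment itself could match the README's wording: SSH to one instance using its public IP and ping the private IP of the other.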
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
variable "fingerprint" {}
2+
variable "private_key_path" {}
3+
variable "region" {}
4+
variable "tenancy_ocid" {}
5+
variable "user_ocid" {}
6+
7+
provider "oci" {
8+
alias = "admin"
9+
region = "${var.region}"
10+
tenancy_ocid = "${var.tenancy_ocid}"
11+
user_ocid = "${var.user_ocid}"
12+
fingerprint = "${var.fingerprint}"
13+
private_key_path = "${var.private_key_path}"
14+
}
15+
16+
resource "oci_identity_group" "requestor_group" {
17+
provider = "oci.admin"
18+
name = "requestorGroup"
19+
description = "automated test group"
20+
}
21+
22+
resource "oci_identity_user_group_membership" "requestor_user_group_membership" {
23+
provider = "oci.admin"
24+
group_id = "${oci_identity_group.requestor_group.id}"
25+
user_id = "${var.user_requestor}"
26+
}
27+
28+
resource "oci_identity_policy" "requestor_policy" {
29+
provider = "oci.admin"
30+
name = "requestorPolicy"
31+
description = "automated test policy"
32+
compartment_id = "${var.tenancy_ocid}"
33+
statements = ["Allow group ${oci_identity_group.requestor_group.name} to manage virtual-network-family in compartment ${var.compartment_name_requestor}",
34+
"Allow group ${oci_identity_group.requestor_group.name} to manage instance-family in compartment ${var.compartment_name_requestor}",
35+
"Allow group ${oci_identity_group.requestor_group.name} to manage remote-peering-from in compartment ${var.compartment_name_requestor}"]
36+
}
37+
38+
resource "oci_identity_group" "acceptor_group" {
39+
provider = "oci.admin"
40+
name = "acceptorGroup"
41+
description = "automated test group"
42+
}
43+
44+
resource "oci_identity_user_group_membership" "acceptor_user_group_membership" {
45+
provider = "oci.admin"
46+
group_id = "${oci_identity_group.acceptor_group.id}"
47+
user_id = "${var.user_acceptor}"
48+
}
49+
50+
resource "oci_identity_policy" "acceptor_policy" {
51+
provider = "oci.admin"
52+
name = "acceptorPolicy"
53+
description = "automated test policy"
54+
compartment_id = "${var.tenancy_ocid}"
55+
statements = ["Allow group ${oci_identity_group.requestor_group.name} to manage remote-peering-to in compartment ${var.compartment_name_acceptor}",
56+
"Allow group ${oci_identity_group.acceptor_group.name} to manage virtual-network-family in compartment ${var.compartment_name_acceptor}",
57+
"Allow group ${oci_identity_group.acceptor_group.name} to manage instance-family in compartment ${var.compartment_name_acceptor}"]
58+
}
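Review bot: in `acceptor_policy` the first statement grants `requestor_group`, not `acceptor_group`, `manage remote-peering-to` in the acceptor's compartment; that cross-administrator grant is the whole point of the example, and a reader will take it for a copy-paste slip unless a comment says so (pair it with the `manage remote-peering-from` statement in `requestor_policy`). Both groups also receive `manage virtual-network-family` and `manage instance-family` over their entire compartment, via policies attached at the tenancy root; that is broader than the RPC, DRG, subnet and single instance the example creates, so either note it as a demo convenience or narrow it. Minor: the `description` strings are identical across both groups ("automated test group") and both policies ("automated test policy"), which makes them indistinguishable in the audit log; say requestor or acceptor in each. `var.user_requestor` and `var.compartment_name_requestor` are referenced here but declared in neither this file nor the variables file in this commit; presumably requestor.tf declares them, mirroring the acceptor variables at the top of acceptor.tf, and a comment saying so would help.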
