Add a new template to configure regionally highly-available private loadbalancer. Change hybrid_dns template to update default DHCP options with custom DNS servers (#439)

* Update default DHCP options to use the custom DNS servers

* New example to demonstrate regionally HA setup of private loadbalancers

* Update image in Readme

* Minor change for better organization

* Minor changes for better organization

* Fixed review comments.

* Moved regional_private_lb to solutions/

Author: sivaedupuganti-oracle

docs/examples/networking/hybrid_dns/dns.tf

@@ -75,6 +75,7 @@ resource "oci_core_virtual_network" "CoreVCN" {
     cidr_block = "${var.vcn_cidr}"
     compartment_id = "${var.compartment_ocid}"
     display_name = "mgmt-vcn"
+    dns_label = "mgmtvcn"
 }
 
 resource "oci_core_internet_gateway" "MgmtIG" {
@@ -172,6 +173,7 @@ resource "oci_core_subnet" "MgmtSubnet" {
     availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD1 - 1],"name")}"
     cidr_block = "${var.mgmt_subnet_cidr1}"
     display_name = "MgmtSubnet"
+    dns_label = "mgmtsubnet"
     compartment_id = "${var.compartment_ocid}"
     vcn_id = "${oci_core_virtual_network.CoreVCN.id}"
     route_table_id = "${oci_core_route_table.MgmtRouteTable.id}"
@@ -183,6 +185,7 @@ resource "oci_core_subnet" "MgmtSubnet2" {
     availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD2 - 1],"name")}"
     cidr_block = "${var.mgmt_subnet_cidr2}"
     display_name = "MgmtSubnet2"
+    dns_label = "mgmtsubnet2"
     compartment_id = "${var.compartment_ocid}"
     vcn_id = "${oci_core_virtual_network.CoreVCN.id}"
     route_table_id = "${oci_core_route_table.MgmtRouteTable.id}"
@@ -246,12 +249,23 @@ data "oci_core_vnic" "DnsVMVnic2" {
     vnic_id = "${lookup(data.oci_core_vnic_attachments.DnsVMVnics2.vnic_attachments[0],"vnic_id")}"
 }
 
-output "DefaultDHCPOptions" {
-    value = ["${oci_core_virtual_network.CoreVCN.default_dhcp_options_id}"]
-}
+# Update the default DHCP options to use custom DNS servers
+resource "oci_core_default_dhcp_options" "default-dhcp-options" {
+    manage_default_resource_id = "${oci_core_virtual_network.CoreVCN.default_dhcp_options_id}"
 
-output "VcnId" {
-    value = ["${oci_core_virtual_network.CoreVCN.id}"]
+    // required
+    options {
+        type = "DomainNameServer"
+        server_type = "CustomDnsServer"
+        custom_dns_servers = [  "${data.oci_core_vnic.DnsVMVnic.private_ip_address}",
+                                "${data.oci_core_vnic.DnsVMVnic2.private_ip_address}" ]
+    }
+
+  // optional
+  options {
+    type = "SearchDomain"
+    search_domain_names = [ "${oci_core_virtual_network.CoreVCN.dns_label}.oraclevcn.com" ]
+  }
 }
 
 output "DnsServer1" {

docs/solutions/regional_private_lb/README.md

@@ -0,0 +1,55 @@
+    #     ___  ____     _    ____ _     _____
+    #    / _ \|  _ \   / \  / ___| |   | ____|
+    #   | | | | |_) | / _ \| |   | |   |  _|
+    #   | |_| |  _ < / ___ | |___| |___| |___
+    #    \___/|_| \_/_/   \_\____|_____|_____|
+***
+This example configures a regionally highly-available private load balancer using custom DNS servers.
+
+It creates a VCN with the required subnets and other components, and it creates two private load balancers in two availability domains with the same set of backend instances.
+
+It then creates two VMs (in the same ADs but different subnets) and configures them to perform DNS forwarding. It creates a custom domain and adds a round-robin DNS entry which resolves to the two private load balancer IP addresses. It also updates the default DHCP options of the VCN to use the DNS VMs as the custom DNS resolvers. With this setup, all instances in subnets that uses the default DHCP options (or the custom DNS servers explicitly) will be able to use the FQDN as the endpoint (instead of any one private load balancer's IP address). 
+
+It configures [monit](https://mmonit.com/monit/) (an open-source utility to monitor unix systems) on the DNS VMs to check the availability of the private load balancer's listener endpoint. In case the endpoint becomes unavailable, the monitoring service updates the DNS records to remove the private load balancer's IP. 
+
+In case of an AD-level failure or when a private load balancer is down, 'monit' will detect that endpoint is down and remove it from round-robin DNS entries. When clients query for the FQDN, it resolves to the IP address of the other private load balancer which is available. 
+
+![Architecture diagram](images/regional_ha_private_lb.png)
+
+
+### Using this example
+* Update env-vars with the required information. Most examples use the same set of environment variables so you only need to do this once.
+* Source env-vars
+  * `$ . env-vars`
+
+Once the environment is built, the DNS VMs will be able to query the DNS hostnames within the VCN. You can run 'nslookup <fqdn-of-the-app>' from any instance in the VCN (that uses default DHCP options) to verify this. 
+
+### Files in the configuration
+
+#### `env-vars`
+Is used to export the environmental variables used in the configuration. These are usually authentication related, be sure to exclude this file from your version control system. It's typical to keep this file outside of the configuration.
+
+Before you plan, apply, or destroy the configuration source the file -  
+`$ . env-vars`
+
+### `provider.tf`
+Defines the provider configuration
+
+#### `variables.tf`
+Defines the variables
+
+#### `network.tf`
+Defines the network resources - VCN, subnets and other related resources
+
+### `lb_private.tf`
+Defines the private load balancer configuration
+
+### `lb_backends.tf`
+Defines the backend VMs to be included into the load balancer backendsets
+
+### `dns_instances.tf`
+Defines the DNS VMs and the configuration to be performned on these instances
+
+### `outputs.tf`
+Shows the IP addresses of the DNS VMs and the private load balancers 
+

docs/solutions/regional_private_lb/datasources.tf

@@ -0,0 +1,16 @@
+# Gets a list of Availability Domains
+data "oci_identity_availability_domains" "ADs" {
+    compartment_id = "${var.tenancy_ocid}"
+}
+
+# Gets a list of vNIC attachments of the instance
+data "oci_core_vnic_attachments" "Instance1Vnics" {
+    compartment_id = "${var.compartment_ocid}"
+    availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD1 - 1],"name")}"
+    instance_id = "${oci_core_instance.instance1.id}"
+} 
+
+# Gets the OCID of the first (default) vNIC
+data "oci_core_vnic" "Instance1Vnic" {
+    vnic_id = "${lookup(data.oci_core_vnic_attachments.Instance1Vnics.vnic_attachments[0],"vnic_id")}"
+}

docs/solutions/regional_private_lb/db.zone.tmpl

@@ -0,0 +1,17 @@
+;
+; Named file for custom entries in ha.oraclevcn.com
+;
+$TTL    5S
+@       IN      SOA     ha.oraclevcn.com. root.ha.oraclevcn.com. (
+                 2018012810         ; Serial
+                     604800         ; Refresh
+                      86400         ; Retry
+                    2419200         ; Expire
+                     604800 )       ; Negative Cache TTL
+;
+	NS		ha.oraclevcn.com.
+	A		${dns_server_ip}
+
+;; Round robin entry for the private loadbalancer
+${app}  IN      A       ${lb_ip1}
+${app}  IN      A       ${lb_ip2}

docs/solutions/regional_private_lb/dns_instances.tf

@@ -0,0 +1,228 @@
+
+# Launch and configure DNS VMs
+
+resource "oci_core_instance" "DnsVM1" {
+    availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD1 - 1],"name")}"
+    compartment_id = "${var.compartment_ocid}"
+    display_name = "DnsVM1"
+    image = "${var.InstanceImageOCID[var.region]}"
+    shape = "${var.InstanceShape}"
+    create_vnic_details {
+        subnet_id = "${oci_core_subnet.MgmtSubnet1.id}"
+    }
+    metadata {
+        ssh_authorized_keys = "${var.ssh_public_key}"
+    }
+    timeouts {
+        create = "10m"
+    }
+}
+
+resource "oci_core_instance" "DnsVM2" {
+    availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD2 - 1],"name")}"
+    compartment_id = "${var.compartment_ocid}"
+    display_name = "DnsVM2"
+    image = "${var.InstanceImageOCID[var.region]}"
+    shape = "${var.InstanceShape}"
+    create_vnic_details {
+        subnet_id = "${oci_core_subnet.MgmtSubnet2.id}"
+    }
+    metadata {
+        ssh_authorized_keys = "${var.ssh_public_key}"
+    }
+    timeouts {
+        create = "10m"
+    }
+}
+
+# Gets a list of VNIC attachments on the DNS instance
+data "oci_core_vnic_attachments" "DnsVM1Vnics" {
+    compartment_id = "${var.compartment_ocid}"
+    availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD1 - 1],"name")}"
+    instance_id = "${oci_core_instance.DnsVM1.id}"
+}
+
+data "oci_core_vnic_attachments" "DnsVM2Vnics" {
+    compartment_id = "${var.compartment_ocid}"
+    availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.AD2 - 1],"name")}"
+    instance_id = "${oci_core_instance.DnsVM2.id}"
+}
+
+# Gets the OCID of the first (default) vNIC
+data "oci_core_vnic" "DnsVMVnic" {
+    vnic_id = "${lookup(data.oci_core_vnic_attachments.DnsVM1Vnics.vnic_attachments[0],"vnic_id")}"
+}
+
+data "oci_core_vnic" "DnsVMVnic2" {
+    vnic_id = "${lookup(data.oci_core_vnic_attachments.DnsVM2Vnics.vnic_attachments[0],"vnic_id")}"
+}
+
+# Update the default DHCP options to use custom DNS servers
+resource "oci_core_default_dhcp_options" "default-dhcp-options" {
+    manage_default_resource_id = "${oci_core_virtual_network.MgmtVcn.default_dhcp_options_id}"
+
+    options {
+        type = "DomainNameServer"
+        server_type = "CustomDnsServer"
+        custom_dns_servers = [  "${data.oci_core_vnic.DnsVMVnic.private_ip_address}",
+                                "${data.oci_core_vnic.DnsVMVnic2.private_ip_address}" ]
+    }
+
+    options {
+        type = "SearchDomain"
+        search_domain_names = [ "${oci_core_virtual_network.MgmtVcn.dns_label}.oraclevcn.com" ]
+    }
+}
+
+data "template_file" "generate_named_conf" {
+    template = "${file("named.conf.tpl")}"
+ 
+    vars {
+      vcn_cidr           = "${var.vcn_cidr}"
+      zone               = "${var.ha_app_domain}"
+      onprem_cidr        = "${var.onprem_cidr}"
+      onprem_domain      = "${var.onprem_domain}"
+      onprem_dns_server1 = "${var.onprem_dns_server1}"
+      onprem_dns_server2 = "${var.onprem_dns_server2}"
+    }
+}
+
+data "template_file" "generate_db_zone_vm1" {
+    template = "${file("db.zone.tmpl")}"
+ 
+    vars {
+      dns_server_ip = "${data.oci_core_vnic.DnsVMVnic.private_ip_address}"
+      app           = "${var.ha_app_name}"
+      lb_ip1        = "${oci_load_balancer.lb1.ip_addresses[0]}"
+      lb_ip2        = "${oci_load_balancer.lb2.ip_addresses[0]}"
+    }
+}
+
+data "template_file" "generate_db_zone_vm2" {
+    template = "${file("db.zone.tmpl")}"
+ 
+    vars {
+      dns_server_ip = "${data.oci_core_vnic.DnsVMVnic2.private_ip_address}"
+      app           = "${var.ha_app_name}"
+      lb_ip1        = "${oci_load_balancer.lb1.ip_addresses[0]}"
+      lb_ip2        = "${oci_load_balancer.lb2.ip_addresses[0]}"
+    }
+}
+
+data "template_file" "generate_monitrc" {
+    template = "${file("monitrc.tmpl")}"
+ 
+    vars {
+      lb_ip1      = "${oci_load_balancer.lb1.ip_addresses[0]}"
+      lb_ip2      = "${oci_load_balancer.lb2.ip_addresses[0]}"
+      lb_port     = "${var.ha_app_port}"
+      lb_protocol = "${var.ha_app_protocol}"
+      app         = "${var.ha_app_name}"
+      zone_file   = "/etc/named/db.${var.ha_app_domain}"
+    }
+}
+
+resource "null_resource" "configure-bind-vm1" {
+  connection {
+    type        = "ssh"
+    user        = "opc"
+    private_key = "${var.ssh_private_key}"
+    host        = "${data.oci_core_vnic.DnsVMVnic.public_ip_address}"
+    timeout     = "30m"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_named_conf.rendered}"
+    destination = "~/named.conf"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_db_zone_vm1.rendered}"
+    destination = "~/db.${var.ha_app_domain}"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_monitrc.rendered}"
+    destination = "~/monitrc"
+  }
+
+  provisioner "file" {
+    source      = "dnsops"
+    destination = "~/dnsops"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo yum update -y",
+
+      "sudo yum install bind -y",
+      "sudo cp ~/named.conf /etc/named.conf",
+      "sudo cp ~/db.${var.ha_app_domain} /etc/named/db.${var.ha_app_domain}",
+      "sudo systemctl enable named",
+      "sudo systemctl restart named",
+
+      "sudo firewall-offline-cmd --add-port=53/udp",
+      "sudo firewall-offline-cmd --add-port=53/tcp",
+      "sudo /bin/systemctl restart firewalld",
+
+      "sudo yum install monit -y",
+      "sudo cp ~/monitrc /etc/monitrc",
+      "sudo chmod +x ~/dnsops/*",
+      "sudo systemctl enable monit",
+      "sudo systemctl restart monit"
+    ]
+  }
+}
+
+resource "null_resource" "configure-bind-vm2" {
+  connection {
+    type        = "ssh"
+    user        = "opc"
+    private_key = "${var.ssh_private_key}"
+    host        = "${data.oci_core_vnic.DnsVMVnic2.public_ip_address}"
+    timeout     = "30m"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_named_conf.rendered}"
+    destination = "~/named.conf"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_db_zone_vm2.rendered}"
+    destination = "~/db.${var.ha_app_domain}"
+  }
+
+  provisioner "file" {
+    content     = "${data.template_file.generate_monitrc.rendered}"
+    destination = "~/monitrc"
+  }
+
+  provisioner "file" {
+    source      = "dnsops"
+    destination = "~/dnsops"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo yum update -y",
+
+      "sudo yum install bind -y",
+      "sudo cp ~/named.conf /etc/named.conf",
+      "sudo cp ~/db.${var.ha_app_domain} /etc/named/db.${var.ha_app_domain}",
+      "sudo systemctl enable named",
+      "sudo systemctl restart named",
+
+      "sudo firewall-offline-cmd --add-port=53/udp",
+      "sudo firewall-offline-cmd --add-port=53/tcp",
+      "sudo /bin/systemctl restart firewalld",
+
+      "sudo yum install monit -y",
+      "sudo cp ~/monitrc /etc/monitrc",
+      "sudo chmod +x ~/dnsops/*",
+      "sudo systemctl enable monit",
+      "sudo systemctl restart monit"
+    ]
+  }
+}
+

docs/solutions/regional_private_lb/dnsops/addserver

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+zonefile=$1
+ip=$2
+name=$3
+
+if [ $(grep ^$name $zonefile | grep -qs $ip ; echo $?) != 0 ]
+then
+    echo "$name  IN      A       $ip" >> $zonefile
+fi
+
+systemctl reload named