diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/README.md b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/README.md new file mode 100644 index 0000000..512704b --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/README.md 
@@ -0,0 +1,104 @@ + + + # ___ ____ _ ____ _ _____ + # / _ \| _ \ / \ / ___| | | ____| + # | | | | |_) | / _ \| | | | | _| + # | |_| | _ < / ___ | |___| |___| |___ + # \___/|_| \_/_/ \_\____|_____|_____| +*** +### Full VCN with Service Gateway, NAT Gateway and One Tier Web App with 1 Load Balancer & 2 static instances running on OCI + +### Using this example +* Update env-vars with the required information. Most examples use the same set of environment variables so you only need to do this once. + +Follow the directions from this page to create an ssl certificate: +https://docs.cloud.oracle.com/iaas/Content/Balance/Tasks/managingcertificates.htm + +Under the certs folder you will update the following files with the following certificates: +cacert.pem - Certificate of the issuing certificate authority +cert.pem - The SSL certificate issued for this workloa +privkey.pem - Private key of the certificate +* Execute env-vars script + + +* You can locate the tenancy and user OCID, as well as learn how to create API signing keys by using this reference: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm + +### Authentication details +* export TF_VAR_tenancy_ocid="" + +* export TF_VAR_user_ocid="" + +* export TF_VAR_fingerprint="" + +* export TF_VAR_private_key_path="" + +export TF_VAR_private_key_password="$(cat )" + +### Compartment +* export TF_VAR_compartment_ocid="" + +### Public/private keys used on the instance +*export TF_VAR_ssh_public_key=$(cat ) + + + * `$ . env-vars` +* Update `terraform.tfvars` with your instance options. 
+ +* These are the default values + +instance_shape = "VM.Standard2.1" +availability_domain = "3" +region = "us-ashburn-1" +admin_subnet = "10.0.0.0/8" +assign_public_ip_instance = "false" +hostname = "hostname pointing to your load balancer ip" +* run the command: terraform init +* * This command will download the oci provider and the template_file data source used to import the user-data script for the oci instances + +* run the command: terraform plan + +* run the command: terraform apply +* * You will be prompted to accept the changes type yes and press enter + +* To remove all changes run the command: terraform destroy +* * You will be prompted to accept the changes type yes and press enter + +### Files in the configuration + +#### `env-vars` +Is used to export the environmental variables used in the configuration. These are usually authentication related, be sure to exclude this file from your version control system. It's typical to keep this file outside of the configuration. + +Before you plan, apply, or destroy the configuration source the file - +`$ . env-vars` + +#### `terraform.tfvars` +Defines stack specific variables to define workload specific definitions + +#### `compute.tf` +Defines the compute resources + +#### `security.tf` +Defines the security lists for the subnets + +#### `lb.tf` +Defines the loadbalancer resources + +#### `networking.tf` +Defines the virtual cloud network resources used in the configuration + +#### `variables.tf` +Defines the variables used in the configuration + +#### `datasources.tf` +Defines the datasources used in the configuration + +#### `provider.tf` +Specifies and passes authentication details to the OCI TF provider + +#### `./userdata.tpl` +The script gets injected into an instance on launch. +The script configures a test webserver for displaying the backend server private ip. 
+
+#### `./outputs.tf`
+Returns vaules necessary for use of the workload
+lb_public_ip is the Public IP address of the load balancer and can accessed as http://:80/sample/hello.jsp
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cacert.pem b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cacert.pem
new file mode 100644
index 0000000..0e7a4f9
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cacert.pem
@@ -0,0 +1,4 @@
+-----BEGIN CERTIFICATE-----
+
+
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cert.pem b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cert.pem
new file mode 100644
index 0000000..80bdd5b
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/cert.pem
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/privkey.pem b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/privkey.pem
new file mode 100644
index 0000000..ceddfd9
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/certs/privkey.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+
+
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/compute.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/compute.tf
new file mode 100644
index 0000000..b33b430
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/compute.tf
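Review bot: certs/privkey.pem is committed as a tracked placeholder that the README tells users to overwrite in place with the real private key, so the first `git add -A` after following the instructions commits the key itself. Either ship a `.gitignore` alongside the example containing `certs/*.pem`, or have the README point at a path outside the repository as it already does for env-vars. The same applies to cert.pem and cacert.pem, which are less sensitive but still environment-specific and should not be edited in the tree.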
@@ -0,0 +1,117 @@ +// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. +/* Instances */ + +resource "oci_core_instance" "vcn1-instance1" { + availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + compartment_id = "${var.compartment_ocid}" + display_name = "vcn1-instance1" + shape = "${var.instance_shape}" + hostname_label = "vcn1-instance1" + + create_vnic_details { + subnet_id = "${oci_core_subnet.private_subnet1.id}" + assign_public_ip = "${var.assign_public_ip_instance}" + } + + metadata { + user_data = "${base64encode(data.template_file.init.rendered)}" + ssh_authorized_keys = "${file(var.ssh_public_key_path)}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } +} + +resource "oci_core_instance" "vcn1-instance2" { + availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + compartment_id = "${var.compartment_ocid}" + display_name = "vcn1-instance2" + shape = "${var.instance_shape}" + hostname_label = "vcn1-instance2" + + create_vnic_details { + subnet_id = "${oci_core_subnet.private_subnet1.id}" + assign_public_ip = "${var.assign_public_ip_instance}" + } + + metadata { + user_data = "${base64encode(data.template_file.init.rendered)}" + ssh_authorized_keys = "${file(var.ssh_public_key_path)}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } +} + +resource "oci_core_instance" "vcn2-instance1" { + availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + compartment_id = "${var.compartment_ocid}" + display_name = "vcn2-instance1" + shape = "${var.instance_shape}" + hostname_label = "vcn2-instance1" + + create_vnic_details { + subnet_id = "${oci_core_subnet.private_subnet2.id}" + 
assign_public_ip = "${var.assign_public_ip_instance}" + } + + metadata { + user_data = "${base64encode(data.template_file.init.rendered)}" + ssh_authorized_keys = "${file(var.ssh_public_key_path)}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } +} + +resource "oci_core_instance_configuration" "vcn1-instance_configuration" { + compartment_id = "${var.compartment_ocid}" + display_name = "vcn1-instance" + + instance_details { + instance_type = "compute" + + launch_details { + source_details { + source_type = "image" + image_id = "${var.instance_image_ocid[var.region]}" + } + + create_vnic_details { + skip_source_dest_check = true + } + + compartment_id = "${var.compartment_ocid}" + display_name = "vcn1-instance" + shape = "${var.instance_shape}" + + metadata { + user_data = "${base64encode(data.template_file.init.rendered)}" + ssh_authorized_keys = "${file(var.ssh_public_key_path)}" + } + + timeouts { + create = "10m" + } + } + } +} + +resource "oci_core_instance_pool" "vcn1-instance_pool" { + display_name = "vcn1_loadbalanced_pool" + compartment_id = "${var.compartment_ocid}" + instance_configuration_id = "${oci_core_instance_configuration.vcn1-instance_configuration.id}" + + placement_configurations { + availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + primary_subnet_id = "${oci_core_subnet.private_subnet1.id}" + } + + size = "${var.instance_count}" +} diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/datasources.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/datasources.tf new file mode 100644 index 0000000..bf4d933 --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/datasources.tf 
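Review bot: every `metadata` block reads `file(var.ssh_public_key_path)`, but env-vars exports `TF_VAR_ssh_public_key` with the key body, so `ssh_public_key_path` is never populated by the documented setup and `terraform plan` will prompt for it; pick one convention, e.g. `ssh_authorized_keys = "${var.ssh_public_key}"` with the variable renamed to match. Separately, `skip_source_dest_check = true` in vcn1-instance_configuration disables the VNIC source/destination check on the pooled web backends, a relaxation only needed for instances that forward traffic on behalf of other addresses, so it should be dropped or justified with a comment. The three single instances above do not set it, which leaves the pool members with a different network posture than the static backends registered in lb.tf.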
@@ -0,0 +1,33 @@
+// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+
+data "oci_identity_availability_domains" "ADs" {
+ compartment_id = "${var.tenancy_ocid}"
+}
+
+data "template_file" "init" {
+ template = "${file("userdata.tpl")}"
+
+ vars = {
+ port = "8080"
+ }
+}
+
+data "template_file" "privkey" {
+ template = "${file("certs/privkey.pem")}"
+}
+
+data "template_file" "cert" {
+ template = "${file("certs/cert.pem")}"
+}
+
+data "template_file" "cacert" {
+ template = "${file("certs/cacert.pem")}"
+}
+
+data "oci_core_services" "test_services" {
+ filter {
+ name = "name"
+ values = [".*Object.*Storage"]
+ regex = true
+ }
+}
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/env-vars b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/env-vars
new file mode 100644
index 0000000..52c0da9
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/env-vars
@@ -0,0 +1,13 @@
+### Authentication details
+export TF_VAR_tenancy_ocid=""
+export TF_VAR_user_ocid=""
+export TF_VAR_fingerprint=""
+export TF_VAR_private_key_path=""
+export TF_VAR_private_key_password="$(cat )"
+
+### Compartment
+export TF_VAR_compartment_ocid=""
+
+### Public/private keys used on the instance
+export TF_VAR_ssh_public_key=$(cat )
+
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/lb.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/lb.tf
new file mode 100644
index 0000000..99bb7b4
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/lb.tf
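Review bot: `data.template_file.privkey` reads certs/privkey.pem and its `rendered` value ends up in plaintext in the Terraform state once anything consumes it (the commented-out lb-cert1 in lb.tf does), so state storage has to be treated as secret and a comment saying so belongs above the block, e.g. `# NOTE: the rendered key is stored unencrypted in terraform.tfstate`. template_file also interpolates any `${...}` sequence found in the file, which a plain `file()` call would not, and `file("certs/privkey.pem")` is the simpler read for static PEM content; the same applies to the cert and cacert data sources.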
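Review bot: `export TF_VAR_private_key_password="$(cat )"` and `export TF_VAR_ssh_public_key=$(cat )` invoke `cat` with no file argument, so sourcing the unedited file blocks reading stdin instead of failing visibly; use an explicit placeholder such as `"$(cat /path/to/key-password)"` so a forgotten edit produces an error. `TF_VAR_ssh_public_key` also exports the key body under a name that variables.tf does not declare (it declares `ssh_public_key_path`), so the value is silently ignored by Terraform; align the two names in whichever direction compute.tf settles on.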
@@ -0,0 +1,114 @@ +// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. +/* Load Balancer */ +resource "oci_load_balancer" "web-lb1" { + shape = "100Mbps" + compartment_id = "${var.compartment_ocid}" + + subnet_ids = [ + "${oci_core_subnet.public_subnet1.id}", + ] + + #"${oci_core_subnet.public_subnet2.id}" + + display_name = "web-lb1" +} + +resource "oci_load_balancer_backend_set" "web-lb-bes1" { + name = "web-lb-bes1" + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + policy = "ROUND_ROBIN" + + session_persistence_configuration { + #Required + cookie_name = "JSESSIONID" + } + + health_checker { + port = "8080" + protocol = "HTTP" + response_body_regex = ".*" + url_path = "/" + } +} + +/* resource "oci_load_balancer_certificate" "lb-cert1" { + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + private_key = "${data.template_file.privkey.rendered}" + certificate_name = "${var.hostname}" + ca_certificate = "${data.template_file.cacert.rendered}" + public_certificate = "${data.template_file.cert.rendered}" + + lifecycle { + create_before_destroy = true + } +} + */ +resource "oci_load_balancer_hostname" "test_hostname1" { + #Required + hostname = "${var.hostname}" + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + name = "hostname1" +} + +resource "oci_load_balancer_listener" "lb-listener1" { + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + name = "http80" + default_backend_set_name = "${oci_load_balancer_backend_set.web-lb-bes1.name}" + hostname_names = ["${oci_load_balancer_hostname.test_hostname1.name}"] + port = 80 + protocol = "HTTP" + + connection_configuration { + idle_timeout_in_seconds = "2" + } +} + +resource "oci_load_balancer_backend" "web-lb-be1" { + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + backendset_name = "${oci_load_balancer_backend_set.web-lb-bes1.name}" + ip_address = "${oci_core_instance.vcn1-instance1.private_ip}" + port = 8080 + backup = false + drain = false + offline = false + 
weight = 1 +} + +resource "oci_load_balancer_backend" "web-lb-be2" { + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + backendset_name = "${oci_load_balancer_backend_set.web-lb-bes1.name}" + ip_address = "${oci_core_instance.vcn1-instance2.private_ip}" + port = 8080 + backup = false + drain = false + offline = false + weight = 1 +} + +resource "oci_load_balancer_path_route_set" "test_path_route_set" { + #Required + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + name = "pr-set1" + + path_routes { + #Required + backend_set_name = "${oci_load_balancer_backend_set.web-lb-bes1.name}" + path = "/sample" + + path_match_type { + #Required + match_type = "PREFIX_MATCH" + } + } +} + +resource "oci_load_balancer_rule_set" "test_rule_set" { + items { + action = "ADD_HTTP_REQUEST_HEADER" + header = "WL-Proxy-SSL" + value = "true" + } + + load_balancer_id = "${oci_load_balancer.web-lb1.id}" + name = "example_rule_set_name" +} diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/network.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/network.tf new file mode 100644 index 0000000..631181c --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/network.tf 
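Review bot: `test_rule_set` adds the request header `WL-Proxy-SSL: true` while the only listener, lb-listener1, is plain HTTP on port 80 and the certificate resource is commented out, so any backend that trusts the header (secure cookie flags, scheme used in redirects, "require SSL" checks) is told the client connection was TLS-terminated when it was not. Leave the rule set out until an HTTPS listener exists, or attach it only to that listener. Note also that the listener sets neither `rule_set_names` nor `path_route_set_name`, so `test_rule_set` and `test_path_route_set` are created but inert, which hides the header problem rather than fixing it.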
@@ -0,0 +1,143 @@ +// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + +/* Network */ + +resource "oci_core_vcn" "vcn1" { + cidr_block = "10.1.0.0/16" + compartment_id = "${var.compartment_ocid}" + display_name = "vcn1" + dns_label = "vcn1" +} + +resource "oci_core_vcn" "vcn2" { + cidr_block = "10.2.0.0/16" + compartment_id = "${var.compartment_ocid}" + display_name = "vcn2" + dns_label = "vcn2" +} + +resource "oci_core_subnet" "public_subnet1" { + depends_on = ["oci_core_security_list.public-securitylist"] + + #availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + cidr_block = "10.1.20.0/24" + display_name = "public_subnet1" + dns_label = "publicsubnet1" + security_list_ids = ["${oci_core_security_list.public-securitylist.id}"] + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + route_table_id = "${oci_core_route_table.public_routetable1.id}" + dhcp_options_id = "${oci_core_vcn.vcn1.default_dhcp_options_id}" +} + +resource "oci_core_subnet" "private_subnet1" { + depends_on = ["oci_core_security_list.public-securitylist"] + + #availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + cidr_block = "10.1.22.0/24" + display_name = "private_subnet1" + dns_label = "privatesubnet1" + security_list_ids = ["${oci_core_security_list.private-securitylist.id}"] + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + route_table_id = "${oci_core_route_table.private_routetable1.id}" + dhcp_options_id = "${oci_core_vcn.vcn1.default_dhcp_options_id}" +} + +resource "oci_core_subnet" "private_subnet2" { + depends_on = ["oci_core_security_list.private-securitylist2"] + availability_domain = "${lookup(data.oci_identity_availability_domains.ADs.availability_domains[var.availability_domain -1],"name")}" + cidr_block = "10.2.22.0/24" + 
display_name = "private_subnet2" + dns_label = "privatesubnet2" + security_list_ids = ["${oci_core_security_list.private-securitylist2.id}"] + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn2.id}" + route_table_id = "${oci_core_route_table.private_routetable2.id}" + dhcp_options_id = "${oci_core_vcn.vcn2.default_dhcp_options_id}" +} + +resource "oci_core_internet_gateway" "internetgateway1" { + compartment_id = "${var.compartment_ocid}" + display_name = "internetgateway1" + vcn_id = "${oci_core_vcn.vcn1.id}" +} + +resource "oci_core_nat_gateway" "natgateway1" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + display_name = "natgateway1" +} + +resource "oci_core_service_gateway" "service_gateway" { + compartment_id = "${var.compartment_ocid}" + + services { + service_id = "${lookup(data.oci_core_services.test_services.services[0], "id")}" + } + + vcn_id = "${oci_core_vcn.vcn1.id}" +} + +resource "oci_core_local_peering_gateway" "vcn1_lpg" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + display_name = "vcn1-lpg" +} + +resource "oci_core_local_peering_gateway" "vcn2_lpg" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn2.id}" + display_name = "vcn2-lpg" + peer_id = "${oci_core_local_peering_gateway.vcn1_lpg.id}" +} + +resource "oci_core_route_table" "public_routetable1" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + display_name = "public_routetable1" + + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_internet_gateway.internetgateway1.id}" + } +} + +resource "oci_core_route_table" "private_routetable1" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn1.id}" + display_name = "private_routetable1" + + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = 
"${oci_core_nat_gateway.natgateway1.id}" + + #network_entity_id = "${oci_core_internet_gateway.internetgateway1.id}" + } + + route_rules { + destination = "${oci_core_vcn.vcn2.cidr_block}" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_local_peering_gateway.vcn1_lpg.id}" + } + + route_rules { + destination = "${lookup(data.oci_core_services.test_services.services[0], "cidr_block")}" + destination_type = "SERVICE_CIDR_BLOCK" + network_entity_id = "${oci_core_service_gateway.service_gateway.id}" + } +} + +resource "oci_core_route_table" "private_routetable2" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_vcn.vcn2.id}" + display_name = "private_routetable1" + + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_local_peering_gateway.vcn2_lpg.id}" + } +} diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/outputs.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/outputs.tf new file mode 100644 index 0000000..d3ac57a --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/outputs.tf @@ -0,0 +1,4 @@ +// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. +output "lb_public_ip" { + value = ["${oci_load_balancer.web-lb1.ip_addresses}"] +} diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/provider.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/provider.tf new file mode 100644 index 0000000..67fc3ea --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/provider.tf 
@@ -0,0 +1,18 @@
+// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+provider "oci" {
+ version = ">= 3.2"
+ tenancy_ocid = "${var.tenancy_ocid}"
+ user_ocid = "${var.user_ocid}"
+ fingerprint = "${var.fingerprint}"
+ private_key_path = "${var.private_key_path}"
+ private_key_password = "${var.private_key_password}"
+ region = "${var.region}"
+}
+
+# Optional: Oracle Cloud Infrastructure provider to use Instance Principal based authentication
+#provider "oci" {
+# version = ">= 3.0.0"
+# auth = "InstancePrincipal"
+# region = "${var.region}"
+#}
+
diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/security.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/security.tf
new file mode 100644
index 0000000..bb55b5b
--- /dev/null
+++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/security.tf
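Review bot: `version = ">= 3.2"` is an open-ended constraint, so a fresh `terraform init` pulls whatever the newest provider major is and can change the meaning of the resources in this example without any edit here; pin it to the tested line with `version = "~> 3.2"`. The commented-out instance-principal block is a good hint, but a one-line comment explaining that it is the preferred option when running from an OCI instance (no API key or `private_key_password` to distribute) would make the trade-off clear to readers.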
@@ -0,0 +1,177 @@ +/* Security List */ +resource "oci_core_security_list" "public-securitylist" { + display_name = "public" + compartment_id = "${oci_core_vcn.vcn1.compartment_id}" + vcn_id = "${oci_core_vcn.vcn1.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [ + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 80 + "max" = 80 + } + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 443 + "max" = 443 + } + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 88 + "max" = 88 + } + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 99 + "max" = 99 + } + }, + { + protocol = "6" + source = "${var.admin_subnet}" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + ] +} + +resource "oci_core_security_list" "private-securitylist" { + display_name = "private" + compartment_id = "${oci_core_vcn.vcn1.compartment_id}" + vcn_id = "${oci_core_vcn.vcn1.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [ + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + { + protocol = "6" + source = "${oci_core_subnet.public_subnet1.cidr_block}" + + tcp_options { + "min" = 80 + "max" = 80 + } + }, + { + protocol = "6" + source = "${oci_core_subnet.public_subnet1.cidr_block}" + + tcp_options { + "min" = 443 + "max" = 443 + } + }, + { + protocol = "6" + source = "${oci_core_subnet.public_subnet1.cidr_block}" + + tcp_options { + "min" = 8080 + "max" = 8080 + } + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 8009 + "max" = 8009 + } + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 8008 + "max" = 8008 + } + }, + { + protocol = "6" + source = "${var.admin_subnet}" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + ] +} + +## Lockdown default security list +resource 
"oci_core_default_security_list" "default-securitylist" { + manage_default_resource_id = "${oci_core_vcn.vcn1.default_security_list_id}" + display_name = "default" + + egress_security_rules = [{ + protocol = "all" + destination = "${var.admin_subnet}" + }] + + ingress_security_rules = [ + { + protocol = "6" + source = "${var.admin_subnet}" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + ] +} + +resource "oci_core_security_list" "private-securitylist2" { + display_name = "private" + compartment_id = "${oci_core_vcn.vcn2.compartment_id}" + vcn_id = "${oci_core_vcn.vcn2.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [ + { + protocol = "all" + source = "${oci_core_vcn.vcn1.cidr_block}" + }, + ] +} diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/userdata.tpl b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/userdata.tpl new file mode 100644 index 0000000..1d8c7ce --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/userdata.tpl @@ -0,0 +1,21 @@ +# Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. +#!/bin/bash -x +echo '################### webserver userdata begins #####################' +touch ~opc/userdata.`date +%s`.start +# echo '########## yum update all ###############' +# yum update -y +echo '########## basic webserver ##############' +yum install -y tomcat +yum install -y tomcat-webapps tomcat-admin-webapps tomcat-docs-webapp tomcat-javadoc +echo "
Host:" >> /usr/share/tomcat/webapps/sample/hello.jsp +sed -i -e "s/8080/${port}/g" /usr/share/tomcat/conf/server.xml +hostname >> /usr/share/tomcat/webapps/sample/hello.jsp +firewall-offline-cmd --add-port=${port}/tcp +systemctl enable firewalld +systemctl restart firewalld +systemctl start tomcat +systemctl enable tomcat + +touch ~opc/userdata.`date +%s`.finish +echo '################### webserver userdata ends #######################' + diff --git a/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/variables.tf b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/variables.tf new file mode 100644 index 0000000..4b040c4 --- /dev/null +++ b/examples/oci/full-vcn-regional-subnet-lb-with-session-persistence/variables.tf 
@@ -0,0 +1,34 @@
+// Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+variable "tenancy_ocid" {}
+
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "private_key_password" {}
+variable "compartment_ocid" {}
+variable "region" {}
+variable "instance_shape" {}
+variable "availability_domain" {}
+
+variable "instance_image_ocid" {
+ type = "map"
+
+ default = {
+ // See https://docs.us-phoenix-1.oraclecloud.com/images/
+ // Oracle-provided image "Oracle-Linux-7.4-2018.02.21-1"
+ us-phoenix-1 = "ocid1.image.oc1.phx.aaaaaaaaupbfz5f5hdvejulmalhyb6goieolullgkpumorbvxlwkaowglslq"
+
+ ca-toronto-1 = "ocid1.image.oc1.ca-toronto-1.aaaaaaaasbx5hzms4eyrs6e3woez6zxxnfd7yuqtc6bg53jiqevoe52ob4qq"
+ us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaajlw3xfie2t5t52uegyhiq2npx7bqyu4uvi2zyu3w3mqayc2bxmaa"
+ eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaa7d3fsb6272srnftyi4dphdgfjf6gurxqhmv6ileds7ba3m2gltxq"
+ uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaaa6h6gj6v4n56mqrbgnosskq63blyv2752g36zerymy63cfkojiiq"
+ }
+}
+
+variable "hostname" {}
+variable "admin_subnet" {}
+variable "assign_public_ip_instance" {}
+
+variable "ssh_public_key_path" {}
+
+variable "instance_count" {}
diff --git a/examples/oci/hybrid_dns/Hybrid-DNS-configuration-using-DNS-VM-in-VCN.md b/examples/oci/hybrid_dns/Hybrid-DNS-configuration-using-DNS-VM-in-VCN.md
new file mode 100644
index 0000000..9404aaa
--- /dev/null
+++ b/examples/oci/hybrid_dns/Hybrid-DNS-configuration-using-DNS-VM-in-VCN.md
@@ -0,0 +1,80 @@ +# Hybrid DNS Configuration + +Oracle Cloud Infrastructure (OCI) customers can configure DNS names for their instances in the Virtual Cloud Network (VCN) as described in [DNS in Your Virtual Cloud Network](https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Concepts/dns.htm). The DNS names are resolvable only within the VCN using the VCN DNS resolver available at 169.254.169.254. This IP address is only reachable from instances in the VCN. + +This document describes the process to enable resolution of DNS names of instances in the VCN from on-premises clients and vice-versa, when the on-premises datacenter is connected with the VCN (through VPN or FastConnect). + +## Setup Overview + + +### Case1 – DNS resolution from on-premises to VCN + +![On-premises to VCN](images/architecture-onprem-to-vcn.png) + +When an on-premises client is trying to connecting to cloud VCN resources: + +1. Client machine initiates a DNS query (for db1.exaclient.custvcn.oraclevcn.com) to on-prem DNS server (172.16.0.5) +2. On-prem DNS server forwards the request to DNS VM in the VCN (10.0.10.15) over private connectivity (VPN or FastConnect) +3. DNS query forwarded to VCN DNS resolver (169.254.169.254) +4. DNS VM gets the IP address of the FQDN and send it back to on-prem DNS server +5. On-prem DNS server gets the IP address and responds to the client machine + + +#### Case2 – DNS resolution from VCN to on-premises + +![VCN to on-premises](images/architecture-vcn-to-onprem.png) + +When an instance in the VCN is trying to connect to an on-premises instance: + +1. Instance in the VCN initiates a DNS query (say app1.customer.net) +2. The DNS server configured in the DHCP options used by the instance's subnet will receive the DNS request. In this case, the request will be received by DNS VM in the VCN +3. DNS query forwarded to on-premises DNS server (172.16.0.5) over private connectivity (VPN of Fastconnect) +4. 
DNS VM gets the response and sends it back to client + + +## Configuration Steps + +Below are the steps to achieve this configuration + +1. Create a DNS VM in the VCN + 1. Create a security list with following rules: + * allow udp 53 (for DNS queries) from clients (VCN address space + On-prem address space) + * allow tcp 22 (for ssh access) from Internet or on-prem address space + * allow ICMP type3 from same sources as rule above (for ssh access) + + 2. Create a DHCP options set: + * Set DNS type as "Internet and VCN resolver" + + +2. Create a subnet, which uses the security list and DHCP options set created above. +3. Launch a VM with latest 'Oracle Linux 7.4' image into this subnet +4. Install & Configure named +``` + $ sudo yum install bind + $ sudo firewall-cmd --permanent --add-port=53/udp + $ sudo firewall-cmd --permanent --add-port=53/tcp + $ sudo /bin/systemctl restart firewalld + $ cat > /etc/named.conf +options { + listen-on port 53 { any; }; + allow-query { localhost; 10.0.0.0/16; 172.16.0.0/16; }; + forward only; + forwarders { 169.254.169.254; }; + recursion yes; +}; + +zone "customer.net" { + type forward; + forward only; + forwarders { 172.16.0.5; 172.16.31.5; }; +}; + + + + * $ sudo service named restart +``` + +5. Configure forwarding on the on-prem DNS servers for 'VCN domain' (custvcn.oraclevcn.com) to be forwarded to DNS VM in the VCN. + Below is a snapshot of the setup in an AD/DNS server. + ![AD conditional forwarding setup](images/ad-cond-forwarding-setup.png) + diff --git a/examples/oci/hybrid_dns/README.md b/examples/oci/hybrid_dns/README.md new file mode 100644 index 0000000..cc45e30 --- /dev/null +++ b/examples/oci/hybrid_dns/README.md 
@@ -0,0 +1,28 @@ + # ___ ____ _ ____ _ _____ + # / _ \| _ \ / \ / ___| | | ____| + # | | | | |_) | / _ \| | | | | _| + # | |_| | _ < / ___ | |___| |___| |___ + # \___/|_| \_/_/ \_\____|_____|_____| +*** +This example creates a VCN with two management subnets, in two different availability domains. It then launches an instance in each of these management subnets and configures them to perform DNS forwarding for DNS hostnames in the VCN, and the DNS hostnames in the on-premises network. See ![Hybrid DNS configuration using DNS VMs in VCN.md](Hybrid-DNS-configuration-using-DNS-VM-in-VCN.md) for more details on the setup. + +To enable resolution of DNS hostnames from on-premises, you will need to update the default DHCP options of the VCN to use the DNS VMs as the DNS resolvers. + +### Using this example +* Update env-vars with the required information. Most examples use the same set of environment variables so you only need to do this once. +* Source env-vars + * `$ . env-vars` + +Once the environment is built, the DNS VMs will be able to query the DNS hostnames within the VCN. You can run 'nslookup ' from any instance in the VCN to verify this. By specifying an IP address at the end of the 'nslookup' command, the DNS query is sent to the DNS service at that IP address. + +### Files in the configuration + +#### `env-vars` +Is used to export the environmental variables used in the configuration. These are usually authentication related, be sure to exclude this file from your version control system. It's typical to keep this file outside of the configuration. + +Before you plan, apply, or destroy the configuration source the file - +`$ . env-vars` + +#### `dns.tf` +Defines the resources. + diff --git a/examples/oci/hybrid_dns/dns.tf b/examples/oci/hybrid_dns/dns.tf new file mode 100644 index 0000000..002e569 --- /dev/null +++ b/examples/oci/hybrid_dns/dns.tf 
@@ -0,0 +1,370 @@ +// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved. + +variable "tenancy_ocid" {} +variable "user_ocid" {} +variable "fingerprint" {} +variable "private_key_path" {} +variable "compartment_ocid" {} +variable "region" {} +variable "ssh_public_key" {} +variable "ssh_private_key" {} + +variable "instance_shape" { + default = "VM.Standard2.1" +} + +variable "instance_image_ocid" { + type = "map" + + default = { + // See https://docs.us-phoenix-1.oraclecloud.com/images/ + // Oracle-provided image "Oracle-Linux-7.5-2018.10.16-0" + us-phoenix-1 = "ocid1.image.oc1.phx.aaaaaaaaoqj42sokaoh42l76wsyhn3k2beuntrh5maj3gmgmzeyr55zzrwwa" + + us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaageeenzyuxgia726xur4ztaoxbxyjlxogdhreu3ngfj2gji3bayda" + eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaaitzn6tdyjer7jl34h2ujz74jwy5nkbukbh55ekp6oyzwrtfa4zma" + uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaa32voyikkkzfxyo4xbdmadc2dmvorfxxgdhpnk6dw64fa3l4jh7wa" + } +} + +variable "vcn_cidr" { + default = "10.0.0.0/16" +} + +variable "mgmt_subnet_cidr1" { + default = "10.0.0.0/24" +} + +variable "mgmt_subnet_cidr2" { + default = "10.0.1.0/24" +} + +variable "onprem_cidr" { + default = "172.16.0.0/16" +} + +variable "onprem_dns_zone" { + default = "customer.net" +} + +variable "onprem_dns_server1" { + default = "172.16.0.5" +} + +variable "onprem_dns_server2" { + default = "172.16.31.5" +} + +provider "oci" { + tenancy_ocid = "${var.tenancy_ocid}" + user_ocid = "${var.user_ocid}" + fingerprint = "${var.fingerprint}" + private_key_path = "${var.private_key_path}" + region = "${var.region}" +} + +data "oci_identity_availability_domain" "ad1" { + compartment_id = "${var.tenancy_ocid}" + ad_number = 1 +} + +data "oci_identity_availability_domain" "ad2" { + compartment_id = "${var.tenancy_ocid}" + ad_number = 2 +} + +resource "oci_core_virtual_network" "CoreVCN" { + cidr_block = "${var.vcn_cidr}" + compartment_id = "${var.compartment_ocid}" + 
display_name = "mgmt-vcn" + dns_label = "mgmtvcn" +} + +resource "oci_core_internet_gateway" "MgmtIG" { + compartment_id = "${var.compartment_ocid}" + display_name = "MgmtIG" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" +} + +resource "oci_core_route_table" "MgmtRouteTable" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + display_name = "MgmtRouteTable" + + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_internet_gateway.MgmtIG.id}" + } +} + +resource "oci_core_security_list" "MgmtSecurityList" { + compartment_id = "${var.compartment_ocid}" + display_name = "MgmtSecurityList" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [{ + tcp_options { + "max" = 53 + "min" = 53 + } + + protocol = "6" + source = "${var.vcn_cidr}" + }, + { + udp_options { + "max" = 53 + "min" = 53 + } + + protocol = "17" + source = "${var.vcn_cidr}" + }, + { + tcp_options { + "max" = 53 + "min" = 53 + } + + protocol = "6" + source = "${var.onprem_cidr}" + }, + { + udp_options { + "max" = 53 + "min" = 53 + } + + protocol = "17" + source = "${var.onprem_cidr}" + }, + { + protocol = "all" + source = "${var.vcn_cidr}" + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + { + protocol = "1" + source = "0.0.0.0/0" + + icmp_options { + "type" = 3 + "code" = 4 + } + }, + ] +} + +resource "oci_core_dhcp_options" "MgmtDhcpOptions" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + display_name = "MgmtDhcpOptions" + + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } +} + +resource "oci_core_subnet" "MgmtSubnet" { + availability_domain = "${data.oci_identity_availability_domain.ad1.name}" + cidr_block = "${var.mgmt_subnet_cidr1}" + display_name 
= "MgmtSubnet" + dns_label = "mgmtsubnet" + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + route_table_id = "${oci_core_route_table.MgmtRouteTable.id}" + security_list_ids = ["${oci_core_security_list.MgmtSecurityList.id}"] + dhcp_options_id = "${oci_core_dhcp_options.MgmtDhcpOptions.id}" +} + +resource "oci_core_subnet" "MgmtSubnet2" { + availability_domain = "${data.oci_identity_availability_domain.ad2.name}" + cidr_block = "${var.mgmt_subnet_cidr2}" + display_name = "MgmtSubnet2" + dns_label = "mgmtsubnet2" + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + route_table_id = "${oci_core_route_table.MgmtRouteTable.id}" + security_list_ids = ["${oci_core_security_list.MgmtSecurityList.id}"] + dhcp_options_id = "${oci_core_dhcp_options.MgmtDhcpOptions.id}" +} + +resource "oci_core_instance" "DnsVM" { + availability_domain = "${data.oci_identity_availability_domain.ad1.name}" + compartment_id = "${var.compartment_ocid}" + display_name = "DnsVM" + shape = "${var.instance_shape}" + + create_vnic_details { + subnet_id = "${oci_core_subnet.MgmtSubnet.id}" + } + + metadata { + ssh_authorized_keys = "${var.ssh_public_key}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } + + timeouts { + create = "10m" + } +} + +resource "oci_core_instance" "DnsVM2" { + availability_domain = "${data.oci_identity_availability_domain.ad2.name}" + compartment_id = "${var.compartment_ocid}" + display_name = "DnsVM2" + shape = "${var.instance_shape}" + + create_vnic_details { + subnet_id = "${oci_core_subnet.MgmtSubnet2.id}" + } + + metadata { + ssh_authorized_keys = "${var.ssh_public_key}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } + + timeouts { + create = "10m" + } +} + +# Gets a list of VNIC attachments on the DNS instance +data "oci_core_vnic_attachments" "DnsVMVnics" { + 
compartment_id = "${var.compartment_ocid}" + availability_domain = "${data.oci_identity_availability_domain.ad1.name}" + instance_id = "${oci_core_instance.DnsVM.id}" +} + +data "oci_core_vnic_attachments" "DnsVMVnics2" { + compartment_id = "${var.compartment_ocid}" + availability_domain = "${data.oci_identity_availability_domain.ad2.name}" + instance_id = "${oci_core_instance.DnsVM2.id}" +} + +# Gets the OCID of the first (default) vNIC +data "oci_core_vnic" "DnsVMVnic" { + vnic_id = "${lookup(data.oci_core_vnic_attachments.DnsVMVnics.vnic_attachments[0],"vnic_id")}" +} + +data "oci_core_vnic" "DnsVMVnic2" { + vnic_id = "${lookup(data.oci_core_vnic_attachments.DnsVMVnics2.vnic_attachments[0],"vnic_id")}" +} + +# Update the default DHCP options to use custom DNS servers +resource "oci_core_default_dhcp_options" "default-dhcp-options" { + manage_default_resource_id = "${oci_core_virtual_network.CoreVCN.default_dhcp_options_id}" + + // required + options { + type = "DomainNameServer" + server_type = "CustomDnsServer" + + custom_dns_servers = ["${data.oci_core_vnic.DnsVMVnic.private_ip_address}", + "${data.oci_core_vnic.DnsVMVnic2.private_ip_address}", + ] + } + + // optional + options { + type = "SearchDomain" + search_domain_names = ["${oci_core_virtual_network.CoreVCN.dns_label}.oraclevcn.com"] + } +} + +output "DnsServer1" { + value = ["${data.oci_core_vnic.DnsVMVnic.private_ip_address}"] +} + +output "DnsServer2" { + value = ["${data.oci_core_vnic.DnsVMVnic2.private_ip_address}"] +} + +data "template_file" "generate_named_conf" { + template = "${file("named.conf.tpl")}" + + vars { + vcn_cidr = "${var.vcn_cidr}" + onprem_cidr = "${var.onprem_cidr}" + onprem_dns_zone = "${var.onprem_dns_zone}" + onprem_dns_server1 = "${var.onprem_dns_server1}" + onprem_dns_server2 = "${var.onprem_dns_server2}" + } +} + +resource "null_resource" "configure-bind-vm1" { + connection { + type = "ssh" + user = "opc" + private_key = "${var.ssh_private_key}" + host = 
"${data.oci_core_vnic.DnsVMVnic.public_ip_address}"
+ timeout = "30m"
+ }
+
+ provisioner "file" {
+ content = "${data.template_file.generate_named_conf.rendered}"
+ destination = "~/named.conf"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "sudo yum update -y",
+ "sudo yum install bind -y",
+ "sudo firewall-offline-cmd --add-port=53/udp",
+ "sudo firewall-offline-cmd --add-port=53/tcp",
+ "sudo /bin/systemctl restart firewalld",
+ "sudo cp ~/named.conf /etc/named.conf",
+ "sudo service named restart",
+ ]
+ }
+}
+
+resource "null_resource" "configure-bind-vm2" {
+ connection {
+ type = "ssh"
+ user = "opc"
+ private_key = "${var.ssh_private_key}"
+ host = "${data.oci_core_vnic.DnsVMVnic2.public_ip_address}"
+ timeout = "30m"
+ }
+
+ provisioner "file" {
+ content = "${data.template_file.generate_named_conf.rendered}"
+ destination = "~/named.conf"
+ }
+
+ provisioner "remote-exec" {
+ inline = [
+ "sudo yum update -y",
+ "sudo yum install bind -y",
+ "sudo firewall-offline-cmd --add-port=53/udp",
+ "sudo firewall-offline-cmd --add-port=53/tcp",
+ "sudo /bin/systemctl restart firewalld",
+ "sudo cp ~/named.conf /etc/named.conf",
+ "sudo service named restart",
+ ]
+ }
+}
diff --git a/examples/oci/hybrid_dns/env-vars b/examples/oci/hybrid_dns/env-vars
new file mode 100644
index 0000000..893142b
--- /dev/null
+++ b/examples/oci/hybrid_dns/env-vars
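Review bot: Both DNS VMs get public IPs (the null_resource connections in this hunk SSH to `public_ip_address`) and MgmtSecurityList admits tcp/22 from `0.0.0.0/0`, so the resolvers that the default DHCP options point every VCN instance at are reachable for SSH from the whole Internet; the port-22 rule should take its `source` from an admin-CIDR variable (or at least `${var.onprem_cidr}`) instead of `0.0.0.0/0`. Nothing in the remote-exec enables named at boot, so presumably after the first reboot the service stays down and VCN-wide name resolution stops; replace `"sudo service named restart"` with `"sudo systemctl enable --now named"`. The tcp and udp 53 rules scoped to `${var.vcn_cidr}` are subsumed by the `protocol = "all"` rule with the same source, so only the `${var.onprem_cidr}` pair adds anything. `sudo yum update -y` inside a provisioner makes the build non-reproducible and can install a kernel that is never booted; if it stays, it deserves a comment saying that is intended.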
@@ -0,0 +1,34 @@
+### Provider credentials
+export TF_VAR_tenancy_ocid=""
+export TF_VAR_user_ocid=""
+export TF_VAR_fingerprint=""
+export TF_VAR_private_key_path=""
+
+### Region
+export TF_VAR_region=""
+
+### AD
+export TF_VAR_AD=""
+
+### Compartment
+export TF_VAR_compartment_ocid=""
+
+### VCN configuration
+export TF_VAR_vcn_cidr=""
+export TF_VAR_mgmt_subnet_cidr=""
+export TF_VAR_private_subnet_cidr=""
+
+### Instance configuration
+export TF_VAR_instance_shape=""
+export TF_VAR_instance_image_ocid=""
+
+### Instance credentials
+export TF_VAR_ssh_public_key=$(cat .../id_rsa.pub)
+export TF_VAR_ssh_private_key=$(cat .../id_rsa)
+
+### On-prem configuration
+export TF_VAR_onprem_cidr=""
+export TF_VAR_onprem_dns_zone=""
+export TF_VAR_onprem_dns_server1=""
+export TF_VAR_onprem_dns_server2=""
+
diff --git a/examples/oci/hybrid_dns/images/ad-cond-forwarding-setup.png b/examples/oci/hybrid_dns/images/ad-cond-forwarding-setup.png
new file mode 100644
index 0000000..9896b14
Binary files /dev/null and b/examples/oci/hybrid_dns/images/ad-cond-forwarding-setup.png differ
diff --git a/examples/oci/hybrid_dns/images/architecture-onprem-to-vcn.png b/examples/oci/hybrid_dns/images/architecture-onprem-to-vcn.png
new file mode 100644
index 0000000..0929f15
Binary files /dev/null and b/examples/oci/hybrid_dns/images/architecture-onprem-to-vcn.png differ
diff --git a/examples/oci/hybrid_dns/images/architecture-vcn-to-onprem.png b/examples/oci/hybrid_dns/images/architecture-vcn-to-onprem.png
new file mode 100644
index 0000000..6a25978
Binary files /dev/null and b/examples/oci/hybrid_dns/images/architecture-vcn-to-onprem.png differ
diff --git a/examples/oci/hybrid_dns/named.conf.tpl b/examples/oci/hybrid_dns/named.conf.tpl
new file mode 100644
index 0000000..15e29ad
--- /dev/null
+++ b/examples/oci/hybrid_dns/named.conf.tpl
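Review bot: Every entry is exported as an empty string, and a sourced `export TF_VAR_vcn_cidr=""` does not fall back to the default in dns.tf — it sets the variable to `""` — so sourcing this file unedited blanks `vcn_cidr`, `instance_shape` and the map-typed `instance_image_ocid` (the last presumably failing outright). Several names also do not match dns.tf, which declares `mgmt_subnet_cidr1`/`mgmt_subnet_cidr2` and no `AD` or `private_subnet_cidr`, so those exports are silently ignored. Leave optional entries commented out with their defaults (`# export TF_VAR_vcn_cidr="10.0.0.0/16"`) and rename the subnet entries. `export TF_VAR_ssh_private_key=$(cat .../id_rsa)` puts the SSH private key into the shell environment, where every process started from that shell can presumably read it; a `ssh_private_key_path` variable read with `file()` in the connection block keeps the key on disk instead.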
@@ -0,0 +1,15 @@
+
+options {
+ listen-on port 53 { any; };
+ allow-query { localhost; ${vcn_cidr}; ${onprem_cidr}; };
+ forward only;
+ forwarders { 169.254.169.254; };
+ recursion yes;
+};
+
+zone "${onprem_dns_zone}" {
+ type forward;
+ forward only;
+ forwarders { ${onprem_dns_server1}; ${onprem_dns_server2}; };
+};
+
diff --git a/examples/oci/nat/README.md b/examples/oci/nat/README.md
new file mode 100644
index 0000000..2bfbd3b
--- /dev/null
+++ b/examples/oci/nat/README.md
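Review bot: `recursion yes;` is gated only indirectly: there is no `allow-recursion` statement, so BIND 9 derives it from `allow-query`, meaning the server is not an open resolver today but becomes one the moment someone widens `allow-query` to debug a client. Add an explicit `allow-recursion { localhost; ${vcn_cidr}; ${onprem_cidr}; };` (and `allow-query-cache` with the same ACL) beside `allow-query` so the intent survives edits. `listen-on port 53 { any; };` also binds the public address; that is only safe because MgmtSecurityList in dns.tf does not open 53 to the Internet, which deserves a comment here since this template will be edited separately from the security list.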
@@ -0,0 +1,29 @@
+ # ___ ____ _ ____ _ _____
+ # / _ \| _ \ / \ / ___| | | ____|
+ # | | | | |_) | / _ \| | | | | _|
+ # | |_| | _ < / ___ | |___| |___| |___
+ # \___/|_| \_/_/ \_\____|_____|_____|
+***
+This example creates a VCN with a public subnet and a private subnet. Each subnet is created with a separate security list and route table. The template then launches a private instance in the private subnet, and a public instance in the public subnet.
+The public instance is configured as a NAT instance (by enabling forwarding and configuring firewall to do forwarding/masquerading).
+The private subnet's route table is configured to use the NAT instance's private IP address as the default route target. See [Using a Private IP as a Route Target](https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/managingroutetables.htm#privateip) for more details on this feature.
+
+### Using this example
+* Update env-vars with the required information. Most examples use the same set of environment variables so you only need to do this once.
+* Source env-vars
+ * `$ . env-vars`
+* Update variables in vcn.tf as applicable to your target environment.
+
+Once the environment is built, the private instance has Internet connectivity even when it doesn't have a public IP address and it's subnet's route table doesn't contain Internet gateway. You can login into the private instance (from the nat instance) and then run a command like 'ping oracle.com' to verify connectivity.
+
+### Files in the configuration
+
+#### `env-vars`
+Is used to export the environmental variables used in the configuration. These are usually authentication related, be sure to exclude this file from your version control system. It's typical to keep this file outside of the configuration.
+
+Before you plan, apply, or destroy the configuration source the file -
+`$ . env-vars`
+
+#### `nat.tf`
+Defines the resources.
+
diff --git a/examples/oci/nat/env-vars b/examples/oci/nat/env-vars
new file mode 100644
index 0000000..e8fc865
--- /dev/null
+++ b/examples/oci/nat/env-vars
@@ -0,0 +1,27 @@
+### Provider credentials
+export TF_VAR_tenancy_ocid=""
+export TF_VAR_user_ocid=""
+export TF_VAR_fingerprint=""
+export TF_VAR_private_key_path=""
+
+### Region
+export TF_VAR_region=""
+
+### AD
+export TF_VAR_AD=""
+
+### Compartment
+export TF_VAR_compartment_ocid=""
+
+### VCN configuration
+export TF_VAR_vcn_cidr=""
+export TF_VAR_mgmt_subnet_cidr=""
+export TF_VAR_private_subnet_cidr=""
+
+### Instance configuration
+export TF_VAR_instance_shape=""
+export TF_VAR_InstanceOS=""
+export TF_VAR_InstanceOSVersion=""
+
+### Instance credentials
+export TF_VAR_ssh_public_key=$(cat .../id_rsa.pub)
diff --git a/examples/oci/nat/nat.tf b/examples/oci/nat/nat.tf
new file mode 100644
index 0000000..6a24bcb
--- /dev/null
+++ b/examples/oci/nat/nat.tf
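Review bot: Sourcing this file as-is overrides every default in nat.tf with an empty string — `export TF_VAR_vcn_cidr=""` sets `vcn_cidr` to `""`, it does not leave the `10.0.0.0/16` default in place — so `instance_shape` and all three CIDRs go blank unless the user fills in every line. `TF_VAR_InstanceOS`, `TF_VAR_InstanceOSVersion` and `TF_VAR_AD` have no matching `variable` block in nat.tf, which picks the image from the `instance_image_ocid` map by region and hard-codes `ad_number = 1`, so those three are dead entries. Comment the optional lines out with their defaults, e.g. `# export TF_VAR_instance_shape="VM.Standard2.1"`, and drop the three unused ones.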
@@ -0,0 +1,249 @@ +// Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved. + +variable "tenancy_ocid" {} +variable "user_ocid" {} +variable "fingerprint" {} +variable "private_key_path" {} +variable "compartment_ocid" {} +variable "region" {} +variable "ssh_public_key" {} + +variable "instance_shape" { + default = "VM.Standard2.1" +} + +variable "instance_image_ocid" { + type = "map" + + default = { + // See https://docs.us-phoenix-1.oraclecloud.com/images/ + // Oracle-provided image "Oracle-Linux-7.5-2018.10.16-0" + us-phoenix-1 = "ocid1.image.oc1.phx.aaaaaaaaoqj42sokaoh42l76wsyhn3k2beuntrh5maj3gmgmzeyr55zzrwwa" + + us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaageeenzyuxgia726xur4ztaoxbxyjlxogdhreu3ngfj2gji3bayda" + eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaaitzn6tdyjer7jl34h2ujz74jwy5nkbukbh55ekp6oyzwrtfa4zma" + uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaa32voyikkkzfxyo4xbdmadc2dmvorfxxgdhpnk6dw64fa3l4jh7wa" + } +} + +variable "vcn_cidr" { + default = "10.0.0.0/16" +} + +variable "mgmt_subnet_cidr" { + default = "10.0.0.0/24" +} + +variable "private_subnet_cidr" { + default = "10.0.1.0/24" +} + +provider "oci" { + tenancy_ocid = "${var.tenancy_ocid}" + user_ocid = "${var.user_ocid}" + fingerprint = "${var.fingerprint}" + private_key_path = "${var.private_key_path}" + region = "${var.region}" +} + +data "oci_identity_availability_domain" "ad" { + compartment_id = "${var.tenancy_ocid}" + ad_number = 1 +} + +resource "oci_core_virtual_network" "CoreVCN" { + cidr_block = "${var.vcn_cidr}" + compartment_id = "${var.compartment_ocid}" + display_name = "mgmt-vcn" +} + +resource "oci_core_internet_gateway" "MgmtIG" { + compartment_id = "${var.compartment_ocid}" + display_name = "MgmtIG" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" +} + +resource "oci_core_route_table" "MgmtRouteTable" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + display_name = "MgmtRouteTable" + + 
route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_internet_gateway.MgmtIG.id}" + } +} + +resource "oci_core_security_list" "MgmtSecurityList" { + compartment_id = "${var.compartment_ocid}" + display_name = "MgmtSecurityList" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [{ + tcp_options { + "max" = 80 + "min" = 80 + } + + protocol = "6" + source = "0.0.0.0/0" + }, + { + tcp_options { + "max" = 443 + "min" = 443 + } + + protocol = "6" + source = "0.0.0.0/0" + }, + { + protocol = "all" + source = "${var.vcn_cidr}" + }, + { + protocol = "6" + source = "0.0.0.0/0" + + tcp_options { + "min" = 22 + "max" = 22 + } + }, + { + protocol = "1" + source = "0.0.0.0/0" + + icmp_options { + "type" = 3 + "code" = 4 + } + }, + ] +} + +resource "oci_core_subnet" "MgmtSubnet" { + availability_domain = "${data.oci_identity_availability_domain.ad.name}" + cidr_block = "${var.mgmt_subnet_cidr}" + display_name = "MgmtSubnet" + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + route_table_id = "${oci_core_route_table.MgmtRouteTable.id}" + security_list_ids = ["${oci_core_security_list.MgmtSecurityList.id}"] + dhcp_options_id = "${oci_core_virtual_network.CoreVCN.default_dhcp_options_id}" +} + +resource "oci_core_instance" "NatInstance" { + availability_domain = "${data.oci_identity_availability_domain.ad.name}" + compartment_id = "${var.compartment_ocid}" + display_name = "NatInstance" + shape = "${var.instance_shape}" + + create_vnic_details { + subnet_id = "${oci_core_subnet.MgmtSubnet.id}" + skip_source_dest_check = true + } + + metadata { + ssh_authorized_keys = "${var.ssh_public_key}" + user_data = "${base64encode(file("user_data.tpl"))}" + } + + source_details { + source_type = "image" + source_id = "${var.instance_image_ocid[var.region]}" + } + + timeouts { + 
create = "10m" + } +} + +# Gets a list of VNIC attachments on the instance +data "oci_core_vnic_attachments" "NatInstanceVnics" { + compartment_id = "${var.compartment_ocid}" + availability_domain = "${data.oci_identity_availability_domain.ad.name}" + instance_id = "${oci_core_instance.NatInstance.id}" +} + +# Create PrivateIP +resource "oci_core_private_ip" "NatInstancePrivateIP" { + vnic_id = "${lookup(data.oci_core_vnic_attachments.NatInstanceVnics.vnic_attachments[0],"vnic_id")}" + display_name = "NatInstancePrivateIP" +} + +resource "oci_core_security_list" "PrivateSecurityList" { + compartment_id = "${var.compartment_ocid}" + display_name = "PrivateSecurityList" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + + egress_security_rules = [{ + protocol = "all" + destination = "0.0.0.0/0" + }] + + ingress_security_rules = [{ + protocol = "6" + + tcp_options { + "max" = 22 + "min" = 22 + } + + source = "${var.vcn_cidr}" + }] +} + +resource "oci_core_route_table" "PrivateRouteTable" { + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + display_name = "PrivateRouteTable" + + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = "${oci_core_private_ip.NatInstancePrivateIP.id}" + } +} + +resource "oci_core_subnet" "PrivateSubnet" { + cidr_block = "${var.private_subnet_cidr}" + display_name = "PrivateSubnet" + compartment_id = "${var.compartment_ocid}" + vcn_id = "${oci_core_virtual_network.CoreVCN.id}" + route_table_id = "${oci_core_route_table.PrivateRouteTable.id}" + security_list_ids = ["${oci_core_security_list.PrivateSecurityList.id}"] + dhcp_options_id = "${oci_core_virtual_network.CoreVCN.default_dhcp_options_id}" + prohibit_public_ip_on_vnic = "true" +} + +resource "oci_core_instance" "PrivateInstance" { + availability_domain = "${data.oci_identity_availability_domain.ad.name}" + compartment_id = "${var.compartment_ocid}" + display_name = "PrivateInstance" + shape = 
"${var.instance_shape}"
+
+ create_vnic_details {
+ subnet_id = "${oci_core_subnet.PrivateSubnet.id}"
+ assign_public_ip = false
+ }
+
+ metadata {
+ ssh_authorized_keys = "${var.ssh_public_key}"
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = "${var.instance_image_ocid[var.region]}"
+ }
+
+ timeouts {
+ create = "10m"
+ }
+}
diff --git a/examples/oci/nat/user_data.tpl b/examples/oci/nat/user_data.tpl
new file mode 100644
index 0000000..8a98e20
--- /dev/null
+++ b/examples/oci/nat/user_data.tpl
@@ -0,0 +1,16 @@
+#cloud-config
+
+write_files:
+ # Create file to be used when enabling ip forwarding
+ - path: /etc/sysctl.d/98-ip-forward.conf
+ content: |
+ net.ipv4.ip_forward = 1
+
+runcmd:
+ # Run firewall commands to enable masquerading and port forwarding
+ # Enable ip forwarding by setting sysctl kernel parameter
+ - firewall-offline-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE
+ - firewall-offline-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -j ACCEPT
+ - /bin/systemctl restart firewalld
+ - sysctl -p /etc/sysctl.d/98-ip-forward.conf
+
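Review bot: MgmtSecurityList opens tcp/80 and tcp/443 from `0.0.0.0/0` to the NAT instance, but nothing in this hunk or in user_data.tpl starts a listener on either port, so the two rules are unused exposure on the one host that also forwards traffic for PrivateSubnet; delete them. The tcp/22 rule is likewise from `0.0.0.0/0`, and since the README's workflow uses this instance as the jump host into the private subnet its `source` should come from an admin-CIDR variable. `skip_source_dest_check = true` together with the `protocol = "all"` ingress from `${var.vcn_cidr}` is what the forwarding path depends on; a comment on that ingress rule saying so would stop someone tightening it later and silently breaking egress for PrivateInstance.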
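Review bot: The FORWARD rule `-i ens3 -j ACCEPT` accepts forwarding for any source arriving on ens3 and the MASQUERADE rule rewrites everything leaving it, so the host itself will NAT for whatever can route through it — in this VCN that is presumably only PrivateSubnet, but nothing on the instance enforces that; constrain both rules, e.g. `-i ens3 -s 10.0.1.0/24 -j ACCEPT` and `-o ens3 -s 10.0.1.0/24 -j MASQUERADE`. Because nat.tf loads this file with `file()` rather than a `template_file` data source, the CIDR cannot be taken from `var.private_subnet_cidr` today; rendering it as a template would let the rule follow the variable instead of duplicating the default. `ens3` is also hard-coded, so on an image or shape whose primary NIC has a different name the script silently produces a non-working NAT — worth a comment at minimum. The two `#` lines under `runcmd` mention the sysctl step ahead of the firewall commands; move `# Enable ip forwarding by setting sysctl kernel parameter` down onto the `sysctl -p` entry it describes.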