diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md index 6abdf872c..bec1af4f7 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/README.md +++ b/app-dev/devops-and-containers/oke/oke-rm/README.md @@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co * By default, everything is private, but there is the possibility to create public subnets * Be careful when modifying the default values, as inputs are not validated -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/infra.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/infra.zip) ## Step 2: Create the OKE control plane This stack is used to create the OKE control plane ONLY. -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.1/oke.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.2/oke.zip) Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI, you must add these policies: 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip
index 1b8da7479..3c70bb932 100644
Binary files a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip and b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip differ
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
index 080e97d7e..deea888ab 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
@@ -3,7 +3,7 @@ resource "oci_core_security_list" "bastion_security_list" {
   vcn_id = local.vcn_id
   display_name = "bastion-sec-list"
   ingress_security_rules {
-    protocol = "6"
+    protocol = local.tcp_protocol
     source_type = "CIDR_BLOCK"
     source = "0.0.0.0/0"
     description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf
index d395bab2f..cddb24a6f 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf
@@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "cp_nsg" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
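Review bot: The bastion security list still admits SSH from any address — the context lines `source_type = "CIDR_BLOCK"` / `source = "0.0.0.0/0"` survive the change — while the comparable control-plane rule in cp-nsg.tf takes its source from `var.cp_allowed_source_cidr`. The same treatment fits here: a new input variable substituted as `source = var.bastion_allowed_source_cidr`, so an operator who does not delete the rule (as the description suggests) at least has a narrower default than the whole Internet. The README states that inputs are not validated, which argues for a `validation` block on such a variable rather than relying on the description text. The `oci_core_security_list` body starts and ends outside the hunk.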
@@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "CIDR_BLOCK"
   source = var.bastion_subnet_cidr
   stateless = false
@@ -57,7 +57,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -74,7 +74,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -91,7 +91,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -107,7 +107,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -121,7 +121,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "CIDR_BLOCK"
   source = var.cp_allowed_source_cidr
   stateless = false
@@ -137,7 +137,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8"
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -153,7 +153,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.pod_nsg.0.id
   stateless = false
@@ -165,7 +165,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "SERVICE_CIDR_BLOCK"
   destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
   stateless = false
@@ -176,7 +176,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -193,7 +193,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -209,7 +209,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -223,7 +223,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" {
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.cp_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "CIDR_BLOCK"
   destination = var.cp_egress_cidr
   stateless = false
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
index b50b31ff2..c1c0d14c3 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
@@ -7,7 +7,7 @@ resource "oci_core_network_security_group" "fss_nsg" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol = "17" # UDP
+  protocol = local.udp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -23,7 +23,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -39,7 +39,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol = "17" # UDP
+  protocol = local.udp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -55,7 +55,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -71,7 +71,7 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
 resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.fss_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.worker_nsg.id
   stateless = false
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
index c2756f3ab..52a44fe36 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
@@ -7,11 +7,11 @@ resource "oci_core_network_security_group" "oke_lb_nsg" {
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
-  stateless = true
-  description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort - stateless Egress"
+  stateless = false
+  description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort"
   tcp_options {
     destination_port_range {
       max = 32767
@@ -20,16 +20,17 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
   }
 }
 
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_ingress" {
-  direction = "INGRESS"
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp" {
+  direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "6"
-  source_type = "NETWORK_SECURITY_GROUP"
-  source = oci_core_network_security_group.worker_nsg.id
-  stateless = true
-  description = "Allow TCP traffic from worker nodes to load balancer for services of type NodePort - stateless Ingress"
-  tcp_options {
-    source_port_range {
+  protocol = local.udp_protocol
+  destination_type = "NETWORK_SECURITY_GROUP"
+  destination = oci_core_network_security_group.worker_nsg.id
+  stateless = false
+  description = "Allow UDP traffic from load balancer to worker nodes for services of type NodePort"
+  udp_options {
+    destination_port_range {
       max = 32767
       min = 30000
     }
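Review bot: The new `oke_lb_nsg_rule_workers_egress_udp` repeats the NodePort bounds `max = 32767` / `min = 30000` as literals, exactly as the TCP rule above it does; with protocol numbers now centralised in local.tf, two locals such as `nodeport_port_min = 30000` and `nodeport_port_max = 32767` referenced from every `destination_port_range` would keep the LB-side and worker-side ranges from drifting, which would otherwise silently break NodePort services for one protocol only. The added empty `+` line sits next to what appears (from the hunk's line counts) to be an existing blank context line, so the file likely ends up with two consecutive blank lines before the new resource. The UDP rule is unconditional, which matches its TCP sibling.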
@@ -39,7 +40,7 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
@@ -52,32 +53,23 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
   }
 }
 
+
+# OCI Native Ingress does not support UDP, hence no UDP egress rule
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.pod_nsg.0.id
-  stateless = true
-  description = "LB to pods, OCI Native Ingress - stateless egress"
-  count = local.is_npn ? 1 : 0
-}
-
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_ingress" {
-  direction = "INGRESS"
-  network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "6"
-  source_type = "NETWORK_SECURITY_GROUP"
-  source = oci_core_network_security_group.pod_nsg.0.id
-  stateless = true
-  description = "LB to pods, OCI Native Ingress - stateless ingress"
+  stateless = false
+  description = "LB to pods, OCI Native Ingress"
   count = local.is_npn ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.worker_nsg.id
   stateless = false
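Review bot: `oke_lb_nsg_rule_pods_egress` becomes stateful but still carries no `tcp_options`, so the load balancer may reach any TCP port on any pod in the pod NSG, whereas the worker-side rules in this file are scoped to the 30000–32767 NodePort range. If the backend ports OCI Native Ingress uses are not fixed in advance, say so in the description (for example `LB to pods on any TCP port, OCI Native Ingress; backend ports are not fixed`) so the next reader does not narrow it by mistake; if they are known, add a `destination_port_range` or a variable for it. The new file comment explaining the absence of a UDP rule would be more visible as part of that `description`, since the console shows rule descriptions but not .tf comments.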
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
index a5576cb4a..7ca530cd9 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
@@ -10,4 +10,9 @@ locals {
   nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
   cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
   create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
+
+
+  tcp_protocol = "6"
+  icmp_protocol = "1"
+  udp_protocol = "17"
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
index a1534c804..1e0322b51 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
@@ -41,7 +41,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   source_type = "CIDR_BLOCK"
   source = "0.0.0.0/0"
   stateless = false
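Review bot: The three new locals replace literals that carried a `# UDP` hint at their call sites (fss-nsg.tf, worker-nsg.tf), and nothing in local.tf now says what the bare strings are; a comment above them, `# IANA protocol numbers, in the string form the OCI NSG and security-list rule APIs expect`, keeps that knowledge in the one place it now lives. The two empty `+` lines inserted before `tcp_protocol` can be a single blank line. The `locals` block starts before the hunk.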
@@ -56,11 +56,11 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4"
 resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_ingress" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.oke_lb_nsg.id
-  stateless = true
-  description = "LBs to pods, - stateless ingress"
+  stateless = false
+  description = "LBs to pods"
   count = local.is_npn ? 1 : 0
 }
 
@@ -101,7 +101,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -118,7 +118,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "SERVICE_CIDR_BLOCK"
   destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
   stateless = false
@@ -129,7 +129,7 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5"
 resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   destination_type = "CIDR_BLOCK"
   destination = "0.0.0.0/0"
   stateless = false
@@ -139,15 +139,4 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6"
     code = 4
   }
   count = local.is_npn ? 1 : 0
-}
-
-resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_egress" {
-  direction = "EGRESS"
-  network_security_group_id = oci_core_network_security_group.pod_nsg.0.id
-  protocol = "6"
-  destination_type = "NETWORK_SECURITY_GROUP"
-  destination = oci_core_network_security_group.oke_lb_nsg.id
-  stateless = true
-  description = "Pods to LBs, - stateless egress"
-  count = local.is_npn ? 1 : 0
 }
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf
index d13ab814f..4c750bb33 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf
@@ -38,7 +38,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_4" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.oke_lb_nsg.id
   stateless = false
@@ -54,11 +54,11 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_5" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "NETWORK_SECURITY_GROUP"
   source = oci_core_network_security_group.oke_lb_nsg.id
   stateless = false
-  description = "Allow TCP ingress to workers from internal load balancers"
+  description = "Allow TCP ingress to workers from load balancers"
   tcp_options {
     destination_port_range {
       max = 32767
@@ -67,10 +67,26 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress
   }
 }
 
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_udp" {
+  direction = "INGRESS"
+  network_security_group_id = oci_core_network_security_group.worker_nsg.id
+  protocol = local.udp_protocol
+  source_type = "NETWORK_SECURITY_GROUP"
+  source = oci_core_network_security_group.oke_lb_nsg.id
+  stateless = false
+  description = "Allow UDP ingress to workers from load balancers"
+  udp_options {
+    destination_port_range {
+      max = 32767
+      min = 30000
+    }
+  }
+}
+
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_6" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   source_type = "CIDR_BLOCK"
   source = "0.0.0.0/0"
   stateless = false
@@ -84,7 +100,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_7" {
   direction = "INGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   source_type = "CIDR_BLOCK"
   source = var.bastion_subnet_cidr
   stateless = false
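Review bot: `oke_worker_nsg_ingress_udp` is the one rule in worker-nsg.tf that does not follow the `oke_worker_nsg_ingress_N` naming of its neighbours (`_5` above it, `_6` below it); since the Terraform address is not part of the created OCI rule, naming it consistently now costs nothing, whereas renaming later needs a `moved` block or a destroy/create. The rule mirrors `oke_worker_nsg_ingress_5` field for field apart from `protocol` and `udp_options`, which is fine, but a one-line comment such as `# UDP counterpart of oke_worker_nsg_ingress_5; paired with the LB-side UDP egress rule in lb-nsg.tf` would help anyone auditing the two NSGs together.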
@@ -132,7 +148,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_4" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -148,7 +164,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_5" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "SERVICE_CIDR_BLOCK"
   destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
   stateless = false
@@ -158,7 +174,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_6" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -174,7 +190,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_7" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.cp_nsg.id
   stateless = false
@@ -190,7 +206,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_8" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "1"
+  protocol = local.icmp_protocol
   destination_type = "CIDR_BLOCK"
   destination = "0.0.0.0/0"
   stateless = false
@@ -204,7 +220,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_9" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "17" # UDP
+  protocol = local.udp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.fss_nsg.id
   stateless = false
@@ -220,7 +236,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_10" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.fss_nsg.id
   stateless = false
@@ -236,7 +252,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_11" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.fss_nsg.id
   stateless = false
@@ -252,7 +268,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_12" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "17" # UDP
+  protocol = local.udp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.fss_nsg.id
   stateless = false
@@ -268,7 +284,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_13" {
   direction = "EGRESS"
   network_security_group_id = oci_core_network_security_group.worker_nsg.id
-  protocol = "6"
+  protocol = local.tcp_protocol
   destination_type = "NETWORK_SECURITY_GROUP"
   destination = oci_core_network_security_group.fss_nsg.id
   stateless = false
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip
index 98324784d..026c45bb8 100644
Binary files a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip and b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip differ
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
index 2e4a93277..d2d690a12 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
@@ -6,6 +6,10 @@ terraform {
       version = "7.4.0"
       configuration_aliases = [oci.home]
     }
+    helm = {
+      source = "hashicorp/helm"
+      version = "~> 2.9.0"
+    }
   }
 }