diff --git a/app-dev/devops-and-containers/oke/oke-rm/README.md b/app-dev/devops-and-containers/oke/oke-rm/README.md index a67e8ec3f..57e397dc4 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/README.md +++ b/app-dev/devops-and-containers/oke/oke-rm/README.md @@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co * By default, everything is private, but there is the possibility to create public subnets * Be careful when modifying the default values, as inputs are not validated -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.7/infra.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/infra.zip) ## Step 2: Create the OKE control plane This stack is used to create the OKE control plane ONLY. -[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.7/oke.zip) +[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/oke.zip) Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI, you must add these policies: 
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip
index 263a7e621..6bf90d212 100644
Binary files a/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip and b/app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip differ
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
index 10e83d69a..aa2b8390b 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/local.tf
@@ -1,4 +1,25 @@
 locals {
 # VCN_NATIVE_CNI internally it is mapped as npn
 cni = var.cni_type == "vcn_native" ? "npn" : var.cni_type
+ vcn_cidr_blocks = [var.vcn_cidr_block]
+ subnets = {
+ cidr = {
+ pod = cidrsubnet(var.vcn_cidr_block, 1, 0) # e.g., "10.1.0.0/17"
+ worker = cidrsubnet(var.vcn_cidr_block, 3, 4) # e.g., "10.1.128.0/19"
+ lb_external = cidrsubnet(var.vcn_cidr_block, 8, 160) # e.g., "10.1.160.0/24"
+ lb_internal = cidrsubnet(var.vcn_cidr_block, 8, 161) # e.g., "10.1.161.0/24"
+ fss = cidrsubnet(var.vcn_cidr_block, 8, 162) # e.g., "10.1.162.0/24"
+ bastion = cidrsubnet(var.vcn_cidr_block, 13, 5216) # e.g., "10.1.163.0/29"
+ cp = cidrsubnet(var.vcn_cidr_block, 13, 5217) # e.g., "10.1.163.8/29"
+ }
+ dns = {
+ pod = "pod"
+ worker = "worker"
+ lb_external = "lbext"
+ lb_internal = "lbint"
+ fss = "fss"
+ bastion = "bastion"
+ cp = "cp"
+ }
+ }
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
index e0be02ada..0df41e12f 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/main.tf
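Review bot: The layout in `local.subnets.cidr` is only valid for a /16 VCN: `cidrsubnet(var.vcn_cidr_block, 13, 5216)` needs 13 spare bits, so any prefix of /20 or longer fails at plan time, and a /17–/19 block yields subnets that no longer match the commented examples. Since the README states that inputs are not validated, a `validation` block on `var.vcn_cidr_block` (declared outside this hunk) would turn that into a clear error, e.g. `condition = can(cidrhost(var.vcn_cidr_block, 0)) && tonumber(split("/", var.vcn_cidr_block)[1]) == 16`. For a /16 the pod, worker, LB, FSS, bastion and CP ranges are pairwise disjoint, so the netnums themselves need no change.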
@@ -8,41 +8,44 @@ module "network" {
 create_vcn = var.create_vcn
 vcn_id = var.vcn_id
 vcn_name = var.vcn_name
- vcn_cidr_blocks = var.vcn_cidr_blocks
+ vcn_cidr_blocks = local.vcn_cidr_blocks
 vcn_dns_label = var.vcn_dns_label
 # CP SUBNET
 create_cp_subnet = var.create_cp_subnet
- cp_subnet_cidr = var.cp_subnet_cidr
- cp_subnet_dns_label = var.cp_subnet_dns_label
+ cp_subnet_cidr = local.subnets.cidr.cp
+ cp_subnet_dns_label = local.subnets.dns.cp
 cp_subnet_name = var.cp_subnet_name
 cp_subnet_private = var.cp_subnet_private
 cp_allowed_source_cidr = var.cp_allowed_source_cidr
- # SERVICE SUBNET
- create_service_subnet = var.create_service_subnet
- service_subnet_cidr = var.service_subnet_cidr
- service_subnet_dns_label = var.service_subnet_dns_label
- service_subnet_name = var.service_subnet_name
- service_subnet_private = var.service_subnet_private
+ # LB SUBNETS
+ create_external_lb_subnet = var.create_external_lb_subnet
+ external_lb_cidr = local.subnets.cidr.lb_external
+ external_lb_subnet_dns_label = local.subnets.dns.lb_external
+ external_lb_subnet_name = var.external_lb_subnet_name
+ create_internal_lb_subnet = var.create_internal_lb_subnet
+ internal_lb_cidr = local.subnets.cidr.lb_internal
+ internal_lb_subnet_dns_label = local.subnets.dns.lb_internal
+ internal_lb_subnet_name = var.internal_lb_subnet_name
 # WORKER SUBNET
 create_worker_subnet = var.create_worker_subnet
- worker_subnet_cidr = var.worker_subnet_cidr
- worker_subnet_dns_label = var.worker_subnet_dns_label
+ worker_subnet_cidr = local.subnets.cidr.worker
+ worker_subnet_dns_label = local.subnets.dns.worker
 worker_subnet_name = var.worker_subnet_name
 # POD SUBNET
 create_pod_subnet = var.create_pod_subnet
- pod_subnet_cidr = var.pod_subnet_cidr
- pod_subnet_dns_label = var.pod_subnet_dns_label
+ pod_subnet_cidr = local.subnets.cidr.pod
+ pod_subnet_dns_label = local.subnets.dns.pod
 pod_subnet_name = var.pod_subnet_name
 # BASTION SUBNET
 create_bastion_subnet = var.create_bastion_subnet
- bastion_subnet_cidr = var.bastion_subnet_cidr
- bastion_subnet_dns_label = var.bastion_subnet_dns_label
+ bastion_subnet_cidr = local.subnets.cidr.bastion
+ bastion_subnet_dns_label = local.subnets.dns.bastion
 bastion_subnet_name = var.bastion_subnet_name
 bastion_subnet_private = var.bastion_subnet_private
 # FSS SUBNET
 create_fss = var.create_fss
- fss_subnet_cidr = var.fss_subnet_cidr
- fss_subnet_dns_label = var.fss_subnet_dns_label
+ fss_subnet_cidr = local.subnets.cidr.fss
+ fss_subnet_dns_label = local.subnets.dns.fss
 fss_subnet_name = var.fss_subnet_name
 # GATEWAYS
 create_gateways = var.create_gateways
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
deleted file mode 100644
index 9bfdee565..000000000
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/bastion-sl.tf
+++ /dev/null
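Review bot: Every subnet CIDR passed here is now derived from `var.vcn_cidr_block` regardless of `create_vcn`, so when the module is pointed at an existing VCN through `var.vcn_id` nothing ties `var.vcn_cidr_block` to that VCN's actual CIDR; a mismatch only surfaces as an OCI error at subnet creation, or as subnets that happen to land inside an unrelated block. I cannot see whether the module reads the existing VCN with a data source; if it does, a `precondition` on the subnet resources (or a `check` block) comparing `local.vcn_cidr_blocks` with the VCN's `cidr_blocks` would catch this at plan time. The `module "network"` block starts and ends outside this hunk.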
@@ -1,51 +0,0 @@ -resource "oci_core_security_list" "bastion_security_list" { - compartment_id = var.network_compartment_id - vcn_id = local.vcn_id - display_name = "bastion-sec-list" - - # Ingress rules and their corresponding egress - ingress_security_rules { - protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow SSH connections to the subnet. Can be deleted if only using OCI Bastion subnet" - tcp_options { - max = 22 - min = 22 - } - } - - egress_security_rules { - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - protocol = local.tcp_protocol - stateless = true - description = "Allow SSH responses from the subnet" - tcp_options { - source_port_range { - max = 22 - min = 22 - } - } - } - - # Egress rules and their corresponding ingress - egress_security_rules { - destination = var.vcn_cidr_blocks[0] - destination_type = "CIDR_BLOCK" - protocol = "all" - stateless = true - description = "Enable the bastion hosts to reach the entire VCN" - } - - ingress_security_rules { - protocol = "all" - source_type = "CIDR_BLOCK" - source = var.vcn_cidr_blocks[0] - stateless = true - description = "Allow responses from the VCN to the bastion hosts" - } - - count = var.create_bastion_subnet ? 1 : 0 -} diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf index 942cf722e..31f0a9a84 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf 
@@ -1,17 +1,18 @@ resource "oci_core_network_security_group" "cp_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "cp-nsg" + display_name = "cp" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" { +# Worker nodes to control plane - Kubelet communication (port 12250) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_12250_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress to OKE control plane from worker nodes" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress to OKE control plane from worker nodes on port 12250" tcp_options { destination_port_range { max = 12250 @@ -20,14 +21,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_12250_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress to worker nodes from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress to worker nodes from control plane on port 12250" tcp_options { source_port_range { max = 12250 
@@ -36,14 +37,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_1_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" { +# Control plane inter-communication (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_cp_internal_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress for Kubernetes control plane inter-communication" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress for Kubernetes control plane inter-communication on port 6443" tcp_options { source_port_range { max = 6443 @@ -52,14 +54,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2_stateless" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_cp_internal_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress for Kubernetes control plane inter-communication" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress for Kubernetes control plane inter-communication on port 6443" tcp_options { destination_port_range { max = 6443 
@@ -68,14 +70,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_2_s } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" { +# Bastion subnet to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP ingress to kube-apiserver from the bastion subnet" + source_type = "CIDR_BLOCK" + source = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP ingress to kube-apiserver from the bastion subnet on port 6443" tcp_options { destination_port_range { max = 6443 @@ -85,14 +88,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3" count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP egress to bastion subnet from control plane" + destination_type = "CIDR_BLOCK" + destination = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP egress to bastion subnet from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -102,14 +105,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_3_s count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" { +# Pods to control plane - Kubelet communication (port 12250) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_kubelet_12250_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress to OKE control plane from pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress to OKE control plane from pods on port 12250" tcp_options { destination_port_range { max = 12250 @@ -119,14 +123,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_kubelet_12250_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress to pods from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress to pods from control plane on port 12250" tcp_options { source_port_range { max = 12250 
@@ -136,14 +140,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_4_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" { +# Pods to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress to kube-apiserver from pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress to kube-apiserver from pods on port 6443" tcp_options { destination_port_range { max = 6443 @@ -153,14 +158,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress to pods from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress to pods from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -170,14 +175,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_5_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" { +# Worker nodes to control plane - API server (port 6443) +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress to kube-apiserver from worker nodes" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP ingress to kube-apiserver from worker nodes on port 6443" tcp_options { destination_port_range { max = 6443 @@ -186,14 +192,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress to worker nodes from control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow TCP egress to worker nodes from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -202,28 +208,15 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_6_s
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_7" {
- direction = "INGRESS"
- network_security_group_id = oci_core_network_security_group.cp_nsg.id
- protocol = local.icmp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow ICMP ingress for path discovery from worker nodes"
- icmp_options {
- type = 3
- code = 4
- }
-}
-
-resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" {
+# External sources to control plane - API server (port 6443)
+resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_apiserver_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.cp_nsg.id
 protocol = local.tcp_protocol
- source_type = "CIDR_BLOCK"
- source = var.cp_allowed_source_cidr
- stateless = true
- description = "Allow ingress traffic from specified sources"
+ source_type = "CIDR_BLOCK"
+ source = var.cp_allowed_source_cidr
+ stateless = true
+ description = "Allow TCP ingress traffic from specified sources to kube-apiserver on port 6443"
 tcp_options {
 destination_port_range {
 max = 6443
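Review bot: Removing `oke_cp_nsg_ingress_7` (ICMP type 3 code 4 from the worker NSG) leaves the control plane NSG without a Path MTU Discovery rule, and the last hunk of this file removes the matching `oke_cp_nsg_egress_6` pair as well, so no ICMP rule survives in cp-nsg.tf. Without "fragmentation needed" messages, worker-to-control-plane TCP sessions that cross a lower-MTU path (DRG, VPN, peering) can stall instead of failing visibly, which is slow to diagnose. If the ICMP rules were deliberately consolidated elsewhere, a one-line comment at the top of the file saying so would help; otherwise keep a single stateful rule in place of the removed pair, e.g. `protocol = local.icmp_protocol`, `stateless = false`, `icmp_options { type = 3 code = 4 }`.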
@@ -232,14 +225,14 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8" } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.cp_allowed_source_cidr - stateless = true - description = "Allow TCP egress to specified sources from control plane" + destination_type = "CIDR_BLOCK" + destination = var.cp_allowed_source_cidr + stateless = true + description = "Allow TCP egress to specified sources from control plane on port 6443" tcp_options { source_port_range { max = 6443 
@@ -248,30 +241,31 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_ingress_8_s
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1_stateless_ingress" {
+# Control plane to worker nodes - Kubelet (port 10250)
+resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_10250_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.cp_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress to OKE control plane from worker nodes for Kubelet responses"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress to control plane from worker nodes for Kubelet responses on port 10250"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 10250
 min = 10250
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" {
+resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_worker_kubelet_10250_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.cp_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP egress from OKE control plane to Kubelet on worker nodes"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress from control plane to Kubelet on worker nodes on port 10250"
 tcp_options {
 destination_port_range {
 max = 10250
@@ -280,158 +274,58 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_1" { } } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP ingress from pods to control plane for responses" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_2" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow TCP egress from OKE control plane to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3_stateless_ingress" { +# Control plane to pods - general communication +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to control plane for responses" -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_3" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from OKE 
control plane to OCI services" -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP ingress from worker nodes to control plane for responses" - tcp_options { - destination_port_range { - max = 12250 - min = 12250 - } - } + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP ingress from pods to control plane for responses" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_4" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_pods_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow TCP egress from OKE control plane to worker nodes" - tcp_options { - destination_port_range { - max = 12250 - min = 12250 - } - } + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow TCP egress from control plane to pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5_stateless_ingress" { +# Control plane to OCI services +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to control plane for responses" - tcp_options { - destination_port_range { - max = 6443 - min = 6443 - } - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_5" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress for Kubernetes control plane inter-communication" - tcp_options { - destination_port_range { - max = 6443 - min = 6443 - } - } + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to control plane for responses" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.icmp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP ingress from worker nodes to control plane for responses" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_6" { +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_services_egress" { direction = "EGRESS" 
network_security_group_id = oci_core_network_security_group.cp_nsg.id - protocol = local.icmp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ICMP egress for path discovery to worker nodes" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.cp_egress_cidr - stateless = true - description = "Allow TCP ingress from external sources to control plane for responses" - count = local.create_cp_external_traffic_rule ? 1 : 0 + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from control plane to OCI services" } -resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_egress_7" { +# External traffic communication +resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_external_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.cp_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.cp_egress_cidr - stateless = true - description = "Allow external traffic communication" - count = local.create_cp_external_traffic_rule ? 1 : 0 + destination_type = "CIDR_BLOCK" + destination = var.cp_egress_cidr + stateless = false + description = "Allow external traffic communication" + count = local.create_cp_external_traffic_rule ? 1 : 0 } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf new file mode 100644 index 000000000..b545c9209 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/dhcp.tf 
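Review bot: `oke_cp_nsg_pods_ingress` and `oke_cp_nsg_services_ingress` keep the stateless any-port pattern that this hunk drops for the external rule: each is a stateless INGRESS with no `tcp_options`, so any TCP connection from the pod NSG or the OCI services CIDR is admitted to the control plane NSG on every port, not only as the return half of CP-initiated traffic. The treatment given to `oke_cp_nsg_external_egress` fits here too — set `stateless = false` on `oke_cp_nsg_pods_egress` and `oke_cp_nsg_services_egress` and delete the two ingress halves — since a stateful egress rule admits its own responses, and the port-specific stateless pairs for 6443/12250 earlier in the file are unaffected because a matching stateless rule is applied on its own. `local.service_cidr_block` is referenced but not defined anywhere in this diff; presumably it lives in the module's locals, so confirm it resolves to the same value the removed `lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")` expression produced.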
@@ -0,0 +1,76 @@
+resource "oci_core_dhcp_options" "external_lb_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.external_lb_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_external_lb_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "internal_lb_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.internal_lb_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_internal_lb_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "oke_cp_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.cp_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_cp_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "worker_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.worker_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_worker_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "pods_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.pod_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_pod_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "bastion_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.bastion_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_bastion_subnet ? 1 : 0
+}
+
+resource "oci_core_dhcp_options" "fss_dhcp" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = var.fss_subnet_name
+ options {
+ type = "DomainNameServer"
+ server_type = "VcnLocalPlusInternet"
+ }
+ count = local.create_fss_subnet ? 1 : 0
+}
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf
index ef7dd1596..f991d33d4 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/drg.tf
@@ -7,7 +7,7 @@ resource "oci_core_drg" "vcn_drg" {
 resource "oci_core_drg_attachment" "oke_drg_attachment" {
 drg_id = local.drg_id
- display_name = "${var.vcn_name}-attachment"
+ display_name = var.vcn_name
 network_details {
 id = local.vcn_id
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
index 44e7584d9..5c1101f22 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/fss-nsg.tf
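Review bot: The seven `oci_core_dhcp_options` resources in this new file differ only in `display_name` and the create flag on their `count`, so one resource with `for_each` over a map of subnets would remove the duplication and keep the DNS settings in a single place; resource addresses would change with that, so any reference to these option sets from the subnet resources (outside this hunk) would have to be updated at the same time. All seven set only a `DomainNameServer` option with `VcnLocalPlusInternet`, which I believe matches the VCN's default DHCP options, so a header comment explaining why explicit per-subnet sets are created would help the next reader, e.g. `# One DHCP option set per subnet so DNS can be tuned per subnet later; all start from the VCN resolver.`
```hcl
locals {
  dhcp_subnets = {
    external_lb = { name = var.external_lb_subnet_name, create = local.create_external_lb_subnet }
    internal_lb = { name = var.internal_lb_subnet_name, create = local.create_internal_lb_subnet }
    # … one entry each for cp, worker, pod, bastion and fss in the same shape …
  }
}

resource "oci_core_dhcp_options" "subnet_dhcp" {
  for_each       = { for k, v in local.dhcp_subnets : k => v if v.create }
  compartment_id = var.network_compartment_id
  vcn_id         = local.vcn_id
  display_name   = each.value.name
  options {
    type        = "DomainNameServer"
    server_type = "VcnLocalPlusInternet"
  }
}
```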
@@ -1,18 +1,18 @@
 resource "oci_core_network_security_group" "fss_nsg" {
 compartment_id = var.network_compartment_id
 vcn_id = local.vcn_id
- display_name = "fss-nsg"
+ display_name = "fss"
 }
-# Ingress rules and their corresponding egress
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
+# NFS Portmapper - UDP (port 111)
+resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_udp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.udp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP ingress for NFS portmapper from workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP ingress for NFS portmapper from workers on port 111"
 udp_options {
 destination_port_range {
 max = 111
@@ -21,14 +21,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1" {
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1_stateless_egress" {
+resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_udp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.udp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP egress for NFS portmapper to workers"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP egress for NFS portmapper to workers on port 111"
 udp_options {
 source_port_range {
 max = 111
@@ -37,14 +37,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_1_sta
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
+# NFS Portmapper - TCP (port 111)
+resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress for NFS portmapper from workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress for NFS portmapper from workers on port 111"
 tcp_options {
 destination_port_range {
 max = 111
@@ -53,14 +54,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2" {
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2_stateless_egress" {
+resource "oci_core_network_security_group_security_rule" "fss_workers_portmapper_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP egress for NFS portmapper to workers"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress for NFS portmapper to workers on port 111"
 tcp_options {
 source_port_range {
 max = 111
@@ -69,14 +70,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_2_sta
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
+# NFS - UDP (port 2048)
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_udp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.udp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP ingress for NFS from workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP ingress for NFS from workers on port 2048"
 udp_options {
 destination_port_range {
 max = 2048
@@ -85,14 +87,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3" {
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3_stateless_egress" {
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_udp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.udp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP egress for NFS to workers"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP egress for NFS to workers on port 2048"
 udp_options {
 source_port_range {
 max = 2048
@@ -101,14 +103,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_3_sta
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
+# NFS - TCP (ports 2048-2050)
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress for NFS from workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress for NFS from workers on ports 2048-2050"
 tcp_options {
 destination_port_range {
 max = 2050
@@ -117,14 +120,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4" {
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4_stateless_egress" {
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP egress for NFS to workers"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress for NFS to workers on ports 2048-2050"
 tcp_options {
 source_port_range {
 max = 2050
@@ -133,14 +136,15 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_4_sta
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" {
+# NFS Encrypted - TCP (port 2051)
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_encrypted_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress when using in-transit encryption for OCI FSS"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress for NFS with in-transit encryption from workers on port 2051"
 tcp_options {
 destination_port_range {
 max = 2051
@@ -149,14 +153,14 @@ resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5" {
 }
 }
-resource "oci_core_network_security_group_security_rule" "fss_ingress_rule_5_stateless_egress" {
+resource "oci_core_network_security_group_security_rule" "fss_workers_nfs_encrypted_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.fss_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP egress when using in-transit encryption to workers"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress for NFS with in-transit encryption to workers on port 2051"
 tcp_options {
 source_port_range {
 max = 2051
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf
new file mode 100644
index 000000000..852d83da2
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf
@@ -0,0 +1,23 @@
+resource "oci_core_service_gateway" "service_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "SG"
+ services {
+ service_id = lookup(data.oci_core_services.all_oci_services.services[0], "id")
+ }
+ count = var.create_gateways ? 1 : 0
+}
+
+resource "oci_core_nat_gateway" "nat_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "NAT"
+ count = var.create_gateways ? 1 : 0
+}
+
+resource "oci_core_internet_gateway" "internet_gateway" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "IG"
+ count = local.all_subnet_private && ! local.create_internet_gateway ? 0 : 1
+}
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf
new file mode 100644
index 000000000..d473b7414
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg-frontend.tf
@@ -0,0 +1,71 @@
+resource "oci_core_network_security_group" "oke_lb_nsg_frontend" {
+ compartment_id = var.network_compartment_id
+ vcn_id = local.vcn_id
+ display_name = "oke-lb-frontend"
+}
+
+# HTTP traffic (port 80)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_http_ingress" {
+ direction = "INGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ source_type = "CIDR_BLOCK"
+ source = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTP ingress traffic from anywhere on port 80"
+ tcp_options {
+ destination_port_range {
+ max = 80
+ min = 80
+ }
+ }
+}
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_http_egress" {
+ direction = "EGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTP egress traffic to anywhere on port 80"
+ tcp_options {
+ source_port_range {
+ max = 80
+ min = 80
+ }
+ }
+}
+
+# HTTPS traffic (port 443)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_https_ingress" {
+ direction = "INGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ source_type = "CIDR_BLOCK"
+ source = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTPS ingress traffic from anywhere on port 443"
+ tcp_options {
+ destination_port_range {
+ max = 443
+ min = 443
+ }
+ }
+}
+
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_frontend_https_egress" {
+ direction = "EGRESS"
+ network_security_group_id = oci_core_network_security_group.oke_lb_nsg_frontend.id
+ protocol = local.tcp_protocol
+ destination_type = "CIDR_BLOCK"
+ destination = "0.0.0.0/0"
+ stateless = true
+ description = "Allow HTTPS egress traffic to anywhere on port 443"
+ tcp_options {
+ source_port_range {
+ max = 443
+ min = 443
+ }
+ }
+}
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
index db9a215f5..170087571 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/lb-nsg.tf
@@ -1,18 +1,18 @@
 resource "oci_core_network_security_group" "oke_lb_nsg" {
 compartment_id = var.network_compartment_id
 vcn_id = local.vcn_id
- display_name = "oke-lb-nsg"
+ display_name = "oke-lb-backend"
 }
-# Egress rules and their corresponding ingress
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress" {
+# Worker nodes - Service ports TCP (30000-32767)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP traffic from load balancer to worker nodes for services of type NodePort"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress from load balancer to worker nodes for services of type NodePort on ports 30000-32767"
 tcp_options {
 destination_port_range {
 max = 32767
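Review bot: `oci_core_internet_gateway.internet_gateway` is the only gateway in this file whose `count` does not consult `var.create_gateways`: with the expression on its last line an internet gateway is created whenever any subnet is public (`local.all_subnet_private` false), even when the caller set `create_gateways = false` to reuse existing gateways, and because `local.create_internet_gateway` is defined in local.tf with `! var.create_vcn` that term can only ever matter for a pre-existing VCN. The `&&`-before-`? :` precedence also reads ambiguously; at minimum parenthesise it, `count = (local.all_subnet_private && !local.create_internet_gateway) ? 0 : 1`, and add a comment stating that an internet gateway is always created for a public subnet regardless of `create_gateways`, or gate it on that variable if an existing gateway id can be supplied the way `var.nat_gateway_id` is. The `services[0]` lookup in the service gateway presumably relies on `data.oci_core_services.all_oci_services` being filtered to a single entry; if it is not, index 0 is order-dependent and deserves a comment as well.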
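Review bot: The frontend NSG and its four `0.0.0.0/0` rules are created unconditionally, while the subnets they serve are gated (`local.create_external_lb_subnet` and `local.create_internal_lb_subnet` in local.tf), so a stack with only an internal load balancer still carries an NSG that admits HTTP and HTTPS from any source; `count = local.create_external_lb_subnet ? 1 : 0` on the NSG and on each rule would keep this file aligned with the rest of the module. Because the listener ports and sources are hard-coded, consider driving the `source` of both ingress rules from a new list variable (say `lb_frontend_ingress_cidrs`, defaulting to `["0.0.0.0/0"]`) so internal-only deployments can restrict to VCN or on-premises ranges; the stateless egress rules keyed on `source_port_range` stay as they are. A one-line comment above the NSG would also make the intent explicit, e.g. `# Public-facing listener rules only (80/443 from anywhere); backend rules toward workers and pods live in lb-nsg.tf.`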
@@ -21,30 +21,31 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress from worker nodes to load balancer for responses"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from worker nodes to load balancer for service responses on ports 30000-32767"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 32767
 min = 30000
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp" {
+# Worker nodes - Service ports UDP (30000-32767)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_udp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.udp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP traffic from load balancer to worker nodes for services of type NodePort"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP egress from load balancer to worker nodes for services of type NodePort on ports 30000-32767"
 udp_options {
 destination_port_range {
 max = 32767
@@ -53,30 +54,31 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_egress_udp_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_service_udp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.udp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow UDP ingress from worker nodes to load balancer for responses"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow UDP ingress from worker nodes to load balancer for service responses on ports 30000-32767"
 udp_options {
- destination_port_range {
+ source_port_range {
 max = 32767
 min = 30000
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress" {
+# Worker nodes - Health check (TCP 10256)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_healthcheck_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP egress from load balancers to worker nodes for health check"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP egress from load balancers to worker nodes for health check on port 10256"
 tcp_options {
 destination_port_range {
 max = 10256
@@ -85,69 +87,64 @@ resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_workers_healthcheck_egress_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_workers_healthcheck_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow TCP ingress from worker nodes to load balancer for health check responses"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.worker_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from worker nodes to load balancer for health check responses on port 10256"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 10256
 min = 10256
 }
 }
 }
-# OCI Native Ingress does not support UDP, hence no UDP egress rule
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress" {
+# Pods - TCP (when NPN enabled)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.pod_nsg.0.id
- stateless = true
- description = "LB to pods, OCI Native Ingress"
- count = local.is_npn ? 1 : 0
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.pod_nsg.0.id
+ stateless = true
+ description = "Allow TCP egress from load balancer to pods for OCI Native Ingress and Pods as Backends"
+ count = local.is_npn ? 1 : 0
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_pods_egress_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.pod_nsg.0.id
- stateless = true
- description = "Allow TCP ingress from pods to load balancer for responses"
- count = local.is_npn ? 1 : 0
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.pod_nsg.0.id
+ stateless = true
+ description = "Allow TCP ingress from pods to load balancer for responses"
+ count = local.is_npn ? 1 : 0
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress" {
+# Pods - UDP (when NPN enabled)
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_udp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
- protocol = local.icmp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow LB to discover workers"
- icmp_options {
- type = 3
- code = 4
- }
+ protocol = local.udp_protocol
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.pod_nsg.0.id
+ stateless = true
+ description = "Allow UDP egress from load balancer to pods for OCI Native Ingress and Pods as Backends"
+ count = local.is_npn ? 1 : 0
 }
-resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_rule_worker_discovery_egress_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_lb_nsg_pods_udp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.oke_lb_nsg.id
- protocol = local.icmp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.worker_nsg.id
- stateless = true
- description = "Allow ICMP ingress from worker nodes to load balancer for responses"
- icmp_options {
- type = 3
- code = 4
- }
+ protocol = local.udp_protocol
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.pod_nsg.0.id
+ stateless = true
+ description = "Allow UDP ingress from pods to load balancer for responses"
+ count = local.is_npn ? 1 : 0
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
index 94b12c870..298b0efb9 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf
@@ -2,21 +2,27 @@ locals {
 is_npn = var.cni_type == "npn"
 create_pod_subnet = var.create_pod_subnet && local.is_npn
 create_cp_subnet = var.create_cp_subnet
+ create_bastion_subnet = var.create_bastion_subnet
+ create_fss_subnet = var.create_fss
 create_worker_subnet = var.create_worker_subnet
- create_service_subnet = var.create_service_subnet
- all_subnet_private = (var.cp_subnet_private || ! local.create_cp_subnet) && (var.service_subnet_private || ! local.create_service_subnet) && (var.bastion_subnet_private || ! var.create_bastion_subnet)
+ create_external_lb_subnet = var.create_external_lb_subnet
+ create_internal_lb_subnet = var.create_internal_lb_subnet
+ all_subnet_private = (var.cp_subnet_private || ! local.create_cp_subnet) && (! local.create_external_lb_subnet) && (var.bastion_subnet_private || ! var.create_bastion_subnet)
 vcn_id = var.create_vcn ? oci_core_vcn.spoke_vcn.0.id : var.vcn_id
 service_gateway_id = var.create_gateways ? oci_core_service_gateway.service_gateway.0.id : var.service_gateway_id
 nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
 cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
 create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
+
+ create_internet_gateway = (! var.create_vcn) && var.create_gateways && var.create_internet_gateway
+
 create_drg = var.enable_drg && var.create_drg
 create_drg_attachment = var.enable_drg && var.create_drg_attachment
 drg_id = var.create_drg ? try(oci_core_drg.vcn_drg.0.id, null) : var.drg_id
-
 tcp_protocol = "6"
 icmp_protocol = "1"
 udp_protocol = "17"
+ service_cidr_block = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
 }
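Review bot: The last hunk of lb-nsg.tf drops the ICMP type 3 code 4 pair between this NSG and `worker_nsg` (`oke_lb_nsg_rule_worker_discovery_egress` and its stateless ingress) and puts the UDP pod rules in their place, so the load balancer NSG is left with no path-MTU-discovery rule; if that is covered by the worker NSG or a subnet security list elsewhere, a comment saying so would stop the next reader from re-adding it, e.g. `# ICMP type 3 code 4 (path discovery) is deliberately not repeated here; handled on the worker NSG — TODO confirm`. The new `oke_lb_nsg_pods_tcp_egress` and `oke_lb_nsg_pods_udp_egress` carry no `tcp_options`/`udp_options`, so they allow every port toward the pod NSG, unlike the worker rules earlier in the file which are bounded to 30000-32767 and 10256; if that is intentional because pod backends may listen on any port, state it in the section comment, e.g. `# Pods - TCP, all ports (when NPN enabled): backend pods may listen on any port`.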
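Review bot: `all_subnet_private` on the new side still reads `var.create_bastion_subnet` in its last term although `local.create_bastion_subnet` is introduced a few lines above; use the local for consistency, `(var.bastion_subnet_private || ! local.create_bastion_subnet)`, and add a comment stating which subnets the expression deliberately omits (worker, pod, fss, internal LB), presumably because they are always private, since that assumption is what `oci_core_internet_gateway.internet_gateway` in gateways.tf keys on. `create_fss_subnet = var.create_fss` breaks the `create_<subnet>_subnet` naming of its neighbours; unless the variable name is fixed elsewhere, a short comment on the mismatch would help. `service_cidr_block` takes `services[0]` from `data.oci_core_services.all_oci_services`, which presumably assumes that data source is filtered to a single entry; if its filter ever matches both the Object Storage and the All Services entries, the control-plane rules in main.tf that consume this local would silently get whichever comes first, so a comment naming the expected entry (or an explicit filter in the data source) is worth adding.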
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
index 9bd04fd8e..579b1260d 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf
@@ -16,8 +16,12 @@ output "worker_subnet_id" {
 value = local.create_worker_subnet ? oci_core_subnet.worker_subnet.0.id : null
 }
-output "service_subnet_id" {
- value = local.create_service_subnet ? oci_core_subnet.service_subnet.0.id : null
+output "external_lb_subnet_id" {
+ value = local.create_external_lb_subnet ? oci_core_subnet.external_lb_subnet.0.id : null
+}
+
+output "internal_lb_subnet_id" {
+ value = local.create_internal_lb_subnet ? oci_core_subnet.internal_lb_subnet.0.id : null
 }
 output "bastion_subnet_id" {
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
index f7518c468..4f9fe8cc8 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/pod-nsg.tf
@@ -1,193 +1,146 @@ resource "oci_core_network_security_group" "pod_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "pod-nsg" - count = local.is_npn ? 1 : 0 + display_name = "pod" + count = local.is_npn ? 1 : 0 } -# Ingress rules and their corresponding egress -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_1" { +# Pod intercommunication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_pods_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress to pods from other pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL ingress to pods from other pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_pods_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress to other pods from pods" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL egress to other pods from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_2" { +# Cross-node communication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_workers_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL ingress to pods for cross-node pod communication when using NodePorts or hostNetwork: true" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_2_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_workers_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress to workers from pods" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL egress to workers from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3" { +# Control plane webhooks - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_all_ingress_webhooks" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL ingress to pods from Kubernetes control plane for webhooks served by pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_all_egress_webhooks" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL egress to control plane from pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress to pods for path discovery" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 
1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_ingress_4_stateless_egress" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress to internet from pods" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL egress to control plane from pods for webhooks served by pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "pods_nsg_rule_lb_ingress" { +# Load balancer - TCP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "LBs to pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to pods from load balancers" + count = local.is_npn ? 1 : 0 } -# Egress rules and their corresponding ingress -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_1" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ALL egress from pods to internet" - count = local.is_npn ? 
1 : 0 + protocol = local.tcp_protocol + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_1_stateless_ingress" { +# Load balancer - UDP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ALL ingress from internet to pods" - count = local.is_npn ? 1 : 0 + protocol = local.udp_protocol + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP ingress to pods from load balancers" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_2" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_lb_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress from pods for cross-node pod communication when using NodePorts or hostNetwork: true" - count = local.is_npn ? 1 : 0 + protocol = local.udp_protocol + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP egress to load balancers from pods" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress from workers to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3" { +# Internet - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_internet_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress from pods to other pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_3_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress from other pods to pods" - count = local.is_npn ? 1 : 0 + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + stateless = false + description = "Allow ALL egress from pods to internet" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" { +# Control plane - API server (TCP 6443) +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from pods to Kubernetes API server" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from pods to Kubernetes API server on port 6443" tcp_options { destination_port_range { max = 6443 @@ -197,16 +150,16 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4" count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_cp_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to pods" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to pods on port 6443" tcp_options { - destination_port_range { + source_port_range { max = 6443 min = 6443 } 
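Review bot: `oke_pod_nsg_internet_all_egress` is the only stateful rule in an otherwise all-stateless NSG, and that asymmetry is exactly what makes the old `0.0.0.0/0` stateless ingress removable, so it should be stated in the resource rather than left for the next reader to reverse-engineer, e.g. `# Stateful on purpose: Internet return traffic is admitted by connection tracking, so no 0.0.0.0/0 ingress rule exists` above `stateless = false`. Without that note a later "make everything stateless for consistency" edit would silently reintroduce the open ingress. The `oke_pod_nsg_cp_apiserver_egress` resource that begins at the end of this hunk continues in the next one.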
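Review bot: The 6443-scoped pair `oke_pod_nsg_cp_apiserver_egress`/`oke_pod_nsg_cp_apiserver_ingress` is entirely subsumed by `oke_pod_nsg_cp_all_egress_webhooks`/`oke_pod_nsg_cp_all_ingress_webhooks` in the previous hunk, which already pass every protocol and port between the pod NSG and `cp_nsg` statelessly, so the port restriction here does not narrow anything. If least privilege toward the control plane is the goal, the webhook rules are the ones to tighten (TCP only, and the webhook port range if it is known); otherwise a comment such as `# Subsumed by the ALL-protocol webhook rules above; kept to document the API-server path` on both 6443 rules prevents a false sense of scoping. The switch to `source_port_range` on the ingress side is consistent with its stateless return-path role.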
@@ -214,54 +167,25 @@ resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_4_s count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5" { +# OCI services - TCP +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_services_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from pods to OCI Services" - count = local.is_npn ? 1 : 0 + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from pods to OCI Services" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_5_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.pod_nsg.0.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress from pods for path discovery" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 
1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_pod_nsg_egress_6_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.pod_nsg.0.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress from internet to pods" - icmp_options { - type = 3 - code = 4 - } - count = local.is_npn ? 1 : 0 + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to pods" + count = local.is_npn ? 1 : 0 } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf index 3f170a471..29e337319 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/routing.tf 
@@ -1,39 +1,121 @@ - -resource "oci_core_service_gateway" "service_gateway" { +resource "oci_core_route_table" "bastion_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "SG" - services { - service_id = lookup(data.oci_core_services.all_oci_services.services[0], "id") + display_name = var.bastion_subnet_name + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [0] : [] + content { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + } + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [] : [0] + content { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + } + dynamic "route_rules" { + for_each = var.bastion_subnet_private ? [0] : [] + content { + network_entity_id = local.nat_gateway_id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through a NAT gateway" + } } - count = var.create_gateways ? 1 : 0 + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_bastion_subnet ? 1 : 0 } -resource "oci_core_nat_gateway" "nat_gateway" { +resource "oci_core_route_table" "cp_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "NAT" - count = var.create_gateways ? 1 : 0 + display_name = var.cp_subnet_name + dynamic "route_rules" { + for_each = var.cp_subnet_private ? 
[0] : [] + content { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + } + dynamic "route_rules" { + for_each = var.cp_subnet_private ? [] : [0] + content { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + } + dynamic "route_rules" { + for_each = local.cp_nat_mode ? [0] : [] + content { + network_entity_id = local.nat_gateway_id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through a NAT gateway" + } + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_cp_subnet ? 1 : 0 } -resource "oci_core_internet_gateway" "internet_gateway" { +resource "oci_core_route_table" "lb_ext_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "IG" - count = local.all_subnet_private && ! var.create_internet_gateway ? 0 : 1 + display_name = var.external_lb_subnet_name + route_rules { + network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + description = "Route to reach external Internet through the Internet gateway" + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_external_lb_subnet ? 
1 : 0 } -resource "oci_core_route_table" "service_route_table" { +resource "oci_core_route_table" "lb_int_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "service-gateway-rt" + display_name = var.internal_lb_subnet_name route_rules { network_entity_id = local.service_gateway_id destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") + destination = local.service_cidr_block description = "Route for all internal OCI services in the region" } - dynamic "route_rules" { for_each = var.enable_drg ? var.peer_vcns : [] content { @@ -43,17 +125,17 @@ resource "oci_core_route_table" "service_route_table" { description = "Route to ${route_rules.value} through the DRG" } } - + count = local.create_internal_lb_subnet ? 1 : 0 } -resource "oci_core_route_table" "nat_route_table" { +resource "oci_core_route_table" "worker_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "nat-gateway-rt" + display_name = var.worker_subnet_name route_rules { network_entity_id = local.service_gateway_id destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") + destination = local.service_cidr_block description = "Route for all internal OCI services in the region" } route_rules { @@ -62,7 +144,6 @@ resource "oci_core_route_table" "nat_route_table" { destination = "0.0.0.0/0" description = "Route to reach external Internet through a NAT gateway" } - dynamic "route_rules" { for_each = var.enable_drg ? var.peer_vcns : [] content { 
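Review bot: In `bastion_route_table` and `cp_route_table` the service-gateway rule is wrapped in `dynamic "route_rules" { for_each = var.bastion_subnet_private ? [0] : [] ... }` (and the `cp_subnet_private` equivalent), so a public bastion or control-plane subnet gets only the Internet-gateway default route and reaches OCI services over the public path instead of the service gateway; `lb_ext_route_table` has no service-gateway rule at all. Unless that is intended, make the service-gateway rule a plain `route_rules` block as in `lb_int_route_table`, since a SERVICE_CIDR_BLOCK rule can coexist with a 0.0.0.0/0 Internet-gateway rule; if it is intended, a comment on the `for_each` explaining why would save the question. The `oci_core_internet_gateway.internet_gateway[0].id` dereference here assumes the gateway exists whenever a public subnet is requested; the gateway resource is outside this diff, so I could not confirm its count agrees.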
@@ -72,18 +153,46 @@ resource "oci_core_route_table" "nat_route_table" { description = "Route to ${route_rules.value} through the DRG" } } - + count = local.create_worker_subnet ? 1 : 0 } -resource "oci_core_route_table" "internet_route_table" { +resource "oci_core_route_table" "pod_route_table" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "internet-gateway-rt" + display_name = var.pod_subnet_name route_rules { - network_entity_id = oci_core_internet_gateway.internet_gateway[0].id + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" + } + route_rules { + network_entity_id = local.nat_gateway_id destination_type = "CIDR_BLOCK" destination = "0.0.0.0/0" - description = "Route to reach external Internet through the Internet gateway" + description = "Route to reach external Internet through a NAT gateway" + } + dynamic "route_rules" { + for_each = var.enable_drg ? var.peer_vcns : [] + content { + network_entity_id = local.drg_id + destination_type = "CIDR_BLOCK" + destination = route_rules.value + description = "Route to ${route_rules.value} through the DRG" + } + } + count = local.create_pod_subnet ? 1 : 0 +} + +resource "oci_core_route_table" "fss_route_table" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.fss_subnet_name + route_rules { + network_entity_id = local.service_gateway_id + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + description = "Route for all internal OCI services in the region" } - count = local.all_subnet_private && ! var.create_internet_gateway ? 0 : 1 + count = local.create_fss_subnet ? 1 : 0 } \ No newline at end of file 
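Review bot: `fss_route_table` is the only one of the seven route tables without the `dynamic "route_rules"` DRG block (`for_each = var.enable_drg ? var.peer_vcns : []`), so with `enable_drg` set, traffic from peered VCNs to the FSS subnet has no return route while every other subnet can reach them. If FSS is deliberately reachable only from inside this VCN, say so with `# No DRG route: file systems are intentionally reachable only from within this VCN`; otherwise add the same DRG block the other tables carry. The file also loses its trailing newline (`\ No newline at end of file`).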
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf
new file mode 100644
index 000000000..824fb09d9
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/security-list.tf
@@ -0,0 +1,393 @@ +resource "oci_core_security_list" "cp_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.cp_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_cp_subnet ? 
1 : 0 +} + +resource "oci_core_security_list" "external_lb_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.external_lb_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_external_lb_subnet ? 
1 : 0 +} + + + +resource "oci_core_security_list" "internal_lb_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.internal_lb_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_internal_lb_subnet ? 
1 : 0 +} + + +resource "oci_core_security_list" "worker_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.worker_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_worker_subnet ? 
1 : 0 +} + +resource "oci_core_security_list" "pod_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.pod_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_pod_subnet ? 
1 : 0 +} + + +resource "oci_core_security_list" "fss_sl" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.fss_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + description = "Required to enable Path MTU Discovery to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" + icmp_options { + code = "4" + type = "3" + } + protocol = local.icmp_protocol + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + ingress_security_rules { + description = "Required to allow application within VCN to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + source = oci_core_vcn.spoke_vcn[0].cidr_block + source_type = "CIDR_BLOCK" + stateless = "true" + } + + egress_security_rules { + description = "Required to allow application within VCN responses to fail fast" + icmp_options { + type = "3" + } + protocol = local.icmp_protocol + destination = oci_core_vcn.spoke_vcn[0].cidr_block + destination_type = "CIDR_BLOCK" + stateless = "true" + } + + count = local.create_fss_subnet ? 1 : 0 +} + +resource "oci_core_security_list" "bastion_security_list" { + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + display_name = var.bastion_subnet_name + + # Ingress rules and their corresponding egress + ingress_security_rules { + protocol = local.tcp_protocol + source_type = "CIDR_BLOCK" + source = "0.0.0.0/0" + stateless = true + description = "Allow SSH connections to the subnet. 
Can be deleted if only using OCI Bastion subnet" + tcp_options { + max = 22 + min = 22 + } + } + + egress_security_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + protocol = local.tcp_protocol + stateless = true + description = "Allow SSH responses from the subnet" + tcp_options { + source_port_range { + max = 22 + min = 22 + } + } + } + + # Egress rules and their corresponding ingress + egress_security_rules { + destination = var.vcn_cidr_blocks[0] + destination_type = "CIDR_BLOCK" + protocol = "all" + stateless = true + description = "Enable the bastion hosts to reach the entire VCN" + } + + egress_security_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + protocol = "all" + stateless = false + description = "Let bastion instances connect to Internet" + } + + ingress_security_rules { + protocol = "all" + source_type = "CIDR_BLOCK" + source = var.vcn_cidr_blocks[0] + stateless = true + description = "Allow responses from the VCN to the bastion hosts" + } + + count = local.create_bastion_subnet ? 1 : 0 +} diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf index 0244b5ff2..cf8c69d3f 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/subnet.tf 
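Review bot: `cp_sl`, `external_lb_sl`, `internal_lb_sl`, `worker_sl`, `pod_sl` and `fss_sl` build their VCN-scoped ICMP rules from `oci_core_vcn.spoke_vcn[0].cidr_block`, which only exists when `var.create_vcn` is true; with an existing VCN (`local.vcn_id` falls back to `var.vcn_id` in main.tf) the plan fails on that index, whereas `bastion_security_list` in the same file already uses `var.vcn_cidr_blocks[0]` and works in both modes. Use `source = var.vcn_cidr_blocks[0]` / `destination = var.vcn_cidr_blocks[0]` in those twelve rules. Separately, the bastion list's stateless `protocol = "all"` ingress from `var.vcn_cidr_blocks[0]` admits connections initiated by any VCN host to any bastion port, not only the responses its description names; making the matching `Enable the bastion hosts to reach the entire VCN` egress stateful would let that ingress rule be dropped. Minor: `stateless = "true"` (string) in the ICMP lists versus `stateless = true` in the bastion list; pick one form.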
@@ -1,13 +1,28 @@ -resource "oci_core_subnet" "service_subnet" { - cidr_block = var.service_subnet_cidr +resource "oci_core_subnet" "external_lb_subnet" { + cidr_block = var.external_lb_cidr compartment_id = var.network_compartment_id vcn_id = local.vcn_id - prohibit_public_ip_on_vnic = var.service_subnet_private - dns_label = var.service_subnet_dns_label - display_name = var.service_subnet_name - route_table_id = var.service_subnet_private ? oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id - count = local.create_service_subnet ? 1 : 0 + prohibit_public_ip_on_vnic = false + dns_label = var.external_lb_subnet_dns_label + display_name = var.external_lb_subnet_name + route_table_id = oci_core_route_table.lb_ext_route_table.0.id + security_list_ids = [oci_core_security_list.external_lb_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.external_lb_dhcp[0].id + count = local.create_external_lb_subnet ? 1 : 0 +} + +resource "oci_core_subnet" "internal_lb_subnet" { + cidr_block = var.internal_lb_cidr + compartment_id = var.network_compartment_id + vcn_id = local.vcn_id + prohibit_public_ip_on_vnic = true + dns_label = var.internal_lb_subnet_dns_label + display_name = var.internal_lb_subnet_name + route_table_id = oci_core_route_table.lb_int_route_table.0.id + security_list_ids = [oci_core_security_list.internal_lb_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.internal_lb_dhcp[0].id + count = local.create_internal_lb_subnet ? 1 : 0 } resource "oci_core_subnet" "oke_cp_subnet" { 
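Review bot: `prohibit_public_ip_on_vnic = false` is hard-coded for external_lb_subnet while the neighbouring subnets derive it from a `*_subnet_private` variable, so this is the one subnet in the module that is always public; a comment such as `# intentionally public: external load balancers need public IPs` would make that explicit, given the README promise that everything is private by default. The resource also mixes `.0.id` and `[0].id` indexing in adjacent lines (`lb_ext_route_table.0.id` vs `external_lb_dhcp[0].id`); `[0]` is the form Terraform documents, and using it consistently across the new resources would help readability.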
@@ -17,7 +32,9 @@ resource "oci_core_subnet" "oke_cp_subnet" { dns_label = var.cp_subnet_dns_label display_name = var.cp_subnet_name prohibit_public_ip_on_vnic = var.cp_subnet_private - route_table_id = var.cp_subnet_private ? local.cp_nat_mode ? oci_core_route_table.nat_route_table.id : oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id + route_table_id = oci_core_route_table.cp_route_table.0.id + security_list_ids = [oci_core_security_list.cp_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.oke_cp_dhcp[0].id count = local.create_cp_subnet ? 1 : 0 } @@ -28,7 +45,9 @@ resource "oci_core_subnet" "worker_subnet" { dns_label = var.worker_subnet_dns_label display_name = var.worker_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.nat_route_table.id + route_table_id = oci_core_route_table.worker_route_table.0.id + security_list_ids = [oci_core_security_list.worker_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.worker_dhcp[0].id count = local.create_worker_subnet ? 1 : 0 } @@ -39,7 +58,9 @@ resource "oci_core_subnet" "pods_subnet" { dns_label = var.pod_subnet_dns_label display_name = var.pod_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.nat_route_table.id + route_table_id = oci_core_route_table.pod_route_table.0.id + security_list_ids = [oci_core_security_list.pod_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.pods_dhcp[0].id count = local.create_pod_subnet ? 1 : 0 } 
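Review bot: `oke_cp_subnet` still sets `prohibit_public_ip_on_vnic = var.cp_subnet_private`, but its route table is now fixed to `oci_core_route_table.cp_route_table.0.id` instead of being chosen from that same variable, and the NAT / service-gateway choice via `local.cp_nat_mode` disappears from this file. Presumably cp_route_table encodes that decision elsewhere, but it is not in this diff; please confirm that a private control-plane subnet cannot end up paired with an internet route table. The same applies to bastion_subnet in the next hunk. A comment on route_table_id such as `# gateway choice (internet / NAT / service gateway) is made in cp_route_table` would make the coupling visible.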
@@ -50,9 +71,10 @@ resource "oci_core_subnet" "bastion_subnet" { dns_label = var.bastion_subnet_dns_label display_name = var.bastion_subnet_name prohibit_public_ip_on_vnic = var.bastion_subnet_private - route_table_id = var.bastion_subnet_private ? oci_core_route_table.service_route_table.id : oci_core_route_table.internet_route_table[0].id + route_table_id = oci_core_route_table.bastion_route_table.0.id security_list_ids = [oci_core_security_list.bastion_security_list.0.id] - count = var.create_bastion_subnet ? 1 : 0 + dhcp_options_id = oci_core_dhcp_options.bastion_dhcp[0].id + count = local.create_bastion_subnet? 1 : 0 } resource "oci_core_subnet" "fss_subnet" { @@ -62,7 +84,8 @@ resource "oci_core_subnet" "fss_subnet" { dns_label = var.fss_subnet_dns_label display_name = var.fss_subnet_name prohibit_public_ip_on_vnic = true - route_table_id = oci_core_route_table.service_route_table.id - count = var.create_fss ? 1 : 0 + route_table_id = oci_core_route_table.fss_route_table.0.id + security_list_ids = [oci_core_security_list.fss_sl.0.id] + dhcp_options_id = oci_core_dhcp_options.fss_dhcp[0].id + count = local.create_fss_subnet ? 1 : 0 } - diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf index 174fec1e7..bd4c457c4 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf 
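Review bot: `count = local.create_bastion_subnet? 1 : 0` drops the space before `?` that every other count expression in this file has; `count = local.create_bastion_subnet ? 1 : 0` keeps the formatting uniform (terraform fmt would not fix this one for you). The switch from `var.create_bastion_subnet` to `local.create_bastion_subnet` here and on fss_subnet is fine, but worker-nsg.tf in this same commit still gates its bastion rules on the variable, so the two may diverge if the local adds conditions.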
@@ -85,23 +85,32 @@ variable "pod_subnet_dns_label" { variable "pod_subnet_name" { } -# SERVICE SUBNET +# LB SUBNETS -variable "create_service_subnet" { +variable "create_external_lb_subnet" { type = bool } -variable "service_subnet_cidr" { +variable "external_lb_cidr" { } -variable "service_subnet_private" { +variable "external_lb_subnet_dns_label" { +} + +variable "external_lb_subnet_name" { +} + +variable "create_internal_lb_subnet" { type = bool } -variable "service_subnet_dns_label" { +variable "internal_lb_cidr" { +} + +variable "internal_lb_subnet_dns_label" { } -variable "service_subnet_name" { +variable "internal_lb_subnet_name" { } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf index b6160460c..b29a9533c 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/vcn.tf 
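Review bot: The new variables `external_lb_cidr`, `internal_lb_cidr` and the four dns-label/name variables are declared with empty bodies, no `type` and no `description`, while the README for this stack warns that inputs are not validated; the LB subnet CIDRs are a good place to start closing that gap since a malformed value only fails at apply time. Declaring them as `string` with a description and a `validation` block that checks the CIDR parses would reject bad input at plan time. The dns labels could get a similar check against OCI's label constraints if those are known to the authors.

```hcl
variable "external_lb_cidr" {
  type        = string
  description = "CIDR block of the public load balancer subnet; must lie inside the VCN CIDR"
  validation {
    condition     = can(cidrhost(var.external_lb_cidr, 0))
    error_message = "external_lb_cidr must be a valid IPv4 CIDR block."
  }
}
# … same shape for internal_lb_cidr; dns label / name variables get type = string and a description …
```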
@@ -9,53 +9,6 @@ resource "oci_core_vcn" "spoke_vcn" { resource "oci_core_default_security_list" "lockdown" { manage_default_resource_id = oci_core_vcn.spoke_vcn.0.default_security_list_id - # Ingress rules and their corresponding egress - ingress_security_rules { - description = "Required to enable Path MTU Discovery to work, and non-OCI communication" - icmp_options { - code = "4" - type = "3" - } - protocol = "1" - source = "0.0.0.0/0" - source_type = "CIDR_BLOCK" - stateless = "true" - } - - egress_security_rules { - description = "Required to enable Path MTU Discovery responses to work, and non-OCI communication" - icmp_options { - code = "4" - type = "3" - } - protocol = "1" - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - stateless = "true" - } - - ingress_security_rules { - description = "Required to allow application within VCN to fail fast" - icmp_options { - type = "3" - } - protocol = "1" - source = oci_core_vcn.spoke_vcn[0].cidr_block - source_type = "CIDR_BLOCK" - stateless = "true" - } - - egress_security_rules { - description = "Required to allow application within VCN responses to fail fast" - icmp_options { - type = "3" - } - protocol = "1" - destination = oci_core_vcn.spoke_vcn[0].cidr_block - destination_type = "CIDR_BLOCK" - stateless = "true" - } - lifecycle { ignore_changes = [defined_tags] } diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf index 00d047711..06dc39dc3 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/worker-nsg.tf 
@@ -1,80 +1,83 @@ resource "oci_core_network_security_group" "worker_nsg" { compartment_id = var.network_compartment_id vcn_id = local.vcn_id - display_name = "worker-nsg" + display_name = "worker" } -# Ingress rules and their corresponding egress -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_1" { +# Control plane - ALL protocols (webhooks) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_all_ingress_webhooks" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL ingress to workers from Kubernetes control plane for webhooks served by workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_1_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_all_egress_webhooks" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow ALL egress to control plane from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow ALL egress to control plane from workers for webhooks served by workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_2" { +# Pods - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_pods_all_ingress" { direction = "INGRESS" 
network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress to workers from pods" - count = local.is_npn ? 1 : 0 + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL ingress to workers from pods" + count = local.is_npn ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_2_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_pods_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress to pods from workers" - count = local.is_npn ? 1 : 0 + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.pod_nsg.0.id + stateless = true + description = "Allow ALL egress to pods from workers" + count = local.is_npn ? 
1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_3" { +# Worker intercommunication - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_workers_all_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress to workers from other workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL ingress to workers from other workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_3_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_workers_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress to other workers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.worker_nsg.id + stateless = true + description = "Allow ALL egress to other workers from workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_4" { +# Load balancer - Health check (TCP 10256) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_healthcheck_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP ingress to workers for health check from public load balancers" + source_type = 
"NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to workers for health check from public load balancers on port 10256" tcp_options { destination_port_range { max = 10256 @@ -83,14 +86,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_4_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_healthcheck_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from workers on port 10256" tcp_options { source_port_range { max = 10256 
@@ -99,14 +102,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_5" { +# Load balancer - Service ports TCP (30000-32767) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_tcp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP ingress to workers from load balancers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP ingress to workers from load balancers on service ports 30000-32767" tcp_options { destination_port_range { max = 32767 @@ -115,14 +119,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_5_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow TCP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow TCP egress to load balancers from workers on service ports 30000-32767" tcp_options { source_port_range { max = 32767 
@@ -131,14 +135,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_udp" { +# Load balancer - Service ports UDP (30000-32767) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow UDP ingress to workers from load balancers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP ingress to workers from load balancers on service ports 30000-32767" udp_options { destination_port_range { max = 32767 @@ -147,14 +152,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_udp_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_lb_service_udp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.oke_lb_nsg.id - stateless = true - description = "Allow UDP egress to load balancers from workers" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.oke_lb_nsg.id + stateless = true + description = "Allow UDP egress to load balancers from workers on service ports 30000-32767" udp_options { source_port_range { max = 32767 
@@ -163,42 +168,15 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_6" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress to workers for path discovery" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_6_stateless_egress" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress to internet from workers" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_7" { +# Bastion - SSH access (TCP 22) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion_ssh_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "CIDR_BLOCK" - source = var.bastion_subnet_cidr - stateless = true - description = "Allow SSH access from bastion subnet" + source_type = "CIDR_BLOCK" + source = var.bastion_subnet_cidr + stateless = true + description = "Allow SSH access from bastion subnet on port 22" tcp_options { destination_port_range { max = 22 
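Review bot: The ICMP type 3 code 4 (fragmentation needed) pair from/to 0.0.0.0/0 is removed from the worker NSG here and again in the hunk at `@@ -388,58 +318,31 @@`, and the same rules are removed from the default security list in vcn.tf in this commit. Path MTU Discovery for workers then depends on the per-subnet security list (`worker_sl`, referenced from subnet.tf but not in this diff) carrying them the way `fss_sl` does; please confirm it does, otherwise connections over paths with a smaller MTU can stall without an obvious error. A one-line comment near the top of this file, e.g. `# ICMP PMTUD (type 3 code 4) is allowed by the subnet security list, not by this NSG`, would keep the next reader from re-adding it here.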
@@ -208,14 +186,14 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress count = var.create_bastion_subnet ? 1 : 0 } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress_7_stateless_egress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion_ssh_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "CIDR_BLOCK" - destination = var.bastion_subnet_cidr - stateless = true - description = "Allow TCP egress to bastion from workers" + destination_type = "CIDR_BLOCK" + destination = var.bastion_subnet_cidr + stateless = true + description = "Allow TCP egress to bastion from workers on port 22" tcp_options { source_port_range { max = 22 
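Review bot: The bastion SSH rule pair keeps `count = var.create_bastion_subnet ? 1 : 0` (an unchanged context line, here and on the egress rule whose body continues past this hunk), while subnet.tf in this same commit switched bastion_subnet to `local.create_bastion_subnet`. If the local ever differs from the raw variable, the NSG rules and the subnet are created under different conditions; `count = local.create_bastion_subnet ? 1 : 0` here would keep them aligned. I cannot see the local's definition in this diff, so this may be deliberate.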
@@ -225,77 +203,26 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_ingress count = var.create_bastion_subnet ? 1 : 0 } -# Egress rules and their corresponding ingress -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_1" { +# Internet - ALL protocols +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_internet_all_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = "all" - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ALL egress from workers to internet" -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_1_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ALL ingress from internet to workers" + destination_type = "CIDR_BLOCK" + destination = "0.0.0.0/0" + stateless = false + description = "Allow ALL egress from workers to internet" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_2" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL egress from workers to other workers" -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_2_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.worker_nsg.id - stateless = true - description = "Allow ALL ingress from other workers to workers" -} - -resource 
"oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_3" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL egress from workers to pods" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_3_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = "all" - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.pod_nsg.0.id - stateless = true - description = "Allow ALL ingress from pods to workers" - count = local.is_npn ? 1 : 0 -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_4" { +# Control plane - API server (TCP 6443) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_apiserver_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from workers to Kubernetes API server" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from workers to Kubernetes API server on port 6443" tcp_options { destination_port_range { max = 6443 
@@ -304,50 +231,52 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_4_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_apiserver_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 6443" tcp_options { - destination_port_range { + source_port_range { max = 6443 min = 6443 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_5" { +# OCI services - TCP +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_services_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "SERVICE_CIDR_BLOCK" - destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP egress from workers to OCI Services" + destination_type = "SERVICE_CIDR_BLOCK" + destination = local.service_cidr_block + stateless = true + description = "Allow TCP egress from workers to OCI Services" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_5_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_services_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "SERVICE_CIDR_BLOCK" - source = 
lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block") - stateless = true - description = "Allow TCP ingress from OCI services to workers" + source_type = "SERVICE_CIDR_BLOCK" + source = local.service_cidr_block + stateless = true + description = "Allow TCP ingress from OCI services to workers" } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_6" { +# Control plane - Kubelet health check (TCP 10250) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_health_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress to OKE control plane from workers for health check" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress to control plane from workers for health check on port 10250" tcp_options { destination_port_range { max = 10250 
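Review bot: `oke_worker_nsg_services_ingress` carries no tcp_options, so as a stateless rule it admits TCP from the OCI services CIDR to every worker port, whereas every other ingress in this hunk was just tightened to a `source_port_range`. If worker-to-OCI-services traffic is HTTPS only, pinning the ingress with `source_port_range { max = 443 min = 443 }`, or making `oke_worker_nsg_services_egress` stateful and dropping the ingress as was done for internet egress, would narrow it; I cannot tell from the diff which services are used, so treat this as a question. The switch from the `lookup(data.oci_core_services…)` expression to `local.service_cidr_block` reads fine, but the local is defined outside this diff.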
@@ -356,30 +285,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_6_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_health_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 10250" tcp_options { - destination_port_range { + source_port_range { max = 10250 min = 10250 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_7" { +# Control plane - Kubelet (TCP 12250) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP egress from workers to OKE control plane" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP egress from workers to control plane on port 12250" tcp_options { destination_port_range { max = 12250 
@@ -388,58 +318,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_7_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_cp_kubelet_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.cp_nsg.id - stateless = true - description = "Allow TCP ingress from control plane to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.cp_nsg.id + stateless = true + description = "Allow TCP ingress from control plane to workers on port 12250" tcp_options { - destination_port_range { + source_port_range { max = 12250 min = 12250 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_8" { - direction = "EGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - destination_type = "CIDR_BLOCK" - destination = "0.0.0.0/0" - stateless = true - description = "Allow ICMP egress from workers for path discovery" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_8_stateless_ingress" { - direction = "INGRESS" - network_security_group_id = oci_core_network_security_group.worker_nsg.id - protocol = local.icmp_protocol - source_type = "CIDR_BLOCK" - source = "0.0.0.0/0" - stateless = true - description = "Allow ICMP ingress from internet to workers" - icmp_options { - type = 3 - code = 4 - } -} - -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_9" { +# FSS - NFS portmapper UDP (111) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_udp_egress" { direction = "EGRESS" 
network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP egress from workers for NFS portmapper to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP egress from workers for NFS portmapper to FSS mounts on port 111" udp_options { destination_port_range { max = 111 
@@ -448,30 +351,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_ } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_9_stateless_ingress" { +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_udp_ingress" { direction = "INGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.udp_protocol - source_type = "NETWORK_SECURITY_GROUP" - source = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow UDP ingress from FSS to workers" + source_type = "NETWORK_SECURITY_GROUP" + source = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow UDP ingress from FSS to workers on port 111" udp_options { - destination_port_range { + source_port_range { max = 111 min = 111 } } } -resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_10" { +# FSS - NFS portmapper TCP (111) +resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_tcp_egress" { direction = "EGRESS" network_security_group_id = oci_core_network_security_group.worker_nsg.id protocol = local.tcp_protocol - destination_type = "NETWORK_SECURITY_GROUP" - destination = oci_core_network_security_group.fss_nsg.id - stateless = true - description = "Allow TCP egress from workers for NFS portmapper to FSS mounts" + destination_type = "NETWORK_SECURITY_GROUP" + destination = oci_core_network_security_group.fss_nsg.id + stateless = true + description = "Allow TCP egress from workers for NFS portmapper to FSS mounts on port 111" tcp_options { destination_port_range { max = 111 
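Review bot: The FSS rule pairs (portmapper here, and NFS in the next two hunks) reference `oci_core_network_security_group.fss_nsg.id` unconditionally, while the FSS subnet and `fss_sl` are gated on `local.create_fss_subnet`. The rules therefore exist even when no FSS subnet is created; harmless, but `count = local.create_fss_subnet ? 1 : 0` on these rules, mirroring the `local.is_npn` gate on the pod rules, would keep dead rules out of the worker NSG. This assumes fss_nsg itself is unconditional, which the missing index suggests but the diff does not show.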
@@ -480,30 +384,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_10_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_portmapper_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP ingress from FSS to workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from FSS to workers on port 111"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 111
 min = 111
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_11" {
+# FSS - NFS TCP (2048-2050)
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP egress from workers for NFS to FSS mounts"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP egress from workers for NFS to FSS mounts on ports 2048-2050"
 tcp_options {
 destination_port_range {
 max = 2050
@@ -512,30 +417,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_11_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP ingress from FSS to workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from FSS to workers on ports 2048-2050"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 2050
 min = 2048
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_12" {
+# FSS - NFS UDP (2048)
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_udp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.udp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow UDP egress from workers for NFS to FSS mounts"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow UDP egress from workers for NFS to FSS mounts on port 2048"
 udp_options {
 destination_port_range {
 max = 2048
@@ -544,30 +450,31 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_12_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_udp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.udp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow UDP ingress from FSS to workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow UDP ingress from FSS to workers on port 2048"
 udp_options {
- destination_port_range {
+ source_port_range {
 max = 2048
 min = 2048
 }
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_13" {
+# FSS - NFS encrypted TCP (2051)
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_encrypted_tcp_egress" {
 direction = "EGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- destination_type = "NETWORK_SECURITY_GROUP"
- destination = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP egress from workers for NFS to FSS mounts when using in-transit encryption"
+ destination_type = "NETWORK_SECURITY_GROUP"
+ destination = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP egress from workers for NFS to FSS mounts when using in-transit encryption on port 2051"
 tcp_options {
 destination_port_range {
 max = 2051
@@ -576,16 +483,16 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_
 }
 }
-resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_egress_13_stateless_ingress" {
+resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_fss_nfs_encrypted_tcp_ingress" {
 direction = "INGRESS"
 network_security_group_id = oci_core_network_security_group.worker_nsg.id
 protocol = local.tcp_protocol
- source_type = "NETWORK_SECURITY_GROUP"
- source = oci_core_network_security_group.fss_nsg.id
- stateless = true
- description = "Allow TCP ingress from FSS to workers"
+ source_type = "NETWORK_SECURITY_GROUP"
+ source = oci_core_network_security_group.fss_nsg.id
+ stateless = true
+ description = "Allow TCP ingress from FSS to workers on port 2051"
 tcp_options {
- destination_port_range {
+ source_port_range {
 max = 2051
 min = 2051
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
index c19cf34b9..a31bb57c7 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.7.0"
+ version = "7.22.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
index fa5cbac24..4d15b4b98 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
+++ b/app-dev/devops-and-containers/oke/oke-rm/infra/schema.yaml
@@ -20,45 +20,34 @@ variableGroups: - create_vcn - vcn_id - vcn_name - - vcn_cidr_blocks + - vcn_cidr_block - vcn_dns_label - cni_type - create_cp_subnet - cp_subnet_name - - cp_subnet_cidr - - cp_subnet_dns_label - - cp_subnet_private - - cp_allowed_source_cidr - create_worker_subnet - worker_subnet_name - - worker_subnet_cidr - - worker_subnet_dns_label - create_pod_subnet - pod_subnet_name - - pod_subnet_cidr - - pod_subnet_dns_label - - create_service_subnet - - service_subnet_name - - service_subnet_cidr - - service_subnet_dns_label - - service_subnet_private + - create_external_lb_subnet + - external_lb_subnet_name + - create_internal_lb_subnet + - internal_lb_subnet_name - create_fss - fss_subnet_name - - fss_subnet_cidr - - fss_subnet_dns_label - create_bastion_subnet - bastion_subnet_name - - bastion_subnet_cidr - - bastion_subnet_dns_label - bastion_subnet_private - create_gateways - nat_gateway_id - service_gateway_id - create_internet_gateway - - title: "Control Plane External Connection" + - title: "Control Plane Connectivity" variables: - cp_connection_notice + - cp_subnet_private + - cp_allowed_source_cidr - cp_external_nat - allow_external_cp_traffic - cp_egress_cidr @@ -83,6 +72,7 @@ variables: title: "Network Compartment" description: "All resources in this section will be created within the compartment chosen" type: oci:identity:compartment:id + default: ${compartment_ocid} required: true cni_type: 
@@ -118,20 +108,20 @@ variables: required: true visible: ${create_vcn} - vcn_cidr_blocks: - title: "VCN CIDR blocks" - description: "CIDR blocks to be allocated for the VCN" - type: array - items: - type: string + vcn_cidr_block: + title: "VCN CIDR block" + description: "CIDR blocks to be allocated for the VCN. MUST BE A /16 VCN" + type: string required: true + pattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){2}0.0\/16$" visible: ${create_vcn} vcn_dns_label: title: "VCN DNS name" - description: "This dns label will be present by default whenever a new instance is created in the VCN" + description: "DNS label fot the VCN. MUST BE UNIQUE across all the VCNs" type: string required: true + pattern: "^[a-zA-Z][a-zA-Z0-9]{0,14}$" visible: ${create_vcn} # CP SUBNET @@ -141,20 +131,6 @@ variables: description: "If flagged, this Terraform module will create the Kubernetes Control Plane subnet" type: boolean - cp_subnet_cidr: - title: "Kubernetes Control Plane Subnet CIDR" - description: "CIDR block to allocate for Kubernetes Control Plane API Server. As it is just one endpoint, it can be small" - type: string - required: true - visible: ${create_cp_subnet} - - cp_subnet_dns_label: - title: "Kubernetes Control Plane DNS label" - description: "DNS label for the Kubernetes Control Plane subnet" - type: string - required: true - visible: ${create_cp_subnet} - cp_subnet_name: title: "Kubernetes Control Plane subnet name" description: "Name of the subnet containing the Kubernetes Control Plane API Server" 
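Review bot: The `pattern` added to `vcn_cidr_block` uses unescaped `.` between the octets, so it matches any character there and accepts strings such as `10x1x0x0/16`, while the description promises the value "MUST BE A /16 VCN". Escape the separators: `pattern: "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){2}0\\.0\/16$"` (in a YAML double-quoted scalar `\\.` yields the regex `\.`). Keep in mind that a schema pattern is only enforced by the Resource Manager form; a matching `validation` block on the Terraform variable would cover CLI and API users too. Separately, the new `vcn_dns_label` description reads "DNS label fot the VCN", presumably "for".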
@@ -182,20 +158,6 @@ variables: description: "If flagged, this Terraform module will create the Kubernetes Worker subnet" type: boolean - worker_subnet_cidr: - title: "Worker subnet CIDR" - description: "CIDR block for OKE worker nodes and other VM or workload like functions" - type: string - required: true - visible: ${create_worker_subnet} - - worker_subnet_dns_label: - title: "Worker subnet DNS label" - description: "DNS label for the Worker subnet" - type: string - required: true - visible: ${create_worker_subnet} - worker_subnet_name: title: "Worker subnet name" description: "Name of the Worker subnet" @@ -214,30 +176,6 @@ variables: - ${cni_type} - vcn_native - pod_subnet_cidr: - title: "Pod subnet CIDR" - description: "CIDR block for OKE pods" - type: string - required: true - visible: - and: - - ${create_pod_subnet} - - eq: - - ${cni_type} - - vcn_native - - pod_subnet_dns_label: - title: "Pod subnet DNS label" - description: "DNS label for the Pod subnet" - type: string - required: true - visible: - and: - - ${create_pod_subnet} - - eq: - - ${cni_type} - - vcn_native - pod_subnet_name: title: "Pod subnet name" description: "OKE pods will have an IP address assigned from this subnet" 
@@ -250,39 +188,31 @@ variables: - ${cni_type} - vcn_native -# SERVICE SUBNET +# LB SUBNETS - create_service_subnet: - title: "Create Service subnet" - description: "If flagged, this Terraform module will create the Kubernetes Service subnet" + create_external_lb_subnet: + title: "Create external LB subnet" + description: "If flagged, create a LB subnet to host publicly exposed services" type: boolean - service_subnet_cidr: - title: "Service subnet CIDR" - description: "CIDR block for the Service subnet" + external_lb_subnet_name: + title: "Service subnet name" + description: "Name of the external LB subnet" type: string required: true - visible: ${create_service_subnet} + visible: ${create_external_lb_subnet} - service_subnet_dns_label: - title: "Service subnet DNS label" - description: "DNS label for the Service subnet" - type: string - required: true - visible: ${create_service_subnet} + create_internal_lb_subnet: + title: "Create internal LB subnet" + description: "If flagged, create a LB subnet to host internally exposed services" + type: boolean - service_subnet_name: + internal_lb_subnet_name: title: "Service subnet name" - description: "The Service subnet will host all the network appliances necessary to expose services, so Load Balancers and API Gateways" + description: "Name of the internal LB subnet" type: string required: true - visible: ${create_service_subnet} - - service_subnet_private: - title: "Service Subnet is private" - description: "If flagged, the service subnet will be a private one, otherwise it's a public subnet" - type: boolean - visible: ${create_service_subnet} + visible: ${create_internal_lb_subnet} # FSS SUBNET 
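Review bot: Both new name fields keep the copied `title: "Service subnet name"`, so `external_lb_subnet_name` and `internal_lb_subnet_name` are indistinguishable in the Resource Manager form; title them `title: "External LB subnet name"` and `title: "Internal LB subnet name"`. The `service_subnet_private` toggle is removed with nothing replacing it in this section, so whether the external LB subnet is public appears to be fixed elsewhere in the stack; if so, saying so in the `create_external_lb_subnet` description (e.g. "This subnet is public") would save the user guessing what "publicly exposed services" implies for the subnet itself.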
@@ -297,18 +227,6 @@ variables: required: true visible: ${create_fss} - fss_subnet_cidr: - title: "FSS subnet CIDR" - description: "CIDR block for the FSS subnet" - required: true - visible: ${create_fss} - - fss_subnet_dns_label: - title: "FSS subnet DNS label" - description: "DNS label for the FSS subnet" - required: true - visible: ${create_fss} - # VCN GATEWAYS create_gateways: @@ -391,7 +309,7 @@ variables: - ${cp_external_nat} cp_egress_cidr: - title: "Egress CIDR block" + title: "Control Plane allowed egress cidr" description: "Allowed egress IP range that the Control Plane is allowed to call" type: string required: true @@ -417,20 +335,6 @@ variables: required: true visible: ${create_bastion_subnet} - bastion_subnet_cidr: - title: "Bastion subnet CIDR" - description: "CIDR block to allocate for the Bastion subnet" - type: string - required: true - visible: ${create_bastion_subnet} - - bastion_subnet_dns_label: - title: "Bastion subnet DNS label" - description: "DNS label for the Bastion subnet" - type: string - required: true - visible: ${create_bastion_subnet} - bastion_subnet_private: title: "Bastion subnet is private" description: "Note that if you use the OCI Bastion, the bastion subnet can also be private" diff --git a/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf b/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf index fb7b148dc..0bd472c11 100644 --- a/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf +++ b/app-dev/devops-and-containers/oke/oke-rm/infra/variable.tf @@ -21,9 +21,9 @@ variable "vcn_name" { default = "vcn-oke-1" } -variable "vcn_cidr_blocks" { - type = list(string) - default = ["10.1.0.0/16"] +variable "vcn_cidr_block" { + type = string + default = "10.0.0.0/16" } variable "vcn_dns_label" { 
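Review bot: The new `vcn_cidr_block` variable carries no `validation` block, although the schema.yaml hunk in this same change only accepts a /16 via its `pattern`; that pattern is enforced solely by the Resource Manager form, so a CLI or API user can pass any string here and the stack proceeds with a CIDR the rest of the configuration does not expect. A validation block fails the plan instead and tells the user what the stack requires. Note also that the default moves from `10.1.0.0/16` to `10.0.0.0/16`, so an existing stack that relied on the old default will see its VCN CIDR change in the next plan; that deserves a line in the release notes.
```hcl
variable "vcn_cidr_block" {
  type    = string
  default = "10.0.0.0/16"

  # Keep in step with the schema.yaml pattern: the stack expects an IPv4 /16 VCN.
  validation {
    condition     = can(cidrnetmask(var.vcn_cidr_block)) && can(regex("/16$", var.vcn_cidr_block))
    error_message = "vcn_cidr_block must be an IPv4 CIDR with a /16 prefix, e.g. 10.0.0.0/16."
  }
}
```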
@@ -37,16 +37,8 @@ variable "create_cp_subnet" {
 default = true
 }
-variable "cp_subnet_cidr" {
- default = "10.1.0.0/29"
-}
-
-variable "cp_subnet_dns_label" {
- default = "cp"
-}
-
 variable "cp_subnet_name" {
- default = "cp-subnet"
+ default = "cp"
 }
 variable "cp_subnet_private" {
@@ -65,16 +57,8 @@ variable "create_worker_subnet" {
 default = true
 }
-variable "worker_subnet_cidr" {
- default = "10.1.8.0/21"
-}
-
-variable "worker_subnet_dns_label" {
- default = "worker"
-}
-
 variable "worker_subnet_name" {
- default = "worker-subnet"
+ default = "worker"
 }
 # POD SUBNET
@@ -84,40 +68,28 @@ variable "create_pod_subnet" {
 default = true
 }
-variable "pod_subnet_cidr" {
- default = "10.1.128.0/18"
-}
-
-variable "pod_subnet_dns_label" {
- default = "pod"
-}
-
 variable "pod_subnet_name" {
- default = "pod-subnet"
+ default = "pod"
 }
-# SERVICE SUBNET
+# LB SUBNETS
-variable "create_service_subnet" {
+variable "create_external_lb_subnet" {
 type = bool
- default = true
+ default = false
 }
-variable "service_subnet_cidr" {
- default = "10.1.0.32/27"
+variable "external_lb_subnet_name" {
+ default = "lb-ext"
 }
-variable "service_subnet_private" {
+variable "create_internal_lb_subnet" {
 type = bool
 default = true
 }
-variable "service_subnet_dns_label" {
- default = "service"
-}
-
-variable "service_subnet_name" {
- default = "service-subnet"
+variable "internal_lb_subnet_name" {
+ default = "lb-int"
 }
 # BASTION SUBNET
@@ -127,21 +99,13 @@ variable "create_bastion_subnet" {
 default = true
 }
-variable "bastion_subnet_cidr" {
- default = "10.1.0.8/29"
-}
-
 variable "bastion_subnet_private" {
 type = bool
 default = false
 }
-variable "bastion_subnet_dns_label" {
- default = "bastion"
-}
-
 variable "bastion_subnet_name" {
- default = "bastion-subnet"
+ default = "bastion"
 }
 # FSS SUBNET
@@ -151,16 +115,8 @@ variable "create_fss" {
 default = true
 }
-variable "fss_subnet_cidr" {
- default = "10.1.0.64/26"
-}
-
-variable "fss_subnet_dns_label" {
- default = "fss"
-}
-
 variable "fss_subnet_name" {
- default = "fss-subnet"
+ default = "fss"
 }
 variable "create_gateways" {
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
index cd12fb702..33c5ff456 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.tf
@@ -22,7 +22,7 @@ locals {
 module "oke" {
 source = "oracle-terraform-modules/oke/oci"
- version = "5.3.2"
+ version = "5.3.3"
 compartment_id = var.oke_compartment_id
 # IAM - Policies
 create_iam_autoscaler_policy = "never"
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip
index e548a54da..0abe8e103 100644
Binary files a/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip and b/app-dev/devops-and-containers/oke/oke-rm/oke/oke.zip differ
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
index 91532e10c..389c8440f 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.7.0"
+ version = "7.22.0"
 configuration_aliases = [oci.home]
 }
 }
diff --git a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
index 29c5fa692..7857d751e 100644
--- a/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
+++ b/app-dev/devops-and-containers/oke/oke-rm/oke/schema.yaml
@@ -105,7 +105,7 @@ variables:
 required: true
 lb_subnet_id:
- title: "Load Balancer Subnet"
+ title: "Default Load Balancer Subnet"
 description: "Existing Subnet where all Load Balancer services will be created by default"
 type: oci:core:subnet:id
 dependsOn: