diff --git a/.gitignore b/.gitignore index 809e1ff2..2c902c1b 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,6 @@ *.tfvars generated/** -scripts/tesseract.sh # visual code **/.vscode/* \ No newline at end of file diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc index 583e9b9f..bad7c414 100644 --- a/CHANGELOG.adoc +++ b/CHANGELOG.adoc @@ -7,6 +7,21 @@ All notable changes to this project are documented in this file. The format is based on {uri-changelog}[Keep a Changelog]. +== v2.0.0-beta.2 (November 21, 2019) +* Helm upgraded to version 3.0.0 #100 +* incubator and jetstack helm repos removed as they can now be searched from helm hub #100 +* tiller disabled and option to enable it is removed #100 +* Fixed bug for empty tuple in data.oci_core_images.oracle_images when use_autonomous=true #103 +* Set minimum version of Terraform to 0.12.16 + +== v2.0.0-beta.1 (November 14, 2019) +* Added admin host for operations instead of using the bastion server #91 +* Installed Python3, oci-cli #91 +* Switched from kubeconfig v1 to v2, generated by oci-cli instead of uploading #98 +* Switched all operations from bastion to admin host #91 +* Use compartment id instead of compartment name for policies #86 +* Updated available list of Kubernetes versions in Terraform options #90 + == v1.0.0 (September 27,2019) === Changes diff --git a/docs/configuration.adoc b/docs/configuration.adoc index 53b81137..69637ac2 100644 --- a/docs/configuration.adoc +++ b/docs/configuration.adoc @@ -17,8 +17,6 @@ :uri-contribute: {uri-rel-file-base}/CONTRIBUTING.adoc :uri-contributors: {uri-rel-file-base}/CONTRIBUTORS.adoc :uri-helm: https://helm.sh/ -:uri-helm-incubator: https://kubernetes-charts-incubator.storage.googleapis.com/ -:uri-helm-jetstack: https://charts.jetstack.io :uri-instructions: {uri-docs}/instructions.adoc :uri-license: {uri-rel-file-base}/LICENSE.txt :uri-kubernetes: https://kubernetes.io/ 
@@ -52,6 +50,7 @@ . link:#configure-oci-parameters[Configure OCI parameters] . link:#configure-oci-networking-parameters[Configure OCI Networking parameters] . link:#configure-bastion-host-parameters[Configure Bastion Host parameters] +. link:#configure-admin-host-parameters[Configure Admin Host parameters] . link:#configure-oke-parameters[Configure OKE parameters] . link:#configure-oke-load-balancer-parameters[Configure OKE Load Balancer parameters] . link:#configure-ocir-parameters[Configure OCIR parameters] @@ -143,9 +142,13 @@ If you need to change the default VCN's CIDR, note the following: === Configure bastion host parameters -The bastion host parameters concern whether you want to enable the bastion. 1 parameter to keep in mind here is the enable_instance_principal. Be aware that if this is enabled, it gives API access to the bastion host without authentication. +The bastion host parameters concern whether you want to enable the bastion. -Read {uri-instructions}#enabling-instance_principal-on-the-bastion-host[more] about {uri-oci-instance-principal}[instance_principal]. +=== Configure admin host parameters + +The admin host parameters concern whether you want to enable the bastion. 1 parameter to keep in mind here is the admin_instance_principal. Be aware that if this is enabled, it gives API access to the admin host without authentication. + +Read {uri-instructions}#enabling-instance_principal-on-the-admin-host[more] about {uri-oci-instance-principal}[instance_principal]. {uri-terraform-options}#bastion-host[Reference] 
@@ -197,10 +200,7 @@ kubectl --namespace=kube-system get secret ocirsecret --export -o yaml | kubectl === Configure helm parameters -The {uri-helm}[helm] parameters control the installation and the version of the helm client as well as optional helm repos to add and initialize on the bastion host. Additional helm repos include the following: - -. {uri-helm-incubator}[incubator] -. {uri-helm-jetstack}[jetstack] +The {uri-helm}[helm] parameters control the installation and the version of the helm client as well as optional helm repos to add and initialize on the bastion host. {uri-terraform-options}#helm[Reference] @@ -221,8 +221,9 @@ The Kubernetes Metrics Server parameter controls the installation of {uri-metric The KMS integration parameters control whether {uri-oci-kms}[OCI Key Management Service] will be used for encrypting Kubernetes secrets. Additionally, the bastion host must be enabled as well as instance_principal on the bastion. ---- -create_bastion = true -enable_instance_principal = true +bastion_enabled = true +admin_enabled = true +admin_instance_principal = true use_encryption = true existing_key_id = ---- diff --git a/docs/images/bastion.png b/docs/images/bastion.png index 19d97ddc..ac986fe7 100644 Binary files a/docs/images/bastion.png and b/docs/images/bastion.png differ diff --git a/docs/images/defaultmad.png b/docs/images/defaultmad.png index 89d9ed21..f8989149 100644 Binary files a/docs/images/defaultmad.png and b/docs/images/defaultmad.png differ diff --git a/docs/images/defaultsad.png b/docs/images/defaultsad.png index 1f1230d9..609e1809 100644 Binary files a/docs/images/defaultsad.png and b/docs/images/defaultsad.png differ diff --git a/docs/images/networking.png b/docs/images/networking.png index a28925ec..dcc7573a 100644 Binary files a/docs/images/networking.png and b/docs/images/networking.png differ 
diff --git a/docs/images/privatelbs.png b/docs/images/privatelbs.png index 4a33a0c1..4e1679f4 100644 Binary files a/docs/images/privatelbs.png and b/docs/images/privatelbs.png differ diff --git a/docs/images/public.png b/docs/images/public.png index fc07b882..f85f6442 100644 Binary files a/docs/images/public.png and b/docs/images/public.png differ diff --git a/docs/instructions.adoc b/docs/instructions.adoc index a54d6b40..0f12bd56 100644 --- a/docs/instructions.adoc +++ b/docs/instructions.adoc @@ -101,18 +101,15 @@ Use the parameter *cluster_name* to change the name of the cluster as per your n === Adding the bastion host -If you want to use bastion host, set the parameter *create_bastion* to *true* in terraform.tfvars. Refer to {uri-terraform-options}#bastion-host[Bastion Host] for other available bastion related parameters. +If you want to use bastion host, set the parameter *bastion_enabled* to *true* in terraform.tfvars. Refer to {uri-terraform-options}#bastion-host[Bastion Host] for other available bastion related parameters. -==== package_update and package_upgrade +==== bastion_package_upgrade -There are 2 additional parameters for the bastion: +There is 1 additional parameter for the bastion: -* bastion_package_update * bastion_package_upgrade -_bastion_package_update_ will update the apt database *if* you choose Ubuntu as the Linux distribution for the bastion host. - -_bastion_package_upgrade_ will upgrade the bastion compute instance on first boot. If you choose Ubuntu for bastion host and you set _bastion_package_upgrade_ to *true*, you should also set the _bastion_package_update_ to *true*. +_bastion_package_upgrade_ will upgrade the bastion compute instance on first boot. **** N.B. It is good and recommended practice to upgrade your bastion host to the latest packages to minimize the possibility of vulnerabilities. However, it will also take slightly longer before the bastion host is available. 
@@ -121,7 +118,7 @@ N.B. It is good and recommended practice to upgrade your bastion host to the lat === Using the bastion host **** -*Assumption: you have set the create_bastion parameter to true in terraform.tfvars* +*Assumption: you have set the bastion_enabled parameter to true in terraform.tfvars* **** Once the terraform apply is successful you will get the bastion_public_ip as output and also a ssh command .You can also run the below command to get the output: 
@@ -136,21 +133,51 @@ A utility script is also generated that contains the command to ssh to the basti scripts/tesseract.sh ---- -==== Enabling instance_principal on the bastion host +=== Adding the admin host + +The admin host is used to minimize local dependencies such as oci-cli, kubectl and so on. + +If you want to use the admin host, set the parameter *admin_enabled* to *true* in terraform.tfvars. Refer to {uri-terraform-options}#admin-host[Admin Host] for other available bastion related parameters. + +==== admin_package_upgrade + +There is 1 additional parameter for the admin: + +* admin_package_upgrade + +_admin_package_upgrade_ will upgrade the admin compute packages on first boot. + +**** +N.B. It is good and recommended practice to upgrade your package host to the latest packages to minimize the possibility of vulnerabilities. However, it will also take slightly longer before the package host is available. +**** + +=== Using the admin host + +**** +*Assumption: you have set the admin_enabled parameter to true in terraform.tfvars* +**** + +Once the terraform apply is successful you will get the admin_private_ip as output and also a ssh command .You can also run the below command to get the output: + +---- +terraform output +---- + +==== Enabling instance_principal on the admin host {uri-oci-instance-principal}[instance_principal] is an IAM service feature that enables instances to be authorized actors (or principals) to perform actions on service resources. Each compute instance has its own identity, and it authenticates using the certificates that are added to it. These certificates are automatically created, assigned to instances and rotated, preventing the need for you to distribute credentials to your hosts and rotate them. Any user who has access to the instance (who can SSH to the instance), automatically inherits the privileges granted to the instance. 
Before you enable this feature, ensure that you know who can access it, and that they should be authorized with the permissions you are granting to the instance. -By default, this feature is *_disabled_*. However, it is *_required_* at the time of cluster creation *_if_* you wish to enable link:#kms-integration[KMS Integration]. +By default, this feature is *_disabled_*. However, it is *_required_* at the time of cluster creation *_if_* you wish to enable link:#kms-integration[KMS Integration], calico, metricserver, helm or creating the OCIR secret. -When you enable this feature, by default, the bastion has privileges to all resources in the compartment. If you are enabling it for link:#kms-integration[KMS Integration], the bastion host will also have rights to create policies in the root tenancy. +When you enable this feature, by default, the admin host will have privileges to all resources in the compartment. If you are enabling it for link:#kms-integration[KMS Integration], the admin host will also have rights to create policies in the root tenancy. -You can also turn on and off the feature at any time without impact on the bastion or the cluster. +You can also turn on and off the feature at any time without impact on the admin or the cluster. -To enable, set enable_instance_principal to true: +To enable, set admin_instance_principal to true: ---- -enable_instance_principal = "true" +admin_instance_principal = "true" ---- and verify: @@ -159,13 +186,13 @@ and verify: oci network vcn list --compartment-id ---- -==== Disabling instance_principal on the bastion host +==== Disabling instance_principal on the admin host -. Set enable_instance_principal to false in terraform.tfvars +. Set admin_instance_principal to false in terraform.tfvars + ---- -enable_instance_principal = false +admin_instance_principal = false ---- . Run terraform apply again: 
@@ -177,8 +204,8 @@ terraform apply ==== Recommendations for using instance_principal -. Do not enable instance_principal if you are not using link:#kms-integration[KMS Integration] -. Enable instance_principal *_if and only if_* you are using link:#kms-integration[KMS Integration] +. Do not enable instance_principal if you are not using link:#kms-integration[KMS Integration] or calico +. Enable instance_principal *_if and only if_* you are using link:#kms-integration[KMS Integration], calico, metricserver, helm or creating the OCIR secret. . Disable instance_principal once the cluster is created === Interacting with the OKE Cluster locally diff --git a/docs/quickstart.adoc b/docs/quickstart.adoc index f8375311..1067df55 100644 --- a/docs/quickstart.adoc +++ b/docs/quickstart.adoc @@ -64,7 +64,7 @@ cp terraform.tfvars.example terraform.tfvars * ssh_public_key_path * vcn_dns_label * vcn_name -* create_bastion +* bastion_enabled * cluster_name * worker_mode diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc index 563f4566..7c69bed0 100644 --- a/docs/terraformoptions.adoc +++ b/docs/terraformoptions.adoc @@ -12,8 +12,6 @@ :uri-cert-manager: https://cert-manager.readthedocs.io/en/latest/ :uri-docs: {uri-rel-file-base}/docs :uri-helm: https://helm.sh/ -:uri-helm-incubator: https://kubernetes-charts-incubator.storage.googleapis.com/ -:uri-helm-jetstack: https://charts.jetstack.io :uri-kubernetes-hpa: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ :uri-metrics-server: https://github.com/kubernetes-incubator/metrics-server :uri-oci-images: https://docs.cloud.oracle.com/iaas/images/ 
@@ -21,6 +19,7 @@ :uri-oci-loadbalancer-annotations: https://github.com/oracle/oci-cloud-controller-manager/blob/master/docs/load-balancer-annotations.md :uri-oci-region: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm :uri-terraform-cidrsubnet: https://www.terraform.io/docs/configuration/functions/cidrsubnet.html +:uri-timezones: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones :uri-topology: {uri-docs}/topology.adoc Configuration Terraform Options: @@ -30,6 +29,7 @@ Configuration Terraform Options: . link:#general-oci[General OCI] . link:#oci-networking[OCI Networking] . link:#bastion-host[Bastion Host] +. link:#admin-host[Admin Host] . link:#oke[OKE] . link:#oke-load-balancers[OKE Load Balancers] . link:#ocir[OCIR] @@ -57,11 +57,6 @@ Configuration Terraform Options: | |None -|compartment_name -|Compartment name where the OKE Cluster will be provisioned. *Required* -| -|None - |compartment_id |Compartment id where the OKE Cluster will be provisioned. *Required* | 
@@ -131,86 +126,77 @@ Configuration Terraform Options: |Values |Default - -|vcn_name -|The name of the VCN that will be appended to the label_prefix. -| -|oke vcn - -|vcn_cidr -|The VCN's CIDR block. The CIDR block specified for the VCN must not overlap with the CIDR block specified for the Kubernetes services (specified with _services_cidr_ parameter). -| -|10.0.0.0/16 - -|vcn_dns_label -|The internal DNS domain for resources created and prepended to "oraclevcn.com" which is the VCN-internal domain name. -| -|oke - -|create_nat_gateway +|nat_gateway_enabled |Whether to create a NAT gateway. *Required* for private worker mode. |true/false |true -|nat_gateway_name -|The NAT gateway name. Appended to the label_prefix. -| -|nat - -|create_service_gateway -|Whether to create a Service Gateway to use Oracle Services. -|true/false -|true - -|service_gateway_name -|The Service gateway name. Appended to the label_prefix -| -|sg - -|newbits -|The difference between the VCN's netmask and the desired subnets' masks specified in the form of a map. The values of the map are used as the newbits parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function to calculate each subnet's mask. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). +|netnum +|0-based index of the subnets when the VCN's CIDR is masked with the corresponding newbit value and specified in the form of a map. Used to define the boundaries of the subnets. The values of the map are used as the netnum parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). |e.g. 
[source] ---- -newbits = { - "bastion" = 13 - "lb" = 11 - "workers" = 2 +netnum = { + admin = 33 + bastion = 32 + int_lb = 16 + pub_lb = 17 + workers = 1 } ---- | [source] ---- -newbits = { - "bastion" = 13 - "lb" = 11 - "workers" = 2 -} +netnum = { + bastion = 32 + admin = 33 + int_lb = 16 + pub_lb = 17 + workers = 1} ---- -|subnets -|0-based index of the subnets when the VCN's CIDR is masked with the corresponding newbit value and specified in the form of a map. Used to define the boundaries of the subnets. The values of the map are used as the netnum parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). +|newbits +|The difference between the VCN's netmask and the desired subnets' masks specified in the form of a map. The values of the map are used as the newbits parameter in the {uri-terraform-cidrsubnet}[cidrsubnet] Terraform function to calculate each subnet's mask. CIDR blocks for workers and load balancer subnets must not overlap with the CIDR blocks for Kubernetes pods (specified with _pods_cidr_ parameter). |e.g. [source] ---- -subnets = { - "bastion" = 32 - "int_lb" = 16 - "pub_lb" = 17 - "workers" = 1 +newbits = { + admin = 13 + bastion = 13 + lb = 11 + workers = 2 } ---- | [source] ---- -subnets = { - "bastion" = 32 - "int_lb" = 16 - "pub_lb" = 17 - "workers" = 1 +newbits = { + admin = 13 + bastion = 13 + lb = 11 + workers = 2 } ---- +|service_gateway_enabled +|Whether to create a Service Gateway to use Oracle Services. +|true/false +|true + +|vcn_cidr +|The VCN's CIDR block. The CIDR block specified for the VCN must not overlap with the CIDR block specified for the Kubernetes services (specified with _services_cidr_ parameter). +| +|10.0.0.0/16 + +|vcn_dns_label +|The internal DNS domain for resources created and prepended to "oraclevcn.com" which is the VCN-internal domain name. 
+| +|oke + +|vcn_name +|The name of the VCN that will be appended to the label_prefix. +| +|oke vcn |=== 
@@ -223,25 +209,137 @@ subnets = { |Values |Default -|create_bastion +|bastion_access +|CIDR block in the form of a string to which ssh access to the bastion must be restricted to. *_ANYWHERE_* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere. +|XXX.XXX.XXX.XXX/YY +|ANYWHERE + +|bastion_enabled |Whether to create the bastion host. |true/false |true +|bastion_image_id +|Custom image id for the bastion host +|image_id or NONE. If the value is set to NONE, an Oracle Platform image will be used instead. Set use_autonomous to _false_ if you want to use your own image. +|NONE + +|bastion_notification_enabled +|Whether to enable ONS notification for the bastion host. +|true/false +|true + +|bastion_notification_endpoint +|The subscription notification endpoint. Email address to be notified. Only email is currently supported although ONS can also support Slack, Pagerduty among others. *Required* +| +| + +|bastion_notification_protocol +|The notification protocol used. +|EMAIL +|EMAIL + +|bastion_notification_topic +|The name of the notification topic +| +|bastion + +|bastion_package_upgrade +|Whether to also upgrade the packages on the bastion host. +|true/false +|true + |bastion_shape |The shape of bastion instance. | |VM.Standard.E2.1 -|bastion_access -|CIDR block in the form of a string to which ssh access to the bastion must be restricted to. *_ANYWHERE_* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere. -|XXX.XXX.XXX.XXX/YY -|ANYWHERE +|bastion_timezone +|The preferred timezone for the bastion host. {uri-timezones}[List of timezones] +| +|Australia/Sydney + +|bastion_use_autonomous +|Whether to use Autonomous Linux or an Oracle Linux Platform image or custom image. Set to false if you want to use your own image id or Oracle Linux Platform image. 
+|true/false +|true + +|=== + +== Admin Host + +[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default + +|admin_enabled +|Whether to create the admin host. +|true/false +|true + +|admin_image_id +|Custom image id for the admin host +|image_id or NONE. If the value is set to NONE, an Oracle Platform image will be used instead. Set use_autonomous to _false_ if you want to use your own image. For now, *do not use Autonomous for the admin host.* +|NONE + +|admin_instance_principal +|Whether to enable instance_principal on the admin server. Refer to {uri-docs}/instructions.adoc/#enabling-instance_principal-on-the-admin-host[instance_principal] +|true/false +|true -|enable_instance_principal -|Whether to enable instance_principal on the bastion. Refer to {uri-docs}/instructions.adoc/#enabling-instance_principal-on-the-bastion-host[instance_principal] +|admin_notification_enabled +|Whether to enable ONS notification for the admin host. *Do not enable for now*. +|true/false +|false + +|admin_notification_endpoint +|The subscription notification endpoint. Email address to be notified. Only email is currently supported although ONS can also support Slack, Pagerduty among others. +| +| + +|admin_notification_protocol +|The notification protocol used. +|EMAIL +|EMAIL + +|admin_notification_topic +|The name of the notification topic +| +|admin + +|admin_package_upgrade +|Whether to also upgrade the packages for the admin host. +|true/false +|true + +|admin_shape +|The shape of admin instance. | +|VM.Standard.E2.1 + +|admin_timezone +|The preferred timezone for the admin host. {uri-timezones}[List of timezones] | +|Australia/Sydney + +|admin_use_autonomous +|Whether to use Autonomous Linux or an Oracle Linux Platform image or custom image. Set to false if you want to use your own image id or Oracle Linux Platform image. 
*Do not use autonomous for now* +|true/false +|false + +|=== + +== Availability Domain + +[stripes=odd,cols="1d,4d,3a,3a", options=header,width="100%"] +|=== +|Parameter +|Description +|Values +|Default |availability_domains |The Availability Domain where to provision non-OKE resources e.g. bastion host. This is specified in the form of a map. @@ -249,20 +347,17 @@ subnets = { [source] ---- availability_domains = { - "bastion" = 1 + bastion = 1 + admin = 1 } ---- | [source] ---- - "bastion" = 1 + bastion = 1 + admin = 1 ---- -|bastion_package_upgrade -|Whether to upgrade the instance on first boot. If you choose Ubuntu for the bastion and you set this to true, also set the package_update to true as well. -|true/false -|true - |=== == OKE @@ -274,16 +369,6 @@ availability_domains = { |Values |Default -|cluster_name -|The name of the OKE cluster. This will be appended to the label_prefix. -| -|oke - -|worker_mode -|Whether the worker nodes should be public or private. Private requires NAT gateway. -|private/public -|private - |allow_node_port_access |Whether to allow access to NodePort services when worker nodes are deployed in public mode. |true/false @@ -295,6 +380,11 @@ availability_domains = { |true/false |false +|cluster_name +|The name of the OKE cluster. This will be appended to the label_prefix. +| +|oke + |dashboard_enabled |Whether to create the default Kubernetes dashboard. |true/false @@ -302,7 +392,7 @@ availability_domains = { |kubernetes_version |The version of Kubernetes to provision. This is based on the available versions in OKE. By default, the available versions will be queries and the latest version selected. To provision a specific version, choose from available versions and override the 'LATEST' value. -|LATEST,v1.11.9, v1.12.7 +|LATEST, v1.12.7, 1.13.5 |LATEST |node_pools 
@@ -338,7 +428,7 @@ node_pools = { |node_pool_os_version |The corresponding version of the Operating System image to use to provision the worker nodes. | -|7.6 +|7.7 |pods_cidr |The CIDR for the Kubernetes POD network for flannel networking. CIDR blocks for pods must not overlap with the CIDR blocks for workers and load balancer subnets (calculated using vcn_cidr, newbits and subnets parameters). @@ -350,10 +440,11 @@ node_pools = { | |10.96.0.0/16 -|tiller_enabled -|Whether to install the server side of Helm in the OKE cluster. -|true/false -|true +|worker_mode +|Whether the worker nodes should be public or private. Private requires NAT gateway. +|private/public +|private + |=== @@ -413,7 +504,6 @@ Refer to {uri-topology}[topology] for more thorough examples. |username |The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if create_auth_token is set to true. - | |None @@ -428,20 +518,10 @@ Refer to {uri-topology}[topology] for more thorough examples. |Values |Default -|add_incubator_repo -|Whether to add the {uri-helm-incubator}[incubator] repo to the bastion's local helm repo. -|true/false -|false - -|add_jetstack_repo -|Whether to add the {uri-helm-jetstack}[jetstack] repo to the bastion's local helm repo. *Required* for {uri-cert-manager}[cert-manager]. -|true/false -|false - |helm_version -|The version of the {uri-helm}[helm] client to install on the bastion. A subsequent upgrade of tiller (server-side helm) will then be automatically performed. +|The version of the {uri-helm}[helm] client to install on the bastion. | -|2.14.3 +|3.0.0 |install_helm |Whether to install {uri-helm}[helm] on the bastion instance. diff --git a/docs/topology.adoc b/docs/topology.adoc index f7567022..43443bf8 100644 --- a/docs/topology.adoc +++ b/docs/topology.adoc 
@@ -117,7 +117,7 @@ image::images/bastion.png[align="center"] {bl} -The bastion host is created in a public regional subnet. You can create or destroy it anytime with no effect on the Kubernetes cluster by setting the *create_bastion* = true in your variable file. +The bastion host is created in a public regional subnet. You can create or destroy it anytime with no effect on the Kubernetes cluster by setting the *bastion_enabled* = true in your variable file. By default, the bastion host can be accessed from anywhere. However, you can restrict its access to a particular CIDR block using the *bastion_access* parameter. diff --git a/locals.tf b/locals.tf index c032b562..9271ff62 100644 --- a/locals.tf +++ b/locals.tf @@ -1,12 +1,11 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { oci_base_identity = { api_fingerprint = var.api_fingerprint api_private_key_path = var.api_private_key_path - compartment_name = var.compartment_name compartment_id = var.compartment_id tenancy_id = var.tenancy_id user_id = var.user_id 
@@ -18,31 +17,55 @@ locals { } oci_base_general = { - disable_auto_retries = var.disable_auto_retries label_prefix = var.label_prefix region = var.region + disable_auto_retries = var.disable_auto_retries } oci_base_vcn = { - vcn_cidr = var.vcn_cidr + nat_gateway_enabled = var.nat_gateway_enabled + service_gateway_enabled = var.service_gateway_enabled + vcn_cidr = var.vcn_cidr vcn_dns_label = var.vcn_dns_label - vcn_name = var.vcn_name - create_nat_gateway = var.create_nat_gateway - nat_gateway_name = var.nat_gateway_name - create_service_gateway = var.create_service_gateway - service_gateway_name = var.service_gateway_name + vcn_name = var.vcn_name } oci_base_bastion = { - newbits = var.newbits["bastion"] - subnets = var.subnets["bastion"] - bastion_shape = var.bastion_shape - create_bastion = var.create_bastion - bastion_access = var.bastion_access - enable_instance_principal = var.enable_instance_principal - image_id = var.image_id - availability_domains = var.availability_domains["bastion"] - package_upgrade = var.bastion_package_upgrade + availability_domains = var.availability_domains["bastion"] + bastion_access = var.bastion_access + bastion_enabled = var.bastion_enabled + bastion_image_id = var.bastion_image_id + bastion_shape = var.bastion_shape + bastion_upgrade = var.bastion_package_upgrade + netnum = var.netnum["bastion"] + newbits = var.newbits["bastion"] + notification_enabled = var.bastion_notification_enabled + notification_endpoint = var.bastion_notification_endpoint + notification_protocol = var.bastion_notification_protocol + notification_topic = var.bastion_notification_topic + ssh_private_key_path = var.ssh_private_key_path + ssh_public_key_path = var.ssh_public_key_path + timezone = var.bastion_timezone + use_autonomous = var.bastion_use_autonomous + } + + oci_base_admin = { + availability_domains = var.availability_domains["admin"] + admin_enabled = var.admin_enabled + admin_image_id = "NONE" + admin_shape = var.admin_shape + admin_upgrade = 
var.admin_package_upgrade + enable_instance_principal = var.admin_instance_principal + netnum = var.netnum["admin"] + newbits = var.newbits["admin"] + notification_enabled = var.admin_notification_enabled + notification_endpoint = var.admin_notification_endpoint + notification_protocol = var.admin_notification_protocol + notification_topic = var.admin_notification_topic + ssh_private_key_path = var.ssh_private_key_path + ssh_public_key_path = var.ssh_public_key_path + timezone = var.admin_timezone + use_autonomous = var.admin_use_autonomous } ocir = { @@ -63,10 +86,10 @@ locals { oke_network_vcn = { ig_route_id = module.base.ig_route_id - is_service_gateway_enabled = var.create_service_gateway + is_service_gateway_enabled = var.service_gateway_enabled nat_route_id = module.base.nat_route_id + netnum = var.netnum newbits = var.newbits - subnets = var.subnets vcn_cidr = var.vcn_cidr vcn_id = module.base.vcn_id } @@ -82,24 +105,24 @@ locals { user_id = var.user_id } - oke_bastion = { - bastion_public_ip = module.base.bastion_public_ip - create_bastion = var.create_bastion - enable_instance_principal = var.enable_instance_principal + oke_admin = { + bastion_public_ip = module.base.bastion_public_ip + admin_private_ip = module.base.admin_private_ip + bastion_enabled = var.bastion_enabled + admin_enabled = var.admin_enabled + admin_instance_principal = var.admin_instance_principal } oke_cluster = { cluster_kubernetes_version = var.kubernetes_version cluster_name = var.cluster_name cluster_options_add_ons_is_kubernetes_dashboard_enabled = var.dashboard_enabled - cluster_options_add_ons_is_tiller_enabled = var.tiller_enabled cluster_options_kubernetes_network_config_pods_cidr = var.pods_cidr cluster_options_kubernetes_network_config_services_cidr = var.services_cidr cluster_subnets = module.network.subnet_ids vcn_id = module.base.vcn_id use_encryption = var.use_encryption kms_key_id = var.existing_key_id - } node_pools = { 
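Review bot: `admin_image_id = "NONE"` in the new `oci_base_admin` map is a hardcoded literal, while the bastion map directly above passes `bastion_image_id = var.bastion_image_id` and the options table added in this same change documents an `admin_image_id` parameter, so any custom image an operator sets for the admin host is silently ignored. Unless leaving it unwired is deliberate for this beta, it should read `admin_image_id = var.admin_image_id` (assuming `variable "admin_image_id"` is declared in variables.tf, which is not in this diff); if it is deliberate, a comment such as `# custom admin images not supported yet; forced to NONE` would stop readers from trusting the docs. Note also that `ssh_private_key_path` is now fed into both the bastion and admin inputs, so the module consumes the operator's private key rather than just the public key; a one-line comment stating what it is used for (presumably provisioner connections — not visible here) would make that intent explicit. The enclosing `locals` block continues outside the hunk.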
@@ -125,8 +148,6 @@ locals { } helm = { - add_incubator_repo = var.add_incubator_repo - add_jetstack_repo = var.add_incubator_repo helm_version = var.helm_version install_helm = var.install_helm } diff --git a/main.tf b/main.tf index 8c4868b0..5e75cf49 100644 --- a/main.tf +++ b/main.tf @@ -1,8 +1,8 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl terraform { - required_version = ">= 0.12.8" + required_version = ">= 0.12.16" } module "base" { @@ -11,9 +11,6 @@ module "base" { # identity oci_base_identity = local.oci_base_identity - # ssh keys - oci_base_ssh_keys = local.oci_base_ssh_keys - # general oci parameters oci_base_general = local.oci_base_general @@ -22,6 +19,10 @@ module "base" { # bastion parameters oci_base_bastion = local.oci_base_bastion + + # admin server parameters + oci_base_admin = local.oci_base_admin + } module "policies" { @@ -34,14 +35,13 @@ module "policies" { label_prefix = var.label_prefix - bastion = local.oke_bastion + admin = local.oke_admin dynamic_group = module.base.group_name oke_kms = local.oke_kms cluster_id = module.oke.cluster_id - } module "auth" { @@ -85,7 +85,7 @@ module "oke" { oke_general = local.oke_general # bastion details - oke_bastion = local.oke_bastion + oke_admin = local.oke_admin # oke cluster parameters oke_cluster = local.oke_cluster diff --git a/modules/auth/authtoken.tf b/modules/auth/authtoken.tf index 44f43b57..4e477faa 100644 --- a/modules/auth/authtoken.tf +++ b/modules/auth/authtoken.tf 
@@ -1,8 +1,8 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl resource "oci_identity_auth_token" "ocirtoken" { - provider = "oci.home" + provider = oci.home description = "ocir auth token" user_id = var.ocir.user_id count = var.ocir.create_auth_token == true ? 1 : 0 diff --git a/modules/auth/outputs.tf b/modules/auth/outputs.tf index fbd44f06..6b01597a 100644 --- a/modules/auth/outputs.tf +++ b/modules/auth/outputs.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019 Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl output "ocirtoken" { value = var.ocir.create_auth_token == true ? element(oci_identity_auth_token.ocirtoken.*.token, 0) : "none" diff --git a/modules/auth/provider.tf b/modules/auth/provider.tf index cbd14b18..0df41649 100644 --- a/modules/auth/provider.tf +++ b/modules/auth/provider.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # create a home region provider for identity operations provider "oci" { diff --git a/modules/auth/variables.tf b/modules/auth/variables.tf index 327ff02f..2d7dad7f 100644 --- a/modules/auth/variables.tf +++ b/modules/auth/variables.tf 
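Review bot: `output "ocirtoken"` in modules/auth/outputs.tf returns an OCIR auth token in clear text without `sensitive = true`, so the token is echoed in every plan/apply log and by `terraform output`; this hunk only touches the license line, but marking the output is a one-line change, `sensitive = true` next to `value`. The token still lands in state either way, so state storage needs the same protection as the token itself. The output block continues outside the hunk.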
@@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl variable "ocir" { type = object({ diff --git a/modules/base/admin/cloudinit/admin.template.yaml b/modules/base/admin/cloudinit/admin.template.yaml new file mode 100644 index 00000000..d6057315 --- /dev/null +++ b/modules/base/admin/cloudinit/admin.template.yaml @@ -0,0 +1,20 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +#cloud-config +package_upgrade: ${admin_upgrade} +packages: + - python3 +timezone: ${timezone} +write_files: +# setup script + - path: "/root/admin/admin.sh" + permissions: "0700" + encoding: "gzip+base64" + content: | + ${admin_sh_content} +runcmd: + - echo "Configuring admin..." | tee /root/admin/admin.txt + - bash /root/admin/admin.sh + - echo "export OCI_CLI_AUTH=instance_principal" >> /home/opc/.bashrc + - touch /home/opc/admin.finish \ No newline at end of file diff --git a/modules/base/admin/compute.tf b/modules/base/admin/compute.tf new file mode 100644 index 00000000..a3d245a9 --- /dev/null +++ b/modules/base/admin/compute.tf 
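Review bot: The `runcmd` step `echo "export OCI_CLI_AUTH=instance_principal" >> /home/opc/.bashrc` in admin.template.yaml is unconditional, while the dynamic group and policy in modules/base/admin/instance_principal.tf are only created when `enable_instance_principal` is true; on an admin host deployed with it disabled, every `oci` invocation will presumably fail authentication until the operator edits `.bashrc`. Consider passing the flag through the template vars and guarding that line, or at least stating the expectation in a comment above `runcmd`, e.g. `# OCI_CLI_AUTH=instance_principal assumes admin_instance_principal is enabled`.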
@@ -0,0 +1,40 @@
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+resource "oci_core_instance" "admin" {
+ availability_domain = element(var.oci_admin_network.ad_names, (var.oci_admin_network.availability_domains - 1))
+ compartment_id = var.oci_admin_identity.compartment_id
+
+ create_vnic_details {
+ assign_public_ip = false
+ subnet_id = oci_core_subnet.admin[0].id
+ display_name = "${var.oci_admin_general.label_prefix}-admin-vnic"
+ hostname_label = "admin"
+ }
+
+ display_name = "${var.oci_admin_general.label_prefix}-admin"
+
+ extended_metadata = {
+ ssh_authorized_keys = file(var.oci_admin.ssh_public_key_path)
+ user_data = data.template_cloudinit_config.admin[0].rendered
+ subnet_id = oci_core_subnet.admin[0].id
+ }
+
+ # prevent the bastion from destroying and recreating itself if the image ocid changes
+ lifecycle {
+ ignore_changes = [source_details[0].source_id]
+ }
+
+ shape = var.oci_admin.admin_shape
+
+ source_details {
+ source_type = "image"
+ source_id = var.oci_admin.admin_image_id == "NONE" ? data.oci_core_images.admin_images.images.0.id : var.oci_admin.image_id
+ }
+
+ timeouts {
+ create = "60m"
+ }
+
+ count = var.oci_admin.admin_enabled == true ? 1 : 0
+}
diff --git a/modules/base/admin/datasources.tf b/modules/base/admin/datasources.tf
new file mode 100644
index 00000000..f3576533
--- /dev/null
+++ b/modules/base/admin/datasources.tf
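Review bot: `source_id` in `source_details` falls back to `var.oci_admin.image_id`, but the `oci_admin` object declared in modules/base/admin/variables.tf only has `admin_image_id`, so Terraform will reject the attribute reference whenever `admin_enabled` is true; the intended line is `source_id = var.oci_admin.admin_image_id == "NONE" ? data.oci_core_images.admin_images.images.0.id : var.oci_admin.admin_image_id`. The lifecycle comment was copied from the bastion module and should read `# prevent the admin host from destroying and recreating itself if the image ocid changes`. `assign_public_ip = false` together with the NAT route on the admin subnet is the right shape for an operations host that only needs to be reached through the bastion.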
@@ -0,0 +1,60 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +data "oci_core_images" "admin_images" { + compartment_id = var.oci_admin_identity.compartment_id + operating_system = "Oracle Linux" + operating_system_version = "7.7" + shape = var.oci_admin.admin_shape + sort_by = "TIMECREATED" +} + +data "template_file" "admin_template" { + template = file("${path.module}/scripts/admin.template.sh") + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} + + +data "template_file" "admin_cloud_init_file" { + template = file("${path.module}/cloudinit/admin.template.yaml") + + vars = { + admin_sh_content = base64gzip(data.template_file.admin_template[0].rendered) + admin_upgrade = var.oci_admin.admin_upgrade + timezone = var.oci_admin.timezone + } + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} + +# cloud init for admin +data "template_cloudinit_config" "admin" { + gzip = true + base64_encode = true + + part { + filename = "admin.yaml" + content_type = "text/cloud-config" + content = data.template_file.admin_cloud_init_file[0].rendered + } + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} + +# Gets a list of VNIC attachments on the admin instance +data "oci_core_vnic_attachments" "admin_vnics_attachments" { + availability_domain = element(var.oci_admin_network.ad_names, (var.oci_admin_network.availability_domains - 1)) + compartment_id = var.oci_admin_identity.compartment_id + instance_id = oci_core_instance.admin[0].id + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} + +# Gets the OCID of the first (default) VNIC on the admin instance +data "oci_core_vnic" "admin_vnic" { + vnic_id = lookup(data.oci_core_vnic_attachments.admin_vnics_attachments[0].vnic_attachments[0], "vnic_id") + count = var.oci_admin.admin_enabled == true ? 
1 : 0 +} + +data "oci_core_instance" "admin" { + #Required + instance_id = oci_core_instance.admin[0].id + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} diff --git a/modules/base/admin/instance_principal.tf b/modules/base/admin/instance_principal.tf new file mode 100644 index 00000000..b1924370 --- /dev/null +++ b/modules/base/admin/instance_principal.tf 
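Review bot: `data "oci_core_images" "admin_images"` has no `count` guard, unlike every other block in modules/base/admin/datasources.tf, so it queries the image catalog even when `admin_enabled` is false; gating it with `count = var.oci_admin.admin_enabled == true ? 1 : 0` means the reference in compute.tf must become `data.oci_core_images.admin_images[0].images.0.id`. The `admin_vnics_attachments`, `admin_vnic` and `oci_core_instance.admin` data sources also lack the `depends_on = [oci_core_instance.admin]` that this same commit adds to their bastion counterparts; the indexed reference probably orders them already, but matching the bastion module keeps the two modules consistent.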
@@ -0,0 +1,41 @@
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+# create a home region provider for identity operations
+provider "oci" {
+ alias = "home"
+ fingerprint = var.oci_admin_identity.api_fingerprint
+ private_key_path = var.oci_admin_identity.api_private_key_path
+ region = var.oci_admin_general.home_region
+ tenancy_ocid = var.oci_admin_identity.tenancy_id
+ user_ocid = var.oci_admin_identity.user_id
+}
+
+data "oci_identity_compartments" "compartments_id" {
+ access_level = "ACCESSIBLE"
+ compartment_id = var.oci_admin_identity.tenancy_id
+ compartment_id_in_subtree = "true"
+
+ filter {
+ name = "id"
+ values = [var.oci_admin_identity.compartment_id]
+ }
+}
+
+resource "oci_identity_dynamic_group" "admin_instance_principal" {
+ provider = oci.home
+ compartment_id = var.oci_admin_identity.tenancy_id
+ description = "dynamic group to allow instances to call services for 1 admin"
+ matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.admin.*.id)}'}"
+ name = "${var.oci_admin_general.label_prefix}-admin_instance_principal"
+ count = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0
+}
+
+resource "oci_identity_policy" "admin_instance_principal" {
+ provider = oci.home
+ compartment_id = var.oci_admin_identity.compartment_id
+ description = "policy to allow admin host to call services"
+ name = "${var.oci_admin_general.label_prefix}-admin_instance_principal"
+ statements = ["Allow dynamic-group ${oci_identity_dynamic_group.admin_instance_principal[0].name} to manage all-resources in compartment id ${data.oci_identity_compartments.compartments_id.compartments.0.id}"]
+ count = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? 1 : 0
+}
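Review bot: The `oci_identity_policy` statement grants the admin host's dynamic group `manage all-resources` in the compartment, which is far broader than an operations host running oci-cli for cluster work needs, and it is exactly the unauthenticated API access that docs/configuration.adoc warns about for `admin_instance_principal`. Prefer a least-privilege statement scoped to the resource families the host actually touches (for example `manage cluster-family`, plus the read access the oci-cli kubeconfig step needs), and record that scope in the `description` rather than "call services". The `matching_rule` binding to a single `instance.id` is the right granularity; note in a comment that it is the instance OCID, so a replaced instance drops out of the group until Terraform is re-applied.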
diff --git a/modules/base/admin/locals.tf b/modules/base/admin/locals.tf new file mode 100644 index 00000000..72fc41cc --- /dev/null +++ b/modules/base/admin/locals.tf @@ -0,0 +1,12 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +# Protocols are specified as protocol numbers. +# https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml + +locals { + all_protocols = "all" + anywhere = "0.0.0.0/0" + ssh_port = 22 + tcp_protocol = 6 +} diff --git a/modules/base/admin/outputs.tf b/modules/base/admin/outputs.tf new file mode 100644 index 00000000..d9a002e0 --- /dev/null +++ b/modules/base/admin/outputs.tf @@ -0,0 +1,10 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +output "admin_private_ip" { + value = join(",", data.oci_core_vnic.admin_vnic.*.private_ip_address) +} + +output "admin_instance_principal_group_name" { + value = var.oci_admin.admin_enabled == true && var.oci_admin.enable_instance_principal == true ? oci_identity_dynamic_group.admin_instance_principal[0].name : null +} diff --git a/modules/base/bastion/scripts/bastion.template.sh b/modules/base/admin/scripts/admin.template.sh similarity index 82% rename from modules/base/bastion/scripts/bastion.template.sh rename to modules/base/admin/scripts/admin.template.sh index 68e70048..381dec14 100644 --- a/modules/base/bastion/scripts/bastion.template.sh +++ b/modules/base/admin/scripts/admin.template.sh 
@@ -1,10 +1,12 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl yum update --security sed -i -e "s/autoinstall\s=\sno/# autoinstall = yes/g" /etc/uptrack/uptrack.conf uptrack-upgrade + +pip3 install oci-cli \ No newline at end of file diff --git a/modules/base/admin/security.tf b/modules/base/admin/security.tf new file mode 100644 index 00000000..590809fe --- /dev/null +++ b/modules/base/admin/security.tf @@ -0,0 +1,26 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +resource "oci_core_security_list" "admin" { + compartment_id = var.oci_admin_identity.compartment_id + display_name = "${var.oci_admin_general.label_prefix}-admin" + vcn_id = var.oci_admin_network.vcn_id + + egress_security_rules { + protocol = local.all_protocols + destination = local.anywhere + } + + ingress_security_rules { + # allow ssh + protocol = local.tcp_protocol + + source = var.oci_admin_network.vcn_cidr + + tcp_options { + min = local.ssh_port + max = local.ssh_port + } + } + count = var.oci_admin.admin_enabled == true ? 1 : 0 +} diff --git a/modules/base/admin/subnets.tf b/modules/base/admin/subnets.tf new file mode 100644 index 00000000..ac147d69 --- /dev/null +++ b/modules/base/admin/subnets.tf 
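Review bot: The `sed` expression in admin.template.sh replaces `autoinstall = no` with `# autoinstall = yes`, which comments the setting out rather than enabling it, so Ksplice autoinstall stays off on the admin host; the new oracle.template.sh in this same commit writes `autoinstall = yes`, which is presumably the intended form here too: `sed -i -e "s/autoinstall\s=\sno/autoinstall = yes/g" /etc/uptrack/uptrack.conf`. `pip3 install oci-cli` pulls an unpinned package from PyPI as root at first boot; pinning a version (`pip3 install oci-cli==<VERSION>`) makes the host reproducible and limits exposure to a broken or compromised release. The script is rendered into the instance via cloud-init and runs with `0700` permissions, so it is the only place to apply that pin.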
@@ -0,0 +1,15 @@
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+resource "oci_core_subnet" "admin" {
+ compartment_id = var.oci_admin_identity.compartment_id
+ cidr_block = cidrsubnet(var.oci_admin_network.vcn_cidr, var.oci_admin_network.newbits, var.oci_admin_network.netnum)
+ display_name = "${var.oci_admin_general.label_prefix}-admin"
+ dns_label = "admin"
+ prohibit_public_ip_on_vnic = true
+ route_table_id = var.oci_admin_network.nat_route_id
+ security_list_ids = [oci_core_security_list.admin[0].id]
+ vcn_id = var.oci_admin_network.vcn_id
+
+ count = var.oci_admin.admin_enabled == true ? 1 : 0
+}
diff --git a/modules/base/admin/variables.tf b/modules/base/admin/variables.tf
new file mode 100644
index 00000000..dc67eb09 100644
--- /dev/null
+++ b/modules/base/admin/variables.tf
@@ -0,0 +1,57 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +# general + +variable "oci_admin_identity" { + type = object({ + api_fingerprint = string + api_private_key_path = string + compartment_id = string + tenancy_id = string + user_id = string + }) +} + +variable "oci_admin_general" { + type = object({ + home_region = string + label_prefix = string + region = string + }) +} + +# admin + +variable "oci_admin_network" { + type = object({ + ad_names = list(string) + availability_domains = number + nat_route_id = string + netnum = number + newbits = number + vcn_cidr = string + vcn_id = string + }) +} + +variable "oci_admin" { + type = object({ + admin_enabled = bool + admin_image_id = string + admin_shape = string + admin_upgrade = bool + enable_instance_principal = bool + ssh_public_key_path = string + timezone = string + }) +} + +variable "oci_admin_notification" { + type = object({ + notification_enabled = bool + notification_endpoint = string + notification_protocol = string + notification_topic = string + }) +} diff --git a/modules/base/bastion/cloudinit/autonomous.template.yaml b/modules/base/bastion/cloudinit/autonomous.template.yaml new file mode 100644 index 00000000..8a8150a0 --- /dev/null +++ b/modules/base/bastion/cloudinit/autonomous.template.yaml 
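Review bot: `variable "oci_admin_notification"` is declared here, but as far as the admin module files in this commit show, nothing reads it (the notification topic, subscription and policy live only in modules/base/bastion/ons.tf), so it looks like a leftover from copying the bastion module; either drop it or add `# reserved: admin host notification wiring is not implemented yet` above it. None of the variables carry a `description`; at least `enable_instance_principal` deserves one such as `# grants the admin host API access via a dynamic group, without user credentials`, mirroring the warning in docs/configuration.adoc.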
@@ -0,0 +1,17 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ + +#cloud-config +timezone: ${timezone} + +write_files: +# setup script + - path: "/root/bastion/notification.sh" + permissions: "0700" + encoding: "gzip+base64" + content: | + ${notification_sh_content} +runcmd: + - echo "Configuring running notification script..." + - bash /root/bastion/notification.sh + - touch /home/opc/bastion.finish \ No newline at end of file diff --git a/modules/base/bastion/cloudinit/bastion.template.yaml b/modules/base/bastion/cloudinit/oracle.template.yaml similarity index 65% rename from modules/base/bastion/cloudinit/bastion.template.yaml rename to modules/base/bastion/cloudinit/oracle.template.yaml index 0ea5624f..d86377ae 100644 --- a/modules/base/bastion/cloudinit/bastion.template.yaml +++ b/modules/base/bastion/cloudinit/oracle.template.yaml @@ -1,13 +1,9 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl #cloud-config -package_upgrade: ${package_upgrade} -packages: - - ntp - - python-pip -timezone: Australia/Sydney - +package_upgrade: ${bastion_package_upgrade} +timezone: ${timezone} write_files: # setup script - path: "/root/bastion/bastion.sh" @@ -18,6 +14,4 @@ write_files: runcmd: - echo "Configuring bastion..." | tee /root/bastion/bastion.txt - bash /root/bastion/bastion.sh - - pip install oci-cli --upgrade pip - - echo "export OCI_CLI_AUTH=instance_principal" >> /home/opc/.bashrc - touch /home/opc/bastion.finish \ No newline at end of file diff --git a/modules/base/bastion/compute.tf b/modules/base/bastion/compute.tf index 522b730e..1d4c7a1f 100644 
--- a/modules/base/bastion/compute.tf +++ b/modules/base/bastion/compute.tf 
@@ -1,40 +1,40 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ resource "oci_core_instance" "bastion" { - availability_domain = element(var.oci_bastion_infra.ad_names, (var.oci_bastion_infra.availability_domains - 1)) + availability_domain = element(var.oci_bastion_network.ad_names, (var.oci_bastion_network.availability_domains - 1)) compartment_id = var.oci_base_identity.compartment_id create_vnic_details { - subnet_id = oci_core_subnet.bastion[0].id - display_name = "${var.oci_bastion_general.label_prefix}-bastion-vnic" - hostname_label = "bastion" + assign_public_ip = true + subnet_id = oci_core_subnet.bastion[0].id + display_name = "${var.oci_bastion_general.label_prefix}-bastion-vnic" + hostname_label = "bastion" } display_name = "${var.oci_bastion_general.label_prefix}-bastion" extended_metadata = { - ssh_authorized_keys = file(var.oci_base_ssh_keys.ssh_public_key_path) - user_data = data.template_cloudinit_config.bastion[0].rendered + ssh_authorized_keys = file(var.oci_bastion.ssh_public_key_path) subnet_id = oci_core_subnet.bastion[0].id + user_data = data.template_cloudinit_config.bastion[0].rendered + } + + # prevent the bastion from destroying and recreating itself if the image ocid changes + lifecycle { + ignore_changes = [source_details[0].source_id] } shape = var.oci_bastion.bastion_shape source_details { source_type = "image" - source_id = var.oci_bastion.image_id == "NONE" ? data.oci_core_images.bastion_images.images.0.id : var.oci_bastion.image_id + source_id = local.bastion_image_id } timeouts { create = "60m" } - count = var.oci_bastion.create_bastion == true ? 
1 : 0 -} - -resource "local_file" "tesseract" { - content = data.template_file.tesseract_template[0].rendered - filename = "${path.root}/scripts/tesseract.sh" - count = var.oci_bastion.create_bastion == true ? 1 : 0 + count = var.oci_bastion.bastion_enabled == true ? 1 : 0 } diff --git a/modules/base/bastion/datasources.tf b/modules/base/bastion/datasources.tf index fb90069b..becb78ba 100644 --- a/modules/base/bastion/datasources.tf +++ b/modules/base/bastion/datasources.tf 
@@ -1,28 +1,70 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ -data "oci_core_images" "bastion_images" { +data "oci_core_app_catalog_listings" "autonomous_linux" { + display_name = "Oracle Autonomous Linux" + count = var.oci_bastion.use_autonomous == true ? 1 : 0 +} + +data "oci_core_app_catalog_listing_resource_versions" "autonomous_linux" { + #Required + listing_id = lookup(data.oci_core_app_catalog_listings.autonomous_linux[0].app_catalog_listings[0], "listing_id") + count = var.oci_bastion.use_autonomous == true ? 1 : 0 +} + +# Gets the Autonomous Linux image id +data "oci_core_app_catalog_subscriptions" "autonomous_linux" { + #Required + compartment_id = var.oci_base_identity.compartment_id + + #Optional + listing_id = lookup(data.oci_core_app_catalog_listing_resource_versions.autonomous_linux[0].app_catalog_listing_resource_versions[0], "listing_id") + count = var.oci_bastion.use_autonomous == true ? 1 : 0 +} + +data "template_file" "autonomous_template" { + template = file("${path.module}/scripts/notification.template.sh") + + vars = { + notification_enabled = var.oci_bastion_notification.notification_enabled + topic_id = var.oci_bastion_notification.notification_enabled == true ? oci_ons_notification_topic.bastion_notification[0].topic_id : "null" + } + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion.use_autonomous == true ? 1 : 0 +} + +data "template_file" "autonomous_cloud_init_file" { + template = file("${path.module}/cloudinit/autonomous.template.yaml") + + vars = { + notification_sh_content = base64gzip(data.template_file.autonomous_template[0].rendered) + timezone = var.oci_bastion.timezone + } + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion.use_autonomous == true ? 
1 : 0 +} + +data "oci_core_images" "oracle_images" { compartment_id = var.oci_base_identity.compartment_id operating_system = "Oracle Linux" operating_system_version = "7.7" shape = var.oci_bastion.bastion_shape sort_by = "TIMECREATED" + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion.use_autonomous == false ? 1 : 0 } -data "template_file" "bastion_template" { - template = file("${path.module}/scripts/bastion.template.sh") - - count = var.oci_bastion.create_bastion == true ? 1 : 0 +data "template_file" "oracle_template" { + template = file("${path.module}/scripts/oracle.template.sh") + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion.use_autonomous == false ? 1 : 0 } -data "template_file" "bastion_cloud_init_file" { - template = file("${path.module}/cloudinit/bastion.template.yaml") +data "template_file" "oracle_cloud_init_file" { + template = file("${path.module}/cloudinit/oracle.template.yaml") vars = { - bastion_sh_content = base64gzip(data.template_file.bastion_template[0].rendered) - package_upgrade = var.oci_bastion.package_upgrade + bastion_sh_content = base64gzip(data.template_file.oracle_template[0].rendered) + bastion_package_upgrade = var.oci_bastion.bastion_upgrade + timezone = var.oci_bastion.timezone } - count = var.oci_bastion.create_bastion == true ? 1 : 0 + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion.use_autonomous == false ? 1 : 0 } # cloud init for bastion 
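Review bot: `data "oci_core_app_catalog_listings" "autonomous_linux"` selects the bastion boot image by `display_name = "Oracle Autonomous Linux"` and takes element `[0]` of the result, so the image is chosen by a human-readable name with no publisher constraint and no defined ordering among multiple matches. Adding a `publisher_name = "<PUBLISHER>"` filter and a comment above the block stating that the first listing is taken would make the selection deliberate and reviewable. This `@@ -1,28 +1,70 @@` hunk ends at the `# cloud init for bastion` comment; the `template_cloudinit_config` block it introduces continues in the next hunk.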
@@ -33,37 +75,29 @@ data "template_cloudinit_config" "bastion" { part { filename = "bastion.yaml" content_type = "text/cloud-config" - content = data.template_file.bastion_cloud_init_file[0].rendered + content = var.oci_bastion.use_autonomous == true ? data.template_file.autonomous_cloud_init_file[0].rendered : data.template_file.oracle_cloud_init_file[0].rendered } - count = var.oci_bastion.create_bastion == true ? 1 : 0 -} - -data "template_file" "tesseract_template" { - template = file("${path.module}/scripts/tesseract.template.sh") - - vars = { - bastion_ip = join(",", data.oci_core_vnic.bastion_vnic.*.public_ip_address) - private_key_path = var.oci_base_ssh_keys.ssh_private_key_path - } - count = var.oci_bastion.create_bastion == true ? 1 : 0 + count = var.oci_bastion.bastion_enabled == true ? 1 : 0 } # Gets a list of VNIC attachments on the bastion instance data "oci_core_vnic_attachments" "bastion_vnics_attachments" { - availability_domain = element(var.oci_bastion_infra.ad_names, (var.oci_bastion_infra.availability_domains - 1)) + availability_domain = element(var.oci_bastion_network.ad_names, (var.oci_bastion_network.availability_domains - 1)) compartment_id = var.oci_base_identity.compartment_id instance_id = oci_core_instance.bastion[0].id - count = var.oci_bastion.create_bastion == true ? 1 : 0 + depends_on = [oci_core_instance.bastion] + count = var.oci_bastion.bastion_enabled == true ? 1 : 0 } # Gets the OCID of the first (default) VNIC on the bastion instance data "oci_core_vnic" "bastion_vnic" { - vnic_id = lookup(data.oci_core_vnic_attachments.bastion_vnics_attachments[0].vnic_attachments[0], "vnic_id") - count = var.oci_bastion.create_bastion == true ? 1 : 0 + vnic_id = lookup(data.oci_core_vnic_attachments.bastion_vnics_attachments[0].vnic_attachments[0], "vnic_id") + depends_on = [oci_core_instance.bastion] + count = var.oci_bastion.bastion_enabled == true ? 
1 : 0 } data "oci_core_instance" "bastion" { - #Required instance_id = oci_core_instance.bastion[0].id - count = var.oci_bastion.create_bastion == true ? 1 : 0 -} \ No newline at end of file + depends_on = [oci_core_instance.bastion] + count = var.oci_bastion.bastion_enabled == true ? 1 : 0 +} diff --git a/modules/base/bastion/iam.tf b/modules/base/bastion/iam.tf deleted file mode 100644 index 021fb78d..00000000 --- a/modules/base/bastion/iam.tf +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl - -# create a home region provider for identity operations -provider "oci" { - alias = "home" - fingerprint = var.oci_base_identity.api_fingerprint - private_key_path = var.oci_base_identity.api_private_key_path - region = var.oci_bastion_general.home_region - tenancy_ocid = var.oci_base_identity.tenancy_id - user_ocid = var.oci_base_identity.user_id -} - -data "oci_identity_compartments" "compartments_name" { - access_level = "ACCESSIBLE" - compartment_id = var.oci_base_identity.tenancy_id - compartment_id_in_subtree = "true" - - filter { - name = "name" - values = [var.oci_base_identity.compartment_name] - } -} - -resource "oci_identity_dynamic_group" "bastion_instance_principal" { - provider = "oci.home" - compartment_id = var.oci_base_identity.tenancy_id - description = "dynamic group to allow instances to call services for 1 bastion" - matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.bastion.*.id)}'}" - name = "${var.oci_bastion_general.label_prefix}-bastion_instance_principal" - count = var.oci_bastion.enable_instance_principal == true ? 1 : 0 -} - -resource "oci_identity_policy" "bastion_instance_principal" { - provider = "oci.home" - compartment_id = var.oci_base_identity.compartment_id - description = "policy to allow bastion host to call services" - name = "${var.oci_bastion_general.label_prefix}-bastion_instance_principal" - statements = ["Allow dynamic-group ${oci_identity_dynamic_group.bastion_instance_principal[0].name} to manage all-resources in compartment ${data.oci_identity_compartments.compartments_name.compartments.0.name}"] - count = var.oci_bastion.enable_instance_principal == true ? 1 : 0 -} diff --git a/modules/base/bastion/locals.tf b/modules/base/bastion/locals.tf index e8d360b4..6484e45d 100644 
--- a/modules/base/bastion/locals.tf +++ b/modules/base/bastion/locals.tf @@ -1,12 +1,15 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ # Protocols are specified as protocol numbers. -# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml +# https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml locals { - all_protocols = "all" - anywhere = "0.0.0.0/0" - ssh_port = 22 - tcp_protocol = 6 + all_protocols = "all" + anywhere = "0.0.0.0/0" + ssh_port = 22 + tcp_protocol = 6 + autonomous_image_id = var.oci_bastion.use_autonomous == true ? lookup(data.oci_core_app_catalog_subscriptions.autonomous_linux[0].app_catalog_subscriptions[0], "listing_resource_id") : null + oracle_image_id = var.oci_bastion.use_autonomous == false ? data.oci_core_images.oracle_images[0].images.0.id : null + bastion_image_id = var.oci_bastion.use_autonomous == true ? local.autonomous_image_id : (var.oci_bastion.bastion_image_id == "NONE" ? local.oracle_image_id : var.oci_bastion.bastion_image_id) } diff --git a/modules/base/bastion/ons.tf b/modules/base/bastion/ons.tf new file mode 100644 index 00000000..b79aac9a --- /dev/null +++ b/modules/base/bastion/ons.tf 
@@ -0,0 +1,58 @@ +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ + +provider "oci" { + alias = "home" + fingerprint = var.oci_base_identity.api_fingerprint + private_key_path = var.oci_base_identity.api_private_key_path + region = var.oci_bastion_general.home_region + tenancy_ocid = var.oci_base_identity.tenancy_id + user_ocid = var.oci_base_identity.user_id +} + +data "oci_identity_compartments" "compartments_id" { + access_level = "ACCESSIBLE" + compartment_id = var.oci_base_identity.tenancy_id + compartment_id_in_subtree = "true" + + filter { + name = "id" + values = [var.oci_base_identity.compartment_id] + } +} + +resource "oci_ons_notification_topic" "bastion_notification" { + #Required + compartment_id = var.oci_base_identity.compartment_id + name = "${var.oci_bastion_general.label_prefix}-${var.oci_bastion_notification.notification_topic}" + count = var.oci_bastion_notification.notification_enabled == true ? 1 : 0 +} + +resource "oci_ons_subscription" "bastion_notification" { + #Required + compartment_id = var.oci_base_identity.compartment_id + endpoint = var.oci_bastion_notification.notification_endpoint + protocol = var.oci_bastion_notification.notification_protocol + topic_id = oci_ons_notification_topic.bastion_notification[0].topic_id + count = var.oci_bastion_notification.notification_enabled == true ? 
1 : 0 +} + +resource "oci_identity_dynamic_group" "bastion_notification" { + provider = oci.home + compartment_id = var.oci_base_identity.tenancy_id + description = "dynamic group to allow bastion to send notifications" + matching_rule = "ALL {instance.id = '${join(",", data.oci_core_instance.bastion.*.id)}'}" + name = "${var.oci_bastion_general.label_prefix}-bastion-notification" + depends_on = [oci_core_instance.bastion] + count = var.oci_bastion_notification.notification_enabled == true && var.oci_bastion.bastion_enabled == true ? 1 : 0 +} + +resource "oci_identity_policy" "bastion_notification" { + provider = oci.home + compartment_id = var.oci_base_identity.compartment_id + description = "policy to allow bastion host to publish messages" + name = "${var.oci_bastion_general.label_prefix}-bastion-notification" + statements = ["Allow dynamic-group ${oci_identity_dynamic_group.bastion_notification[0].name} to use ons-topic in compartment id ${data.oci_identity_compartments.compartments_id.compartments.0.id} where request.permission='ONS_TOPIC_PUBLISH'"] + depends_on = [oci_core_instance.bastion] + count = var.oci_bastion.bastion_enabled == true && var.oci_bastion_notification.notification_enabled == true ? 1 : 0 +} diff --git a/modules/base/bastion/outputs.tf b/modules/base/bastion/outputs.tf index d38e5c35..14fd34a8 100644 --- a/modules/base/bastion/outputs.tf +++ b/modules/base/bastion/outputs.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl output "bastion_public_ip" { value = join(",", data.oci_core_vnic.bastion_vnic.*.public_ip_address) 
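Review bot: `oci_ons_notification_topic` and `oci_ons_subscription` in ons.tf are gated only on `notification_enabled`, whereas the `bastion_notification` dynamic group and policy in the same file also require `bastion_enabled`, so with the bastion disabled a topic and subscription are still created that nothing publishes to. Aligning the two counts, `count = var.oci_bastion.bastion_enabled == true && var.oci_bastion_notification.notification_enabled == true ? 1 : 0`, keeps the four resources together; the `autonomous_template` data source that references the topic is already gated on `bastion_enabled`. The policy statement itself is well scoped with `use ons-topic` and `where request.permission='ONS_TOPIC_PUBLISH'`, which is the pattern the admin instance-principal policy should follow.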
diff --git a/modules/base/bastion/scripts/tesseract.template.sh b/modules/base/bastion/scripts/notification.template.sh similarity index 51% rename from modules/base/bastion/scripts/tesseract.template.sh rename to modules/base/bastion/scripts/notification.template.sh index 1986ff2d..7d680bb4 100644 --- a/modules/base/bastion/scripts/tesseract.template.sh +++ b/modules/base/bastion/scripts/notification.template.sh @@ -1,6 +1,10 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/ -ssh -i ${private_key_path} opc@${bastion_ip} \ No newline at end of file +if [ ${notification_enabled} ]; then + sudo al-config -T ${topic_id} +else + echo 'ONS notification not enabled' +fi \ No newline at end of file diff --git a/modules/base/bastion/scripts/oracle.template.sh b/modules/base/bastion/scripts/oracle.template.sh new file mode 100644 index 00000000..52387fb9 --- /dev/null +++ b/modules/base/bastion/scripts/oracle.template.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl + +yum update --security + +sed -i -e "s/autoinstall\s=\sno/autoinstall = yes/g" /etc/uptrack/uptrack.conf + +uptrack-upgrade \ No newline at end of file diff --git a/modules/base/bastion/security.tf b/modules/base/bastion/security.tf index ed144a17..f1607b0f 100644 --- a/modules/base/bastion/security.tf +++ b/modules/base/bastion/security.tf 
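Review bot: `if [ ${notification_enabled} ]; then` in notification.template.sh only tests whether the interpolated text is non-empty, so when Terraform renders the bool as the string `false` the branch is still taken and `al-config -T null` runs, because the `autonomous_template` data source passes the literal `"null"` when notifications are off. Compare the rendered value explicitly, `if [ "${notification_enabled}" = "true" ]; then`, and quote the topic argument, `sudo al-config -T "${topic_id}"`. The `else` branch message is fine as a marker in the cloud-init log.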
@@ -1,10 +1,10 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 resource "oci_core_security_list" "bastion" {
 compartment_id = var.oci_base_identity.compartment_id
 display_name = "${var.oci_bastion_general.label_prefix}-bastion"
- vcn_id = var.oci_bastion_infra.vcn_id
+ vcn_id = var.oci_bastion_network.vcn_id
 egress_security_rules {
 protocol = local.all_protocols
@@ -21,5 +21,5 @@ resource "oci_core_security_list" "bastion" {
 max = local.ssh_port
 }
 }
- count = var.oci_bastion.create_bastion == true ? 1 : 0
+ count = var.oci_bastion.bastion_enabled == true ? 1 : 0
 }
diff --git a/modules/base/bastion/subnets.tf b/modules/base/bastion/subnets.tf
index 26b2d1cb..0d6ea985 100644
--- a/modules/base/bastion/subnets.tf
+++ b/modules/base/bastion/subnets.tf
@@ -1,15 +1,15 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 resource "oci_core_subnet" "bastion" {
 compartment_id = var.oci_base_identity.compartment_id
- cidr_block = cidrsubnet(var.oci_bastion_infra.vcn_cidr, var.oci_bastion_infra.newbits, var.oci_bastion_infra.subnets)
+ cidr_block = cidrsubnet(var.oci_bastion_network.vcn_cidr, var.oci_bastion_network.newbits, var.oci_bastion_network.netnum)
 display_name = "${var.oci_bastion_general.label_prefix}-bastion"
 dns_label = "bastion"
- prohibit_public_ip_on_vnic = "false"
- route_table_id = var.oci_bastion_infra.ig_route_id
+ prohibit_public_ip_on_vnic = false
+ route_table_id = var.oci_bastion_network.ig_route_id
 security_list_ids = [oci_core_security_list.bastion[0].id]
- vcn_id = var.oci_bastion_infra.vcn_id
+ vcn_id = var.oci_bastion_network.vcn_id
- count = var.oci_bastion.create_bastion == true ? 1 : 0
+ count = var.oci_bastion.bastion_enabled == true ? 1 : 0
 }
diff --git a/modules/base/bastion/variables.tf b/modules/base/bastion/variables.tf
index 0bdfe60b..65b10f89 100644
--- a/modules/base/bastion/variables.tf
+++ b/modules/base/bastion/variables.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 # general
@@ -8,50 +8,56 @@ variable "oci_base_identity" {
 api_fingerprint = string
 api_private_key_path = string
 compartment_id = string
- compartment_name = string
 tenancy_id = string
 user_id = string
 })
+ description = "parameters related to oci identity"
 }
 variable "oci_bastion_general" {
 type = object({
- label_prefix = string
 home_region = string
+ label_prefix = string
 region = string
 })
+ description = "general oci parameters"
 }
-# ssh
+# bastion
-variable "oci_base_ssh_keys" {
+variable "oci_bastion_network" {
 type = object({
- ssh_private_key_path = string
- ssh_public_key_path = string
+ ad_names = list(string)
+ availability_domains = number
+ ig_route_id = string
+ netnum = number
+ newbits = number
+ vcn_cidr = string
+ vcn_id = string
 })
+ description = "bastion host networking parameters"
 }
-# bastion
-
 variable "oci_bastion" {
 type = object({
- bastion_shape = string
- create_bastion = bool
- bastion_access = string
- enable_instance_principal = bool
- image_id = string
- package_upgrade = bool
+ bastion_access = string
+ bastion_enabled = bool
+ bastion_image_id = string
+ bastion_shape = string
+ bastion_upgrade = bool
+ ssh_public_key_path = string
+ timezone = string
+ use_autonomous = bool
 })
+ description = "bastion host parameters"
 }
-variable "oci_bastion_infra" {
+variable "oci_bastion_notification" {
 type = object({
- ig_route_id = string
- vcn_cidr = string
- vcn_id = string
- ad_names = list(string)
- newbits = number
- subnets = number
- availability_domains = number
+ notification_enabled = bool
+ notification_endpoint = string
+ notification_protocol = string
+ notification_topic = string
 })
+ description = "OCI notification parameters for bastion"
 }
diff --git a/modules/base/datasources.tf b/modules/base/datasources.tf
index 7ad3ebdc..89b36307 100644
--- a/modules/base/datasources.tf
+++ b/modules/base/datasources.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "oci_identity_availability_domains" "ad_list" {
 compartment_id = var.oci_base_identity.tenancy_id
diff --git a/modules/base/locals.tf b/modules/base/locals.tf
index e2fb0b9c..8f681d6f 100644
--- a/modules/base/locals.tf
+++ b/modules/base/locals.tf
@@ -1,17 +1,15 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 locals {
 oci_base_vcn = {
- compartment_id = var.oci_base_identity.compartment_id
- label_prefix = var.oci_base_general.label_prefix
- create_nat_gateway = var.oci_base_vcn.create_nat_gateway
- nat_gateway_name = var.oci_base_vcn.nat_gateway_name
- create_service_gateway = var.oci_base_vcn.create_service_gateway
- service_gateway_name = var.oci_base_vcn.service_gateway_name
- vcn_cidr = var.oci_base_vcn.vcn_cidr
+ compartment_id = var.oci_base_identity.compartment_id
+ label_prefix = var.oci_base_general.label_prefix
+ nat_gateway_enabled = var.oci_base_vcn.nat_gateway_enabled
+ service_gateway_enabled = var.oci_base_vcn.service_gateway_enabled
+ vcn_cidr = var.oci_base_vcn.vcn_cidr
 vcn_dns_label = var.oci_base_vcn.vcn_dns_label
- vcn_name = var.oci_base_vcn.vcn_name
+ vcn_name = var.oci_base_vcn.vcn_name
 }
 oci_bastion_general = {
@@ -20,22 +18,58 @@ locals {
 region = var.oci_base_general.region
 }
- oci_bastion_infra = {
+ oci_bastion_network = {
+ ad_names = data.template_file.ad_names.*.rendered
+ availability_domains = var.oci_base_bastion.availability_domains
 ig_route_id = module.vcn.ig_route_id
+ netnum = var.oci_base_bastion.netnum
+ newbits = var.oci_base_bastion.newbits
 vcn_cidr = var.oci_base_vcn.vcn_cidr
 vcn_id = module.vcn.vcn_id
- ad_names = data.template_file.ad_names.*.rendered
- newbits = var.oci_base_bastion.newbits
- subnets = var.oci_base_bastion.subnets
- availability_domains = var.oci_base_bastion.availability_domains
 }
 oci_bastion = {
- bastion_shape = var.oci_base_bastion.bastion_shape
- create_bastion = var.oci_base_bastion.create_bastion
- bastion_access = var.oci_base_bastion.bastion_access
- enable_instance_principal = var.oci_base_bastion.enable_instance_principal
- image_id = var.oci_base_bastion.image_id
- package_upgrade = var.oci_base_bastion.package_upgrade
+ bastion_access = var.oci_base_bastion.bastion_access
+ bastion_enabled = var.oci_base_bastion.bastion_enabled
+ bastion_image_id = var.oci_base_bastion.bastion_image_id
+ bastion_shape = var.oci_base_bastion.bastion_shape
+ bastion_upgrade = var.oci_base_bastion.bastion_upgrade
+ ssh_public_key_path = var.oci_base_bastion.ssh_public_key_path
+ timezone = var.oci_base_bastion.timezone
+ use_autonomous = var.oci_base_bastion.use_autonomous
+ }
+
+ oci_bastion_notification = {
+ notification_enabled = var.oci_base_bastion.notification_enabled
+ notification_endpoint = var.oci_base_bastion.notification_endpoint
+ notification_protocol = var.oci_base_bastion.notification_protocol
+ notification_topic = var.oci_base_bastion.notification_topic
+ }
+
+ oci_admin_network = {
+ ad_names = data.template_file.ad_names.*.rendered
+ availability_domains = var.oci_base_admin.availability_domains
+ nat_route_id = module.vcn.nat_route_id
+ netnum = var.oci_base_admin.netnum
+ newbits = var.oci_base_admin.newbits
+ 
vcn_cidr = var.oci_base_vcn.vcn_cidr
+ vcn_id = module.vcn.vcn_id
+ }
+
+ oci_admin = {
+ admin_enabled = var.oci_base_admin.admin_enabled
+ admin_image_id = var.oci_base_admin.admin_image_id
+ admin_shape = var.oci_base_admin.admin_shape
+ admin_upgrade = var.oci_base_admin.admin_upgrade
+ enable_instance_principal = var.oci_base_admin.enable_instance_principal
+ ssh_public_key_path = var.oci_base_admin.ssh_public_key_path
+ timezone = var.oci_base_admin.timezone
+ }
+
+ oci_admin_notification = {
+ notification_enabled = var.oci_base_admin.notification_enabled
+ notification_endpoint = var.oci_base_admin.notification_endpoint
+ notification_protocol = var.oci_base_admin.notification_protocol
+ notification_topic = var.oci_base_admin.notification_topic
 }
 }
diff --git a/modules/base/main.tf b/modules/base/main.tf
index b9848443..643b3b94 100644
--- a/modules/base/main.tf
+++ b/modules/base/main.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 module "vcn" {
 source = "./vcn"
@@ -7,10 +7,19 @@ module "vcn" {
 }
 module "bastion" {
- source = "./bastion"
- oci_base_identity = var.oci_base_identity
- oci_bastion_general = local.oci_bastion_general
- oci_bastion_infra = local.oci_bastion_infra
- oci_bastion = local.oci_bastion
- oci_base_ssh_keys = var.oci_base_ssh_keys
+ source = "./bastion"
+ oci_base_identity = var.oci_base_identity
+ oci_bastion_general = local.oci_bastion_general
+ oci_bastion_network = local.oci_bastion_network
+ oci_bastion = local.oci_bastion
+ oci_bastion_notification = local.oci_bastion_notification
+}
+
+module "admin" {
+ source = "./admin"
+ oci_admin_identity = var.oci_base_identity
+ oci_admin_general = local.oci_bastion_general
+ oci_admin_network = local.oci_admin_network
+ oci_admin = local.oci_admin
+ oci_admin_notification = local.oci_admin_notification
 }
diff --git a/modules/base/outputs.tf b/modules/base/outputs.tf
index 748a4bec..e2dddc18 100644
--- a/modules/base/outputs.tf
+++ b/modules/base/outputs.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 # for reuse
@@ -7,12 +7,16 @@ output "ad_names" {
 value = sort(data.template_file.ad_names.*.rendered)
 }
+output "admin_private_ip" {
+ value = module.admin.admin_private_ip
+}
+
 output "bastion_public_ip" {
 value = module.bastion.bastion_public_ip
 }
 output "group_name" {
- value = module.bastion.bastion_instance_principal_group_name
+ value = module.admin.admin_instance_principal_group_name
 }
 output "ig_route_id" {
@@ -38,5 +42,9 @@ output "home_region" {
 # convenient output
 output "ssh_to_bastion" {
- value = "ssh -i ${var.oci_base_ssh_keys.ssh_private_key_path} opc@${module.bastion.bastion_public_ip}"
+ value = "ssh -i ${var.oci_base_bastion.ssh_private_key_path} opc@${module.bastion.bastion_public_ip}"
 }
+
+output "ssh_to_admin" {
+ value = "ssh -i ${var.oci_base_bastion.ssh_private_key_path} -J opc@${module.bastion.bastion_public_ip} opc@${module.admin.admin_private_ip}"
+}
\ No newline at end of file
diff --git a/modules/base/variables.tf b/modules/base/variables.tf
index cb9ba9b7..551d5f89 100644
--- a/modules/base/variables.tf
+++ b/modules/base/variables.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 # Identity and access parameters
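Review bot: The new `ssh_to_admin` hint names only `var.oci_base_bastion.ssh_private_key_path`, although `oci_base_admin` declares its own `ssh_private_key_path` in the same commit, so the output appears to assume the two keys are identical. If the admin host may be provisioned with a different key, the hint should reference `var.oci_base_admin.ssh_private_key_path` for the final hop; if the two are expected to match by design, a comment above the output saying so would stop the two variables from looking independent.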
@@ -8,57 +8,126 @@ variable "oci_base_identity" {
 api_fingerprint = string
 api_private_key_path = string
 compartment_id = string
- compartment_name = string
 tenancy_id = string
 user_id = string
 })
-}
-
-# ssh keys
-
-variable "oci_base_ssh_keys" {
- type = object({
- ssh_private_key_path = string
- ssh_public_key_path = string
- })
+ description = "identity and provider parameters"
 }
 # general oci parameters
 variable "oci_base_general" {
 type = object({
- disable_auto_retries = bool
- label_prefix = string
- region = string
+ label_prefix = string
+ region = string
 })
+ description = "general oci parameters"
+ default = {
+ label_prefix = "base"
+ region = ""
+ }
 }
 # networking parameters
 variable "oci_base_vcn" {
 type = object({
- vcn_cidr = string
+ nat_gateway_enabled = bool
+ service_gateway_enabled = bool
+ vcn_cidr = string
 vcn_dns_label = string
- vcn_name = string
- create_nat_gateway = bool
- nat_gateway_name = string
- create_service_gateway = bool
- service_gateway_name = string
+ vcn_name = string
 })
+ description = "VCN basic parameters"
+ default = {
+ nat_gateway_enabled = false
+ service_gateway_enabled = false
+ vcn_cidr = "10.0.0.0/16"
+ vcn_dns_label = "base"
+ vcn_name = "base"
+ }
 }
 # bastion
 variable "oci_base_bastion" {
 type = object({
- newbits = number
- subnets = number
- bastion_shape = string
- create_bastion = bool
- bastion_access = string
- enable_instance_principal = bool
- image_id = string
- availability_domains = number
- package_upgrade = bool
+ availability_domains = number
+ bastion_access = string
+ bastion_enabled = bool
+ bastion_image_id = string
+ bastion_shape = string
+ bastion_upgrade = bool
+ netnum = number
+ newbits = number
+ notification_enabled = bool
+ notification_endpoint = string
+ notification_protocol = string
+ notification_topic = string
+ ssh_private_key_path = string
+ ssh_public_key_path = string
+ timezone = string
+ use_autonomous = bool
+ })
+ description = "bastion host parameters"
+ default = {
+ 
availability_domains = 1
+ bastion_access = "ANYWHERE"
+ bastion_enabled = false
+ bastion_image_id = "NONE"
+ bastion_shape = "VM.Standard.E2.1"
+ bastion_upgrade = true
+ netnum = 13
+ newbits = 32
+ notification_enabled = false
+ notification_endpoint = ""
+ notification_protocol = "EMAIL"
+ notification_topic = "bastion"
+ ssh_private_key_path = ""
+ ssh_public_key_path = ""
+ timezone = ""
+ use_autonomous = true
+ }
+}
+
+# admin
+
+variable "oci_base_admin" {
+ type = object({
+ availability_domains = number
+ admin_enabled = bool
+ admin_image_id = string
+ admin_shape = string
+ admin_upgrade = bool
+ enable_instance_principal = bool
+ netnum = number
+ newbits = number
+ notification_enabled = bool
+ notification_endpoint = string
+ notification_protocol = string
+ notification_topic = string
+ ssh_private_key_path = string
+ ssh_public_key_path = string
+ timezone = string
+ use_autonomous = bool
 })
+ description = "admin host parameters"
+ default = {
+ availability_domains = 1
+ admin_enabled = false
+ admin_image_id = "NONE"
+ admin_shape = "VM.Standard.E2.1"
+ admin_upgrade = true
+ enable_instance_principal = true
+ netnum = 33
+ newbits = 13
+ notification_enabled = false
+ notification_endpoint = ""
+ notification_protocol = "EMAIL"
+ notification_topic = "admin"
+ ssh_private_key_path = ""
+ ssh_public_key_path = ""
+ timezone = ""
+ use_autonomous = false
+ }
 }
diff --git a/modules/base/vcn/locals.tf b/modules/base/vcn/locals.tf
index 303861b1..605d859e 100644
--- a/modules/base/vcn/locals.tf
+++ b/modules/base/vcn/locals.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 locals {
 anywhere = "0.0.0.0/0"
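Review bot: The `oci_base_bastion` defaults `netnum = 13` / `newbits = 32` look swapped relative to the `oci_base_admin` defaults `netnum = 33` / `newbits = 13`: the bastion subnet computes `cidrsubnet(vcn_cidr, newbits, netnum)`, and with the default `10.0.0.0/16` a `newbits` of 32 asks for a 48-bit prefix, which would fail the moment `bastion_enabled` is set to true. Assuming the admin pair is the intended shape, the bastion default should read `newbits = 13` with a `netnum` that keeps it disjoint from the admin subnet. Separately, `enable_instance_principal = true` is the only capability in these defaults that is switched on, and it grants the admin host API access through a dynamic group without any credential on the host; consider defaulting it to `false` so the extra privilege is an explicit opt-in, consistent with `admin_enabled = false` and with the warning kept in docs/configuration.adoc. `bastion_access = "ANYWHERE"` deserves the same opt-in treatment if, as the name suggests, it maps to a 0.0.0.0/0 SSH ingress source.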
diff --git a/modules/base/vcn/nat.tf b/modules/base/vcn/nat.tf
index ae710308..d8e0704f 100644
--- a/modules/base/vcn/nat.tf
+++ b/modules/base/vcn/nat.tf
@@ -1,11 +1,11 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 resource "oci_core_nat_gateway" "nat_gateway" {
 compartment_id = var.oci_base_vcn.compartment_id
- display_name = "${var.oci_base_vcn.label_prefix}-${var.oci_base_vcn.nat_gateway_name}-gw"
+ display_name = "${var.oci_base_vcn.label_prefix}-nat-gw"
 vcn_id = oci_core_vcn.vcn.id
- count = var.oci_base_vcn.create_nat_gateway == true ? 1 : 0
+ count = var.oci_base_vcn.nat_gateway_enabled == true ? 1 : 0
 }
 resource "oci_core_route_table" "nat_route" {
@@ -19,7 +19,7 @@ resource "oci_core_route_table" "nat_route" {
 }
 dynamic "route_rules" {
- for_each = var.oci_base_vcn.create_service_gateway == true ? list(1) : []
+ for_each = var.oci_base_vcn.service_gateway_enabled == true ? list(1) : []
 content {
 destination = lookup(data.oci_core_services.all_oci_services[0].services[0], "cidr_block")
@@ -29,5 +29,5 @@ resource "oci_core_route_table" "nat_route" {
 }
 vcn_id = oci_core_vcn.vcn.id
- count = var.oci_base_vcn.create_nat_gateway == true ? 1 : 0
+ count = var.oci_base_vcn.nat_gateway_enabled == true ? 1 : 0
 }
diff --git a/modules/base/vcn/outputs.tf b/modules/base/vcn/outputs.tf
index 8bf615da..0032fafb 100644
--- a/modules/base/vcn/outputs.tf
+++ b/modules/base/vcn/outputs.tf
@@ -1,18 +1,22 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 output "vcn_id" {
- value = oci_core_vcn.vcn.id
+ description = "id of vcn that is created"
+ value = oci_core_vcn.vcn.id
 }
 output "nat_gateway_id" {
- value = join(",", oci_core_nat_gateway.nat_gateway.*.id)
+ description = "id of nat gateway if it is created"
+ value = join(",", oci_core_nat_gateway.nat_gateway.*.id)
 }
 output "ig_route_id" {
- value = oci_core_route_table.ig_route.id
+ description = "id of internet gateway route table"
+ value = oci_core_route_table.ig_route.id
 }
 output "nat_route_id" {
- value = join(",", oci_core_route_table.nat_route.*.id)
+ description = "id of VCN NAT gateway route table"
+ value = join(",", oci_core_route_table.nat_route.*.id)
 }
diff --git a/modules/base/vcn/servicegateway.tf b/modules/base/vcn/servicegateway.tf
index ff36a28d..3d9b7c6c 100644
--- a/modules/base/vcn/servicegateway.tf
+++ b/modules/base/vcn/servicegateway.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 data "oci_core_services" "all_oci_services" {
 filter {
@@ -7,18 +7,18 @@ data "oci_core_services" "all_oci_services" {
 values = ["All .* Services In Oracle Services Network"]
 regex = true
 }
- count = var.oci_base_vcn.create_service_gateway == true ? 1 : 0
+ count = var.oci_base_vcn.service_gateway_enabled == true ? 1 : 0
 }
 resource "oci_core_service_gateway" "service_gateway" {
 compartment_id = var.oci_base_vcn.compartment_id
- display_name = "${var.oci_base_vcn.label_prefix}-${var.oci_base_vcn.service_gateway_name}-gw"
- depends_on = ["oci_core_nat_gateway.nat_gateway"]
+ display_name = "${var.oci_base_vcn.label_prefix}-sg-gw"
+ depends_on = [oci_core_nat_gateway.nat_gateway]
 services {
 service_id = lookup(data.oci_core_services.all_oci_services[0].services[0], "id")
 }
 vcn_id = oci_core_vcn.vcn.id
- count = var.oci_base_vcn.create_service_gateway == true ? 1 : 0
+ count = var.oci_base_vcn.service_gateway_enabled == true ? 1 : 0
 }
diff --git a/modules/base/vcn/variables.tf b/modules/base/vcn/variables.tf
index a6995309..d4c95404 100644
--- a/modules/base/vcn/variables.tf
+++ b/modules/base/vcn/variables.tf
@@ -1,16 +1,15 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 variable "oci_base_vcn" {
 type = object({
- compartment_id = string
- label_prefix = string
- create_nat_gateway = bool
- nat_gateway_name = string
- create_service_gateway = bool
- service_gateway_name = string
- vcn_cidr = string
+ compartment_id = string
+ label_prefix = string
+ nat_gateway_enabled = bool
+ service_gateway_enabled = bool
+ vcn_cidr = string
 vcn_dns_label = string
- vcn_name = string
+ vcn_name = string
 })
+ description = "vcn basic parameters"
 }
diff --git a/modules/base/vcn/vcn.tf b/modules/base/vcn/vcn.tf
index aaef4d96..df95510d 100644
--- a/modules/base/vcn/vcn.tf
+++ b/modules/base/vcn/vcn.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 resource "oci_core_vcn" "vcn" {
 cidr_block = var.oci_base_vcn.vcn_cidr
@@ -24,7 +24,7 @@ resource "oci_core_route_table" "ig_route" {
 }
 dynamic "route_rules" {
- for_each = (var.oci_base_vcn.create_service_gateway == true && var.oci_base_vcn.create_nat_gateway == false) ? list(1) : []
+ for_each = (var.oci_base_vcn.service_gateway_enabled == true && var.oci_base_vcn.nat_gateway_enabled == false) ? list(1) : []
 content {
 destination = lookup(data.oci_core_services.all_oci_services[0].services[0], "cidr_block")
@@ -34,4 +34,4 @@ resource "oci_core_route_table" "ig_route" {
 }
 vcn_id = oci_core_vcn.vcn.id
-}
+}
\ No newline at end of file
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 01216e43..e124fe45 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -1,2 +1,2 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
diff --git a/modules/oke/activeworker.tf b/modules/oke/activeworker.tf
index 0ca36110..2e2e3925 100644
--- a/modules/oke/activeworker.tf
+++ b/modules/oke/activeworker.tf
@@ -1,40 +1,43 @@
-# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
-
-data "template_file" "check_worker_node_status" {
- template = file("${path.module}/scripts/is_worker_active.py")
-
- vars = {
- cluster_id = oci_containerengine_cluster.k8s_cluster.id
- compartment_id = var.oke_identity.compartment_id
- region = var.oke_general.region
- }
-
- count = var.oke_bastion.create_bastion == true && var.oke_bastion.enable_instance_principal == true ? 1 : 0
-}
-
-resource null_resource "is_worker_active" {
- connection {
- host = var.oke_bastion.bastion_public_ip
- private_key = file(var.oke_ssh_keys.ssh_private_key_path)
- timeout = "40m"
- type = "ssh"
- user = "opc"
- }
-
- depends_on = ["oci_containerengine_cluster.k8s_cluster"]
-
- provisioner "file" {
- content = data.template_file.check_worker_node_status[0].rendered
- destination = "~/is_worker_active.py"
- }
-
- provisioner "remote-exec" {
- inline = [
- "chmod +x $HOME/is_worker_active.py",
- "while [ ! -f $HOME/node.active ]; do $HOME/is_worker_active.py; sleep 10; done",
- ]
- }
-
- count = var.oke_bastion.create_bastion == true && var.oke_bastion.enable_instance_principal == true ? 1 : 0
-}
+# # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+# data "template_file" "check_worker_node_status" {
+# template = file("${path.module}/scripts/is_worker_active.py")
+
+# vars = {
+# cluster_id = oci_containerengine_cluster.k8s_cluster.id
+# compartment_id = var.oke_identity.compartment_id
+# region = var.oke_general.region
+# }
+# count = var.oke_admin.admin_enabled == true ? 
1 : 0
+# }
+
+# resource null_resource "is_worker_active" {
+# connection {
+# host = var.oke_admin.admin_private_ip
+# private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+# timeout = "40m"
+# type = "ssh"
+# user = "opc"
+
+# bastion_host = var.oke_admin.bastion_public_ip
+# bastion_user = "opc"
+# bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+# }
+
+# depends_on = [oci_containerengine_node_pool.nodepools]
+
+# provisioner "file" {
+# content = data.template_file.check_worker_node_status[0].rendered
+# destination = "~/is_worker_active.py"
+# }
+
+# provisioner "remote-exec" {
+# inline = [
+# "chmod +x $HOME/is_worker_active.py",
+# "while [ ! -f $HOME/node.active ]; do $HOME/is_worker_active.py; sleep 10; done",
+# ]
+# }
+
+# count = var.oke_admin.admin_enabled == true ? 1 : 0
+# }
diff --git a/modules/oke/calico.tf b/modules/oke/calico.tf
index 08a4d077..7ee29134 100644
--- a/modules/oke/calico.tf
+++ b/modules/oke/calico.tf
@@ -1,5 +1,5 @@
 ## Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-## Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+## Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "template_file" "install_calico" {
 template = file("${path.module}/scripts/install_calico.template.sh")
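Review bot: All of activeworker.tf is now commented-out code rather than removed, and the commented copy has already been edited in this commit (admin host, bastion jump settings, `depends_on = [oci_containerengine_node_pool.nodepools]`), so it will keep drifting without ever being checked by `terraform validate`. Either delete the file and rely on git history, or keep one uncommented line at the top explaining its state, e.g. `# Disabled: worker-readiness polling is being moved to the admin host; not yet validated there`, so the next reader knows whether this is dead or pending. If it is re-enabled later, note that the `while [ ! -f $HOME/node.active ]` loop has no bound other than the 40m connection timeout.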
@@ -16,14 +16,18 @@ data "template_file" "install_calico" {
 resource null_resource "install_calico" {
 connection {
- host = var.oke_bastion.bastion_public_ip
+ host = var.oke_admin.admin_private_ip
 private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 timeout = "40m"
 type = "ssh"
 user = "opc"
+
+ bastion_host = var.oke_admin.bastion_public_ip
+ bastion_user = "opc"
+ bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 }
- depends_on = ["null_resource.install_kubectl_bastion", "null_resource.write_kubeconfig_bastion"]
+ depends_on = [null_resource.install_kubectl_admin, null_resource.write_kubeconfig_on_admin]
 provisioner "file" {
 content = data.template_file.install_calico[0].rendered
@@ -38,5 +42,5 @@ resource null_resource "install_calico" {
 ]
 }
- count = var.oke_bastion.create_bastion == true && var.calico.install_calico == true ? 1 : 0
+ count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.calico.install_calico == true ? 1 : 0
 }
diff --git a/modules/oke/cluster.tf b/modules/oke/cluster.tf
index 3fe5a9b0..1ad3a093 100644
--- a/modules/oke/cluster.tf
+++ b/modules/oke/cluster.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 resource "oci_containerengine_cluster" "k8s_cluster" {
 compartment_id = var.oke_identity.compartment_id
@@ -10,7 +10,7 @@ resource "oci_containerengine_cluster" "k8s_cluster" {
 options {
 add_ons {
 is_kubernetes_dashboard_enabled = var.oke_cluster.cluster_options_add_ons_is_kubernetes_dashboard_enabled
- is_tiller_enabled = var.oke_cluster.cluster_options_add_ons_is_tiller_enabled
+ is_tiller_enabled = false
 }
 kubernetes_network_config {
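Review bot: The new `connection` block reads `file(var.oke_ssh_keys.ssh_private_key_path)` for both `private_key` (admin host) and `bastion_private_key` (jump host), which quietly assumes one key pair serves both hosts even though the base module in this same commit declares separate `ssh_public_key_path` inputs for `oci_base_bastion` and `oci_base_admin`. If the hosts may carry different keys, the admin hop needs its own key input threaded through `oke_ssh_keys`; if a single pair is intended, a comment such as `# the same key pair is deployed to the bastion and the admin host` would save the next reader the cross-check. The identical block is repeated in helm.tf, in both connections in kubeconfig.tf and in metricserver.tf, so a single local holding the host and key values would keep the four copies from diverging.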
diff --git a/modules/oke/datasources.tf b/modules/oke/datasources.tf
index 66ac01d4..49f3d552 100644
--- a/modules/oke/datasources.tf
+++ b/modules/oke/datasources.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "oci_core_images" "latest_images" {
 compartment_id = var.oke_identity.compartment_id
@@ -18,5 +18,5 @@ data "oci_containerengine_cluster_option" "k8s_cluster_option" {
 data "oci_containerengine_node_pools" "all_node_pools" {
 compartment_id = var.oke_identity.compartment_id
 cluster_id = oci_containerengine_cluster.k8s_cluster.id
- depends_on = ["oci_containerengine_node_pool.nodepools"]
+ depends_on = [oci_containerengine_node_pool.nodepools]
 }
diff --git a/modules/oke/helm.tf b/modules/oke/helm.tf
index f2cf06b5..f3ffdaf7 100644
--- a/modules/oke/helm.tf
+++ b/modules/oke/helm.tf
@@ -1,28 +1,30 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "template_file" "install_helm" {
 template = file("${path.module}/scripts/install_helm.template.sh")
 vars = {
- add_incubator_repo = var.helm.add_incubator_repo
- add_jetstack_repo = var.helm.add_jetstack_repo
 helm_version = var.helm.helm_version
 }
- count = var.oke_bastion.create_bastion == true && var.helm.install_helm == true ? 1 : 0
+ count = var.oke_admin.admin_enabled == true && var.helm.install_helm == true ? 1 : 0
 }
-resource null_resource "install_helm_bastion" {
+resource null_resource "install_helm_admin" {
 connection {
- host = var.oke_bastion.bastion_public_ip
+ host = var.oke_admin.admin_private_ip
 private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 timeout = "40m"
 type = "ssh"
 user = "opc"
+
+ bastion_host = var.oke_admin.bastion_public_ip
+ bastion_user = "opc"
+ bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 }
- depends_on = ["null_resource.install_kubectl_bastion", "null_resource.write_kubeconfig_bastion"]
+ depends_on = [null_resource.install_kubectl_admin, null_resource.write_kubeconfig_on_admin]
 provisioner "file" {
 content = data.template_file.install_helm[0].rendered
@@ -37,5 +39,5 @@ resource null_resource "install_helm_bastion" {
 ]
 }
- count = var.oke_bastion.create_bastion == true && var.helm.install_helm == true ? 1 : 0
+ count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.helm.install_helm == true ? 1 : 0
 }
diff --git a/modules/oke/kubeconfig.tf b/modules/oke/kubeconfig.tf
index 24a67c0f..925a6082 100644
--- a/modules/oke/kubeconfig.tf
+++ b/modules/oke/kubeconfig.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 data "oci_containerengine_cluster_kube_config" "kube_config" {
 cluster_id = oci_containerengine_cluster.k8s_cluster.id
@@ -23,7 +23,7 @@ resource "null_resource" "create_local_kubeconfig" {
 resource "local_file" "kube_config_file" {
 content = data.oci_containerengine_cluster_kube_config.kube_config.content
- depends_on = ["null_resource.create_local_kubeconfig", "oci_containerengine_cluster.k8s_cluster"]
+ depends_on = [null_resource.create_local_kubeconfig, oci_containerengine_cluster.k8s_cluster]
 filename = "${path.root}/generated/kubeconfig"
 }
@@ -31,13 +31,17 @@ data "template_file" "install_kubectl" {
 template = file("${path.module}/scripts/install_kubectl.template.sh")
 }
-resource "null_resource" "install_kubectl_bastion" {
+resource "null_resource" "install_kubectl_admin" {
 connection {
- host = var.oke_bastion.bastion_public_ip
+ host = var.oke_admin.admin_private_ip
 private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 timeout = "40m"
 type = "ssh"
 user = "opc"
+
+ bastion_host = var.oke_admin.bastion_public_ip
+ bastion_user = "opc"
+ bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
 }
 provisioner "file" {
@@ -53,30 +57,47 @@ resource "null_resource" "install_kubectl_bastion" { ] } - count = var.oke_bastion.create_bastion == true ? 1 : 0 + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true ? 1 : 0 } -resource "null_resource" "write_kubeconfig_bastion" { +data "template_file" "generate_kubeconfig" { + template = file("${path.module}/scripts/generate_kubeconfig.template.sh") + + vars = { + cluster-id = oci_containerengine_cluster.k8s_cluster.id + region = var.oke_general.region + } + + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true ? 1 : 0 +} + +resource "null_resource" "write_kubeconfig_on_admin" { connection { - host = var.oke_bastion.bastion_public_ip + host = var.oke_admin.admin_private_ip private_key = file(var.oke_ssh_keys.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" + + bastion_host = var.oke_admin.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) } - depends_on = ["local_file.kube_config_file", "null_resource.install_kubectl_bastion"] + depends_on = [oci_containerengine_cluster.k8s_cluster] + + provisioner "file" { + content = data.template_file.generate_kubeconfig[0].rendered + destination = "~/generate_kubeconfig.sh" + } provisioner "remote-exec" { inline = [ - "mkdir -p $HOME/.kube", + "chmod +x $HOME/generate_kubeconfig.sh", + "$HOME/generate_kubeconfig.sh", + "rm -f $HOME/generate_kubeconfig.sh" ] } - provisioner "file" { - source = "generated/kubeconfig" - destination = "~/.kube/config" - } - - count = var.oke_bastion.create_bastion == true ? 1 : 0 + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true ? 1 : 0 } diff --git a/modules/oke/locals.tf b/modules/oke/locals.tf index 68a34882..5ca049cb 100644 --- a/modules/oke/locals.tf +++ b/modules/oke/locals.tf 
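Review bot: `write_kubeconfig_on_admin` now executes `generate_kubeconfig.sh`, which calls oci-cli on the admin host, but its `count` checks only `bastion_enabled` and `admin_enabled`; docs/configuration.adoc in this commit says the admin host only has OCI API access when `admin_instance_principal` is enabled, so with it disabled the remote-exec presumably fails at apply time. Either add `var.oke_admin.admin_instance_principal == true` to this `count` (and to the matching `data "template_file" "generate_kubeconfig"`) or document the requirement on the resource. `depends_on` also dropped `null_resource.install_kubectl_admin`, so the kubectl install and the kubeconfig generation may now run on the admin host concurrently; that looks harmless, but a one-line comment stating that the ordering is intentional would help. Dropping `local_file.kube_config_file` is consistent with no longer uploading `generated/kubeconfig`.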
@@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { # used by cluster diff --git a/modules/oke/metricserver.tf b/modules/oke/metricserver.tf index 954e82e4..5696afdd 100644 --- a/modules/oke/metricserver.tf +++ b/modules/oke/metricserver.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl data "template_file" "install_metricserver" { template = file("${path.module}/scripts/install_metricserver.template.sh") @@ -9,14 +9,18 @@ data "template_file" "install_metricserver" { resource null_resource "install_metricserver" { connection { - host = var.oke_bastion.bastion_public_ip + host = var.oke_admin.admin_private_ip private_key = file(var.oke_ssh_keys.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" + + bastion_host = var.oke_admin.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) } - depends_on = ["null_resource.install_kubectl_bastion", "null_resource.write_kubeconfig_bastion"] + depends_on = [null_resource.install_kubectl_admin, null_resource.write_kubeconfig_on_admin] provisioner "file" { content = data.template_file.install_metricserver[0].rendered @@ -31,5 +35,5 @@ resource null_resource "install_metricserver" { ] } - count = var.oke_bastion.create_bastion == true && var.install_metricserver == true ? 1 : 0 + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.install_metricserver == true ? 1 : 0 } 
diff --git a/modules/oke/nodepools.tf b/modules/oke/nodepools.tf index d818c917..3674674d 100644 --- a/modules/oke/nodepools.tf +++ b/modules/oke/nodepools.tf @@ -1,10 +1,10 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl resource "oci_containerengine_node_pool" "nodepools" { cluster_id = oci_containerengine_cluster.k8s_cluster.id compartment_id = var.oke_identity.compartment_id - depends_on = ["oci_containerengine_cluster.k8s_cluster"] + depends_on = [oci_containerengine_cluster.k8s_cluster] kubernetes_version = local.kubernetes_version name = "${var.oke_general.label_prefix}-${var.node_pools.node_pool_name_prefix}-${count.index + 1}" diff --git a/modules/oke/ocir.tf b/modules/oke/ocir.tf index 77641db5..062b4c85 100644 --- a/modules/oke/ocir.tf +++ b/modules/oke/ocir.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl data "template_file" "create_ocir_script" { template = file("${path.module}/scripts/create_ocir_secret.template.sh") @@ -9,7 +9,6 @@ data "template_file" "create_ocir_script" { region_registry = var.oke_ocir.ocir_urls[var.oke_general.region] tenancy_name = var.oke_ocir.tenancy_name username = var.oke_ocir.username - tiller_enabled = var.oke_cluster.cluster_options_add_ons_is_tiller_enabled } count = var.oke_ocir.create_auth_token == true ? 1 : 0 
@@ -21,14 +20,19 @@ resource null_resource "create_ocir_secret" { } connection { - host = var.oke_bastion.bastion_public_ip + host = var.oke_admin.admin_private_ip private_key = file(var.oke_ssh_keys.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" + + bastion_host = var.oke_admin.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) } - depends_on = ["null_resource.write_kubeconfig_bastion"] + depends_on = [null_resource.write_kubeconfig_on_admin] + provisioner "file" { content = data.template_file.create_ocir_script[0].rendered destination = "~/create_ocir_secret.sh" @@ -41,25 +45,29 @@ resource null_resource "create_ocir_secret" { ] } - count = var.oke_bastion.create_bastion == true && var.oke_ocir.create_auth_token == true ? 1 : 0 + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.oke_ocir.create_auth_token == true ? 1 : 0 } resource null_resource "delete_ocir_script" { - depends_on = ["null_resource.create_ocir_secret"] - connection { - host = var.oke_bastion.bastion_public_ip + host = var.oke_admin.admin_private_ip private_key = file(var.oke_ssh_keys.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" + + bastion_host = var.oke_admin.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path) } + depends_on = [null_resource.create_ocir_secret] + provisioner "remote-exec" { inline = [ "rm -f $HOME/create_ocir_secret.sh", ] } - count = var.oke_bastion.create_bastion == true && var.oke_ocir.create_auth_token == true ? 1 : 0 + count = var.oke_admin.bastion_enabled == true && var.oke_admin.admin_enabled == true && var.oke_ocir.create_auth_token == true ? 1 : 0 } diff --git a/modules/oke/outputs.tf b/modules/oke/outputs.tf index 03f4fb0d..87542f56 100644 --- a/modules/oke/outputs.tf +++ b/modules/oke/outputs.tf 
@@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl output "cluster_id" { value = oci_containerengine_cluster.k8s_cluster.id diff --git a/modules/oke/scripts/create_ocir_secret.template.sh b/modules/oke/scripts/create_ocir_secret.template.sh index ae987040..45ad8a83 100644 --- a/modules/oke/scripts/create_ocir_secret.template.sh +++ b/modules/oke/scripts/create_ocir_secret.template.sh @@ -1,12 +1,6 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl -if [ ${tiller_enabled} ]; then - kubectl -n kube-system delete secret ocirsecret - kubectl create secret docker-registry ocirsecret -n kube-system --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password='${authtoken}' - kubectl -n kube-system patch serviceaccount tiller -p '{"imagePullSecrets": [{"name": "ocirsecret"}]}' -else - kubectl -n default delete secret ocirsecret - kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password='${authtoken}' -fi \ No newline at end of file +kubectl -n default delete secret ocirsecret +kubectl create secret docker-registry ocirsecret -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password='${authtoken}' 
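Review bot: `kubectl -n default delete secret ocirsecret` exits non-zero on a fresh cluster where the secret does not exist yet; the script has no `set -e`, so this is only noise today, but `kubectl -n default delete secret ocirsecret --ignore-not-found` makes the intent explicit and keeps the script safe under `set -e`. The rendered script embeds `${authtoken}` in clear text and is written to `~/create_ocir_secret.sh` on the admin host by the file provisioner in ocir.tf, and removal depends on the separate `delete_ocir_script` resource; an apply that fails between the two leaves the token on disk, so consider `trap 'rm -f "$0"' EXIT` at the top of this script so the file is removed even when the create step fails.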
diff --git a/modules/oke/scripts/generate_kubeconfig.template.sh b/modules/oke/scripts/generate_kubeconfig.template.sh
new file mode 100644
index 00000000..3d0602ad
--- /dev/null
+++ b/modules/oke/scripts/generate_kubeconfig.template.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+oci ce cluster create-kubeconfig --cluster-id ${cluster-id} --file $HOME/.kube/config --region ${region} --token-version 2.0.0
\ No newline at end of file
diff --git a/modules/oke/scripts/install_calico.template.sh b/modules/oke/scripts/install_calico.template.sh
index 59e5add1..bf973f56 100644
--- a/modules/oke/scripts/install_calico.template.sh
+++ b/modules/oke/scripts/install_calico.template.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 mkdir calico
diff --git a/modules/oke/scripts/install_helm.template.sh b/modules/oke/scripts/install_helm.template.sh
index aabc7b96..20887c09 100644
--- a/modules/oke/scripts/install_helm.template.sh
+++ b/modules/oke/scripts/install_helm.template.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
-wget https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-amd64.tar.gz
+wget https://get.helm.sh/helm-v${helm_version}-linux-amd64.tar.gz
 tar zxvf helm-v${helm_version}-linux-amd64.tar.gz
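Review bot: The new script writes straight to `$HOME/.kube/config` while the `mkdir -p $HOME/.kube` step that used to precede the upload was removed from kubeconfig.tf in this commit; unless oci-cli creates missing parent directories, the first run on a fresh admin host fails, so add `mkdir -p $HOME/.kube` before the `oci ce` call. `--token-version 2.0.0` is hard-coded even though `variable "cluster_kube_config_token_version"` in modules/oke/variables.tf is set to the same default in this commit; passing it through the template `vars` keeps the two from drifting. The file also lacks a trailing newline.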
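Review bot: The tarball fetched by `wget https://get.helm.sh/helm-v${helm_version}-linux-amd64.tar.gz` is extracted and installed with no integrity check; the Helm project publishes a SHA-256 checksum file next to each release tarball, so fetch it as well and run `sha256sum -c` (or compare against a checksum pinned in Terraform alongside `helm_version`) before `tar zxvf`. The script also has no `set -e`, so a failed or partial download still proceeds to the extract and install steps that follow this hunk.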
@@ -12,16 +12,6 @@ rm -f helm-v${helm_version}-linux-amd64.tar.gz rm -rf linux-amd64 -helm init --upgrade - -if [ ${add_incubator_repo} ]; then - helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/ -fi - -if [ ${add_jetstack_repo} ]; then - helm repo add jetstack https://charts.jetstack.io -fi - helm repo update echo "source <(helm completion bash)" >> ~/.bashrc diff --git a/modules/oke/scripts/install_kubectl.template.sh b/modules/oke/scripts/install_kubectl.template.sh index 1997577e..ce3d1c45 100644 --- a/modules/oke/scripts/install_kubectl.template.sh +++ b/modules/oke/scripts/install_kubectl.template.sh @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl sudo yum install -y kubectl git diff --git a/modules/oke/scripts/install_metricserver.template.sh b/modules/oke/scripts/install_metricserver.template.sh index 16da691e..bf245773 100644 --- a/modules/oke/scripts/install_metricserver.template.sh +++ b/modules/oke/scripts/install_metricserver.template.sh @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl git clone https://github.com/kubernetes-incubator/metrics-server.git /tmp/metricserver cd /tmp/metricserver diff --git a/modules/oke/scripts/is_worker_active.py b/modules/oke/scripts/is_worker_active.py index a11a964b..840fb568 100644 --- a/modules/oke/scripts/is_worker_active.py +++ b/modules/oke/scripts/is_worker_active.py 
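Review bot: With `helm init` and both `helm repo add` calls removed, `helm repo update` now runs against an empty repository list; Helm 3 reports that as an error ("no repositories found"), and because the script has no `set -e` the error is merely printed on every install. Either drop the `helm repo update` line or guard it, e.g. `helm repo list >/dev/null 2>&1 && helm repo update`.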
@@ -1,6 +1,6 @@ #!/bin/python # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl import os import oci diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf index d643b1e0..456449b7 100644 --- a/modules/oke/variables.tf +++ b/modules/oke/variables.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019 Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # identity @@ -31,11 +31,13 @@ variable "oke_general" { # bastion -variable "oke_bastion" { +variable "oke_admin" { type = object({ - bastion_public_ip = string - create_bastion = bool - enable_instance_principal = bool + bastion_public_ip = string + admin_private_ip = string + bastion_enabled = bool + admin_enabled = bool + admin_instance_principal = bool }) } @@ -46,7 +48,6 @@ variable "oke_cluster" { cluster_kubernetes_version = string cluster_name = string cluster_options_add_ons_is_kubernetes_dashboard_enabled = bool - cluster_options_add_ons_is_tiller_enabled = bool cluster_options_kubernetes_network_config_pods_cidr = string cluster_options_kubernetes_network_config_services_cidr = string cluster_subnets = map(string) @@ -79,7 +80,7 @@ variable "cluster_kube_config_expiration" { default = 2592000 } variable "cluster_kube_config_token_version" { - default = "1.0.0" + default = "2.0.0" } # ocir @@ -98,8 +99,6 @@ variable "oke_ocir" { # helm variable "helm" { type = object({ - add_incubator_repo = bool - add_jetstack_repo = bool helm_version = string install_helm = bool }) 
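Review bot: The section comment above the renamed `variable "oke_admin"` still reads `# bastion`, although the object now carries both bastion and admin fields; rename it to `# bastion and admin hosts`. The new `admin_instance_principal` field is declared here but, within the modules/oke hunks of this commit, nothing reads it — in particular `write_kubeconfig_on_admin`, whose script needs OCI credentials, does not gate on it; if it is meant to be consumed elsewhere in the module a short comment on the field saying so would help the next reader.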
diff --git a/modules/okenetwork/datasources.tf b/modules/okenetwork/datasources.tf index f1086221..985bd982 100644 --- a/modules/okenetwork/datasources.tf +++ b/modules/okenetwork/datasources.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl data "oci_core_services" "all_oci_services" { filter { diff --git a/modules/okenetwork/locals.tf b/modules/okenetwork/locals.tf index 647c1bd7..18adcf37 100644 --- a/modules/okenetwork/locals.tf +++ b/modules/okenetwork/locals.tf @@ -1,11 +1,11 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { # subnet cidrs - used by subnets - int_lb_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["lb"], var.oke_network_vcn.subnets["int_lb"]) - pub_lb_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["lb"], var.oke_network_vcn.subnets["pub_lb"]) - worker_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["workers"], var.oke_network_vcn.subnets["workers"]) + int_lb_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["lb"], var.oke_network_vcn.netnum["int_lb"]) + pub_lb_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["lb"], var.oke_network_vcn.netnum["pub_lb"]) + worker_subnet = cidrsubnet(var.oke_network_vcn.vcn_cidr, var.oke_network_vcn.newbits["workers"], var.oke_network_vcn.netnum["workers"]) # security rules locals - used by security all_protocols = "all" 
diff --git a/modules/okenetwork/outputs.tf b/modules/okenetwork/outputs.tf index fb4dfc53..1c6220b8 100644 --- a/modules/okenetwork/outputs.tf +++ b/modules/okenetwork/outputs.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl output "subnet_ids" { value = map( diff --git a/modules/okenetwork/security.tf b/modules/okenetwork/security.tf index bafd16a1..fe7aeb8e 100644 --- a/modules/okenetwork/security.tf +++ b/modules/okenetwork/security.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # public worker security checklist resource "oci_core_security_list" "public_workers_seclist" { diff --git a/modules/okenetwork/subnets.tf b/modules/okenetwork/subnets.tf index 211c27bc..913e0acf 100644 --- a/modules/okenetwork/subnets.tf +++ b/modules/okenetwork/subnets.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl resource "oci_core_subnet" "workers" { cidr_block = local.worker_subnet diff --git a/modules/okenetwork/variables.tf b/modules/okenetwork/variables.tf index 11df8765..0a88c5a7 100644 --- a/modules/okenetwork/variables.tf +++ b/modules/okenetwork/variables.tf 
@@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # Identity and access parameters @@ -22,8 +22,8 @@ variable "oke_network_vcn" { ig_route_id = string is_service_gateway_enabled = bool nat_route_id = string + netnum = map(number) newbits = map(number) - subnets = map(number) vcn_cidr = string vcn_id = string }) diff --git a/modules/policies/datasources.tf b/modules/policies/datasources.tf index f0869128..fce98038 100644 --- a/modules/policies/datasources.tf +++ b/modules/policies/datasources.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl data "oci_identity_tenancy" "tenancy" { tenancy_id = var.oci_identity.tenancy_id @@ -13,13 +13,13 @@ data "oci_identity_regions" "home_region" { } } -data "oci_identity_compartments" "compartments_name" { +data "oci_identity_compartments" "compartments_id" { access_level = "ACCESSIBLE" compartment_id = var.oci_identity.tenancy_id compartment_id_in_subtree = "true" filter { - name = "name" - values = [var.oci_identity.compartment_name] + name = "id" + values = [var.oci_identity.compartment_id] } } \ No newline at end of file diff --git a/modules/policies/groups.tf b/modules/policies/groups.tf index 90041db2..ec9e9537 100644 --- a/modules/policies/groups.tf +++ b/modules/policies/groups.tf 
@@ -1,8 +1,8 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 resource "oci_identity_dynamic_group" "oke-kms-cluster" {
- provider = "oci.home"
+ provider = oci.home
 compartment_id = var.oci_identity.tenancy_id
 description = "dynamic group to allow cluster to use kms"
 matching_rule = local.dynamic_group_rule_all_clusters
@@ -22,9 +22,13 @@ data "template_file" "update_dynamic_group_script" {
 dynamic_group_rule = local.dynamic_group_rule_this_cluster
 }
- depends_on = ["oci_identity_dynamic_group.oke-kms-cluster"]
+ depends_on = [oci_identity_dynamic_group.oke-kms-cluster]
+<<<<<<< HEAD
 count = (var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true) ? 1 : 0
+=======
+ count = var.oke_kms.use_encryption == true && var.admin.admin_enabled == true && var.admin.admin_instance_principal == true ? 1 : 0
+>>>>>>> c26d4b3... python3 and oci in admin host, using oci-cli to generate kubeconfig instead of uploading, sort all variables in alphabetical order, standard naming for enabled parameters, added additional checks to prevent locals in policies module looking up a dynamic group when instance_principal is not created and use_encryption=false and updated terraform.tfvars.example to remove unused bastion parameters, use compartment id instead of compartment name to write policy statement, update Kubernetes available versions in Terraform options doc, updated diagrams with admin host, kubeconfig v2 on admin host
 }
 resource null_resource "update_dynamic_group" {
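Review bot: The second hunk commits an unresolved merge conflict (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> c26d4b3...`) around the `count` of `data "template_file" "update_dynamic_group_script"`, so modules/policies/groups.tf no longer parses. Keep only the lower branch, `count = var.oke_kms.use_encryption == true && var.admin.admin_enabled == true && var.admin.admin_instance_principal == true ? 1 : 0`, and delete the three marker lines together with the upper `count`; the upper branch's `var.bastion.*` references cannot resolve anyway because this commit renames `variable "bastion"` to `variable "admin"` in modules/policies/variables.tf.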
@@ -33,14 +37,18 @@ resource null_resource "update_dynamic_group" { } connection { - host = var.bastion.bastion_public_ip + host = var.admin.admin_private_ip private_key = file(var.ssh_keys.ssh_private_key_path) timeout = "40m" type = "ssh" user = "opc" + + bastion_host = var.admin.bastion_public_ip + bastion_user = "opc" + bastion_private_key = file(var.ssh_keys.ssh_private_key_path) } - depends_on = ["oci_identity_dynamic_group.oke-kms-cluster", "oci_identity_policy.bastion_instance_principal_dynamic_group"] + depends_on = [oci_identity_dynamic_group.oke-kms-cluster, oci_identity_policy.admin_instance_principal_dynamic_group] provisioner "file" { content = data.template_file.update_dynamic_group_script[0].rendered diff --git a/modules/policies/locals.tf b/modules/policies/locals.tf index c3ce8eed..7d659e64 100644 --- a/modules/policies/locals.tf +++ b/modules/policies/locals.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { diff --git a/modules/policies/policies.tf b/modules/policies/policies.tf index b6d1a4fb..2037293c 100644 --- a/modules/policies/policies.tf +++ b/modules/policies/policies.tf 
@@ -1,17 +1,17 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
-resource "oci_identity_policy" "bastion_instance_principal_dynamic_group" {
- provider = "oci.home"
+resource "oci_identity_policy" "admin_instance_principal_dynamic_group" {
+ provider = oci.home
 compartment_id = var.oci_identity.tenancy_id
- description = "policy to allow bastion host to manage dynamic group"
- name = "${var.label_prefix}-bastion-instance-principal-dynamic-group"
+ description = "policy to allow admin host to manage dynamic group"
+ name = "${var.label_prefix}-admin-instance-principal-dynamic-group"
 statements = ["Allow dynamic-group ${var.dynamic_group} to use dynamic-groups in tenancy"]
 count = (var.oke_kms.use_encryption == true && var.bastion.create_bastion == true && var.bastion.enable_instance_principal == true) ? 1 : 0
 }
 resource "oci_identity_policy" "oke-kms" {
- provider = "oci.home"
+ provider = oci.home
 compartment_id = var.oci_identity.compartment_id
 description = "policy to allow instances to allow dynamic group ${var.label_prefix}-oke-kms-cluster to use kms"
 name = "${var.label_prefix}-oke-kms"
diff --git a/modules/policies/provider.tf b/modules/policies/provider.tf
index eb62b423..e7501f92 100644
--- a/modules/policies/provider.tf
+++ b/modules/policies/provider.tf
@@ -1,5 +1,5 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 # create a home region provider for identity operations
 provider "oci" {
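Review bot: The `count` of the renamed `admin_instance_principal_dynamic_group` policy still reads `var.bastion.create_bastion` and `var.bastion.enable_instance_principal`, but this commit renames the module variable to `admin` in modules/policies/variables.tf with fields `bastion_enabled`, `admin_enabled` and `admin_instance_principal`, so the module no longer validates. Replace it with `count = (var.oke_kms.use_encryption == true && var.admin.admin_enabled == true && var.admin.admin_instance_principal == true) ? 1 : 0`, which matches the condition used for the data source in groups.tf. Separately, the unchanged statement `Allow dynamic-group ${var.dynamic_group} to use dynamic-groups in tenancy` grants the admin host rights over every dynamic group in the tenancy even though the script it backs updates a single group; that is pre-existing, but a comment explaining why the grant is not scoped narrower would help reviewers.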
diff --git a/modules/policies/scripts/update_dynamic_group.template.sh b/modules/policies/scripts/update_dynamic_group.template.sh index dd8722b7..133de7e9 100644 --- a/modules/policies/scripts/update_dynamic_group.template.sh +++ b/modules/policies/scripts/update_dynamic_group.template.sh @@ -1,5 +1,5 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl oci iam dynamic-group update --dynamic-group-id ${dynamic_group_id} --matching-rule "${dynamic_group_rule}" diff --git a/modules/policies/variables.tf b/modules/policies/variables.tf index aff7491f..561ae5cd 100644 --- a/modules/policies/variables.tf +++ b/modules/policies/variables.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl # Identity and access parameters @@ -8,7 +8,6 @@ variable "oci_identity" { api_fingerprint = string api_private_key_path = string compartment_id = string - compartment_name = string tenancy_id = string user_id = string }) @@ -26,11 +25,13 @@ variable "ssh_keys" { variable "label_prefix" {} -variable "bastion" { +variable "admin" { type = object({ - bastion_public_ip = string - create_bastion = bool - enable_instance_principal = bool + bastion_public_ip = string + admin_private_ip = string + bastion_enabled = bool + admin_enabled = bool + admin_instance_principal = bool }) } diff --git a/outputs.tf b/outputs.tf index 82f3b58d..af073bd5 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,10 +1,18 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl output "bastion_public_ip" { value = module.base.bastion_public_ip } +output "admin_private_ip" { + value = module.base.admin_private_ip +} + +output "ssh_to_admin" { + value = module.base.ssh_to_admin +} + output "ssh_to_bastion" { value = module.base.ssh_to_bastion } @@ -16,4 +24,4 @@ output "kubeconfig" { output "ocirtoken" { value = module.auth.ocirtoken sensitive = true -} \ No newline at end of file +} diff --git a/provider.tf b/provider.tf index 67c79dec..190c2f85 100644 --- a/provider.tf +++ b/provider.tf @@ -1,5 +1,5 @@ # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl provider "oci" { tenancy_ocid = var.tenancy_id diff --git a/scripts/dashboard.sh b/scripts/dashboard.sh index c92489b5..92cf78b4 100644 --- a/scripts/dashboard.sh +++ b/scripts/dashboard.sh @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl export KUBECONFIG=generated/kubeconfig diff --git a/terraform.tfvars.example b/terraform.tfvars.example index f852fde7..212ade40 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example 
@@ -1,22 +1,15 @@ -# Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved. -# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl - # Identity and access parameters api_fingerprint = "" api_private_key_path = "" -compartment_name = "" - compartment_id = "" tenancy_id = "" user_id = "" -# ssh keys - ssh_private_key_path = "" ssh_public_key_path = "" 
@@ -28,68 +21,101 @@ region = "us-phoenix-1"
 # networking
-newbits = {
- "bastion" = 13
- "lb" = 11
- "workers" = 2
+nat_gateway_enabled = true
+
+netnum = {
+ admin = 33
+ bastion = 32
+ int_lb = 16
+ pub_lb = 17
+ workers = 1
 }
-subnets = {
- "bastion" = 32
- "int_lb" = 16
- "pub_lb" = 17
- "workers" = 1
+newbits = {
+ admin = 13
+ bastion = 13
+ lb = 11
+ workers = 2
 }
+service_gateway_enabled = true
+
 vcn_cidr = "10.0.0.0/16"
 vcn_dns_label = "oke"
 vcn_name = "oke vcn"
-create_nat_gateway = true
-nat_gateway_name = "nat"
+# bastion
-create_service_gateway = true
+bastion_access = "ANYWHERE"
-service_gateway_name = "sg"
+bastion_enabled = true
-# bastion
+bastion_image_id = "NONE"
+
+bastion_notification_enabled = true
+
+bastion_notification_endpoint = ""
+
+bastion_notification_protocol = "EMAIL"
+
+bastion_notification_topic= "bastion_server_notification"
+
+bastion_package_upgrade = false
 bastion_shape = "VM.Standard.E2.1"
-create_bastion = true
+bastion_timezone = "Australia/Sydney"
-bastion_access = "ANYWHERE"
+bastion_use_autonomous = true
+
+admin_enabled = true
+
+admin_image_id = "NONE"
+
+admin_instance_principal = true
-enable_instance_principal = false
+admin_notification_enabled = false
+
+admin_notification_endpoint = ""
+
+admin_notification_protocol = "EMAIL"
+
+admin_notification_topic= "admin_server_notification"
+
+admin_package_upgrade = true
+
+admin_shape = "VM.Standard.E2.1"
+
+admin_timezone= "Australia/Sydney"
+
+admin_use_autonomous = false
 # availability_domains
-# which AD where to place non-OKE resources
 availability_domains = {
- "bastion" = 1
+ bastion = 1
+ admin = 1
 }
-bastion_package_upgrade = true
-
 # oke
-cluster_name = "oke"
-
-worker_mode = "private"
-
 allow_node_port_access = false
 allow_worker_ssh_access = false
-dashboard_enabled = true
+cluster_name = "oke"
+
+dashboard_enabled = "true"
 kubernetes_version = "LATEST"
 node_pools = {
- "np1" = ["VM.Standard2.1", 1]
+ np1 = ["VM.Standard2.1", 3]
+ #np2 = ["VM.Standard2.8", 4]
+ #np3 = ["VM.Standard1.4", 5]
 }
 node_pool_name_prefix = "np"
@@ -98,16 +124,15 @@ node_pool_image_id = "NONE"
 node_pool_os = "Oracle Linux"
-node_pool_os_version = "7.6"
+node_pool_os_version = "7.7"
 pods_cidr = "10.244.0.0/16"
 services_cidr = "10.96.0.0/16"
-tiller_enabled = true
+worker_mode = "private"
 # oke load balancers
-
 lb_subnet_type = "public"
 preferred_lb_subnets = "public"
@@ -122,14 +147,9 @@ tenancy_name = ""
 username = ""
 # helm
+helm_version = "3.0.0"
-add_incubator_repo = false
-
-add_jetstack_repo = false
-
-helm_version = "2.14.3"
-
-install_helm = true
+install_helm = false
 # calico
@@ -140,7 +160,6 @@ install_calico = false
 #metrics server
 install_metricserver = false
-# kms
 use_encryption = false
 existing_key_id = ""
diff --git a/variables.tf b/variables.tf
index b6342ae3..c136b879 100644
--- a/variables.tf
+++ b/variables.tf
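Review bot: `dashboard_enabled = "true"` in the example is a quoted string while this same commit declares the variable as `type = bool` in variables.tf; write it as `dashboard_enabled = true` so the example matches the declared type instead of relying on implicit conversion. The example also pairs `admin_instance_principal = true` with `bastion_access = "ANYWHERE"`, so the sample configuration grants the admin host instance-principal API access behind a bastion that accepts SSH from any source; a comment above `admin_instance_principal` naming the policies the host is expected to receive, or a narrower sample CIDR for `bastion_access`, would make that trade-off visible to anyone copying the file. `bastion_notification_topic=` and `admin_timezone=` are missing the space before `=` that every other assignment has (terraform fmt would fix both).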
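Review bot: The `# kms` section header is dropped while `use_encryption` and `existing_key_id` stay in place, leaving this the only group in the example without a heading (`#metrics server` just above keeps its own). Restoring the one-line comment `# kms` above `use_encryption = false` keeps the example aligned with the `# kms` heading that variables.tf still carries in this commit.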
@@ -1,161 +1,259 @@
 # Copyright 2017, 2019, Oracle Corporation and/or affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 # Identity and access parameters
 variable "api_fingerprint" {
 description = "fingerprint of oci api private key"
+ type = string
 }
 variable "api_private_key_path" {
 description = "path to oci api private key"
-}
-
-variable "compartment_name" {
- type = "string"
- description = "compartment name"
+ type = string
 }
 variable "compartment_id" {
- type = "string"
 description = "compartment id"
+ type = string
 }
 variable "tenancy_id" {
- type = "string"
 description = "tenancy id"
+ type = string
 }
 variable "user_id" {
- type = "string"
 description = "user id"
+ type = string
 }
 # ssh keys
 variable "ssh_private_key_path" {
 description = "path to ssh private key"
+ type = string
 }
 variable "ssh_public_key_path" {
 description = "path to ssh public key"
+ type = string
 }
 # general oci parameters
 variable "disable_auto_retries" {
 default = true
+ type = bool
 }
 variable "label_prefix" {
- type = "string"
- default = "oke"
+ description = "a string that will be prependend to all resources"
+ default = "oke"
+ type = string
 }
 variable "region" {
 # List of regions: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm#ServiceAvailabilityAcrossRegions
 description = "region"
 default = "us-phoenix-1"
+ type = string
 }
 # networking parameters
+
+variable "nat_gateway_enabled" {
+ description = "whether to create a nat gateway"
+ default = true
+ type = bool
+}
+
+variable "netnum" {
+ description = "zero-based index of the subnet when the network is masked with the newbit."
+ default = {
+ admin = 33
+ bastion = 32
+ int_lb = 16
+ pub_lb = 17
+ workers = 1
+ }
+ type = map
+}
+
 variable "newbits" {
- type = "map"
 description = "new mask for the subnet within the virtual network. use as newbits parameter for cidrsubnet function"
-
 default = {
+ admin = 13
 bastion = 13
 lb = 11
 workers = 2
 }
+ type = map
+}
+
+variable "service_gateway_enabled" {
+ description = "whether to create a service gateway"
+ default = true
+ type = bool
 }
 variable "vcn_cidr" {
- type = "string"
 description = "cidr block of VCN"
 default = "10.0.0.0/16"
+ type = string
 }
 variable "vcn_dns_label" {
- type = "string"
 default = "oke"
+ type = string
 }
 variable "vcn_name" {
- type = "string"
 description = "name of vcn"
 default = "oke vcn"
+ type = string
 }
-# nat
-variable "create_nat_gateway" {
- description = "whether to create a nat gateway"
+# bastion
+variable "bastion_access" {
+ description = "cidr from where the bastion can be sshed into. Default is ANYWHERE and equivalent to 0.0.0.0/0"
+ default = "ANYWHERE"
+ type = string
+}
+
+variable "bastion_enabled" {
+ description = "whether to create a bastion host"
 default = true
+ type = bool
 }
-variable "nat_gateway_name" {
- description = "display name of the nat gateway"
- default = "nat"
+variable "bastion_image_id" {
+ description = "image id to use for bastion."
+ default = "NONE"
+ type = string
 }
-# service gateway
-variable "create_service_gateway" {
- description = "whether to create a service gateway"
+variable "bastion_notification_enabled" {
+ description = "Whether to enable notification on the bastion host"
 default = true
+ type = bool
 }
-variable "service_gateway_name" {
- description = "name of service gateway"
- default = "sg"
+variable "bastion_notification_endpoint" {
+ description = "The subscription notification endpoint for the bastion. Email address to be notified."
+ default = ""
+ type = string
 }
-variable "subnets" {
- description = "zero-based index of the subnet when the network is masked with the newbit."
- type = "map"
+variable "bastion_notification_protocol" {
+ description = "The notification protocol used."
+ default = "EMAIL"
+ type = string
+}
- default = {
- bastion = 32
- int_lb = 16
- pub_lb = 17
- workers = 1
- }
+variable "bastion_notification_topic" {
+ description = "The name of the notification topic."
+ default = "bastion"
+ type = string
+}
+
+variable "bastion_package_upgrade" {
+ description = "Whether to upgrade the bastion host packages after provisioning. It’s useful to set this to false during development so the bastion is provisioned faster."
+ default = true
+ type = bool
 }
-# bastion
 variable "bastion_shape" {
 description = "shape of bastion instance"
 default = "VM.Standard.E2.1"
+ type = string
 }
-variable "create_bastion" {
- default = true
+variable "bastion_timezone" {
+ description = "The preferred timezone for the bastion host."
+ default = "Australia/Sydney"
+ type = string
 }
-variable "bastion_access" {
- description = "cidr from where the bastion can be sshed into. Default is ANYWHERE and equivalent to 0.0.0.0/0"
- default = "ANYWHERE"
+variable "bastion_use_autonomous" {
+ description = "Whether to use Autonomous Linux or an Oracle Linux Platform image or custom image. Set to false if you want to use your own image id or Oracle Linux Platform image."
+ default = true
+ type = bool
 }
-variable "enable_instance_principal" {
- description = "enable the bastion hosts to call OCI API services without requiring api key"
+# admin server
+
+variable "admin_enabled" {
+ description = "whether to create an admin server in a private subnet"
+ default = true
+ type = bool
+}
+
+variable "admin_image_id" {
+ description = "image id to use for admin server."
+ default = "NONE"
+ type = string
+}
+
+variable "admin_instance_principal" {
+ description = "enable the admin server host to call OCI API services without requiring api key"
+ default = true
+ type = bool
+}
+
+variable "admin_notification_enabled" {
+ description = "Whether to enable notification on the admin host"
 default = false
+ type = bool
+}
+
+variable "admin_notification_endpoint" {
+ description = "The subscription notification endpoint for the admin. Email address to be notified."
+ default = ""
+ type = string
+}
+
+variable "admin_notification_protocol" {
+ description = "The notification protocol used."
+ default = "EMAIL"
+ type = string
+}
+
+variable "admin_notification_topic" {
+ description = "The name of the notification topic."
+ default = "admin"
+ type = string
+}
+
+variable "admin_package_upgrade" {
+ description = "Whether to upgrade the bastion host packages after provisioning. It’s useful to set this to false during development so the bastion is provisioned faster."
+ default = true
+ type = bool
+}
+
+variable "admin_shape" {
+ description = "shape of admin server instance"
+ default = "VM.Standard.E2.1"
+ type = string
 }
-variable "image_id" {
- default = "NONE"
+variable "admin_timezone" {
+ default = "Australia/Sydney"
+ description = "The preferred timezone for the admin host."
+ type = string
+}
+
+variable "admin_use_autonomous" {
+ description = "Whether to use Autonomous Linux or an Oracle Linux Platform image or custom image. Set to false if you want to use your own image id or Oracle Linux Platform image."
+ default = true
+ type = bool
 }
 # availability domains
 variable "availability_domains" {
 description = "ADs where to provision non-OKE resources"
- type = "map"
-
 default = {
 bastion = 1
+ admin = 1
 }
-}
-
-variable "bastion_package_upgrade" {
- description = "Upgrade the instance on first boot"
- type = bool
- default = true
+ type = map
 }
 # oke
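Review bot: `admin_instance_principal` defaults to `true`, whereas the `enable_instance_principal` variable it replaces defaulted to `false` (that old ` default = false` survives as a context line under `admin_notification_enabled`); since the description itself says the host can then call OCI API services without an api key, the safer default is opt-in, `default = false`, with the description stating which policies the host is expected to be granted. The `admin_package_upgrade` description is a copy of the bastion one ("upgrade the bastion host packages … so the bastion is provisioned faster") and should read "Whether to upgrade the admin host packages after provisioning. Set to false during development so the admin host is provisioned faster." `bastion_notification_enabled` defaults to `true` while `bastion_notification_endpoint` defaults to `""`, so a default apply presumably attempts a subscription with an empty endpoint; either default the flag to `false` or document that the endpoint is required when it is enabled. `netnum`, `newbits` and `availability_domains` use the bare `type = map` while `node_pools` and `ocir_urls` use `map(any)`/`map(string)`; `map(number)` would state the expected element type and match the rest of the file.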
@@ -163,71 +261,78 @@ variable "bastion_package_upgrade" {
 variable "allow_node_port_access" {
 description = "whether to allow access to NodePorts when worker nodes are deployed in public mode"
 default = false
+ type = bool
 }
 variable "allow_worker_ssh_access" {
 description = "whether to allow ssh access to worker nodes when worker nodes are deployed in public mode"
 default = false
+ type = bool
 }
 variable "cluster_name" {
 description = "name of oke cluster"
 default = "oke"
+ type = string
 }
 variable "dashboard_enabled" {
 description = "whether to enable kubernetes dashboard"
 default = true
+ type = bool
 }
 variable "kubernetes_version" {
 description = "version of kubernetes to use"
 default = "LATEST"
+ type = string
 }
 variable "node_pools" {
+ description = "tuple node pools. each key maps to a node pool. each value is a tuple of shape (string) and size(number)"
 type = map(any)
- description = "number of node pools"
 }
 variable "node_pool_name_prefix" {
 description = "prefix of node pool name"
 default = "np"
+ type = string
 }
 variable "node_pool_image_id" {
 description = "OCID of custom image to use for worker node"
 default = "NONE"
+ type = string
 }
 variable "node_pool_os" {
 description = "name of image to use"
 default = "Oracle Linux"
+ type = string
 }
 variable "node_pool_os_version" {
 description = "version of image Operating System to use"
- default = "7.6"
+ default = "7.7"
+ type = string
 }
 variable "pods_cidr" {
 description = "This is the CIDR range used for IP addresses by your pods. A /16 CIDR is generally sufficient. This CIDR should not overlap with any subnet range in the VCN (it can also be outside the VCN CIDR range)."
 default = "10.244.0.0/16"
+ type = string
 }
 variable "services_cidr" {
 description = "This is the CIDR range used by exposed Kubernetes services (ClusterIPs). This CIDR should not overlap with the VCN CIDR range."
 default = "10.96.0.0/16"
-}
-
-variable "tiller_enabled" {
- description = "whether to enable tiller"
- default = true
+ type = string
 }
 variable "worker_mode" {
 description = "whether to provision public or private workers"
 default = "private"
+ type = string
 }
 # oke load balancers
@@ -236,6 +341,7 @@ variable "lb_subnet_type" {
 description = "type of load balancer subnets to create."
 # values: both, internal, public
 default = "public"
+ type = string
 }
 variable "preferred_lb_subnets" {
@@ -243,6 +349,7 @@ variable "preferred_lb_subnets" {
 # values: public, internal.
 # When creating an internal load balancer, the internal annotation must still be specified regardless
 default = "public"
+ type = string
 }
 # ocir
@@ -250,18 +357,18 @@ variable "preferred_lb_subnets" {
 variable "create_auth_token" {
 description = "whether to create an auth token to use with OCIR"
 default = false
+ type = bool
 }
 variable "email_address" {
 description = "email address used for OCIR"
 default = ""
+ type = string
 }
 variable "ocir_urls" {
 # Region and region codes: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm#ServiceAvailabilityAcrossRegions
 description = "urls of ocir"
- type = "map"
-
 default = {
 ap-sydney-1 = "syd.ocir.io"
 ap-mumbai-1 = "bom.ocir.io"
@@ -275,78 +382,81 @@ variable "ocir_urls" {
 us-ashburn-1 = "iad.ocir.io"
 us-phoenix-1 = "phx.ocir.io"
 }
+ type = map(string)
 }
 variable "tenancy_name" {
 description = "tenancy name"
 default = ""
+ type = string
 }
 variable "username" {
 description = "username to access OCIR"
 default = ""
+ type = string
 }
 # helm
-variable "add_incubator_repo" {
- description = "whether to add incubator repo"
- default = false
-}
-
-variable "add_jetstack_repo" {
- description = "whether to add jetstack repo. Required for cert-manager"
- default = false
-}
-
 variable "helm_version" {
 description = "version of helm to install"
- default = "2.14.3"
+ default = "3.0.0"
+ type = string
 }
 variable "install_helm" {
 description = "whether to install helm client on the bastion"
 default = false
+ type = bool
 }
 # calico
 variable "calico_version" {
 description = "version of calico to install"
 default = "3.9"
+ type = string
 }
 variable "install_calico" {
 description = "whether to install calico for network pod security policy"
 default = false
+ type = bool
 }
 variable "install_metricserver" {
 description = "whether to install metricserver for collecting metrics and for HPA"
 default = false
+ type = bool
 }
 # kms
 variable "use_encryption" {
 description = "whether to use OCI Key Management to encrypt data"
- default = false
+ default = false
+ type = bool
 }
 variable "use_existing_vault" {
 description = "whether to use an existing vault to create an encryption key"
- default = true
+ default = true
+ type = bool
 }
 variable "existing_vault_id" {
 description = "id of existing vault to use to create an encryption key"
- default = ""
+ default = ""
+ type = string
 }
 variable "use_existing_key" {
 description = "whether to use an existing key for encryption"
- default = false
+ default = false
+ type = bool
 }
 variable "existing_key_id" {
 description = "id of existing key"
- default = ""
-}
\ No newline at end of file
+ default = ""
+ type = string
+}
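Review bot: `install_helm` keeps the description "whether to install helm client on the bastion" even though this commit introduces a separate admin host that holds the instance principal, so the wording is presumably stale; if the client is now installed on the admin host, change it to `description = "whether to install helm client on the admin host"`. `helm_version` still says only "version of helm to install" while its default jumps from 2.14.3 to 3.0.0 and the incubator/jetstack repo variables are removed in the same hunk; a short comment next to the default, such as `# Helm 3.x only; the 2.x repo variables were removed`, would tell readers that 2.x values are no longer supported here.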