 
 


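variable "instance_shape" {
  # Declared as string so a wrongly-shaped override is rejected at plan time
  # instead of surfacing as an opaque API error.
  description = "Compute shape for every instance. VM.Standard.E2.1.Micro is the Always Free tier shape."
  type        = string
  default     = "VM.Standard.E2.1.Micro"
}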
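variable "instance_image_ocid" {
  description = "OS image OCID per OCI region, keyed by region name. Only uk-london-1 is populated."
  # `map(string)` rather than the bare legacy `map` keyword, which is
  # deprecated in Terraform 0.12+ and does not constrain the element type.
  type = map(string)
  default = {
    # See https://docs.cloud.oracle.com/en-us/iaas/images/image/cc81a889-bc7f-4b70-b8e7-0503812665be/
    # Oracle-provided image "Canonical-Ubuntu-20.04-2020.07.16-0"
    # NOTE(review): pinned to a July-2020 image build. Pinning is the right
    # call for reproducible rebuilds, but this OCID should be bumped
    # periodically so fresh instances do not start from a stale patch baseline.
    uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaasjs2ybnm22vx5ui7cklmnlobmweslpryhyvkjpiouchgtilpeypa"
  }
}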
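variable "region" {
  # Expected to match a key of instance_image_ocid; an unmapped region would
  # only fail at lookup time.
  description = "OCI region identifier for this deployment."
  type        = string
  default     = "uk-london-1"
}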
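variable "free_availability_domain" {
  # The "JnpY:" prefix appears to be tenancy-specific, so this default will
  # need overriding when the module is applied against another tenancy.
  description = "Availability domain used for the free-tier instances."
  type        = string
  default     = "JnpY:UK-LONDON-1-AD-2"
}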
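variable "vcn_cidr" {
  # Both subnets below are carved out of this range, and both security lists
  # allow all traffic sourced from it, so widening it widens the trust zone.
  description = "CIDR block of the London VCN."
  type        = string
  default     = "10.103.0.0/16"
}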
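variable "ssh-https_cidr" {
  # Must lie inside vcn_cidr; holds the load balancers and monitoring host.
  description = "CIDR of the subnet exposing SSH (admin-only), HTTPS and the UDP/4004 listener."
  type        = string
  default     = "10.103.3.0/24"
}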
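variable "sshonly_cidr" {
  # Must lie inside vcn_cidr; holds the kube workers and matrix bridges.
  description = "CIDR of the subnet exposing SSH (admin-only) and the UDP/4004 listener, but no HTTPS."
  type        = string
  default     = "10.103.4.0/24"
}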
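variable "lon_instances_ips" {
  description = "Fixed private IP per instance name, split into a green and a blue set. Empty string = not yet allocated."
  # map(string) so a non-string value is rejected at plan time.
  type = map(string)
  default = {
    ## green
    # SSH+WG+HTTPS  (ssh-https subnet, 10.103.3.0/24)
    lon-lb-g0  = "10.103.3.10"
    lon-lb-g1  = "10.103.3.12"
    lon-mon-g0 = "10.103.3.14"
    # SSH+WG  (sshonly subnet, 10.103.4.0/24)
    lon-matrix-bridges-g0 = "10.103.4.26"
    lon-kubeworker-g0     = "10.103.4.10"
    lon-kubeworker-g1     = "10.103.4.11"
    ## blue
    # NOTE(review): the blue entries are empty placeholders. Anything that
    # feeds one of these straight into a private-IP resource will fail
    # validation on "" — confirm the consumers (not in this file) skip empties.
    # SSH+WG+HTTPS
    lon-lb-b0  = ""
    lon-lb-b1  = ""
    lon-mon-b0 = ""
    # SSH+WG
    lon-matrix-bridges-b0 = ""
    lon-kubeworker-b0     = ""
    lon-kubeworker-b1     = ""
  }
}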
resource "oci_core_vcn" "lon1_vcn" {
  # The single London VCN; both subnets, the internet gateway, the route
  # table and both security lists below attach to it.
  compartment_id = var.compartment_ocid
  display_name   = "oci-lon1"
  dns_label      = "sudois"
  cidr_block     = var.vcn_cidr
}
resource "oci_core_subnet" "sshonly" {
  # "SSH + WireGuard only" tier (kube workers and matrix bridges, per
  # lon_instances_ips). Guarded by the "ssh" security list — which, despite
  # its name, also admits 4004/udp from anywhere.
  # NOTE(review): prohibit_public_ip_on_vnic is left at its default, so VNICs
  # in this subnet can still be given public addresses. That looks intended
  # (admin-SSH rules plus the 0.0.0.0/0 route), but confirm it is deliberate.
  vcn_id            = oci_core_vcn.lon1_vcn.id
  compartment_id    = var.compartment_ocid
  cidr_block        = var.sshonly_cidr
  display_name      = "sshonly"
  dns_label         = "sshonly"
  dhcp_options_id   = oci_core_vcn.lon1_vcn.default_dhcp_options_id
  security_list_ids = [oci_core_security_list.ssh.id]
}
resource "oci_core_subnet" "ssh-https" {
  # Public-facing tier (load balancers and monitoring, per lon_instances_ips).
  # Guarded by the "ssh-https" security list: 443/tcp and 4004/udp from
  # anywhere, 22/tcp only from the admin addresses.
  # The dns_label ("internet") does not match the display_name ("sshhttps");
  # purely cosmetic, and changing a dns_label generally forces the subnet to
  # be replaced, so it is left as is.
  vcn_id            = oci_core_vcn.lon1_vcn.id
  compartment_id    = var.compartment_ocid
  cidr_block        = var.ssh-https_cidr
  display_name      = "sshhttps"
  dns_label         = "internet"
  dhcp_options_id   = oci_core_vcn.lon1_vcn.default_dhcp_options_id
  security_list_ids = [oci_core_security_list.ssh-https.id]
}
resource "oci_core_internet_gateway" "lon1_ig" {
  # Default route target for both subnets (see route0). Every instance with
  # a public IP is therefore directly internet-reachable, subject only to the
  # security lists and the in-guest firewall.
  vcn_id         = oci_core_vcn.lon1_vcn.id
  compartment_id = var.compartment_ocid
  display_name   = "lon1"
}
resource "oci_core_route_table" "route0" {
  # Shared by both subnets: the WireGuard range goes via the matrix-bridges
  # host, everything else straight out through the internet gateway.
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.lon1_vcn.id
  display_name   = "route0"

  # NOTE(review): steering a CIDR at an instance private IP only works if that
  # VNIC has source/destination checking disabled and the guest forwards
  # packets; both are configured wherever lon-matrix-bridges-g0 is defined
  # (not in this file) — confirm.
  route_rules {
    destination_type  = "CIDR_BLOCK"
    destination       = var.wg_cidr
    network_entity_id = oci_core_private_ip.lon-matrix-bridges-g0.id
  }
  route_rules {
    destination_type  = "CIDR_BLOCK"
    destination       = "0.0.0.0/0"
    network_entity_id = oci_core_internet_gateway.lon1_ig.id
  }
}
resource "oci_core_route_table_attachment" "sshonly" {
  # Bind the shared route table to the SSH-only subnet.
  route_table_id = oci_core_route_table.route0.id
  subnet_id      = oci_core_subnet.sshonly.id
}
resource "oci_core_route_table_attachment" "ssh-https" {
  # Bind the shared route table to the public-facing subnet.
  route_table_id = oci_core_route_table.route0.id
  subnet_id      = oci_core_subnet.ssh-https.id
}
# Opening a port in the security list is not sufficient on its own: the
# Oracle-provided images ship with an in-guest firewall that only admits
# port 22, so each extra port must also be opened on the host:
# https://stackoverflow.com/questions/54794217/opening-port-80-on-oracle-cloud-infrastructure-compute-node
# quick hack, run on the instance (matches the 443/tcp and 4004/udp rules below):
# apt: firewalld
# sudo firewall-cmd --zone=public --permanent --add-port=443/tcp
# sudo firewall-cmd --zone=public --permanent --add-port=4004/udp
# sudo firewall-cmd --reload
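resource "oci_core_security_list" "ssh-https" {
  # Security list for the public-facing "ssh-https" subnet (load balancers,
  # monitoring): HTTPS and UDP/4004 from anywhere, SSH only from the admin
  # addresses. Rule descriptions are set so the console shows intent.
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.lon1_vcn.id
  display_name   = "ssh-https"

  # Unrestricted egress. Acceptable for a small deployment, but a compromised
  # instance can then reach anything; restrict if egress control ever matters.
  egress_security_rules {
    description = "all outbound"
    destination = "0.0.0.0/0"
    protocol    = "all"
  }

  # Any host inside the VCN may reach any port here. This is a broad
  # lateral-movement allowance between the two subnets — narrow it to the
  # ports actually in use if the subnets are not meant to be fully trusted peers.
  ingress_security_rules {
    description = "anything from inside the VCN"
    protocol    = "all"
    source      = var.vcn_cidr
  }

  # 22/tcp from each admin address only. A single dynamic block replaces the
  # copy-pasted per-address rules so that adding or removing an admin source
  # is a one-line change (and cannot drift between rules). List order is
  # preserved, so the generated rules match the previous hand-written ones.
  dynamic "ingress_security_rules" {
    for_each = [local.mainframe_ip, local.freespace_ip]
    content {
      description = "ssh from admin ${ingress_security_rules.value}"
      protocol    = "6" // tcp
      source      = "${ingress_security_rules.value}/32"
      stateless   = false
      tcp_options {
        source_port_range {
          min = 1
          max = 65535
        }
        min = 22
        max = 22
      }
    }
  }

  # Public HTTPS for the load balancers.
  ingress_security_rules {
    description = "https from anywhere"
    protocol    = "6" // tcp
    source      = "0.0.0.0/0"
    stateless   = false
    tcp_options {
      source_port_range {
        min = 1
        max = 65535
      }
      min = 443
      max = 443
    }
  }

  # 4004/udp from anywhere — presumably the WireGuard listener (the subnet
  # comments list "SSH+WG+HTTPS"); if so, peers are authenticated by key and
  # a world-reachable listener is the normal deployment.
  ingress_security_rules {
    description = "udp/4004 (wireguard) from anywhere"
    protocol    = "17" // udp
    source      = "0.0.0.0/0"
    stateless   = false
    udp_options {
      source_port_range {
        min = 1
        max = 65535
      }
      // These values correspond to the destination port range.
      min = 4004
      max = 4004
    }
  }
}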
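resource "oci_core_security_list" "ssh" {
  # Security list for the "sshonly" subnet (kube workers, matrix bridges).
  # Same as "ssh-https" minus the public 443/tcp rule. Note the name is
  # narrower than the reality: 4004/udp is still open from anywhere.
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.lon1_vcn.id
  display_name   = "ssh"

  # Unrestricted egress. Acceptable for a small deployment, but a compromised
  # instance can then reach anything; restrict if egress control ever matters.
  egress_security_rules {
    description = "all outbound"
    destination = "0.0.0.0/0"
    protocol    = "all"
  }

  # Any host inside the VCN may reach any port here. This is a broad
  # lateral-movement allowance between the two subnets — narrow it to the
  # ports actually in use if the subnets are not meant to be fully trusted peers.
  ingress_security_rules {
    description = "anything from inside the VCN"
    protocol    = "all"
    source      = var.vcn_cidr
  }

  # 22/tcp from each admin address only. A single dynamic block replaces the
  # copy-pasted per-address rules so that adding or removing an admin source
  # is a one-line change (and cannot drift between this list and ssh-https).
  # List order is preserved, so the generated rules match the previous ones.
  dynamic "ingress_security_rules" {
    for_each = [local.mainframe_ip, local.freespace_ip]
    content {
      description = "ssh from admin ${ingress_security_rules.value}"
      protocol    = "6" // tcp
      source      = "${ingress_security_rules.value}/32"
      stateless   = false
      tcp_options {
        source_port_range {
          min = 1
          max = 65535
        }
        min = 22
        max = 22
      }
    }
  }

  # 4004/udp from anywhere — presumably the WireGuard listener (the subnet
  # comments list "SSH+WG"); if so, peers are authenticated by key and a
  # world-reachable listener is the normal deployment.
  ingress_security_rules {
    description = "udp/4004 (wireguard) from anywhere"
    protocol    = "17" // udp
    source      = "0.0.0.0/0"
    stateless   = false
    udp_options {
      source_port_range {
        min = 1
        max = 65535
      }
      // These values correspond to the destination port range.
      min = 4004
      max = 4004
    }
  }
}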
resource "oci_core_public_ip" "float" {
  # Reserved (lifetime-stable) public address that the lon-lb DNS record
  # points at. private_ip_id is intentionally not set here, so the address is
  # allocated but unattached until something else binds it to a VNIC —
  # presumably the active load balancer (green/blue switch); confirm where.
  #private_ip_id = oci_core_private_ip.lon3.id
  compartment_id = var.compartment_ocid
  display_name   = "float"
  lifetime       = "RESERVED"
}
resource "cloudflare_record" "oci_float" {
  # lon-lb.<zone> -> the reserved floating IP. `proxied` is not set, so this
  # is a DNS-only record: the origin's public address is published directly.
  # That is required for SSH/UDP-4004 to reach it, but it also means nothing
  # sits in front of 443. The short TTL keeps a green/blue IP swap quick.
  zone_id = cloudflare_zone.sudois.id
  name    = "lon-lb"
  type    = "A"
  ttl     = 60
  value   = oci_core_public_ip.float.ip_address
}