Add sec groups

2025-11-01 18:58:39 +00:00 · 2021-12-15 23:14:57 +02:00
parent 91f021c7f1
commit b417b11295
8 changed files with 315 additions and 0 deletions
--- a/oracle/auth.tf
+++ b/oracle/auth.tf
@@ -0,0 +1,13 @@
+
+# openssl genrsa -out ~/.oci/oci_api_key.pem 2048
+# chmod go-rwx ~/.oci/oci_api_key.pem
+# openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
+
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  fingerprint      = var.fingerprint
+  private_key_path = "~/.oci/oci_api_key.pem"
+
+  region = var.region
+}
--- a/oracle/common.tf
+++ b/oracle/common.tf
@@ -0,0 +1,32 @@
+
+data "oci_core_images" "talos_x64" {
+  compartment_id   = var.compartment_ocid
+  operating_system = "Canonical Ubuntu"
+  # operating_system_version = "20.04"
+  state   = "AVAILABLE"
+  sort_by = "TIMECREATED"
+
+  # filter {
+  #   name   = "launch_mode"
+  #   values = ["NATIVE"]
+  #   regex  = true
+  # }
+  # filter {
+  #   name   = "display_name"
+  #   values = ["Linux"]
+  #   regex  = true
+  # }
+  # filter {
+  #   name   = "network_type"
+  #   values = ["VFIO"]
+  # }
+}
+
+data "oci_core_image_shapes" "talos_x64" {
+  image_id = data.oci_core_images.talos_x64.images[0].id
+}
+
+data "oci_identity_fault_domains" "fault_domains" {
+  compartment_id      = var.compartment_ocid
+  availability_domain = local.network_public["jNdv:eu-amsterdam-1-AD-1"].availability_domain
+}
--- a/oracle/instances-controlplane.tf
+++ b/oracle/instances-controlplane.tf
--- a/oracle/network-lb.tf
+++ b/oracle/network-lb.tf
@@ -0,0 +1,33 @@
+
+resource "oci_network_load_balancer_network_load_balancer" "contolplane" {
+  compartment_id             = var.compartment_ocid
+  display_name               = "${local.project}-contolplane-lb"
+  subnet_id                  = local.network_lb.id
+  network_security_group_ids = [local.nsg_contolplane_lb]
+
+  is_preserve_source_destination = false
+  is_private                     = true
+}
+
+resource "oci_network_load_balancer_listener" "contolplane" {
+  default_backend_set_name = oci_network_load_balancer_backend_set.contolplane.name
+
+  name                     = "${local.project}-contolplane"
+  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.contolplane.id
+  port                     = 80
+  protocol                 = "TCP"
+}
+
+resource "oci_network_load_balancer_backend_set" "contolplane" {
+  name                     = "${local.project}-contolplane"
+  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.contolplane.id
+  policy                   = "FIVE_TUPLE"
+  is_preserve_source       = false
+
+  health_checker {
+    protocol    = "HTTP"
+    port        = 80
+    url_path    = "/"
+    return_code = 200
+  }
+}
--- a/oracle/prepare/network-secgroup.tf
+++ b/oracle/prepare/network-secgroup.tf
@@ -0,0 +1,164 @@
+
+resource "oci_core_network_security_group" "cilium" {
+  display_name   = "${var.project}-cilium"
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.main.id
+}
+resource "oci_core_network_security_group_security_rule" "cilium_vxvlan" {
+  network_security_group_id = oci_core_network_security_group.cilium.id
+
+  protocol  = "17"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  udp_options {
+  }
+}
+resource "oci_core_network_security_group_security_rule" "cilium_health" {
+  network_security_group_id = oci_core_network_security_group.cilium.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 4240
+      max = 4240
+    }
+  }
+}
+
+resource "oci_core_network_security_group" "talos" {
+  display_name   = "${var.project}-talos"
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.main.id
+}
+
+resource "oci_core_network_security_group_security_rule" "talos" {
+  network_security_group_id = oci_core_network_security_group.talos.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 50000
+      max = 50001
+    }
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "admin_ssh" {
+  network_security_group_id = oci_core_network_security_group.talos.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 22
+      max = 22
+    }
+  }
+}
+
+resource "oci_core_network_security_group" "contolplane_lb" {
+  display_name   = "${var.project}-contolplane-lb"
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.main.id
+}
+
+resource "oci_core_network_security_group_security_rule" "kubernetes" {
+  network_security_group_id = oci_core_network_security_group.contolplane_lb.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 80
+      max = 80
+    }
+  }
+}
+
+resource "oci_core_network_security_group" "contolplane" {
+  display_name   = "${var.project}-contolplane"
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.main.id
+}
+resource "oci_core_network_security_group_security_rule" "contolplane_kubernetes" {
+  network_security_group_id = oci_core_network_security_group.contolplane.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = "0.0.0.0/0"
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 6443
+      max = 6443
+    }
+  }
+}
+resource "oci_core_network_security_group_security_rule" "contolplane_etcd" {
+  network_security_group_id = oci_core_network_security_group.contolplane.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = var.vpc_main_cidr
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 2379
+      max = 2380
+    }
+  }
+}
+
+resource "oci_core_network_security_group" "web" {
+  display_name   = "${var.project}-web"
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.main.id
+}
+resource "oci_core_network_security_group_security_rule" "web_http" {
+  network_security_group_id = oci_core_network_security_group.web.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = "0.0.0.0/0"
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 80
+      max = 80
+    }
+  }
+}
+resource "oci_core_network_security_group_security_rule" "web_https" {
+  network_security_group_id = oci_core_network_security_group.web.id
+
+  protocol  = "6"
+  direction = "INGRESS"
+  source    = "0.0.0.0/0"
+  stateless = true
+
+  tcp_options {
+    destination_port_range {
+      min = 443
+      max = 443
+    }
+  }
+}
--- a/oracle/prepare/output.tf
+++ b/oracle/prepare/output.tf
@@ -19,6 +19,11 @@ output "network_nat" {
  value       = oci_core_public_ip.nat.ip_address
 }

+output "network_lb" {
+  description = "The lb network"
+  value       = oci_core_subnet.regional_lb
+}
+
 output "network_public" {
  description = "The public network"
  value       = oci_core_subnet.public
@@ -28,3 +33,28 @@ output "network_private" {
  description = "The private network"
  value       = oci_core_subnet.private
 }
+
+output "nsg_cilium" {
+  description = "The cilium Network Security Groups"
+  value       = oci_core_network_security_group.cilium.id
+}
+
+output "nsg_talos" {
+  description = "The talos Network Security Groups"
+  value       = oci_core_network_security_group.talos.id
+}
+
+output "nsg_contolplane_lb" {
+  description = "The contolplane-lb Network Security Groups"
+  value       = oci_core_network_security_group.contolplane_lb.id
+}
+
+output "nsg_contolplane" {
+  description = "The contolplane Network Security Groups"
+  value       = oci_core_network_security_group.contolplane.id
+}
+
+output "nsg_web" {
+  description = "The web Network Security Groups"
+  value       = oci_core_network_security_group.web.id
+}
--- a/oracle/variables.tf
+++ b/oracle/variables.tf
@@ -0,0 +1,34 @@
+
+variable "compartment_ocid" {}
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+
+variable "project" {
+  type    = string
+  default = "main"
+}
+
+variable "region" {
+  description = "the OCI region where resources will be created"
+  type        = string
+  default     = null
+}
+
+data "terraform_remote_state" "prepare" {
+  backend = "local"
+  config = {
+    path = "${path.module}/prepare/terraform.tfstate"
+  }
+}
+
+locals {
+  project = data.terraform_remote_state.prepare.outputs.project
+
+  nsg_contolplane_lb = data.terraform_remote_state.prepare.outputs.nsg_contolplane_lb
+  network_lb         = data.terraform_remote_state.prepare.outputs.network_lb
+
+  nsg_contolplane = data.terraform_remote_state.prepare.outputs.nsg_contolplane
+  network_public  = data.terraform_remote_state.prepare.outputs.network_public
+  network_private = data.terraform_remote_state.prepare.outputs.network_private
+}
--- a/oracle/versions.tf
+++ b/oracle/versions.tf
@@ -0,0 +1,9 @@
+
+terraform {
+  required_providers {
+    oci = {
+      source  = "hashicorp/oci"
+      version = "4.56.0"
+    }
+  }
+}