diff --git a/network.tf b/network.tf
index d35119c..de4aca1 100644
--- a/network.tf
+++ b/network.tf
@@ -1,63 +1,151 @@ -resource "oci_core_vcn" "default_oci_core_vcn" { - cidr_block = var.oci_core_vcn_cidr - compartment_ocid = var.compartment_ocid - display_name = "Default OCI core vcn" - dns_label = var.oci_core_vcn_dns_label +resource "oci_core_network_security_group" "public_lb_nsg" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.default_oci_core_vcn.id + display_name = "K3s public LB nsg" + freeform_tags = { "provisioner" = "terraform" - "environment" = "${var.environment}" - "${var.unique_tag_key}" = "${var.unique_tag_value}" + "environment" = var.environment + "${var.unique_tag_key}" = var.unique_tag_value } } -resource "oci_core_subnet" "default_oci_core_subnet10" { - cidr_block = var.oci_core_subnet_cidr10 - compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr10} (default) OCI core subnet" - dns_label = var.oci_core_subnet_dns_label10 - route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id - vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id] - freeform_tags = { - "provisioner" = "terraform" - "environment" = "${var.environment}" - "${var.unique_tag_key}" = "${var.unique_tag_value}" +resource "oci_core_network_security_group_security_rule" "allow_http_from_all" { + network_security_group_id = oci_core_network_security_group.public_lb_nsg.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow HTTP from all" + + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = true + + tcp_options { + destination_port_range { + max = var.http_lb_port + min = var.http_lb_port + } + } +} + +resource "oci_core_network_security_group_security_rule" "allow_https_from_all" { + network_security_group_id = oci_core_network_security_group.public_lb_nsg.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow HTTPS from all" + + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = true 
+ + tcp_options { + destination_port_range { + max = var.https_lb_port + min = var.https_lb_port + } + } +} + +resource "oci_core_network_security_group_security_rule" "allow_kubeapi_from_all" { + count = var.expose_kubeapi ? 1 : 0 + network_security_group_id = oci_core_network_security_group.public_lb_nsg.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow kubeapi access from my_public_ip_cidr" + + source = var.my_public_ip_cidr[0] # Selecting the first element from the list + source_type = "CIDR_BLOCK" + stateless = true + + tcp_options { + destination_port_range { + max = var.kube_api_port + min = var.kube_api_port + } } } -resource "oci_core_subnet" "oci_core_subnet11" { - cidr_block = var.oci_core_subnet_cidr11 - compartment_id = var.compartment_ocid - display_name = "${var.oci_core_subnet_cidr11} OCI core subnet" - dns_label = var.oci_core_subnet_dns_label11 - route_table_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id - vcn_id = oci_core_vcn.default_oci_core_vcn.id - security_list_ids = [oci_core_default_security_list.default_security_list.id] +resource "oci_core_network_security_group" "lb_to_instances_http" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.default_oci_core_vcn.id + display_name = "Public LB to K3s workers Compute Instances NSG" + freeform_tags = { "provisioner" = "terraform" - "environment" = "${var.environment}" - "${var.unique_tag_key}" = "${var.unique_tag_value}" + "environment" = var.environment + "${var.unique_tag_key}" = var.unique_tag_value + } +} + +resource "oci_core_network_security_group_security_rule" "nsg_to_instances_http" { + network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow HTTP from all" + + source = oci_core_network_security_group.public_lb_nsg.id + source_type = "NETWORK_SECURITY_GROUP" + stateless = true + + tcp_options { + destination_port_range { + max = 
var.http_lb_port + min = var.http_lb_port + } } } +resource "oci_core_network_security_group_security_rule" "nsg_to_instances_https" { + network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id + direction = "INGRESS" + protocol = 6 # tcp -resource "oci_core_internet_gateway" "default_oci_core_internet_gateway" { + description = "Allow HTTPS from all" + + source = oci_core_network_security_group.public_lb_nsg.id + source_type = "NETWORK_SECURITY_GROUP" + stateless = true + + tcp_options { + destination_port_range { + max = var.https_lb_port + min = var.https_lb_port + } + } +} + +resource "oci_core_network_security_group" "lb_to_instances_kubeapi" { compartment_id = var.compartment_ocid - display_name = "Internet Gateway Default OCI core vcn" - enabled = "true" vcn_id = oci_core_vcn.default_oci_core_vcn.id + display_name = "Public LB to K3s master Compute Instances NSG (kubeapi)" + freeform_tags = { "provisioner" = "terraform" - "environment" = "${var.environment}" - "${var.unique_tag_key}" = "${var.unique_tag_value}" + "environment" = var.environment + "${var.unique_tag_key}" = var.unique_tag_value } } -resource "oci_core_default_route_table" "default_oci_core_default_route_table" { - route_rules { - destination = "0.0.0.0/0" - destination_type = "CIDR_BLOCK" - network_entity_id = oci_core_internet_gateway.default_oci_core_internet_gateway.id +resource "oci_core_network_security_group_security_rule" "nsg_to_instances_kubeapi" { + count = var.expose_kubeapi ? 
1 : 0 + network_security_group_id = oci_core_network_security_group.lb_to_instances_kubeapi.id + direction = "INGRESS" + protocol = 6 # tcp + + description = "Allow kubeapi access from my_public_ip_cidr" + + source = oci_core_network_security_group.public_lb_nsg.id + source_type = "NETWORK_SECURITY_GROUP" + stateless = true + + tcp_options { + destination_port_range { + max = var.kube_api_port + min = var.kube_api_port + } } - manage_default_resource_id = oci_core_vcn.default_oci_core_vcn.default_route_table_id }
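Review bot: `allow_kubeapi_from_all` only honours the first entry of `var.my_public_ip_cidr` (the `[0]` index on its `source` line, flagged by the "Selecting the first element" comment), so any further admin CIDRs in that list silently get no rule; drive the count from the list instead, `count = var.expose_kubeapi ? length(var.my_public_ip_cidr) : 0` and `source = var.my_public_ip_cidr[count.index]`. Every rule in the hunk is `stateless = true`, and OCI does not track connections for stateless rules, so the response traffic on the LB and instance paths depends on a matching egress rule that this hunk does not add — presumably it lives in the default security list outside this diff, which is worth confirming, or the rules could be made stateful. The descriptions on `nsg_to_instances_http` and `nsg_to_instances_https` read "Allow HTTP from all" / "Allow HTTPS from all" although their source is the `public_lb_nsg` group, which misstates the exposure when reviewing the console; `description = "Allow HTTP from public LB NSG"` (and the HTTPS equivalent) would match the rule. The resource name `allow_kubeapi_from_all` similarly suggests a wider source than the CIDR-restricted rule it defines.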