# The VCN that hosts every subnet in this VTAP setup.
# A single CIDR (var.vcn_cidr) is assigned; display_name and dns_label are
# fixed strings so the network is easy to find in the console and gets a
# stable DNS label for the in-VCN resolver.
resource "oci_core_vcn" "vtap_vcn" {
  compartment_id = var.compartment_ocid
  cidr_blocks    = [var.vcn_cidr]
  display_name   = "vcn_vtap_setup"
  dns_label      = "vcnvtapsetup"
}
# Service gateway attached to the VCN.  It exposes exactly one service: the
# first entry returned by data.oci_core_services.all_services (declared in
# another file).  The private route table below assumes that entry is the
# region's "all services in Oracle Services Network" CIDR, so if the data
# source's filter ever changes, both this block and that route need revisiting.
resource "oci_core_service_gateway" "service_gateway" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "service_gateway"

  services {
    service_id = data.oci_core_services.all_services.services[0].id
  }
}
# Internet gateway for the VCN.  Only the public (jumpbox/fileserver) route
# table points at it; the private subnets' route table carries no default
# route, so they have no path to the Internet through this gateway.
resource "oci_core_internet_gateway" "internet_gateway" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "internet_gateway"
  enabled        = true
}
# Private subnet for the VTAP *source* nodes (the instances whose traffic is
# mirrored).  Hardened at the subnet level: VNICs cannot receive a public IP
# and Internet ingress is prohibited, independent of the security list.
# Routing goes through the shared private route table (service gateway only),
# and inbound filtering is handled by vtap_src_sb_sl.
resource "oci_core_subnet" "vtap_src_pvt_subnet" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  cidr_block     = var.pvt_subnet_cidr_vtap_src_nodes
  display_name   = "vtap_src_pvt_subnet"
  dns_label      = "vtapsrcpvtsb"

  prohibit_internet_ingress  = true
  prohibit_public_ip_on_vnic = true

  route_table_id    = oci_core_route_table.all_pvt_sb_rt.id
  security_list_ids = [oci_core_security_list.vtap_src_sb_sl.id]
}
# Security list for the VTAP source subnet.
# Ingress is limited to SSH from the jumpbox/fileserver public subnet; any
# other inbound flow is dropped here.
# Egress is unrestricted (all protocols, any destination).  The subnet's route
# table only routes to the service gateway, but the VXLAN mirror stream that
# vtap_sink_sb_sl accepts on UDP/4789 and the HTTP pull from the file server
# on the public subnet both depend on this permissive egress rule, so it is
# not tightened here.
resource "oci_core_security_list" "vtap_src_sb_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "vtap_src_sb_sl"

  # Stateful: replies to outbound connections are admitted automatically.
  egress_security_rules {
    protocol         = "all"
    destination_type = "CIDR_BLOCK"
    destination      = "0.0.0.0/0"
    stateless        = false
  }

  # Stateful TCP/22 from the public subnet only; the source CIDR is read from
  # the subnet resource rather than repeating the variable.
  ingress_security_rules {
    description = "For ssh from public subnet jumpbox"
    protocol    = "6" # TCP
    source_type = "CIDR_BLOCK"
    source      = oci_core_subnet.jumpbox_and_fileserver_public_subnet.cidr_block
    stateless   = false

    tcp_options {
      min = 22
      max = 22
    }
  }
}
# Private subnet for the VTAP *sink* nodes (the instances that receive the
# mirrored traffic).  Same hardening as the source subnet: no public IPs on
# VNICs, no Internet ingress, service-gateway-only routing.  Inbound
# filtering is handled by vtap_sink_sb_sl.
resource "oci_core_subnet" "vtap_sink_pvt_subnet" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  cidr_block     = var.pvt_subnet_cidr_sink_nodes
  display_name   = "vtap_sink_pvt_subnet"
  dns_label      = "vtapsinkpvtsb"

  prohibit_internet_ingress  = true
  prohibit_public_ip_on_vnic = true

  route_table_id    = oci_core_route_table.all_pvt_sb_rt.id
  security_list_ids = [oci_core_security_list.vtap_sink_sb_sl.id]
}
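# Security list for the VTAP sink subnet (the nodes receiving mirrored traffic).
# Inbound:
#   * VXLAN-encapsulated mirror traffic (UDP/4789) from the source subnet,
#     declared stateless because the stream is one-way and needs no
#     connection tracking;
#   * SSH from the jumpbox public subnet (stateful);
#   * TCP/22 from the sink subnet's own CIDR, which the original author notes
#     is where the NLB health checks originate.
# Outbound is unrestricted (all protocols to 0.0.0.0/0).  The attached route
# table only routes to the service gateway, so off-VCN reachability is the
# Oracle Services Network; it is left open rather than tightened because the
# exact set of intra-VCN flows the sink nodes need is not visible here.
resource "oci_core_security_list" "vtap_sink_sb_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "vtap_sink_sb_sl"

  egress_security_rules {
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
    stateless        = false
  }

  # Mirror stream from the source nodes.  Stateless on purpose (per the
  # original description): the sender never expects a reply.
  ingress_security_rules {
    description = "for VTAP (VxLAN/UDP) mirror traffic, stateless for high performance"
    protocol    = "17" # UDP
    source      = var.pvt_subnet_cidr_vtap_src_nodes
    source_type = "CIDR_BLOCK"
    stateless   = true

    udp_options {
      max = "4789"
      min = "4789"
    }
  }

  # Admin SSH from the jumpbox subnet.  The description used to be a
  # copy-paste of the health-check rule below, which was misleading: the NLB
  # health checks do not originate from the public subnet.  It now matches
  # the wording used in vtap_src_sb_sl.
  ingress_security_rules {
    description = "For ssh from public subnet jumpbox"
    protocol    = "6" #TCP
    source      = oci_core_subnet.jumpbox_and_fileserver_public_subnet.cidr_block
    source_type = "CIDR_BLOCK"
    stateless   = false

    tcp_options {
      max = "22"
      min = "22"
    }
  }

  # TCP/22 from the sink subnet itself.  The original author states this is
  # for the NLB's backend health check, which comes from the same subnet.
  # NOTE(review): this also lets any sink node SSH to any other sink node;
  # if that is not wanted, narrow the source to the NLB's private IP once it
  # is known, or move the health check to a dedicated port.
  ingress_security_rules {
    description = "for Backend Server's Health Check by NLB, & for ssh from public subnet jumpbox"
    protocol    = "6" #TCP
    source      = var.pvt_subnet_cidr_sink_nodes # for Health check from NLB from the same subnet
    source_type = "CIDR_BLOCK"
    stateless   = false

    tcp_options {
      max = "22"
      min = "22"
    }
  }
}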
# Route table shared by both private subnets.  It carries a single rule to
# the service gateway and deliberately no 0.0.0.0/0 route, so instances in
# the private subnets can reach the Oracle Services Network (Object Storage,
# yum repositories) but have no path to the Internet in either direction.
resource "oci_core_route_table" "all_pvt_sb_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "rt_all_pvt_sb"

  route_rules {
    description = "for access to Object Storage and Yum repo access, region specific OSN CIDR"
    # The data source's first entry resolves to the
    # "all-<3 letter region code>-services-in-oracle-services-network" CIDR.
    destination_type  = "SERVICE_CIDR_BLOCK"
    destination       = data.oci_core_services.all_services.services[0].cidr_block
    network_entity_id = oci_core_service_gateway.service_gateway.id
  }
}
# Public subnet for the jumpbox and the HTTP file server.  VNICs here may
# carry public IPs and Internet ingress is permitted at the subnet level, so
# the only thing standing between these hosts and the Internet is
# public_sb_sl.  Default route is via the Internet gateway.
resource "oci_core_subnet" "jumpbox_and_fileserver_public_subnet" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  cidr_block     = var.pub_subnet_cidr_jumpbox_plus_http_file_server
  display_name   = "jumpbox_and_fileserver_public_subnet"
  dns_label      = "jumpboxfspubsb"

  prohibit_internet_ingress  = false
  prohibit_public_ip_on_vnic = false

  route_table_id    = oci_core_route_table.jumpbox_and_fileserver_pb_sb_rt.id
  security_list_ids = [oci_core_security_list.public_sb_sl.id]
}
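# Source CIDR allowed to SSH into the jumpbox/fileserver public subnet.
# The default of 0.0.0.0/0 reproduces the original template's behaviour,
# i.e. TCP/22 on every public IP in that subnet is reachable from the whole
# Internet.  Operators should set this to their office/VPN egress range
# (e.g. "203.0.113.0/24") before deploying; the variable exists so that can
# be done without editing the security list.
variable "jumpbox_ssh_allowed_cidr" {
  description = "Source CIDR permitted to reach TCP/22 on the public subnet (restrict from the default 0.0.0.0/0)."
  type        = string
  default     = "0.0.0.0/0"
}

# Security list for the public subnet.  Note that a security list applies to
# every VNIC in the subnet, so the SSH rule exposes the file server as well
# as the jumpbox.
# Inbound:
#   * TCP/22 from var.jumpbox_ssh_allowed_cidr (Internet-wide by default);
#   * TCP/80 only from the VTAP source subnet, so the HTTP file server is
#     never reachable from the Internet even though the host has a public IP.
# Outbound is unrestricted, and the subnet's route table has a default route
# to the Internet gateway, so these hosts have full Internet egress.
resource "oci_core_security_list" "public_sb_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "vtap_pub_sb_sl"

  egress_security_rules {
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
    stateless        = false
  }

  # Admin SSH.  Was hard-coded to 0.0.0.0/0; now driven by the variable above
  # so the exposure can be narrowed without changing this file.
  ingress_security_rules {
    description = "for ssh to public subnet computes"
    protocol    = "6" #TCP
    source      = var.jumpbox_ssh_allowed_cidr
    source_type = "CIDR_BLOCK"
    stateless   = false

    tcp_options {
      max = "22"
      min = "22"
    }
  }

  # HTTP file server, reachable only from the VTAP source nodes' private
  # subnet (they pull files from it).  Not exposed to the Internet.
  ingress_security_rules {
    description = "for VTAP source nodes to download file over HTTP file server"
    protocol    = "6" #TCP
    source      = var.pvt_subnet_cidr_vtap_src_nodes # only private subnet of VTAP sources can access
    source_type = "CIDR_BLOCK"
    stateless   = false

    tcp_options {
      max = "80"
      min = "80"
    }
  }
}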
# Route table for the public subnet: a single default route (0.0.0.0/0) to
# the Internet gateway.  This is the only route table in the file that
# references the IGW, which is what makes the public subnet public.
resource "oci_core_route_table" "jumpbox_and_fileserver_pb_sb_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vtap_vcn.id
  display_name   = "jumpbox_and_fileserver_pb_sb_rt"

  route_rules {
    destination_type  = "CIDR_BLOCK"
    destination       = "0.0.0.0/0"
    network_entity_id = oci_core_internet_gateway.internet_gateway.id
  }
}