Support for Bastion Service

oracle-quickstart · Jul 13, 2021 · d920413 · d920413
1 parent 10a4744
commit d920413
Show file tree

Hide file tree

Showing 14 changed files with 398 additions and 310 deletions.
diff --git a/bastion.tf b/bastion.tf
@@ -0,0 +1,83 @@
+## Copyright © 2021, Oracle and/or its affiliates. 
+## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
+
+resource "oci_bastion_bastion" "bastion-service" {
+  count                        = var.use_bastion_service ? 1 : 0
+  bastion_type                 = "STANDARD"
+  compartment_id               = var.compartment_ocid
+  target_subnet_id             = oci_core_subnet.vcn01_subnet_pub02.id
+  client_cidr_block_allow_list = ["0.0.0.0/0"]
+  defined_tags                 = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+  name                         = "BastionService${random_id.tag.hex}"
+  max_session_ttl_in_seconds   = 1800
+}
+
+resource "oci_bastion_session" "ssh_via_bastion_service" {
+  depends_on = [oci_core_instance.tomcat-server,
+    oci_core_nat_gateway.vcn01_nat_gateway,
+    oci_core_route_table_attachment.vcn01_subnet_app01_route_table_attachment,
+    oci_core_route_table.vnc01_nat_route_table,
+    oci_core_network_security_group.SSHSecurityGroup,
+    oci_core_network_security_group_security_rule.SSHSecurityEgressGroupRule,
+    oci_core_network_security_group_security_rule.SSHSecurityIngressGroupRules
+  ]
+
+  count      = var.use_bastion_service ? var.numberOfNodes : 0
+  bastion_id = oci_bastion_bastion.bastion-service[0].id
+
+  key_details {
+    public_key_content = tls_private_key.public_private_key_pair.public_key_openssh
+  }
+  target_resource_details {
+    session_type       = "MANAGED_SSH"
+    target_resource_id = oci_core_instance.tomcat-server[count.index].id
+
+    #Optional
+    target_resource_operating_system_user_name = "opc"
+    target_resource_port                       = 22
+    target_resource_private_ip_address         = oci_core_instance.tomcat-server[count.index].private_ip
+  }
+
+  display_name           = "ssh_via_bastion_service"
+  key_type               = "PUB"
+  session_ttl_in_seconds = 1800
+}
+
+
+resource "oci_core_instance" "bastion_instance" {
+  count               = var.use_bastion_service ? 0 : 1
+  availability_domain = var.availablity_domain_name == "" ? data.oci_identity_availability_domains.ADs.availability_domains[var.availablity_domain_number]["name"] : var.availablity_domain_name
+  compartment_id      = var.compartment_ocid
+  display_name        = "BastionVM"
+  shape               = var.InstanceShape
+
+  dynamic "shape_config" {
+    for_each = local.is_flexible_node_shape ? [1] : []
+    content {
+      memory_in_gbs = var.InstanceFlexShapeMemory
+      ocpus         = var.InstanceFlexShapeOCPUS
+    }
+  }
+
+  create_vnic_details {
+    subnet_id        = oci_core_subnet.vcn01_subnet_pub02.id
+    display_name     = "primaryvnic"
+    assign_public_ip = true
+    nsg_ids          = [oci_core_network_security_group.SSHSecurityGroup.id]
+  }
+
+  source_details {
+    source_type             = "image"
+    source_id               = data.oci_core_images.InstanceImageOCID.images[0].id
+    boot_volume_size_in_gbs = "50"
+  }
+
+  metadata = {
+    ssh_authorized_keys = var.ssh_public_key
+    user_data           = data.template_cloudinit_config.cloud_init.rendered
+  }
+
+  defined_tags = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+}
+
+
diff --git a/compute.tf b/compute.tf
@@ -1,4 +1,4 @@
-## Copyright © 2020, Oracle and/or its affiliates. 
+## Copyright © 2021, Oracle and/or its affiliates. 
 ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 
 data "template_file" "key_script" {
@@ -34,75 +34,53 @@ locals {
   is_flexible_node_shape = contains(local.compute_flexible_shapes, var.InstanceShape)
 }
 
-resource "oci_core_instance" "bastion_instance" {
-  availability_domain = var.availablity_domain_name
-  compartment_id = var.compartment_ocid
-  display_name = "BastionVM"
-  shape = var.InstanceShape
-
-  create_vnic_details {
-    subnet_id = oci_core_subnet.vcn01_subnet_pub02.id
-    display_name = "primaryvnic"
-    assign_public_ip = true
-    nsg_ids = [oci_core_network_security_group.SSHSecurityGroup.id]
-  }
-
-  source_details {
-    source_type             = "image"
-    source_id               = data.oci_core_images.InstanceImageOCID.images[0].id
-    boot_volume_size_in_gbs = "50"
-  }
-
-  metadata = {
-    ssh_authorized_keys = var.ssh_public_key
-    user_data = data.template_cloudinit_config.cloud_init.rendered
-  }
-
-  dynamic "shape_config" {
-    for_each = local.is_flexible_node_shape ? [1] : []
-    content {
-      memory_in_gbs = var.InstanceFlexShapeMemory
-      ocpus = var.InstanceFlexShapeOCPUS
-    }
-  }
-
-  defined_tags = {"${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
-}
-
 resource "oci_core_instance" "tomcat-server" {
   count               = var.numberOfNodes
-  availability_domain = var.availablity_domain_name
+  availability_domain = var.availablity_domain_name == "" ? data.oci_identity_availability_domains.ADs.availability_domains[var.availablity_domain_number]["name"] : var.availablity_domain_name
   compartment_id      = var.compartment_ocid
   display_name        = "tomcat-server-${count.index}"
-  fault_domain        = "FAULT-DOMAIN-${(count.index%3)+1}"
+  fault_domain        = "FAULT-DOMAIN-${(count.index % 3) + 1}"
   shape               = var.InstanceShape
 
+  dynamic "agent_config" {
+    for_each = var.use_bastion_service ? [1] : []
+    content {
+      are_all_plugins_disabled = false
+      is_management_disabled   = false
+      is_monitoring_disabled   = false
+      plugins_config {
+        desired_state = "ENABLED"
+        name          = "Bastion"
+      }
+    }
+  }
+
   create_vnic_details {
-    subnet_id = oci_core_subnet.vcn01_subnet_app01.id
-    display_name = "primaryvnic"
+    subnet_id        = oci_core_subnet.vcn01_subnet_app01.id
+    display_name     = "primaryvnic"
     assign_public_ip = false
-    nsg_ids = [oci_core_network_security_group.SSHSecurityGroup.id, oci_core_network_security_group.APPSecurityGroup.id]
+    nsg_ids          = [oci_core_network_security_group.SSHSecurityGroup.id, oci_core_network_security_group.APPSecurityGroup.id]
   }
 
   source_details {
-    source_type = "image"
-    source_id   = lookup(data.oci_core_images.InstanceImageOCID.images[0], "id")
+    source_type             = "image"
+    source_id               = lookup(data.oci_core_images.InstanceImageOCID.images[0], "id")
     boot_volume_size_in_gbs = "50"
   }
 
   metadata = {
     ssh_authorized_keys = var.ssh_public_key
-    user_data = data.template_cloudinit_config.cloud_init.rendered
+    user_data           = data.template_cloudinit_config.cloud_init.rendered
   }
 
   dynamic "shape_config" {
     for_each = local.is_flexible_node_shape ? [1] : []
     content {
       memory_in_gbs = var.InstanceFlexShapeMemory
-      ocpus = var.InstanceFlexShapeOCPUS
+      ocpus         = var.InstanceFlexShapeOCPUS
     }
   }
 
-  defined_tags = {"${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+  defined_tags = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
 }
 
diff --git a/datasources.tf b/datasources.tf
@@ -1,4 +1,4 @@
-## Copyright © 2020, Oracle and/or its affiliates. 
+## Copyright © 2021, Oracle and/or its affiliates. 
 ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 
 # Get list of availability domains
@@ -22,9 +22,9 @@ data "oci_core_images" "InstanceImageOCID" {
 
 #Get list of MySQL configuration
 data "oci_mysql_mysql_configurations" "mds_mysql_configurations" {
-    compartment_id = var.compartment_ocid
-    type = ["DEFAULT"]
-    shape_name = var.mysql_shape_name
+  compartment_id = var.compartment_ocid
+  type           = ["DEFAULT"]
+  shape_name     = var.mysql_shape_name
 }
 
 data "oci_core_vnic_attachments" "tomcat-server_primaryvnic_attach" {
@@ -40,11 +40,11 @@ data "oci_core_vnic" "tomcat-server_primaryvnic" {
 }
 
 data "oci_identity_region_subscriptions" "home_region_subscriptions" {
-    tenancy_id = var.tenancy_ocid
+  tenancy_id = var.tenancy_ocid
 
-    filter {
-      name   = "is_home_region"
-      values = [true]
-    }
+  filter {
+    name   = "is_home_region"
+    values = [true]
+  }
 }
 
diff --git a/lb.tf b/lb.tf
@@ -1,4 +1,4 @@
-## Copyright © 2020, Oracle and/or its affiliates. 
+## Copyright © 2021, Oracle and/or its affiliates. 
 ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 
 # Checks if is using Flexible LB Shapes
@@ -7,8 +7,8 @@ locals {
 }
 
 resource "oci_load_balancer" "lb01" {
-  shape          = var.lb_shape
-    
+  shape = var.lb_shape
+
   dynamic "shape_details" {
     for_each = local.is_flexible_lb_shape ? [1] : []
     content {
@@ -23,10 +23,10 @@ resource "oci_load_balancer" "lb01" {
     oci_core_subnet.vcn01_subnet_pub01.id,
   ]
 
-  display_name = "load_balancer_01"
+  display_name               = "load_balancer_01"
   network_security_group_ids = [oci_core_network_security_group.LBSecurityGroup.id]
 
-  defined_tags = {"${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+  defined_tags = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
 }
 
 resource "oci_load_balancer_backend_set" "lb_be_app01" {

diff --git a/mds.tf b/mds.tf
@@ -1,17 +1,17 @@
-## Copyright © 2020, Oracle and/or its affiliates. 
+## Copyright © 2021, Oracle and/or its affiliates. 
 ## All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
 
 resource "oci_mysql_mysql_db_system" "mds01_mysql_db_system" {
-    admin_password = var.mysql_db_system_admin_password
-    admin_username = var.mysql_db_system_admin_username
-    availability_domain = data.oci_identity_availability_domains.ADs.availability_domains[0]["name"]
-    compartment_id = var.compartment_ocid
-    configuration_id = data.oci_mysql_mysql_configurations.mds_mysql_configurations.configurations[0].id
-    shape_name = data.oci_mysql_mysql_configurations.mds_mysql_configurations.configurations[0].shape_name
-    subnet_id = oci_core_subnet.vcn01_subnet_db01.id
-    data_storage_size_in_gb = var.mysql_db_system_data_storage_size_in_gb
-    display_name = var.mysql_db_system_display_name
-    hostname_label = var.mysql_db_system_hostname_label
-    is_highly_available = var.mysql_is_highly_available
-    defined_tags = {"${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
-}
+  admin_password          = var.mysql_db_system_admin_password
+  admin_username          = var.mysql_db_system_admin_username
+  availability_domain     = data.oci_identity_availability_domains.ADs.availability_domains[0]["name"]
+  compartment_id          = var.compartment_ocid
+  configuration_id        = data.oci_mysql_mysql_configurations.mds_mysql_configurations.configurations[0].id
+  shape_name              = data.oci_mysql_mysql_configurations.mds_mysql_configurations.configurations[0].shape_name
+  subnet_id               = oci_core_subnet.vcn01_subnet_db01.id
+  data_storage_size_in_gb = var.mysql_db_system_data_storage_size_in_gb
+  display_name            = var.mysql_db_system_display_name
+  hostname_label          = var.mysql_db_system_hostname_label
+  is_highly_available     = var.mysql_is_highly_available
+  defined_tags            = { "${oci_identity_tag_namespace.ArchitectureCenterTagNamespace.name}.${oci_identity_tag.ArchitectureCenterTag.name}" = var.release }
+}