Merge pull request #90 from mgueury/main

Service Gateway for DB Cloud in private network - CIDR range moved on top of network.tf file
oracle-devrel · Mar 16, 2024 · 76fc054 · 76fc054
2 parents 314208d + 6836e9a
commit 76fc054
Showing 1 changed file with 38 additions and 12 deletions.
diff --git a/option/terraform/network.j2.tf b/option/terraform/network.j2.tf
@@ -17,8 +17,14 @@ data "oci_core_subnet" "starter_private_subnet" {
 }
 
 {%- else %} 
+locals {
+ cidr_vcn = "10.0.0.0/16"
+ cidr_public_subnet = "10.0.1.0/24"
+ cidr_private_subnet = "10.0.2.0/24"
+}
+
 resource "oci_core_vcn" "starter_vcn" {
- cidr_block = "10.0.0.0/16"
+ cidr_block = local.cidr_vcn
  compartment_id = local.lz_network_cmp_ocid
  display_name = "${var.prefix}-vcn"
  dns_label = "${var.prefix}vcn"
@@ -46,7 +52,7 @@ resource "oci_core_default_route_table" "default_route_table" {
 
 # Public Subnet
 resource "oci_core_subnet" "starter_public_subnet" {
- cidr_block = "10.0.1.0/24"
+ cidr_block = local.cidr_public_subnet
  display_name = "${var.prefix}-pub-subnet"
  dns_label = "${var.prefix}pub"
  security_list_ids = [oci_core_vcn.starter_vcn.default_security_list_id, oci_core_security_list.starter_security_list.id]
@@ -59,7 +65,7 @@ resource "oci_core_subnet" "starter_public_subnet" {
 
 # Private Subnet
 resource "oci_core_subnet" "starter_private_subnet" {
- cidr_block = "10.0.2.0/24"
+ cidr_block = local.cidr_private_subnet
  display_name = "${var.prefix}-priv-subnet"
  dns_label = "${var.prefix}priv"
  security_list_ids = [oci_core_vcn.starter_vcn.default_security_list_id, oci_core_security_list.starter_security_list.id]
@@ -113,7 +119,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // Oracle TNS Listener port
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -125,7 +131,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // MySQL listener port: XXX optional ?
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -137,7 +143,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // MySQL listener port_x: XXX optional ?
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -149,7 +155,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // PostgreSQL
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -161,7 +167,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // Opensearch
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -172,7 +178,7 @@ resource "oci_core_security_list" "starter_security_list" {
 
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -184,7 +190,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // External access to Kubernetes API endpoint
  ingress_security_rules {
  protocol = "6" // tcp
- source = "0.0.0.0/0"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -196,7 +202,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // Kubernetes worker to control plane communication
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -208,7 +214,7 @@ resource "oci_core_security_list" "starter_security_list" {
  // K8S Ingress-Controller
  ingress_security_rules {
  protocol = "6" // tcp
- source = "10.0.0.0/8"
+ source = local.cidr_vcn
  stateless = false
 
  tcp_options {
@@ -247,18 +253,38 @@ resource "oci_core_route_table" "starter_route_private" {
 }
 
 {%- else %} 
+
+# NAT Gateway
 resource "oci_core_nat_gateway" "starter_nat_gateway" {
  compartment_id = local.lz_network_cmp_ocid
  vcn_id = oci_core_vcn.starter_vcn.id
  display_name = "${var.prefix}-nat-gateway"
  freeform_tags = local.freeform_tags
 }
 
+# Service Gateway
+resource "oci_core_service_gateway" "starter_service_gateway" {
+ compartment_id = local.lz_network_cmp_ocid
+ services {
+ service_id = data.oci_core_services.all_services.services[0]["id"]
+ }
+ vcn_id = oci_core_vcn.starter_vcn.id
+
+ display_name = "${var.prefix}-service-gateway"
+ freeform_tags = local.freeform_tags
+}
+
+# Route Private Subnet
 resource "oci_core_route_table" "starter_route_private" {
  compartment_id = local.lz_network_cmp_ocid
  vcn_id = oci_core_vcn.starter_vcn.id
  display_name = "${var.prefix}-route-private"
 
+ route_rules {
+ destination = data.oci_core_services.all_services.services[0]["cidr_block"]
+ destination_type = "SERVICE_CIDR_BLOCK"
+ network_entity_id = oci_core_service_gateway.starter_service_gateway.id
+ } 
  route_rules {
  destination = "0.0.0.0/0"
  destination_type = "CIDR_BLOCK"