This brick configures the route tables associated with an existing Local Peering Gateway (LPG) pair once the peering is in place. It performs the route table updates through the open source Python module ortu 0.5.0, which builds on the OCI Python SDK.
The following is the reference architecture associated with this brick:
- Because this module makes intensive use of the OCI Python SDK, it requires a pre-configured OCI CLI profile on the host that runs terraform, so that the SDK can load its authentication parameters. Make sure the file
/home/opc/.oci/config
(that is, .oci/config in the home directory of the user that runs terraform; opc is the default user on Oracle Linux images) is populated with the following entries:
[DEFAULT]
user=ocid1.user.oc1..FOOBAR
fingerprint=fo:oo:ba:ar:fi:ng:er:pr:in:nt
tenancy=ocid1.tenancy.FOOBAR
region=fo-region-1
key_file=/foo/bar/api_key.pem
The key_file entry points to the private API signing key. Keep both the config file and the key readable only by that user (mode 0600): anyone able to read them can sign API requests as that user. Note that the same credentials are supplied twice, here for the SDK and again as terraform variables for the oci provider; both must refer to the same user and key, otherwise the provider and the Python step will authenticate as different identities.
- Requires pre-configured LPGs on both VCNs to assemble the peering
- Requires pre-created route tables, which are updated at runtime
- The executor host requires python3 pre-installed
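The profile requirement above fails late and opaquely (an authentication error in the middle of terraform apply) when a key is missing, a placeholder was left in, or the key file is unreadable or too open. The following pre-flight check is an added example and not code from the brick or from Oracle; it uses only the Python standard library, so it runs offline, and it assumes the profile carries the five keys shown above (user, fingerprint, tenancy, region, key_file). The profiles written by demo() are constructed, and the key file it writes is a placeholder rather than a real key.

```python
"""Pre-flight check for the OCI CLI profile that the OCI Python SDK will load.

Added example, not code from the brick or from Oracle. Standard library only,
so it runs offline. Assumed: the profile carries the keys user, fingerprint,
tenancy, region and key_file. demo() writes constructed profiles.
"""
import configparser
import os
import re
import stat
import tempfile

REQUIRED_KEYS = ("user", "fingerprint", "tenancy", "region", "key_file")
# API key fingerprint: 16 colon-separated hex octets.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Only the OCID resource type is checked; the remainder of an OCID is opaque.
OCID_PREFIX = {"user": "ocid1.user.", "tenancy": "ocid1.tenancy."}


def _group_or_world_access(path):
    """True if group or others hold any permission bit on path."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_profile(config_path, profile="DEFAULT"):
    """Return a list of problems with the profile; an empty list means OK."""
    if not os.path.isfile(config_path):
        return [f"config file not found: {config_path}"]
    problems = []
    if _group_or_world_access(config_path):
        problems.append(f"{config_path} is accessible by group/others; chmod 600 it")

    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_path)
    if profile != "DEFAULT" and not parser.has_section(profile):
        return problems + [f"profile [{profile}] not found in {config_path}"]
    section = parser[profile]

    missing = [k for k in REQUIRED_KEYS if not section.get(k, "").strip()]
    if missing:  # nothing further can be validated without the values
        return problems + [f"missing or empty key '{k}' in [{profile}]" for k in missing]

    for key, prefix in OCID_PREFIX.items():
        if not section[key].strip().startswith(prefix):
            problems.append(f"'{key}' does not look like a {prefix}* OCID")
    if not FINGERPRINT_RE.match(section["fingerprint"].strip().lower()):
        problems.append("'fingerprint' is not 16 colon-separated hex octets")

    key_file = os.path.expanduser(section["key_file"].strip())
    if not os.path.isabs(key_file):
        problems.append("'key_file' must be an absolute path")
    elif not os.path.isfile(key_file):
        problems.append(f"key_file not found: {key_file}")
    else:
        # The signing key is the credential: whoever can read it is this user.
        if _group_or_world_access(key_file):
            problems.append(f"{key_file} is accessible by group/others; chmod 600 it")
        with open(key_file, "rb") as fh:
            if not fh.read(32).startswith(b"-----BEGIN"):
                problems.append(f"{key_file} is not a PEM-encoded private key")
    return problems


def demo():
    """Write one valid and one broken profile to a temp dir; return both reports."""
    tmp = tempfile.mkdtemp()
    key_path = os.path.join(tmp, "api_key.pem")
    with open(key_path, "w") as fh:  # constructed placeholder, not a real key
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key_path, 0o600)

    good = os.path.join(tmp, "config")
    with open(good, "w") as fh:
        fh.write("[DEFAULT]\n"
                 "user=ocid1.user.oc1..exampleuser\n"
                 "fingerprint=20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34\n"
                 "tenancy=ocid1.tenancy.oc1..exampletenancy\n"
                 "region=us-ashburn-1\n"
                 f"key_file={key_path}\n")
    os.chmod(good, 0o600)

    bad = os.path.join(tmp, "config_bad")
    with open(bad, "w") as fh:
        fh.write("[DEFAULT]\n"
                 "user=ocid1.tenancy.oc1..swappedbymistake\n"   # tenancy OCID pasted as user
                 "fingerprint=fo:oo:ba:ar:fi:ng:er:pr:in:nt\n"  # README placeholder left in
                 "tenancy=ocid1.tenancy.oc1..exampletenancy\n"
                 "region=us-ashburn-1\n"
                 f"key_file={os.path.join(tmp, 'missing.pem')}\n")  # key never copied over
    os.chmod(bad, 0o644)  # group/world readable
    return check_profile(good), check_profile(bad)


if __name__ == "__main__":
    ok, broken = demo()
    print("good profile:", ok or "no problems")
    print("bad profile:", *broken, sep="\n  ")
```

Run it on the executor host as `check_profile(os.path.expanduser("~/.oci/config"))` before terraform apply; the OCI CLI itself also warns about an overly permissive key file, but this check covers the config file and the profile contents as well.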
########## SAMPLE TFVAR FILE ##########
########## PROVIDER SPECIFIC VARIABLES ##########
region = "foo-region-1"
tenancy_ocid = "ocid1.tenancy.oc1..abcdefg"
user_ocid = "ocid1.user.oc1..aaaaaaabcdefg"
fingerprint = "fo:oo:ba:ar:ba:ar"
private_key_path = "/absolute/path/to/api/key/your_api_key.pem"
########## PROVIDER SPECIFIC VARIABLES ##########
########## ARTIFACT SPECIFIC VARIABLES ##########
from_network_compartment_name = "HUB_NETWORK_COMPARTMENT"
from_vcn_display_name = "HUB_VCN"
from_route_table_display_name = "HUB_Route_Table"
from_lpg_display_name = "HUB_LPG"
to_network_compartment_name = "SPOKE_NETWORK_COMPARTMENT"
to_vcn_display_name = "SPOKE_VCN"
to_route_table_display_name = "SPOKE_Route_Table"
to_lpg_display_name = "SPOKE_LPG"
########## ARTIFACT SPECIFIC VARIABLES ##########
########## SAMPLE TFVAR FILE ##########
- This module updates a single route table per invocation. If the implementation has more than one route table, call the module once for each route table involved.
- It is recommended to orchestrate this module together with the brick terraform-oci-cloudbricks-network-artifacts, so that the outputs of that brick (network compartment, VCN, LPG and route table names) can be passed straight into the variables this module requires.
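The reason each invocation is tied to one route table is that, in the OCI API, an update to a route table replaces its whole list of route rules: the LPG rule cannot be sent alone, it has to be merged into the rules already present and the full list written back. The block below is an added example, not the brick's or ortu's own code, showing that merge step as a pure function: it is idempotent on re-apply, it keeps every existing rule intact, and it refuses to re-point a destination that is already routed elsewhere. Rules are plain dicts mirroring the fields of oci.core.models.RouteRule; every OCID and CIDR in it is a constructed placeholder, and sample_route_table() is a stand-in for the response of a real get_route_table call.

```python
"""Merge an LPG route into an existing OCI route table's rule list.

Added example, not the brick's or ortu's code. UpdateRouteTableDetails in the
OCI SDK replaces the whole route_rules collection, so an update is a merge:
read the current rules, add the LPG rule, write the full list back. Rules are
dicts mirroring oci.core.models.RouteRule; all OCIDs/CIDRs are placeholders.
"""
import ipaddress

LPG_PREFIX = "ocid1.localpeeringgateway."


class RouteConflict(Exception):
    """The destination is already routed to a different network entity."""


def _key(rule):
    """Identity of a rule as OCI sees it: (destination type, destination)."""
    return (rule.get("destination_type", "CIDR_BLOCK"), rule["destination"])


def merge_lpg_route(existing_rules, peer_cidr, lpg_ocid, local_vcn_cidrs=(),
                    description="Route to peered VCN via LPG"):
    """Return (rules_to_write, changed) for an idempotent LPG route update."""
    if not lpg_ocid.startswith(LPG_PREFIX):
        raise ValueError(f"not an LPG OCID: {lpg_ocid}")
    # strict=True rejects a destination with host bits set, e.g. 10.1.0.1/16.
    peer = ipaddress.ip_network(peer_cidr, strict=True)
    if peer.prefixlen == 0:
        raise ValueError("a default route must not point at an LPG")
    # Peered VCNs need disjoint address space; catch overlap before the API does.
    for cidr in local_vcn_cidrs:
        if peer.overlaps(ipaddress.ip_network(cidr)):
            raise ValueError(f"peer CIDR {peer} overlaps local VCN CIDR {cidr}")

    new_rule = {
        "destination": str(peer),
        "destination_type": "CIDR_BLOCK",
        "network_entity_id": lpg_ocid,
        "description": description,
    }
    for rule in existing_rules:
        if _key(rule) == _key(new_rule):
            if rule["network_entity_id"] == lpg_ocid:
                return list(existing_rules), False  # already present: no-op re-apply
            # Never silently re-point a destination: that turns a peering change
            # into traffic redirection through a gateway nobody intended.
            raise RouteConflict(f"{peer} already routed to {rule['network_entity_id']}")
    return list(existing_rules) + [new_rule], True


def sample_route_table():
    """Constructed stand-in for a get_route_table() response of a private RT."""
    return {
        "id": "ocid1.routetable.oc1..exampleprivate",
        "route_rules": [
            {"destination": "0.0.0.0/0", "destination_type": "CIDR_BLOCK",
             "network_entity_id": "ocid1.natgateway.oc1..examplenat",
             "description": "NAT Gateway default route"},
            {"destination": "all-iad-services-in-oracle-services-network",
             "destination_type": "SERVICE_CIDR_BLOCK",
             "network_entity_id": "ocid1.servicegateway.oc1..examplesgw",
             "description": "Service Gateway default route"},
        ],
    }


if __name__ == "__main__":
    rt = sample_route_table()
    rules, changed = merge_lpg_route(
        rt["route_rules"], "10.1.0.0/16",
        "ocid1.localpeeringgateway.oc1..examplehub",
        local_vcn_cidrs=["10.0.0.0/16"])
    print(changed, len(rules))  # True 3
```

With the real SDK the write-back is `VirtualNetworkClient.update_route_table(rt["id"], oci.core.models.UpdateRouteTableDetails(route_rules=[oci.core.models.RouteRule(**r) for r in rules]))`, issued only when `changed` is true; passing the ETag from the preceding get_route_table as `if_match` makes the read-modify-write safe against a concurrent change to the same table.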
The following is the base provider definition to be used with this module. The aliased "home" provider needs the tenancy's home region, which the data source below resolves; it is part of the definition because IAM resources can only be managed from the home region.
terraform {
  required_version = ">= 0.13.5"
}

provider "oci" {
  region               = var.region
  tenancy_ocid         = var.tenancy_ocid
  user_ocid            = var.user_ocid
  fingerprint          = var.fingerprint
  private_key_path     = var.private_key_path
  disable_auto_retries = true
}

# Resolve the home region of the tenancy for the aliased provider below.
data "oci_identity_region_subscriptions" "home_region_subscriptions" {
  tenancy_id = var.tenancy_ocid
  filter {
    name   = "is_home_region"
    values = [true]
  }
}

provider "oci" {
  alias                = "home"
  region               = data.oci_identity_region_subscriptions.home_region_subscriptions.region_subscriptions[0].region_name
  tenancy_ocid         = var.tenancy_ocid
  user_ocid            = var.user_ocid
  fingerprint          = var.fingerprint
  private_key_path     = var.private_key_path
  disable_auto_retries = true
}
Name | Version |
---|---|
terraform | >= 0.13.5 |
Name | Version |
---|---|
oci | 4.36.0 |
oci.home | 4.36.0 |
random | 3.1.0 |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
custom_search_domain | A domain name where the custom option can be applied | any | n/a | yes |
dhcp_options_display_name | (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. | any | n/a | yes |
fingerprint | API Key Fingerprint for user_ocid derived from public API Key imported in OCI User config | any | n/a | yes |
internet_gateway_display_name | (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. | any | n/a | yes |
internet_gateway_enabled | Describes if the Internet Gateway is enabled upon creation or not | bool | true | no |
is_private_subnet_private | Describes if the subnet is private or not | bool | true | no |
is_public_subnet_private | Describes if the subnet is private or not | bool | false | no |
is_spoke | Boolean that describes if the compartment is a spoke or not | bool | true | no |
label_zs | Auxiliary variable to concatenate with lpg number | list(any) | [ | no |
lpg_count | Number of LPG to create | number | 1 | no |
lpg_display_name_base | Local Peering Gateway Display Name Base | any | n/a | yes |
nat_gateway_display_name | NAT Gateway Display Name | any | n/a | yes |
peered_lpg_display_name | Display name of peered LPG | string | "" | no |
peered_vcn_display_name | Name of the peered VCN where the peered LPG is created | string | "" | no |
peered_vcn_network_compartment_name | Name of the compartment where the VCN that's going to be peered is | string | "" | no |
private_key_path | Absolute path of the private API key on the host where terraform is executed | any | n/a | yes |
private_route_table_display_name | Private Route Table Display Name. | any | n/a | yes |
private_route_table_nat_route_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "NAT Gateway default route" | no |
private_route_table_nat_route_rules_destination | Destination CIDR of the NAT Gateway route rule in the private route table | string | "0.0.0.0/0" | no |
private_route_table_nat_route_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. Required if you provide a destination. | string | "CIDR_BLOCK" | no |
private_route_table_svc_route_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "Service Gateway default route" | no |
private_route_table_svc_route_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. Required if you provide a destination. | string | "SERVICE_CIDR_BLOCK" | no |
private_security_list_display_name | (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. | any | n/a | yes |
private_security_list_egress_security_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "All egress rule for all protocols and IP Addresses" | no |
private_security_list_egress_security_rules_destination | (Required) (Updatable) Conceptually, this is the range of IP addresses that a packet originating from the instance can go to. | string | "0.0.0.0/0" | no |
private_security_list_egress_security_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. The default is CIDR_BLOCK | string | "CIDR_BLOCK" | no |
private_security_list_egress_security_rules_protocol | (Required) (Updatable) The transport protocol. Specify either all or an IPv4 protocol number as defined in Protocol Numbers. Options are supported only for ICMP (1), TCP (6), UDP (17), and ICMPv6 (58). | string | "all" | no |
private_security_list_egress_security_rules_stateless | (Optional) (Updatable) A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if egress traffic allows TCP destination port 80, there should be an ingress rule to allow TCP source port 80. Defaults to false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic. | bool | true | no |
private_security_list_ingress_security_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "All traffic in for private security List" | no |
private_security_list_ingress_security_rules_protocol | (Required) (Updatable) The transport protocol. Specify either all or an IPv4 protocol number as defined in Protocol Numbers. Options are supported only for ICMP (1), TCP (6), UDP (17), and ICMPv6 (58). | string | "all" | no |
private_security_list_ingress_security_rules_source | (Required) (Updatable) Conceptually, this is the range of IP addresses that a packet coming into the instance can come from. | string | "0.0.0.0/0" | no |
private_security_list_ingress_security_rules_source_type | Type of source for the rule. | string | "CIDR_BLOCK" | no |
private_security_list_ingress_security_rules_stateless | A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if ingress traffic allows TCP destination port 80, there should be an egress rule to allow TCP source port 80. Defaults to false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic. | bool | true | no |
private_subnet_cidr_block_map | Map of CIDR Blocks associated to private subnets and their corresponding names | map(any) | n/a | yes |
public_route_table_display_name | Public Route Table Display Name. | any | n/a | yes |
public_route_table_inet_route_rules_description | Description of Route Table Entry for Internet Gateway | string | "Route entry for Internet Gateway" | no |
public_route_table_inet_route_rules_destination | Destination CIDR of the Internet Gateway route rule in the public route table | string | "0.0.0.0/0" | no |
public_route_table_inet_route_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. Required if you provide a destination. | string | "CIDR_BLOCK" | no |
public_route_table_svc_route_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "Service Gateway default route" | no |
public_route_table_svc_route_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. Required if you provide a destination. | string | "SERVICE_CIDR_BLOCK" | no |
public_security_list_display_name | (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. | any | n/a | yes |
public_security_list_egress_security_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "All egress rule for all protocols and IP Addresses" | no |
public_security_list_egress_security_rules_destination | (Required) (Updatable) Conceptually, this is the range of IP addresses that a packet originating from the instance can go to. | string | "0.0.0.0/0" | no |
public_security_list_egress_security_rules_destination_type | (Optional) (Updatable) Type of destination for the rule. The default is CIDR_BLOCK | string | "CIDR_BLOCK" | no |
public_security_list_egress_security_rules_protocol | (Required) (Updatable) The transport protocol. Specify either all or an IPv4 protocol number as defined in Protocol Numbers. Options are supported only for ICMP (1), TCP (6), UDP (17), and ICMPv6 (58). | string | "all" | no |
public_security_list_egress_security_rules_stateless | (Optional) (Updatable) A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if egress traffic allows TCP destination port 80, there should be an ingress rule to allow TCP source port 80. Defaults to false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic. | bool | true | no |
public_security_list_ingress_security_rules_description | (Optional) (Updatable) An optional description of your choice for the rule. | string | "All traffic in for Public Security List" | no |
public_security_list_ingress_security_rules_protocol | (Required) (Updatable) The transport protocol. Specify either all or an IPv4 protocol number as defined in Protocol Numbers. Options are supported only for ICMP (1), TCP (6), UDP (17), and ICMPv6 (58). | string | "all" | no |
public_security_list_ingress_security_rules_source | (Required) (Updatable) Conceptually, this is the range of IP addresses that a packet coming into the instance can come from. | string | "0.0.0.0/0" | no |
public_security_list_ingress_security_rules_source_type | Type of source for the rule. | string | "CIDR_BLOCK" | no |
public_security_list_ingress_security_rules_stateless | A stateless rule allows traffic in one direction. Remember to add a corresponding stateless rule in the other direction if you need to support bidirectional traffic. For example, if ingress traffic allows TCP destination port 80, there should be an egress rule to allow TCP source port 80. Defaults to false, which means the rule is stateful and a corresponding rule is not necessary for bidirectional traffic. | bool | true | no |
public_subnet_cidr_block_map | Map of CIDR Blocks associated to public subnets and their corresponding names | map(any) | n/a | yes |
region | Target region where artifacts are going to be created | any | n/a | yes |
service_gateway_display_name | Service Gateway Display Name | any | n/a | yes |
tenancy_ocid | OCID of tenancy | any | n/a | yes |
user_ocid | User OCID in tenancy. Currently hardcoded to user [email protected] | any | n/a | yes |
vcn_cidr_blocks | The list of one or more IPv4 CIDR blocks for the VCN | any | n/a | yes |
vcn_display_name | (Optional) (Updatable) A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information. | any | n/a | yes |
vcn_network_compartment_name | Name of the compartment that contains all the networking artifacts. This compartment needs to be pre-created | any | n/a | yes |

Note that the security list defaults above (source and destination 0.0.0.0/0, protocol all, stateless true for both ingress and egress) permit all traffic in both directions on both the public and the private subnets. Override them with the protocols, ports and CIDRs the workload actually needs rather than relying on the defaults, and keep in mind that stateless rules need a matching rule in the opposite direction for return traffic.
Name | Description |
---|---|
dhcp_options | DHCP Options associated to VCN |
internet_gateway | Internet Gateway component |
local_peering_gateways | Local Peering Gateways Associated to VCN |
nat_gateway | NAT Gateway component |
network_compartment | Compartment where network resides on |
private_route_table | Private Route Table associated to subnets |
private_security_list | Private Security List associated to subnets |
private_subnets | Private subnets created |
public_route_table | Public Route Table associated to subnets |
public_security_list | Public Security List associated to subnets |
public_subnets | Public subnets created |
service_gateway | Service Gateway component |
vcn | VCN Object |
This project is open source. Please submit your contributions by forking this repository and submitting a pull request! Oracle appreciates any contributions that are made by the open source community.
Copyright (c) 2021 Oracle and/or its affiliates.
Licensed under the Universal Permissive License (UPL), Version 1.0.
See LICENSE for more details.