Code refactored for CLI

oracle-quickstart · May 14, 2020 · bc81248 · bc81248
1 parent b8d1a8c
commit bc81248
Show file tree

Hide file tree

Showing 9 changed files with 280 additions and 160 deletions.
diff --git a/compute.tf b/compute.tf
@@ -1,40 +1,34 @@
-locals {
-  # If ad_number is non-negative use it for AD lookup, else use ad_name.
-  # Allows for use of ad_number in TF deploys, and ad_name in ORM.
-  # Use of max() prevents out of index lookup call.
-  ad = var.availability_domain_number >= 0 ? data.oci_identity_availability_domains.availability_domains.availability_domains[max(0, var.availability_domain_number)]["name"] : var.availability_domain_name
-
-  # Platform OL7 image regarless of region
-  platform_image = data.oci_core_images.ol7.images[0].id
-
-  # Logic to choose platform or mkpl image based on
-  # var.enabled
-  image          = var.enabled ? var.mp_listing_resource_id : local.platform_image
-
-  # local.use_existing_network defined in network.tf and referenced here
-}
-
 resource "oci_core_instance" "simple-vm" {
-  availability_domain = local.ad
-  compartment_id      = var.compartment_ocid
+  availability_domain = local.availability_domain
+  compartment_id      = var.compute_compartment_ocid
   display_name        = var.vm_display_name
   shape               = var.vm_compute_shape
 
+  shape_config {
+    #required for VM.Standard.E3.Flex shape
+    ocpus = var.vm_compute_shape_ocpus
+  }
+
   create_vnic_details {
-    subnet_id        = local.use_existing_network ? var.subnet_id : oci_core_subnet.public_subnet[0].id
-    display_name     = var.vm_display_name
-    assign_public_ip = true
-    hostname_label = "simple-vm"
+    subnet_id              = local.use_existing_network ? var.subnet_id : oci_core_subnet.simple_subnet[0].id
+    display_name           = var.subnet_display_name
+    assign_public_ip       = local.is_public_subnet
+    hostname_label         = var.hostname_label
+    skip_source_dest_check = false
+    nsg_ids                = [oci_core_network_security_group.simple_nsg.id]
   }
 
   source_details {
     source_type = "image"
-    source_id   = local.image
+    source_id   = local.platform_image_id
+    #use a marketplace image or custom image:
+    #source_id   = local.compute_image_id
   }
 
   metadata = {
     ssh_authorized_keys = var.ssh_public_key
-    user_data = base64encode(file("./scripts/example.sh"))
+    user_data           = base64encode(file("./scripts/example.sh"))
   }
 
+  freeform_tags = map(var.tag_key_name, var.tag_value)
 }
diff --git a/data_sources.tf b/data_sources.tf
@@ -1,25 +1,26 @@
-data "oci_core_images" "ol7" {
-  compartment_id      = "${var.compartment_ocid}"
-  operating_system    = "Oracle Linux"
-  sort_by             = "TIMECREATED"
-  sort_order          = "DESC"
-  state               = "AVAILABLE"
+data "oci_identity_availability_domain" "ad" {
+  compartment_id = var.tenancy_ocid
+  ad_number      = var.availability_domain_number
+}
+
+data "oci_core_images" "autonomous_ol7" {
+  compartment_id   = var.compute_compartment_ocid
+  operating_system = "Oracle Autonomous Linux"
+  sort_by          = "TIMECREATED"
+  sort_order       = "DESC"
+  state            = "AVAILABLE"
 
   # filter restricts to pegged version regardless of region
   filter {
-    name = "display_name"
-    values = ["Oracle-Linux-7.7-2020.03.23-0"]
-    regex = false
+    name   = "display_name"
+    values = ["Oracle-Autonomous-Linux-7.8-2020.04-0"]
+    regex  = false
   }
 
   # filter restricts to OL 7
   filter {
-    name = "operating_system_version"
+    name   = "operating_system_version"
     values = ["7\\.[0-9]"]
-    regex = true
+    regex  = true
   }
-}
-
-data "oci_identity_availability_domains" "availability_domains" {
-  compartment_id = var.compartment_ocid
-}
+}
diff --git a/image_subscription.tf b/image_subscription.tf
@@ -1,25 +1,16 @@
-#Local variables pointing to the Marketplace catalog resource
-#Eg. Modify accordingly to your Application/Listing
-locals {
-  enabled                  = var.enabled ? 1 : 0
-  listing_id               = var.mp_listing_id
-  listing_resource_id      = var.mp_listing_resource_id
-  listing_resource_version = var.mp_listing_resource_version
-}
-
 #Get Image Agreement
 resource "oci_core_app_catalog_listing_resource_version_agreement" "mp_image_agreement" {
-  count = local.enabled
+  count = local.mp_subscription_enabled
 
   listing_id               = local.listing_id
   listing_resource_version = local.listing_resource_version
 }
 
 #Accept Terms and Subscribe to the image, placing the image in a particular compartment
 resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
-  count = local.enabled
+  count = local.mp_subscription_enabled
 
-  compartment_id           = var.compartment_ocid
+  compartment_id           = var.compute_compartment_ocid
   eula_link                = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement[0].eula_link
   listing_id               = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement[0].listing_id
   listing_resource_version = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement[0].listing_resource_version
@@ -34,9 +25,9 @@ resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
 
 # Gets the partner image subscription
 data "oci_core_app_catalog_subscriptions" "mp_image_subscription" {
-  count = local.enabled
+  count = local.mp_subscription_enabled
 
-  compartment_id = var.compartment_ocid
+  compartment_id = var.compute_compartment_ocid
   listing_id     = local.listing_id
 
   filter {

diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,25 @@
+locals {
+
+  # Logic to use AD name provided by user input on ORM or to lookup for the AD name when running from CLI
+  availability_domain = (var.availability_domain_name != "" ? var.availability_domain_name : data.oci_identity_availability_domain.ad.name)
+
+  # local.use_existing_network referenced in network.tf
+  use_existing_network = var.network_strategy == var.network_strategy_enum["USE_EXISTING_VCN_SUBNET"] ? true : false
+
+  # local.is_public_subnet referenced in compute.tf
+  is_public_subnet = var.subnet_type == var.subnet_type_enum["PUBLIC_SUBNET"] ? true : false
+
+  # Logic to select Oracle Autonomous Linux 7 platform image (latest image available)
+  platform_image_id = data.oci_core_images.autonomous_ol7.images[0].id
+
+  # Logic to choose a custom image or a marketplace image.
+  compute_image_id = var.mp_subscription_enabled ? var.mp_listing_resource_id : var.custom_image_id
+
+  # Local to control subscription to Marketplace image.
+  mp_subscription_enabled = var.mp_subscription_enabled ? 1 : 0
+
+  # Marketplace Image listing variables - required for subscription only
+  listing_id               = var.mp_listing_id
+  listing_resource_id      = var.mp_listing_resource_id
+  listing_resource_version = var.mp_listing_resource_version
+}
diff --git a/network.tf b/network.tf
@@ -1,89 +1,54 @@
-
-locals {
-  use_existing_network = var.network_strategy == "Use Existing VCN and Subnet" ? true : false
-}
-
-# VCN comes with default route table, security list and DHCP options
-
-resource "oci_core_vcn" "vcn" {
-  count          = local.use_existing_network ? 0:1
+resource "oci_core_vcn" "simple" {
+  count          = local.use_existing_network ? 0 : 1
   cidr_block     = var.vcn_cidr_block
-  dns_label      = var.vcn_dns_label
-  compartment_id = var.compartment_ocid
+  dns_label      = substr(var.vcn_dns_label, 0, 15)
+  compartment_id = var.network_compartment_ocid
   display_name   = var.vcn_display_name
-}
 
-resource "oci_core_internet_gateway" "igw" {
-  count          = local.use_existing_network ? 0:1
-  compartment_id = var.compartment_ocid
-  display_name   = "internet_gateway"
-  vcn_id         = oci_core_vcn.vcn[count.index].id
+  freeform_tags = map(var.tag_key_name, var.tag_value)
 }
 
-resource "oci_core_default_route_table" "default_route_table" {
-  count          = local.use_existing_network ? 0:1
-  manage_default_resource_id = oci_core_vcn.vcn[count.index].default_route_table_id
+#IGW
+resource "oci_core_internet_gateway" "simple_internet_gateway" {
+  count          = local.use_existing_network ? 0 : 1
+  compartment_id = var.network_compartment_ocid
+  vcn_id         = oci_core_vcn.simple[count.index].id
+  enabled        = "true"
+  display_name   = "${var.vcn_display_name}-igw"
 
-  route_rules {
-    destination       = "0.0.0.0/0"
-    destination_type  = "CIDR_BLOCK"
-    network_entity_id = oci_core_internet_gateway.igw[count.index].id
-  }
+  freeform_tags = map(var.tag_key_name, var.tag_value)
 }
 
-
-resource "oci_core_subnet" "public_subnet" {
-  count          = local.use_existing_network ? 0:1
-  compartment_id             = var.compartment_ocid
-  vcn_id                     = oci_core_vcn.vcn[count.index].id
+#simple subnet
+resource "oci_core_subnet" "simple_subnet" {
+  count                      = local.use_existing_network ? 0 : 1
   cidr_block                 = var.subnet_cidr_block
+  compartment_id             = var.network_compartment_ocid
+  vcn_id                     = oci_core_vcn.simple[count.index].id
   display_name               = var.subnet_display_name
-  route_table_id             = oci_core_vcn.vcn[count.index].default_route_table_id
-  dns_label                  = var.subnet_dns_label
-  prohibit_public_ip_on_vnic = "false"
-}
+  dns_label                  = substr(var.subnet_dns_label, 0, 15)
+  prohibit_public_ip_on_vnic = ! local.is_public_subnet
 
-resource "oci_core_network_security_group" "nsg" {
-  #Required
-  compartment_id = var.compartment_ocid
-  vcn_id         = local.use_existing_network ? var.vcn_id : oci_core_vcn.vcn[0].id
-
-  #Optional
-  display_name = var.nsg_display_name
-}
-
-resource "oci_core_network_security_group_security_rule" "rule_egress_all" {
-  network_security_group_id = oci_core_network_security_group.nsg.id
-
-  direction   = "EGRESS"
-  protocol    = "all"
-  destination = "0.0.0.0/0"
+  freeform_tags = map(var.tag_key_name, var.tag_value)
 }
 
-resource "oci_core_network_security_group_security_rule" "rule_ingress_tcp443" {
-  network_security_group_id = oci_core_network_security_group.nsg.id
-  protocol                  = "6"
-  direction                 = "INGRESS"
-  source                    = var.nsg_whitelist_ip != "" ? var.nsg_whitelist_ip : "0.0.0.0/0"
-  stateless                 = false
+resource "oci_core_route_table" "simple_route_table" {
+  count          = local.use_existing_network ? 0 : 1
+  compartment_id = var.network_compartment_ocid
+  vcn_id         = oci_core_vcn.simple[count.index].id
+  display_name   = "${var.subnet_display_name}-rt"
 
-  tcp_options {
-    destination_port_range {
-      min = 443
-      max = 443
-    }
+  route_rules {
+    network_entity_id = oci_core_internet_gateway.simple_internet_gateway[count.index].id
+    destination       = "0.0.0.0/0"
+    destination_type  = "CIDR_BLOCK"
   }
-}
-
-resource "oci_core_network_security_group_security_rule" "rule_ingress_all_icmp_type3_code4" {
-  network_security_group_id = oci_core_network_security_group.nsg.id
-  protocol                  = 1
-  direction                 = "INGRESS"
-  source                    = var.nsg_whitelist_ip != "" ? var.nsg_whitelist_ip : "0.0.0.0/0"
-  stateless                 = true
 
-  icmp_options {
-    type = 3
-    code = 4
-  }
+  freeform_tags = map(var.tag_key_name, var.tag_value)
 }
+
+resource "oci_core_route_table_attachment" "route_table_attachment" {
+  count          = local.use_existing_network ? 0 : 1
+  subnet_id      = oci_core_subnet.simple_subnet[count.index].id
+  route_table_id = oci_core_route_table.simple_route_table[count.index].id
+}
diff --git a/nsg.tf b/nsg.tf
@@ -0,0 +1,77 @@
+resource "oci_core_network_security_group" "simple_nsg" {
+  #Required
+  compartment_id = var.network_compartment_ocid
+  vcn_id         = local.use_existing_network ? var.vcn_id : oci_core_vcn.simple.0.id
+
+  #Optional
+  display_name = var.nsg_display_name
+
+  freeform_tags = map(var.tag_key_name, var.tag_value)
+}
+
+# Allow Egress traffic to all networks
+resource "oci_core_network_security_group_security_rule" "simple_rule_egress" {
+  network_security_group_id = oci_core_network_security_group.simple_nsg.id
+
+  direction   = "EGRESS"
+  protocol    = "all"
+  destination = "0.0.0.0/0"
+
+}
+
+# Allow SSH (TCP port 22) Ingress traffic from any network
+resource "oci_core_network_security_group_security_rule" "simple_rule_ssh_ingress" {
+  network_security_group_id = oci_core_network_security_group.simple_nsg.id
+  protocol                  = "6"
+  direction                 = "INGRESS"
+  source                    = "0.0.0.0/0"
+  stateless                 = false
+
+  tcp_options {
+    destination_port_range {
+      min = 22
+      max = 22
+    }
+  }
+}
+
+# Allow HTTPS (TCP port 443) Ingress traffic from any network
+resource "oci_core_network_security_group_security_rule" "simple_rule_https_ingress" {
+  network_security_group_id = oci_core_network_security_group.simple_nsg.id
+  protocol                  = "6"
+  direction                 = "INGRESS"
+  source                    = "0.0.0.0/0"
+  stateless                 = false
+
+  tcp_options {
+    destination_port_range {
+      min = 443
+      max = 443
+    }
+  }
+}
+
+# Allow HTTP (TCP port 80) Ingress traffic from any network
+resource "oci_core_network_security_group_security_rule" "simple_rule_http_ingress" {
+  network_security_group_id = oci_core_network_security_group.simple_nsg.id
+  protocol                  = "6"
+  direction                 = "INGRESS"
+  source                    = "0.0.0.0/0"
+  stateless                 = false
+
+  tcp_options {
+    destination_port_range {
+      min = 80
+      max = 80
+    }
+  }
+}
+
+# Allow ANY Ingress traffic from within simple vcn
+resource "oci_core_network_security_group_security_rule" "simple_rule_all_simple_vcn_ingress" {
+  network_security_group_id = oci_core_network_security_group.simple_nsg.id
+  protocol                  = "all"
+  direction                 = "INGRESS"
+  source                    = var.vcn_cidr_block
+  stateless                 = false
+}