From 7d5a1532c8cd8233151f6c3cde93a91bda22044b Mon Sep 17 00:00:00 2001
From: Aaron van Meerten
Date: Thu, 27 Jun 2024 11:08:14 -0400
Subject: [PATCH 1/2] feat(vcn): move jvb security group into separate terraform and state
---
 .../create-jvb-security-group.sh | 131 ++++++++++++++++++
 .../jvb-security-group.tf | 75 ++++++++++
 2 files changed, 206 insertions(+)
 create mode 100755 terraform/vcn-jvb-security-group/create-jvb-security-group.sh
 create mode 100644 terraform/vcn-jvb-security-group/jvb-security-group.tf
diff --git a/terraform/vcn-jvb-security-group/create-jvb-security-group.sh b/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
new file mode 100755
index 000000000..5555e89d1
--- /dev/null
+++ b/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+if [ -z "$ENVIRONMENT" ]; then
+ echo "No ENVIRONMENT found. Exiting..."
+ exit 203
+fi
+
+[ -e ./sites/$ENVIRONMENT/stack-env.sh ] && . ./sites/$ENVIRONMENT/stack-env.sh
+
+# e.g. /terraform/standalone
+LOCAL_PATH=$(dirname "${BASH_SOURCE[0]}")
+
+#pull in cloud-specific variables, e.g. tenancy
+[ -e "$LOCAL_PATH/../../clouds/oracle.sh" ] && . $LOCAL_PATH/../../clouds/oracle.sh
+
+if [ -z "$ORACLE_REGION" ]; then
+ echo "No ORACLE_REGION found. Exiting..."
+ exit 203
+fi
+
+#set -x
+
+# Create Security Lists
+[ -z "$NAME_ROOT" ] && NAME_ROOT="$ORACLE_REGION-$ENVIRONMENT"
+
+[ -z "$S3_PROFILE" ] && S3_PROFILE="oracle"
+[ -z "$S3_STATE_BUCKET" ] && S3_STATE_BUCKET="tf-state-$ENVIRONMENT"
+[ -z "$S3_ENDPOINT" ] && S3_ENDPOINT="https://$ORACLE_S3_NAMESPACE.compat.objectstorage.$ORACLE_REGION.oraclecloud.com"
+
+S3_STATE_BASE="$ENVIRONMENT/vcn-jvb-security-group"
+[ -z "$S3_STATE_KEY" ] && S3_STATE_KEY="${S3_STATE_BASE}/terraform.tfstate"
+
+
+TERRAFORM_MAJOR_VERSION=$(terraform -v | head -1 | awk '{print $2}' | cut -d'.' -f1)
+TF_GLOBALS_CHDIR=
+if [[ "$TERRAFORM_MAJOR_VERSION" == "v1" ]]; then
+ TF_GLOBALS_CHDIR="-chdir=$LOCAL_PATH"
+ TF_CLI_ARGS=""
+ TF_POST_PARAMS=
+else
+ TF_POST_PARAMS="$LOCAL_PATH"
+fi
+#The —reconfigure option disregards any existing configuration, preventing migration of any existing state
+terraform $TF_GLOBALS_CHDIR init \
+ -backend-config="bucket=$S3_STATE_BUCKET" \
+ -backend-config="key=$S3_STATE_KEY" \
+ -backend-config="region=$ORACLE_REGION" \
+ -backend-config="profile=$S3_PROFILE" \
+ -backend-config="endpoint=$S3_ENDPOINT" \
+ -reconfigure $TF_POST_PARAMS
+
+[ -z "$ACTION" ] && ACTION="apply"
+
+if [[ "$ACTION" == "apply" ]]; then
+ ACTION_POST_PARAMS="-auto-approve"
+fi
+
+if [[ "$ACTION" == "import" ]]; then
+ [ -z "$IMPORT_LOOKUP_FLAG" ] && IMPORT_LOOKUP_FLAG="true"
+ if [ "$IMPORT_LOOKUP_FLAG" == "true" ]; then
+ SECURITY_GROUP_OCID="$(oci network nsg list --compartment-id $COMPARTMENT_OCID --all --region $ORACLE_REGION --display-name $NAME_ROOT-JVBSecurityGroup | jq -r '.data[].id')"
+ if [[ "$SECURITY_GROUP_OCID" == "null" ]]; then
+ echo "No security group found, not automatically providing import parameters"
+ else
+ ACTION_POST_PARAMS="oci_core_network_security_group.jvb_network_security_group $SECURITY_GROUP_OCID"
+ terraform $TF_GLOBALS_CHDIR $ACTION \
+ -var="oracle_region=$ORACLE_REGION"\
+ -var="tenancy_ocid=$TENANCY_OCID"\
+ -var="compartment_ocid=$COMPARTMENT_OCID"\
+ -var="environment=$ENVIRONMENT"\
+ -var="vcn_name=$VCN_NAME"\
+ -var="resource_name_root=$NAME_ROOT"\
+ $ACTION_POST_PARAMS $TF_POST_PARAMS
+
+ SECURITY_GROUP_RULES="$(oci network nsg rules list --nsg-id $SECURITY_GROUP_OCID --region $ORACLE_REGION)"
+ if [[ $? -eq 0 ]]; then
+ GROUP_LENGTH="$(echo "$SECURITY_GROUP_RULES" | jq -r '.data | length')"
+ for i in $(seq 0 $(($GROUP_LENGTH - 1))); do
+ echo "Rule $i: $(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]")"
+ RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq -r ".data[$i].id")"
+ RULE_TYPE=
+ EGRESS_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "EGRESS" and .destination == "0.0.0.0/0") | .id')"
+ if [ -n "$EGRESS_RULE_ID" ]; then
+ RULE_TYPE="egress"
+ fi
+ HTTPS_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."tcp-options"."destination-port-range".max == 443) | .id')"
+ if [ -n "$HTTPS_RULE_ID" ]; then
+ RULE_TYPE="https"
+ fi
+
+ MEDIA_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."udp-options"."destination-port-range".max == 10000) | .id')"
+ if [ -n "$MEDIA_RULE_ID" ]; then
+ RULE_TYPE="media"
+ fi
+
+ SSH_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."tcp-options"."destination-port-range".max == 22) | .id')"
+ if [ -n "$SSH_RULE_ID" ]; then
+ RULE_TYPE="ssh"
+ fi
+
+ if [ -n "$RULE_TYPE" ]; then
+ ACTION_POST_PARAMS="oci_core_network_security_group_security_rule.jvb_network_security_group_security_rule_$RULE_TYPE networkSecurityGroups/$SECURITY_GROUP_OCID/securityRules/$RULE_ID"
+
+ terraform $TF_GLOBALS_CHDIR $ACTION \
+ -var="oracle_region=$ORACLE_REGION"\
+ -var="tenancy_ocid=$TENANCY_OCID"\
+ -var="compartment_ocid=$COMPARTMENT_OCID"\
+ -var="environment=$ENVIRONMENT"\
+ -var="vcn_name=$VCN_NAME"\
+ -var="resource_name_root=$NAME_ROOT"\
+ $ACTION_POST_PARAMS $TF_POST_PARAMS
+ else
+ echo "Found rule $RULE_ID with no known type, skipping"
+ fi
+ done
+ else
+ echo "No security group rules found, not automatically providing import parameters"
+ fi
+ fi
+ else
+ ACTION_POST_PARAMS="$1 $2"
+ fi
+else
+ terraform $TF_GLOBALS_CHDIR $ACTION \
+ -var="oracle_region=$ORACLE_REGION"\
+ -var="tenancy_ocid=$TENANCY_OCID"\
+ -var="compartment_ocid=$COMPARTMENT_OCID"\
+ -var="environment=$ENVIRONMENT"\
+ -var="vcn_name=$VCN_NAME"\
+ -var="resource_name_root=$NAME_ROOT"\
+ $ACTION_POST_PARAMS $TF_POST_PARAMS
+fi
\ No newline at end of file
diff --git a/terraform/vcn-jvb-security-group/jvb-security-group.tf b/terraform/vcn-jvb-security-group/jvb-security-group.tf
new file mode 100644
index 000000000..ddb93bfda
--- /dev/null
+++ b/terraform/vcn-jvb-security-group/jvb-security-group.tf
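Review bot: The lookup in the `ACTION == "import"` branch compares `SECURITY_GROUP_OCID` with the literal `"null"`, but `jq -r '.data[].id'` prints nothing (not `null`) when the list is empty and prints several newline-separated ids when more than one NSG carries the display name, so a missing or ambiguous group still reaches `terraform import` with an empty or multi-word id; guard on emptiness too, `if [[ -z "$SECURITY_GROUP_OCID" || "$SECURITY_GROUP_OCID" == "null" ]]; then`, and quote the expansions handed to `oci` (`--compartment-id "$COMPARTMENT_OCID"`, `--display-name "$NAME_ROOT-JVBSecurityGroup"`). The rule loop can set `RULE_TYPE="ssh"` and import `jvb_network_security_group_security_rule_ssh`, yet the accompanying jvb-security-group.tf declares only egress, https and media rules, so a port-22 rule in an existing group would make that import step fail; either drop the ssh branch or declare the resource. `ENVIRONMENT` is only checked for being non-empty before it is spliced into `. ./sites/$ENVIRONMENT/stack-env.sh` unquoted, so a value containing spaces or path separators changes which file is sourced; quoting the path (`. "./sites/$ENVIRONMENT/stack-env.sh"`) and rejecting values that do not match `^[A-Za-z0-9_-]+$` would keep the script from executing an unintended file. Nothing checks that `terraform ... init` succeeded before the later `terraform $TF_GLOBALS_CHDIR $ACTION` calls run; `terraform ... init ... || exit 1` (or `set -e` near the top) would stop an apply against an uninitialised backend.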
@@ -0,0 +1,75 @@
+variable "tenancy_ocid" {}
+variable "compartment_ocid" {}
+variable "oracle_region" {}
+variable "environment" {}
+variable "vcn_name" {}
+variable "resource_name_root" {}
+
+provider "oci" {
+ region = var.oracle_region
+ tenancy_ocid = var.tenancy_ocid
+}
+
+terraform {
+ backend "s3" {
+ skip_region_validation = true
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ force_path_style = true
+ }
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ }
+ }
+}
+
+data "oci_core_vcns" "vcns" {
+ compartment_id = var.compartment_ocid
+ display_name = var.vcn_name
+}
+
+// ============ NETWORKS SECURITY GROUPS ============
+
+resource "oci_core_network_security_group" "jvb_network_security_group" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcns.vcns.virtual_networks[0].id
+ display_name = "${var.resource_name_root}-JVBSecurityGroup"
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_egress" {
+ network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+ direction = "EGRESS"
+ destination = "0.0.0.0/0"
+ protocol = "all"
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_https" {
+ network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+ protocol = "6" //tcp
+ direction = "INGRESS"
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ destination_port_range {
+ min = 443
+ max = 443
+ }
+ }
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_media" {
+ network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+ protocol = "17" //udp
+ direction = "INGRESS"
+ source = "0.0.0.0/0"
+ stateless = false
+
+ udp_options {
+ destination_port_range {
+ min = 10000
+ max = 10000
+ }
+ }
+}
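Review bot: `jvb_network_security_group` takes its VCN from `data.oci_core_vcns.vcns.virtual_networks[0].id`, so a lookup that returns no VCN for `var.vcn_name` fails only at plan time with an index error, and one that returns several silently attaches the group to whichever the API lists first; a comment stating that `vcn_name` must be unique in the compartment, or a `precondition` on the resource checking `length(data.oci_core_vcns.vcns.virtual_networks) == 1` (Terraform 1.2+), would make that contract explicit. Neither `required_providers.oci` nor the `terraform` block pins a version, while the companion script accepts both pre-1.0 and v1 binaries, so the s3 backend arguments and the provider schema this file relies on are validated against whatever the caller happens to have installed; adding `required_version` and a `version` constraint (exact values to be chosen by the maintainers) would surface a mismatch at `init` rather than mid-apply. The https and media ingress rules and the `all`-protocol egress rule appear intended to be world-reachable (`0.0.0.0/0`), which is what a public bridge needs but is not stated anywhere; a short comment above the `NETWORKS SECURITY GROUPS` banner explaining that JVB hosts must accept TCP/443 and UDP/10000 from arbitrary clients and that this group is meant only for those hosts would keep a later reader from tightening or widening it by accident.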
From 1e4d7b0a3313b0493285e633a47e78440497d369 Mon Sep 17 00:00:00 2001
From: scott boone
Date: Thu, 27 Jun 2024 10:15:50 -0500
Subject: [PATCH 2/2] Update create-jvb-security-group.sh
---
 terraform/vcn-jvb-security-group/create-jvb-security-group.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/vcn-jvb-security-group/create-jvb-security-group.sh b/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
index 5555e89d1..ef12298d6 100755
--- a/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
+++ b/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
@@ -19,7 +19,7 @@ fi
 #set -x
-# Create Security Lists
+# Create Security Groups
 [ -z "$NAME_ROOT" ] && NAME_ROOT="$ORACLE_REGION-$ENVIRONMENT"
 [ -z "$S3_PROFILE" ] && S3_PROFILE="oracle"
@@ -128,4 +128,4 @@ else
 -var="vcn_name=$VCN_NAME"\
 -var="resource_name_root=$NAME_ROOT"\
 $ACTION_POST_PARAMS $TF_POST_PARAMS
-fi
\ No newline at end of file
+fi