feat(vcn): move jvb security group into separate terraform and state #554

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
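--- a/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
+++ b/terraform/vcn-jvb-security-group/create-jvb-security-group.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+if [ -z "$ENVIRONMENT" ]; then
+echo "No ENVIRONMENT found. Exiting..."
+exit 203
+fi
+
+[ -e ./sites/$ENVIRONMENT/stack-env.sh ] && . ./sites/$ENVIRONMENT/stack-env.sh
+
+# e.g. /terraform/standalone
+LOCAL_PATH=$(dirname "${BASH_SOURCE[0]}")
+
+#pull in cloud-specific variables, e.g. tenancy
+[ -e "$LOCAL_PATH/../../clouds/oracle.sh" ] && . $LOCAL_PATH/../../clouds/oracle.sh
+
+if [ -z "$ORACLE_REGION" ]; then
+echo "No ORACLE_REGION found. Exiting..."
+exit 203
+fi
+
+#set -x
+
+# Create Security Lists
+[ -z "$NAME_ROOT" ] && NAME_ROOT="$ORACLE_REGION-$ENVIRONMENT"
+
+[ -z "$S3_PROFILE" ] && S3_PROFILE="oracle"
+[ -z "$S3_STATE_BUCKET" ] && S3_STATE_BUCKET="tf-state-$ENVIRONMENT"
+[ -z "$S3_ENDPOINT" ] && S3_ENDPOINT="https://$ORACLE_S3_NAMESPACE.compat.objectstorage.$ORACLE_REGION.oraclecloud.com"
+
+S3_STATE_BASE="$ENVIRONMENT/vcn-jvb-security-group"
+[ -z "$S3_STATE_KEY" ] && S3_STATE_KEY="${S3_STATE_BASE}/terraform.tfstate"
+
+
+TERRAFORM_MAJOR_VERSION=$(terraform -v | head -1 | awk '{print $2}' | cut -d'.' -f1)
+TF_GLOBALS_CHDIR=
+if [[ "$TERRAFORM_MAJOR_VERSION" == "v1" ]]; then
+TF_GLOBALS_CHDIR="-chdir=$LOCAL_PATH"
+TF_CLI_ARGS=""
+TF_POST_PARAMS=
+else
+TF_POST_PARAMS="$LOCAL_PATH"
+fi
+#The —reconfigure option disregards any existing configuration, preventing migration of any existing state
+terraform $TF_GLOBALS_CHDIR init \
+-backend-config="bucket=$S3_STATE_BUCKET" \
+-backend-config="key=$S3_STATE_KEY" \
+-backend-config="region=$ORACLE_REGION" \
+-backend-config="profile=$S3_PROFILE" \
+-backend-config="endpoint=$S3_ENDPOINT" \
+-reconfigure $TF_POST_PARAMS
+
+[ -z "$ACTION" ] && ACTION="apply"
+
+if [[ "$ACTION" == "apply" ]]; then
+ACTION_POST_PARAMS="-auto-approve"
+fi
+
+if [[ "$ACTION" == "import" ]]; then
+[ -z "$IMPORT_LOOKUP_FLAG" ] && IMPORT_LOOKUP_FLAG="true"
+if [ "$IMPORT_LOOKUP_FLAG" == "true" ]; then
+SECURITY_GROUP_OCID="$(oci network nsg list --compartment-id $COMPARTMENT_OCID --all --region $ORACLE_REGION --display-name $NAME_ROOT-JVBSecurityGroup | jq -r '.data[].id')"
+if [[ "$SECURITY_GROUP_OCID" == "null" ]]; then
+echo "No security group found, not automatically providing import parameters"
+else
+ACTION_POST_PARAMS="oci_core_network_security_group.jvb_network_security_group $SECURITY_GROUP_OCID"
+terraform $TF_GLOBALS_CHDIR $ACTION \
+-var="oracle_region=$ORACLE_REGION"\
+-var="tenancy_ocid=$TENANCY_OCID"\
+-var="compartment_ocid=$COMPARTMENT_OCID"\
+-var="environment=$ENVIRONMENT"\
+-var="vcn_name=$VCN_NAME"\
+-var="resource_name_root=$NAME_ROOT"\
+$ACTION_POST_PARAMS $TF_POST_PARAMS
+
+SECURITY_GROUP_RULES="$(oci network nsg rules list --nsg-id $SECURITY_GROUP_OCID --region $ORACLE_REGION)"
+if [[ $? -eq 0 ]]; then
+GROUP_LENGTH="$(echo "$SECURITY_GROUP_RULES" | jq -r '.data | length')"
+for i in $(seq 0 $(($GROUP_LENGTH - 1))); do
+echo "Rule $i: $(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]")"
+RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq -r ".data[$i].id")"
+RULE_TYPE=
+EGRESS_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "EGRESS" and .destination == "0.0.0.0/0") | .id')"
+if [ -n "$EGRESS_RULE_ID" ]; then
+RULE_TYPE="egress"
+fi
+HTTPS_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."tcp-options"."destination-port-range".max == 443) | .id')"
+if [ -n "$HTTPS_RULE_ID" ]; then
+RULE_TYPE="https"
+fi
+
+MEDIA_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."udp-options"."destination-port-range".max == 10000) | .id')"
+if [ -n "$MEDIA_RULE_ID" ]; then
+RULE_TYPE="media"
+fi
+
+SSH_RULE_ID="$(echo "$SECURITY_GROUP_RULES" | jq ".data[$i]" | jq -s '.[]|select(.direction == "INGRESS" and .source == "0.0.0.0/0" and ."tcp-options"."destination-port-range".max == 22) | .id')"
+if [ -n "$SSH_RULE_ID" ]; then
+RULE_TYPE="ssh"
+fi
+
+if [ -n "$RULE_TYPE" ]; then
+ACTION_POST_PARAMS="oci_core_network_security_group_security_rule.jvb_network_security_group_security_rule_$RULE_TYPE networkSecurityGroups/$SECURITY_GROUP_OCID/securityRules/$RULE_ID"
+
+terraform $TF_GLOBALS_CHDIR $ACTION \
+-var="oracle_region=$ORACLE_REGION"\
+-var="tenancy_ocid=$TENANCY_OCID"\
+-var="compartment_ocid=$COMPARTMENT_OCID"\
+-var="environment=$ENVIRONMENT"\
+-var="vcn_name=$VCN_NAME"\
+-var="resource_name_root=$NAME_ROOT"\
+$ACTION_POST_PARAMS $TF_POST_PARAMS
+else
+echo "Found rule $RULE_ID with no known type, skipping"
+fi
+done
+else
+echo "No security group rules found, not automatically providing import parameters"
+fi
+fi
+else
+ACTION_POST_PARAMS="$1 $2"
+fi
+else
+terraform $TF_GLOBALS_CHDIR $ACTION \
+-var="oracle_region=$ORACLE_REGION"\
+-var="tenancy_ocid=$TENANCY_OCID"\
+-var="compartment_ocid=$COMPARTMENT_OCID"\
+-var="environment=$ENVIRONMENT"\
+-var="vcn_name=$VCN_NAME"\
+-var="resource_name_root=$NAME_ROOT"\
+$ACTION_POST_PARAMS $TF_POST_PARAMS
+fi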
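Review bot: The "no security group" guard compares `SECURITY_GROUP_OCID` against the literal string "null", but `jq -r '.data[].id'` prints nothing at all for an empty `.data` array, so a missing group falls into the else branch and `terraform import` is run with an empty OCID (and with several newline-separated IDs if more than one NSG carries the display name). Use `jq -r '.data[0].id // empty'` for the lookup and `if [[ -z "$SECURITY_GROUP_OCID" ]]; then` for the check, and consider aborting when the list returns more than one match. The rule classifier also maps a world-open port-22 rule to `oci_core_network_security_group_security_rule.jvb_network_security_group_security_rule_ssh`, which is not declared in jvb-security-group.tf in this PR, so that import will presumably fail; either add the resource or drop the `ssh` branch, noting that an unmanaged 0.0.0.0/0 SSH rule is never removed by Terraform. `$ACTION_POST_PARAMS` and `$TF_POST_PARAMS` are expanded unquoted (and `ACTION_POST_PARAMS="$1 $2"` relies on that), so a bash array (`ACTION_POST_PARAMS=(...)` / `"${ACTION_POST_PARAMS[@]}"`) would make the argument passing robust to whitespace.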
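--- a/terraform/vcn-jvb-security-group/jvb-security-group.tf
+++ b/terraform/vcn-jvb-security-group/jvb-security-group.tf
@@ -0,0 +1,75 @@
+variable "tenancy_ocid" {}
+variable "compartment_ocid" {}
+variable "oracle_region" {}
+variable "environment" {}
+variable "vcn_name" {}
+variable "resource_name_root" {}
+
+provider "oci" {
+region = var.oracle_region
+tenancy_ocid = var.tenancy_ocid
+}
+
+terraform {
+backend "s3" {
+skip_region_validation = true
+skip_credentials_validation = true
+skip_metadata_api_check = true
+force_path_style = true
+}
+required_providers {
+oci = {
+source = "oracle/oci"
+}
+}
+}
+
+data "oci_core_vcns" "vcns" {
+compartment_id = var.compartment_ocid
+display_name = var.vcn_name
+}
+
+// ============ NETWORKS SECURITY GROUPS ============
+
+resource "oci_core_network_security_group" "jvb_network_security_group" {
+compartment_id = var.compartment_ocid
+vcn_id = data.oci_core_vcns.vcns.virtual_networks[0].id
+display_name = "${var.resource_name_root}-JVBSecurityGroup"
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_egress" {
+network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+direction = "EGRESS"
+destination = "0.0.0.0/0"
+protocol = "all"
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_https" {
+network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+protocol = "6" //tcp
+direction = "INGRESS"
+source = "0.0.0.0/0"
+stateless = false
+
+tcp_options {
+destination_port_range {
+min = 443
+max = 443
+}
+}
+}
+
+resource "oci_core_network_security_group_security_rule" "jvb_network_security_group_security_rule_media" {
+network_security_group_id = oci_core_network_security_group.jvb_network_security_group.id
+protocol = "17" //udp
+direction = "INGRESS"
+source = "0.0.0.0/0"
+stateless = false
+
+udp_options {
+destination_port_range {
+min = 10000
+max = 10000
+}
+}
+}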
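Review bot: The `required_providers` entry for `oracle/oci` carries no `version` constraint, and the companion script runs `terraform init -reconfigure` on every invocation, so each run resolves whatever provider release is newest unless a `.terraform.lock.hcl` is committed for this new directory; add a constraint matching the provider major already used by the other terraform directories in this repo (e.g. `version = "~> <major>"`) and commit the lock file so the provider binary is pinned and checksum-verified. The rules open 443/tcp and 10000/udp to 0.0.0.0/0 and permit all egress to 0.0.0.0/0; that is presumably intended for an Internet-facing videobridge, but a `description` on each rule (for example `description = "Jitsi media, UDP 10000 from the Internet"`) would record that intent for whoever audits the NSG later. `data.oci_core_vcns.vcns.virtual_networks[0].id` should also be guarded, e.g. with a `lifecycle { precondition { condition = length(data.oci_core_vcns.vcns.virtual_networks) == 1 ... } }` on the NSG resource, so a mistyped or ambiguous `vcn_name` fails with a clear message instead of an index error or an NSG attached to the wrong VCN.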