Merge pull request #2005 from oracle-devrel/oke-rm

oke-rm-1.1.5

Author: martatolosa

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.4/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.4/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.5/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -1,5 +1,4 @@
 locals {
-  create_bastion = var.create_bastion_subnet && var.create_bastion
   # VCN_NATIVE_CNI internally it is mapped as npn
   cni = var.cni_type == "vcn_native" ? "npn" : var.cni_type
 }

app-dev/devops-and-containers/oke/oke-rm/infra/local.tf

@@ -53,14 +53,11 @@ module "network" {
   cp_external_nat = var.cp_external_nat
   allow_external_cp_traffic = var.allow_external_cp_traffic
   cp_egress_cidr = var.cp_egress_cidr
-}
-
-module "bastion" {
-  source = "./modules/bastion"
-  region = var.region
-  compartment_id = var.bastion_compartment_id
-  vcn_name = var.vcn_name
-  bastion_subnet_id = module.network.bastion_subnet_id
-  bastion_cidr_block_allow_list = var.bastion_cidr_block_allow_list
-  count = local.create_bastion ? 1 : 0
+  # DRG
+  enable_drg = var.enable_drg
+  create_drg = var.create_drg
+  drg_id = var.drg_id
+  drg_name = var.drg_name
+  create_drg_attachment = var.create_drg_attachment
+  peer_vcns = var.peer_vcns
 }

app-dev/devops-and-containers/oke/oke-rm/infra/main.tf

@@ -0,0 +1,19 @@
+resource "oci_core_drg" "vcn_drg" {
+  compartment_id = var.network_compartment_id
+  display_name = var.drg_name
+
+  count = local.create_drg ? 1 : 0
+}
+
+resource "oci_core_drg_attachment" "oke_drg_attachment" {
+  drg_id = local.drg_id
+  display_name = "${var.vcn_name}-attachment"
+
+  network_details {
+    id = local.vcn_id
+    type = "VCN"
+  }
+
+  count = local.create_drg_attachment ? 1 : 0
+}
+

app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/bastion.tf

@@ -10,6 +10,10 @@ locals {
   nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
   cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
   create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
+  create_drg = var.enable_drg && var.create_drg
+  create_drg_attachment = var.enable_drg && var.create_drg_attachment
+  drg_id = var.create_drg ? oci_core_drg.vcn_drg.0.id : var.drg_id
+
 
 
   tcp_protocol = "6"

app-dev/devops-and-containers/oke/oke-rm/infra/modules/bastion/provider.tf

@@ -33,6 +33,17 @@ resource "oci_core_route_table" "service_route_table" {
     destination = lookup(data.oci_core_services.all_oci_services.services[0], "cidr_block")
     description = "Route for all internal OCI services in the region"
   }
+
+  dynamic "route_rules" {
+    for_each = var.enable_drg ? var.peer_vcns : []
+    content {
+      network_entity_id = local.drg_id
+      destination_type  = "CIDR_BLOCK"
+      destination       = route_rules.value
+      description       = "Route to ${route_rules.value} through the DRG"
+    }
+  }
+
 }
 
 resource "oci_core_route_table" "nat_route_table" {
@@ -51,6 +62,17 @@ resource "oci_core_route_table" "nat_route_table" {
     destination = "0.0.0.0/0"
     description = "Route to reach external Internet through a NAT gateway"
   }
+
+  dynamic "route_rules" {
+    for_each = var.enable_drg ? var.peer_vcns : []
+    content {
+      network_entity_id = local.drg_id
+      destination_type  = "CIDR_BLOCK"
+      destination       = route_rules.value
+      description       = "Route to ${route_rules.value} through the DRG"
+    }
+  }
+
 }
 
 resource "oci_core_route_table" "internet_route_table" {