Merge pull request #2320 from oracle-devrel/oke-rm

oke-rm-1.1.9

Author: martatolosa

app-dev/devops-and-containers/oke/oke-rm/README.md

@@ -16,13 +16,13 @@ This stack is used to create the initial network infrastructure for OKE. When co
 * By default, everything is private, but there is the possibility to create public subnets
 * Be careful when modifying the default values, as inputs are not validated
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/infra.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.9/infra.zip)
 
 ## Step 2: Create the OKE control plane
 
 This stack is used to create the OKE control plane ONLY.
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.8/oke.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-rm-1.1.9/oke.zip)
 
 Also note that if the network infrastructure is located in a different compartment than the OKE cluster AND you are planning to use the OCI_VCN_NATIVE CNI,
 you must add these policies:

app-dev/devops-and-containers/oke/oke-rm/infra/infra.zip

@@ -4,13 +4,13 @@ locals {
   vcn_cidr_blocks = [var.vcn_cidr_block]
   subnets = {
     cidr = {
-      pod           = cidrsubnet(var.vcn_cidr_block, 1, 0)       # e.g., "10.1.0.0/17"
-      worker        = cidrsubnet(var.vcn_cidr_block, 3, 4)       # e.g., "10.1.128.0/19"
-      lb_external   = cidrsubnet(var.vcn_cidr_block, 8, 160)     # e.g., "10.1.160.0/24"
-      lb_internal   = cidrsubnet(var.vcn_cidr_block, 8, 161)     # e.g., "10.1.161.0/24"
-      fss           = cidrsubnet(var.vcn_cidr_block, 8, 162)     # e.g., "10.1.162.0/24"
-      bastion       = cidrsubnet(var.vcn_cidr_block, 13, 5216)   # e.g., "10.1.163.0/29"
-      cp            = cidrsubnet(var.vcn_cidr_block, 13, 5217)   # e.g., "10.1.163.8/29"
+      pod           = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 1, 0) : null       # e.g., "10.1.0.0/17"
+      worker        = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 3, 4) : null       # e.g., "10.1.128.0/19"
+      lb_external   = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 160) : null     # e.g., "10.1.160.0/24"
+      lb_internal   = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 161) : null     # e.g., "10.1.161.0/24"
+      fss           = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 8, 162) : null     # e.g., "10.1.162.0/24"
+      bastion       = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5216) : null   # e.g., "10.1.163.0/29"
+      cp            = var.create_vcn ? cidrsubnet(var.vcn_cidr_block, 13, 5217) : null   # e.g., "10.1.163.8/29"
     }
     dns = {
       pod = "pod"

app-dev/devops-and-containers/oke/oke-rm/infra/local.tf

@@ -49,8 +49,6 @@ module "network" {
   fss_subnet_name = var.fss_subnet_name
   # GATEWAYS
   create_gateways = var.create_gateways
-  nat_gateway_id = var.nat_gateway_id
-  service_gateway_id = var.service_gateway_id
   create_internet_gateway = var.create_internet_gateway
   # CONTROL PLANE EXTERNAL CONNECTION
   cp_external_nat = var.cp_external_nat

app-dev/devops-and-containers/oke/oke-rm/infra/main.tf

@@ -85,7 +85,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_api
       min = 6443
     }
   }
-  count = var.create_bastion_subnet ? 1 : 0
+  count = local.create_bastion_subnet ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_apiserver_egress" {
@@ -102,7 +102,7 @@ resource "oci_core_network_security_group_security_rule" "oke_cp_nsg_bastion_api
       min = 6443
     }
   }
-  count = var.create_bastion_subnet ? 1 : 0
+  count = local.create_bastion_subnet ? 1 : 0
 }
 
 # Pods to control plane - Kubelet communication (port 12250)

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/cp-nsg.tf

@@ -5,19 +5,19 @@ resource "oci_core_service_gateway" "service_gateway" {
   services {
     service_id = lookup(data.oci_core_services.all_oci_services.services[0], "id")
   }
-  count = var.create_gateways ? 1 : 0
+  count = local.create_gateways ? 1 : 0
 }
 
 resource "oci_core_nat_gateway" "nat_gateway" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name = "NAT"
-  count = var.create_gateways ? 1 : 0
+  count = local.create_gateways ? 1 : 0
 }
 
 resource "oci_core_internet_gateway" "internet_gateway" {
   compartment_id = var.network_compartment_id
   vcn_id         = local.vcn_id
   display_name = "IG"
-  count = local.all_subnet_private && ! local.create_internet_gateway ? 0 : 1
+  count = local.create_internet_gateway ? 1 : 0
 }

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/gateways.tf

@@ -1,23 +1,24 @@
 locals {
   is_npn = var.cni_type == "npn"
-  create_pod_subnet = var.create_pod_subnet && local.is_npn
-  create_cp_subnet = var.create_cp_subnet
-  create_bastion_subnet = var.create_bastion_subnet
-  create_fss_subnet = var.create_fss
-  create_worker_subnet = var.create_worker_subnet
-  create_external_lb_subnet = var.create_external_lb_subnet
-  create_internal_lb_subnet = var.create_internal_lb_subnet
+  create_pod_subnet = var.create_pod_subnet && local.is_npn && var.create_vcn
+  create_cp_subnet = var.create_cp_subnet && var.create_vcn
+  create_bastion_subnet = var.create_bastion_subnet && var.create_vcn
+  create_fss_subnet = var.create_fss && var.create_vcn
+  create_worker_subnet = var.create_worker_subnet && var.create_vcn
+  create_external_lb_subnet = var.create_external_lb_subnet && var.create_vcn
+  create_internal_lb_subnet = var.create_internal_lb_subnet && var.create_vcn
   all_subnet_private = (var.cp_subnet_private || ! local.create_cp_subnet) && (! local.create_external_lb_subnet) && (var.bastion_subnet_private || ! var.create_bastion_subnet)
   vcn_id = var.create_vcn ? oci_core_vcn.spoke_vcn.0.id : var.vcn_id
-  service_gateway_id = var.create_gateways ? oci_core_service_gateway.service_gateway.0.id : var.service_gateway_id
-  nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : var.nat_gateway_id
+  service_gateway_id = var.create_gateways ? oci_core_service_gateway.service_gateway.0.id : null
+  nat_gateway_id = var.create_gateways ? oci_core_nat_gateway.nat_gateway.0.id : null
   cp_nat_mode = local.create_cp_subnet && var.cp_subnet_private && var.cp_external_nat
   create_cp_external_traffic_rule = var.allow_external_cp_traffic && (! var.create_cp_subnet || (! var.cp_subnet_private || var.cp_external_nat))
 
-  create_internet_gateway = (! var.create_vcn) && var.create_gateways && var.create_internet_gateway
+  create_gateways = (var.create_gateways && ! var.create_vcn) || var.create_vcn
+  create_internet_gateway = (local.create_gateways && ! var.create_vcn && var.create_internet_gateway) || (var.create_vcn && ! local.all_subnet_private)
 
   create_drg = var.enable_drg && var.create_drg
-  create_drg_attachment = var.enable_drg && var.create_drg_attachment
+  create_drg_attachment = var.enable_drg && var.create_drg_attachment && var.create_vcn
   drg_id = var.create_drg ? try(oci_core_drg.vcn_drg.0.id, null) : var.drg_id
 
 

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/local.tf

@@ -25,7 +25,7 @@ output "internal_lb_subnet_id" {
 }
 
 output "bastion_subnet_id" {
-  value = var.create_bastion_subnet ? oci_core_subnet.bastion_subnet[0].id : null
+  value = local.create_bastion_subnet ? oci_core_subnet.bastion_subnet[0].id : null
 }
 
 # NSG

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/output.tf

@@ -151,10 +151,6 @@ variable "create_gateways" {
   type = bool
 }
 
-variable "service_gateway_id" {}
-
-variable "nat_gateway_id" {}
-
 variable "create_internet_gateway" {
   type = bool
 }

app-dev/devops-and-containers/oke/oke-rm/infra/modules/network/variable.tf

@@ -183,7 +183,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion
       min = 22
     }
   }
-  count = var.create_bastion_subnet ? 1 : 0
+  count = local.create_bastion_subnet ? 1 : 0
 }
 
 resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion_ssh_egress" {
@@ -200,7 +200,7 @@ resource "oci_core_network_security_group_security_rule" "oke_worker_nsg_bastion
       min = 22
     }
   }
-  count = var.create_bastion_subnet ? 1 : 0
+  count = local.create_bastion_subnet ? 1 : 0
 }
 
 # Internet - ALL protocols